On Aug 7, 2008, at 3:05 PM, Wouter Wijngaards wrote:

> Hi James,
>
> You are using an older version of Bind9 I think; since this was
> considered bad behaviour by Bind, and fixed in recent releases.
> It was fixed because some legacy boxes (adsl I think) did not like
> getting AD bits in their replies and crash or hang on it.
>
> If you just want to get an AD bit in the reply if it's secure, set the AD
> bit in the query to signal that you are ready and able to receive the AD
> bit in the reply.
>
> That means getting your stub resolver to set 'AD' in queries.
>
> This has just been documented in the latest dnssec-bis-updates draft in
> the IETF dnsext working group.

Can we make that behavior configurable?

Roy
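The AD-in-query signalling described in the quoted message, as an added example that is not part of the original thread and is not Unbound or BIND code. The helper names, the transaction ID and the `constructed_reply` resolver model are assumptions made for illustration; EDNS and the DO bit are left out.

```python
import struct

# DNS header flag masks (RFC 1035 layout; AD bit per RFC 4035).
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234, set_ad=True):
    """Build a one-question query; set_ad signals the stub understands AD."""
    flags = RD | (AD if set_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def header_flags(msg):
    """Decode the ID and the flag bits this example cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & 0x000F}

def constructed_reply(query, secure):
    """Constructed sample reply (header plus echoed question, no answers).
    Models the described policy: AD is set only if the data is secure AND
    the query itself carried AD."""
    q = header_flags(query)
    flags = QR | RD | RA | (AD if secure and q["ad"] else 0)
    return struct.pack("!HH", q["id"], flags) + query[4:]

def reply_is_validated(query, reply):
    """True only for a matching NOERROR response with the AD bit set."""
    q, r = header_flags(query), header_flags(reply)
    return r["qr"] and r["id"] == q["id"] and r["rcode"] == 0 and r["ad"]

if __name__ == "__main__":
    for set_ad in (True, False):
        query = build_query("example.com", set_ad=set_ad)
        reply = constructed_reply(query, secure=True)
        print("query AD=%s -> reply validated=%s"
              % (set_ad, reply_is_validated(query, reply)))
```

The AD bit in a reply is not itself authenticated, so a stub should rely on it only when the path to the validating resolver is trusted, for example a resolver on localhost.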