Moin!
On 25 Feb 2019, at 10:32, Arsen STASIC wrote:
Hi,
I'm not sure if it was already discussed on this list.
Why is BIND's dig getting a AD flag and kdig not?
Binds dig is using EDNS0 and
other unnecessary stuff like cookies per
default, while kdig per default emulates and old style DNS client
without bells and whistles, and thus does not get AD, as this was only
defined with DNSSEC (RFC2535/3655/4035). Having EDNS0 support even
without setting DO is considered to be able to interpret the AD bit,
while clients without EDNS0 are considered not to be able to interpret
it and thus don’t get it.
So long
-Ralf
—--
Ralf Weber