Moin!
Hi,
I'm not sure if it was already discussed on this list.
Why is BIND's dig getting an AD flag and kdig not?
BIND's dig is using EDNS0 and other unnecessary stuff like cookies by
default, while kdig by default emulates an old-style DNS client
without bells and whistles, and thus does not get AD, as this was only
defined with DNSSEC (RFC2535/3655/4035). Having EDNS0 support even
without setting DO is considered to be able to interpret the AD bit,
while clients without EDNS0 are considered not to be able to interpret
it and thus don’t get it.
OK, forget the last sentence, BIND is also setting the AD bit on the
query and this actually triggers it, though the RFC where this is
defined currently doesn’t come to my mind. So to get AD with kdig do:

    kdig +adflag +noall +header @dotns1.aco.net univie.ac.at soa +qr
So long
-Ralf
--
Ralf Weber