[dns-operations] Any known AD=1 intolerant iterative resolvers?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 14 22:19:24 UTC 2020

Does anyone know of any iterative resolvers one is likely to run into on
some ISP's network, hotel, or WiFi hotspot that will choke on queries
with AD=1, per:


FWIW, "dig" sets AD=1 by default, and I've never seen a need to use
"+noad" to get the upstream resolver to respond correctly.  But perhaps
I've just not tested in the "wrong" places.

Is there a way to leverage RIPE ATLAS to look for AD=1 (in queries)

The reason I ask, is that the MUSL libc stub resolver has no support for
EDNS and so no DO=1, but Postfix DANE support still needs to see the AD
bit from the local resolver, which is not sent when there's no AD=1 in
the query.

My instinct is that it is now safe to just always send AD=1 in queries,
which would partly resolve the issue, but if that is liable to break
lookups via some extant resolvers, then AD=1 would need to be
configurable via options in /etc/resolv.conf or similar.


More information about the dns-operations mailing list