[dns-operations] Any known AD=1 intolerant iterative resolvers?
fw at deneb.enyo.de
Wed Apr 15 05:23:37 UTC 2020
* Viktor Dukhovni:
> The reason I ask, is that the MUSL libc stub resolver has no support for
> EDNS and so no DO=1, but Postfix DANE support still needs to see the AD
> bit from the local resolver, which is not sent when there's no AD=1 in
> the query.
> My instinct is that it is now safe to just always send AD=1 in queries,
> which would partly resolve the issue, but if that is liable to break
> lookups via some extant resolvers, then AD=1 would need to be
> configurable via options in /etc/resolv.conf or similar.
This approach does not work because you do not know whether the
recursive resolver merely echoes back the AD bit, or has actually
performed DNSSEC validation.
I'm also not sure if the AD bit will be set for local authoritative
data in the recursive resolver, which did not undergo DNSSEC
validation. You cannot use the AA bit in addition to the AD bit
because some recursive resolvers relay that bit if the answer does not
come from the cache (some versions of BIND 8 did that, others probably
So the answer to the question whether you can send AD=1 queries
without increasing the query failure rate does not really matter
because Postfix cannot use that anyway.
More information about the dns-operations