DNSSEC - Ad Flag not activated

You won't. AD is not set by authoritative servers, only recursive resolvers which have validated the chain of trust. I know that seems stupid, since the authoritative server has the keys - but that's how it is.


Per user53814's answer, you won't get the AD bit from an authoritative server. This is by design - just because the server has keys doesn't prove it has the right keys.

Your recursive resolver will perform validation, but it won't send back the AD bit unless the client has indicated DNSSEC awareness by sending the DO bit in the query (i.e. with the +dnssec option to dig). This is how DNSSEC maintains backwards compatibility, by ensuring that unexpected DNSSEC data isn't sent to clients that aren't expecting it.

Note however that your validating recursive resolver will still indicate validation failure by returning a SERVFAIL error code. Hence a stub that is not DNSSEC-aware can still be protected from receiving bad answers just by talking to a DNSSEC-aware recursor.
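To make the two points above concrete (the DO bit is what tells the recursor it may return AD, and a validation failure comes back as SERVFAIL with no AD), here is an added example that is not from any of the answers: a small hand-rolled DNS wire-format helper. The query builder, the 12-byte sample responses and the `send_query` helper are all my own construction; the sample response bytes are made up for illustration, not captured from a real server.

```python
import socket
import struct

AD_BIT = 0x0020        # header flags: bit 5, "Authentic Data" (set only by a validating recursor)
DO_BIT = 0x00008000    # EDNS0 OPT "TTL" field: bit 15, "DNSSEC OK" (what dig +dnssec sets)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qid=0x1234, do=True):
    """A/IN query with RD set; do=True appends an EDNS0 OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    if do:
        # OPT RR: empty name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
    return msg

def query_has_do(query):
    """True if the query carries an OPT RR with DO set, i.e. the client announced DNSSEC awareness."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return False
    # the OPT RR is the trailing 11 bytes of a question-only query
    name, rtype, _size, ttl, _rdlen = struct.unpack("!BHHIH", query[-11:])
    return name == 0 and rtype == 41 and bool(ttl & DO_BIT)

def parse_header(response):
    """Read what a stub cares about: AD (recursor validated) and RCODE (SERVFAIL = validation failed)."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return {"id": qid, "ad": bool(flags & AD_BIT), "rcode": RCODES.get(rcode, str(rcode)), "answers": an}

def send_query(name, server, do=True, timeout=3.0):
    """Send the query over UDP to a recursor and parse the reply header (needs network; not run offline)."""
    q = build_query(name, do=do)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return parse_header(s.recv(4096))

# Constructed 12-byte sample response headers, not captured from a real server:
# validated answer from a recursor: QR|RD|RA|AD, NOERROR, one answer RR
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
# validation failure as a non-DNSSEC-aware stub sees it: QR|RD|RA, RCODE=2, no answer, no AD
FAILED = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)

if __name__ == "__main__":
    print(parse_header(VALIDATED))   # {'id': 4660, 'ad': True, 'rcode': 'NOERROR', 'answers': 1}
    print(parse_header(FAILED))      # {'id': 4660, 'ad': False, 'rcode': 'SERVFAIL', 'answers': 0}
```

Pointing `send_query` at an authoritative server instead of a validating recursor will never return `ad: True`, regardless of the DO bit, which is exactly the behaviour the answers describe.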


I had the same problem and solved it by updating to the bind contained in Debian jessie (1:9.9.5.dfsg-7) and putting `dnssec-validation auto;` in /etc/bind/named.conf.options. Now the ad flag is set for all but the authoritative domains.