Hello
I was playing around with some experimental code and I noticed
that 'open.nlnetlabs.nl' does not set the DO bit in the reply, when
it is set in the query, as is required per RFC 3225.
NSD:
% dig @open.nlnetlabs.nl +dnssec mx miek.nl | grep EDNS
; EDNS: version: 0, flags:; udp: 4096
BIND:
% dig @miek.nl +dnssec mx miek.nl | grep EDNS
; EDNS: version: 0, flags: do; udp: 4096
grtz,
Hi Miek,
You are hitting something old. From the REQUIREMENTS of NSD:
+ If the DNSSEC OK bit (DO bit) is set then the query will be
processed as a DNSSEC request. Although RFC3225 does not
explicitly specify this NSD clears the DO bit in the answer.
This has been in there since version 1.0.1 
I believe that the scope of RFC3255 is explicit for resolvers, and RFC 4034
is not clear about what an authoritative server should do.
I know we made dnext-dnssec-bis-updates for this:
5.6. Setting the DO Bit on Replies
As stated in [RFC3225], the DO bit of the query MUST be copied in the
response. At least one implementation has done something different,
so it may be wise for resolvers to be liberal in what they accept.
Although I don't think we are violating the RFCs, it is possible to
make NSD copy the DO bit instead of clearing it.
Best regards,
Matthijs
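As an added illustration (not code from the thread, from NSD or from BIND): a small pure-Python model of the EDNS OPT pseudo-RR showing where the DO bit lives (the high bit of the 16-bit flags field that the OPT RR carries in its TTL, per RFC 6891), a parser that reports it the way dig's `; EDNS:` line does, and a simulated authoritative reply implemented both ways discussed above: copying the query's DO bit (the RFC 3225 wording) and clearing it (the NSD behaviour Matthijs describes). The message id, the query name and the empty answer section are constructed assumptions for the demo.

```python
import struct

OPT_TYPE = 41
DO_BIT = 0x8000  # high bit of the 16-bit EDNS flags field (RFC 6891 section 6.1.3)


def encode_name(name):
    """Wire-format a dotted name without compression (constructed query only)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off`; handles compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label ends the name
            return off


def build_opt_rr(udp_size=4096, do=False, ext_rcode=0, version=0):
    """OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    TTL = extended RCODE (8) | version (8) | flags (16), empty RDATA."""
    ttl = (ext_rcode << 24) | (version << 16) | (DO_BIT if do else 0)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)


def build_query(qname, qtype, do, msg_id=0x1234):
    """Minimal query with one question and one OPT RR, like `dig +dnssec`."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD set, qd=1, ar=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + build_opt_rr(do=do)


def edns_info(msg):
    """Walk all sections and return {'version', 'do', 'udp'} from the OPT RR,
    or None when the message carries no EDNS at all."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return {"version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & DO_BIT),
                    "udp": rclass}
    return None


def dig_edns_line(msg):
    """Render the OPT RR the way dig prints it in its `; EDNS:` comment."""
    info = edns_info(msg)
    if info is None:
        return "; (no EDNS)"
    flags = " do" if info["do"] else ""
    return f"; EDNS: version: {info['version']}, flags:{flags}; udp: {info['udp']}"


def answer(query, copy_do):
    """Simulated authoritative reply (empty answer section, constructed).
    copy_do=True echoes the query's DO bit as RFC 3225 says; copy_do=False
    always clears it, which is the NSD behaviour described in the thread."""
    msg_id, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    info = edns_info(query)
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    question = query[12:off]
    header = struct.pack("!HHHHHH", msg_id, 0x8400 | (flags & 0x0100),  # QR, AA, RD copied
                         qd, 0, 0, 1 if info else 0)
    opt = b""
    if info:                                   # reply with OPT only if the query had one
        opt = build_opt_rr(udp_size=info["udp"], do=(info["do"] and copy_do))
    return header + question + opt


if __name__ == "__main__":
    q = build_query("miek.nl", 15, do=True)   # MX query, DO set
    print("query:", dig_edns_line(q))
    print("BIND-style reply:", dig_edns_line(answer(q, copy_do=True)))
    print("NSD-style reply: ", dig_edns_line(answer(q, copy_do=False)))
```

The two reply lines come out exactly as the two `grep EDNS` results at the top of the thread; a resolver that wants to be "liberal in what it accepts", as the dnssec-bis-updates text suggests, should decide whether to expect RRSIGs from the DO bit it sent in the query rather than from the bit it gets back.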
[ Quoting Matthijs Mekking at 10:21 on September 20 in "Re: [nsd-users] do bit"... ]
> Hi Miek,
> You are hitting something old. From the REQUIREMENTS of NSD:
> + If the DNSSEC OK bit (DO bit) is set then the query will be
> processed as a DNSSEC request. Although RFC3225 does not
> explicitly specify this NSD clears the DO bit in the answer.
> This has been in there since version 1.0.1
no way! 
> I believe that the scope RFC3255 is explicit for resolvers, and RFC 4034
> is not clear about it what an authoritative server should do.
ah, okay. I was put off guard by this line in 3225.
The DO bit of the query MUST be copied in the response.
grtz Miek