On 2024-06-23 15:50 +02, Otto Moerbeek <o...@drijf.net> wrote:
> On Sun, Jun 23, 2024 at 03:43:54PM +0200, Otto Moerbeek wrote:
>
>> It is possible to argue that it is correct in doing so, *if* it
>> didn't set the AD flag in the request
>
> or added the DO flag

I think the problem is that unwind is a bit too enthusiastic when it
manages to validate an answer. It will always set the AD flag in that
case, no matter if it was asked or not:

$ dig @::1 +qr +noadflag +nocmd ripe.net
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65381
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ripe.net.                      IN      A

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65381
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ripe.net.                      IN      A

;; ANSWER SECTION:
ripe.net.               193     IN      A       193.0.11.51

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Jun 23 16:08:48 CEST 2024
;; MSG SIZE rcvd: 42

So there are valid reasons to ignore the SHOULD item: It was easier to
implement this way. But it seems like the "full implications" have not
been understood.

-- 
In my defence, I have been left unsupervised.
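
Added example, not part of the original message and not unwind's code: a wire-format check for the behaviour shown in the dig exchange above, flagging a response that sets AD when the query set neither AD nor DO. It assumes the SHOULD being discussed is the one in RFC 6840 section 5.8; the helper names and the byte strings (built to mirror the dig output) are constructed for illustration.

```python
import struct

AD = 0x0020        # Authentic Data bit in the header flags word
DO = 0x8000        # DNSSEC OK bit, carried in the OPT record's TTL field
TYPE_OPT = 41

def skip_name(msg, off):                   # offset just past a domain name
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:               # compression pointer ends the name
            return off + 2
        off += 1 + n

def flags_of(msg):
    """Return (ad, do) for a DNS message in wire format."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO)
    return bool(flags & AD), do

def unsolicited_ad(query, response):
    """True if the response sets AD although the query set neither AD nor DO."""
    q_ad, q_do = flags_of(query)
    return flags_of(response)[0] and not (q_ad or q_do)

# Constructed messages mirroring the dig exchange in the message above.
def question(name):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return labels + b"\0" + struct.pack("!HH", 1, 1)           # A, IN

def build_query(name, ad=False, do=False):
    hdr = struct.pack("!6H", 65381, 0x0100 | (AD if ad else 0), 1, 0, 0, 1)
    opt = b"\0" + struct.pack("!HHIH", TYPE_OPT, 4096, DO if do else 0, 0)
    return hdr + question(name) + opt

def build_response(name, ad):
    hdr = struct.pack("!6H", 65381, 0x8180 | (AD if ad else 0), 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 193, 4) + bytes([193, 0, 11, 51])
    return hdr + question(name) + rr
```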