ad flag missing in response to a tlsa query

Claus Assmann ml+unbound-users at esmtp.org
Wed Jan 1 09:50:25 UTC 2020


I'm trying to figure out why the ad flag is not set for a specific
TLSA query:

unbound 1.9.6 is listening on port 1153:
dig +ad -p 1153 -t tlsa _25._tcp.mail.roaringpenguin.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19607
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

It works fine for other domains, e.g.,
dig +ad -p 1153 -t tlsa _25._tcp.mail.nllabs.nl.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61517
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

delv can seemingly verify that -t tlsa _25._tcp.mail.roaringpenguin.com
does not exist:
; negative response, fully validated
; _25._tcp.mail.roaringpenguin.com. 1624 IN \-ANY	;-$NXDOMAIN

So what is wrong? Do I misunderstand what the ad flag indicates?
Is some setup (my side, server side) wrong?
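A small stdlib-only check for the behaviour described above, added here as an example and not part of the original post: it builds the TLSA query with the AD bit set (which is what dig +ad sends), decodes the reply header into the same status and flags dig prints, and reports whether AD came back. The resolver address 127.0.0.1 and port 1153 are taken from the post; the function names are assumptions.

```python
import socket
import struct

QTYPE_TLSA = 52
# Header flag bits, in the order dig prints them on its ";; flags:" line.
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010))
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=QTYPE_TLSA, qid=0x1234, ad=True):
    """Minimal wire-format DNS query: RD set, plus AD when requested.
    Setting AD in the query is what dig +ad does; per RFC 6840 a validating
    resolver only reports AD in its reply if the query carried AD or DO."""
    flags = 0x0100 | (0x0020 if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the 12-byte header into the fields dig shows: status, flags, counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    names = [n for n, bit in FLAG_BITS if flags & bit]
    rcode = flags & 0x000F
    return {"id": qid, "status": RCODES.get(rcode, str(rcode)), "flags": names,
            "answer": an, "authority": ns, "additional": ar}


def ad_is_set(msg):
    """True only if the resolver asserted the answer (or denial) was DNSSEC-validated."""
    return "ad" in parse_header(msg)["flags"]


def query(name, server="127.0.0.1", port=1153, timeout=3.0):
    """Send the query over UDP to the resolver (port 1153 as in the post) and
    return the parsed reply header; this is the only network-dependent step."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


if __name__ == "__main__":
    for n in ("_25._tcp.mail.roaringpenguin.com", "_25._tcp.mail.nllabs.nl"):
        h = query(n)
        note = "" if "ad" in h["flags"] else "  <- not validated by the resolver"
        print(f"{n}: {h['status']} flags: {' '.join(h['flags'])}{note}")
```

A reply without ad means the resolver did not validate that denial, so a DANE-aware client must treat the TLSA lookup as unverified rather than as a validated absence of records.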
