Looking at the dnssec-bis-updates presentation from the DNSEXT meeting
in Philadelphia, it was apparent that a few bits had fallen through
the cracks between then and now. This is one of them. Anyway, here
is the proposed additional text:

3.6. Setting the AD bit on Replies

Section 3.2.3 of [RFC4035] describes under which conditions a
validating resolver should set or clear the AD bit in a response.
In order to protect legacy stub resolvers and middleboxes, validating
resolvers SHOULD only set the AD bit when a response both meets the
conditions listed in RFC 4035, section 3.2.3, and the request
contained either a set DO bit or a set AD bit.

Note that the use of the AD bit in the query was previously
undefined. This document defines it as a signal indicating that the
requester understands and is interested in the value of the AD bit
in the response. This allows a requestor to indicate that it
understands the AD bit without also requesting DNSSEC data via the

Any comments?

David Blacka
Sr. Engineer Platform Product Development

