RFC 4035: Protocol Modifications for the DNS Securi...
RFC-Ref

AD



... (Checking Disabled) bit and the AD (Authentic Data) bit. The CD bit ...
... the CD bit from a query into the corresponding response. The AD bit is controlled by name servers; a security-aware name server ...
... security-aware name server MUST ignore the setting of the AD bit in queries. See Sections 3.1.6, 3.2.2, 3.2.3, 4, and 4.9 for details on the behavior of these bits ...
... The AD and CD Bits in an Authoritative Response ...
... The CD and AD bits are designed for use in communication between security-aware ...
... A security-aware name server MUST NOT set the AD bit in a response unless the name server considers all RRsets in the Answer and ...
... name server that supports recursion MUST follow the rules for the CD and AD bits given in Section 3.2 when generating a response that involves data obtained via recursion. ...
... The AD Bit ...
... security-aware recursive name server MUST NOT set the AD bit in a response unless the name server considers all RRsets in the Answer and Authority ...
... Authority sections of the response to be authentic. The name server side SHOULD set the AD bit if and only if the resolver side considers all RRsets in the Answer section and any relevant negative response RRs ...
... backward compatibility, a recursive name server MAY set the AD bit when a response includes unsigned CNAME RRs if those CNAME ...


... Handling of the CD and AD Bits ...
... A security-aware resolver MUST clear the AD bit when composing query messages to protect against buggy name servers that blindly copy ...
... A resolver MUST disregard the meaning of the CD and AD bits in a response unless the response was obtained by using a secure channel ...
... Handling of the AD Bit ...
... A non-validating security-aware stub resolver MAY chose to examine the setting of the AD bit in response messages that it receives in order to determine whether the security-aware recursive name server ...
... security-aware recursive name server. Therefore, there may be little practical value in checking the status of the AD bit, except perhaps as a debugging aid. In any case, a security-aware stub resolver MUST ...
... A validating security-aware stub resolver SHOULD NOT examine the setting of the AD bit in response messages, as, by definition, the stub resolver performs its own signature validation ...
... signature validation regardless of the setting of the AD bit. ...


... [RFC2535] reserved the CD and AD bits in the message header. The ...
... bits in the message header. The meaning of the AD bit was redefined in [RFC3655], and the meaning of both the CD ...
... RFC3655], and the meaning of both the CD and AD bit are restated in this document. No new bits in the DNS ...


... CD bit in a DNS query message or the AD bit in a DNS response message can use these bits to defeat the ...


... Wellington, B. and O. Gudmundsson, "Redefinition of DNS Authenticated Data (AD) bit", RFC 3655(-> 4035prop | 4034prop | 4033prop), November 2003. ...


