1. DNSSEC/cdflag

DNSSEC and Google’s Public DNS Service 9 Apr 2013 in DNS by Geoff Huston http://labs.apnic.net/?p=316

Unbound: https://www.unbound.net/pipermail/unbound-users/2016-March/004272.html


Can anyone really understand it from an explanation like this?

  +[no]cdflag
      Set [do not set] the CD (checking disabled) bit in the query.
      This requests the server to not perform DNSSEC validation of responses.

Does it also ignore everything that is already cached?

I have no intention of reading the DNSSEC RFCs closely.

-- ToshinoriMaeno 2016-08-16 16:09:01

In the early DNSSEC specification: http://www.freesoft.org/CIE/RFC/2065/40.htm

The CD (checking disabled) bit indicates in a query that non-verified data is acceptable to the resolver sending the query.

These bits are zero in old servers and resolvers.

Security aware servers NEVER return Bad data. For non-security aware resolvers or security aware resolvers requesting service by having the CD bit clear, security aware servers MUST return only Authenticated or Insecure data with the AD bit set in the response. Security aware resolvers will know that if data is Insecure versus Authentic by the absence of SIG RRs.

Security aware servers MAY return Pending data to security aware resolvers requesting the service by clearing the AD bit in the response. The AD bit MUST NOT be set on a response unless all of the RRs in the response are either Authenticated or Insecure.
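As an added example (not code from this page, from dig, or from Unbound), the Python below shows where the CD and AD bits live in the DNS header: it builds a query with CD set, which is what `dig +cdflag` does, and decodes the AD and CD bits of a response the way the RFC 2065 text above describes. The response headers it decodes are constructed samples, not captured traffic.

```python
import struct

# Bit positions in the 16-bit DNS header flags word (RFC 1035 layout, AD/CD from RFC 2065)
FLAG_QR = 0x8000  # response (1) or query (0)
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authentic Data: all RRs are Authenticated or Insecure
FLAG_CD = 0x0010  # Checking Disabled: querier accepts non-verified (Pending) data
RCODE_MASK = 0x000F


def build_query(qname, qtype=1, txid=0x1234, cd=False):
    """Wire-format query for qname/qtype; cd=True is the equivalent of dig +cdflag."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def parse_flags(msg):
    """Decode the header flags word of a DNS message into the bits discussed on this page."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
    }


def classify_response(msg):
    """Apply the RFC 2065 rule: AD set means every RR is Authenticated or Insecure;
    AD clear with CD echoed back means the answer may contain Pending (unverified) data."""
    f = parse_flags(msg)
    if f["ad"]:
        return "authenticated-or-insecure"
    return "unverified-cd" if f["cd"] else "not-validated"


# Constructed sample response headers (counts only, no records) for the demo
SAMPLE_AD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
SAMPLE_CD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, 1, 1, 0, 0)

if __name__ == "__main__":
    print(build_query("example.com", cd=True).hex())
    print(classify_response(SAMPLE_AD), classify_response(SAMPLE_CD))
```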