From 6b5a6fbe1cc0ceb7e2b516aaada596b79360a5b8 Mon Sep 17 00:00:00 2001
From: Bob Halley <source@isc.org>
Date: Mon, 20 Nov 2000 17:53:35 +0000
Subject: [PATCH] only set AD if they asked for DNSSEC

---
 CHANGES           |  3 +++
 bin/named/query.c | 10 ++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 05f829fe36..186d7db697 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+ 569.	[func]		The DNSSEC AD bit will not be set on queries which
+			have not requested a DNSSEC response.
+
  568.	[func]		Add sample simple database drivers in contrib/sdb.
 
  567.	[bug]		Setting the zone transfer timeout to zero caused an
diff --git a/bin/named/query.c b/bin/named/query.c
index 397c4ae16a..1b0ccce985 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.152 2000/11/16 19:20:08 tale Exp $ */
+/* $Id: query.c,v 1.153 2000/11/20 17:53:35 halley Exp $ */
 
 #include <config.h>
 
@@ -3418,12 +3418,14 @@ ns_query_start(ns_client_t *client) {
 	/*
 	 * Set AD.  We need only clear it if we add "pending" data to
 	 * a response.
+	 *
+	 * XXX  Note: the way AD is set will be changing in the near
+	 *      future.
 	 */
-	message->flags |= DNS_MESSAGEFLAG_AD;
+	if (WANTDNSSEC(client))
+		message->flags |= DNS_MESSAGEFLAG_AD;
 
 	qclient = NULL;
 	ns_client_attach(client, &qclient);
 	query_find(qclient, NULL);
 }
-
-