No CD in forwarded queries unless dnssec-debug for TCP too.
diff --git a/src/forward.c b/src/forward.c
index 27f619b..1b6f80e 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1431,7 +1431,10 @@
if (option_bool(OPT_DNSSEC_VALID))
{
size = add_do_bit(header, size, ((char *) header) + 65536);
- header->hb4 |= HB4_CD;
+ /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
+ this allows it to select auth servers when one is returning bad data. */
+ if (option_bool(OPT_DNSSEC_DEBUG))
+ header->hb4 |= HB4_CD;
}
#endif