From dc6a57ffb8686b3d78971b6adaa283c0d77b3a69 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Tue, 20 Aug 2019 23:17:27 +0100
Subject: [PATCH] Always force AD bit to zero in authoritative DNS answers.

---
 src/auth.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/auth.c b/src/auth.c
index 7446580..854af0d 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -836,6 +836,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 header->hb4 &= ~HB4_RA;
 }

+ /* data is never DNSSEC signed. */
+ header->hb4 &= ~HB4_AD;
+
 /* authoritative */
 if (auth)
 header->hb3 |= HB3_AA;
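Review bot: The new comment `/* data is never DNSSEC signed. */` above `header->hb4 &= ~HB4_AD;` says why AD must be zero but not where a set AD bit would come from. answer_auth edits the header it is handed in place (the `&= ~HB4_RA` and `|= HB3_AA` lines around the addition), so presumably an AD bit set by the querier would otherwise be echoed back, and a stub resolver that trusts AD would treat unsigned data as validated. I would spell that out, e.g. `/* The AD bit may arrive set in the query; auth-zone data is never DNSSEC signed, so never echo it. */`. The function body starts and ends outside the hunk, so whether any other return path leaves AD untouched cannot be checked from here.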