authorGravatar Chris O'Haver <cohaver@infoblox.com> 2022-06-17 15:47:35 -0400
committerGravatar GitHub <noreply@github.com> 2022-06-17 15:47:35 -0400
commitd60ce0c8d4fd647e880a118f469e8239d6effc7d (patch)
tree2f032b0252cb473929ca32896fb895ae51f23285 /plugin/cache/cache.go
parentd679f2e7d0a73ce31ba095d3f22d587be6e94bfa (diff)
retain response AD bit if requestor's AD bit was set (#5191)
Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
Diffstat (limited to 'plugin/cache/cache.go')
-rw-r--r--plugin/cache/cache.go7
1 files changed, 5 insertions, 2 deletions
diff --git a/plugin/cache/cache.go b/plugin/cache/cache.go
index 58a73e72c..fb84fcec0 100644
--- a/plugin/cache/cache.go
+++ b/plugin/cache/cache.go
@@ -109,6 +109,7 @@ type ResponseWriter struct {
server string // Server handling the request.
do bool // When true the original request had the DO bit set.
+ ad bool // When true the original request had the AD bit set.
prefetch bool // When true write nothing back to the client.
remoteAddr net.Addr
}
@@ -185,8 +186,10 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
res.Ns = filterRRSlice(res.Ns, ttl, w.do, false)
res.Extra = filterRRSlice(res.Extra, ttl, w.do, false)
- if !w.do {
- res.AuthenticatedData = false // unset AD bit if client is not OK with DNSSEC
+ if !w.do && !w.ad {
+ // unset AD bit if requester is not OK with DNSSEC
+ // But retain AD bit if requester set the AD bit in the request, per RFC6840 5.7-5.8
+ res.AuthenticatedData = false
}
return w.ResponseWriter.WriteMsg(res)
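Review bot: The comment above `res.AuthenticatedData = false` still reads as if DO alone decides, while the new condition `!w.do && !w.ad` clears the bit only when the request set neither flag. I would replace the two comment lines with one that states the rule as coded, e.g. `// Clear AD unless the request set DO or AD (RFC 6840 5.7-5.8); the bit is relayed from the upstream answer.` As far as this hunk shows, the writer only passes the upstream AD bit through and does not validate, so a retained AD is only as trustworthy as the upstream resolver and the path to it, which is worth noting in the plugin documentation. WriteMsg begins and ends outside the hunk and the diff is limited to cache.go, so I cannot see where `ad` is populated or how answers served from the cache treat the bit. Please confirm the cache-hit path applies the same DO/AD rule, and add a test covering the four DO/AD request combinations so a client that set neither flag never receives AD.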