For queries with the DO bit set, the results don't contain the AD bit (i.e. there's no ad in flags):
$ DNSSEC=1 dnslookup go.dnscheck.tools tls://wikimedia-dns.org 185.71.138.138
dnslookup master
Server: tls://wikimedia-dns.org
dnslookup result (elapsed 164.97548ms):
;; opcode: QUERY, status: NOERROR, id: 27557
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;go.dnscheck.tools. IN A
;; ANSWER SECTION:
go.dnscheck.tools. 1 IN A 116.203.95.251
Compare it with kdig, which returns ad in Flags:
$ kdig go.dnscheck.tools +dnssec +tls-hostname=wikimedia-dns.org @185.71.138.138
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-128-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 12425
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 391 B
;; QUESTION SECTION:
;; go.dnscheck.tools. IN A
;; ANSWER SECTION:
go.dnscheck.tools. 1 IN A 116.203.95.251
;; Received 457 B
;; Time 2025-05-29 13:25:23 EEST
;; From 185.71.138.138@853(TLS) in 148.4 ms
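As a reference for reading the two outputs above, here is an added Go example (not part of the original report, and not dnslookup's or kdig's code) showing where the two bits sit on the wire: DO is in the flags field of the EDNS0 OPT record, AD is in the message header. `BuildQuery`, `Inspect` and `Info` are hypothetical names, and the query bytes are constructed.

```go
package main

import "fmt"

const flagAD, optDO, typeOPT = 0x0020, 0x8000, 41 // RFC 4035 AD, RFC 3225 DO, OPT RR type
// Info is what Inspect found in one wire-format DNS message.
type Info struct{ AD, HasOPT, DO bool }

// BuildQuery encodes an A query (RD set) plus an EDNS0 OPT record carrying optFlags.
func BuildQuery(id, optFlags uint16, labels ...string) []byte {
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0, 0, 1, 0, 0, 0, 0, 0, 1} // RD; QD=1, AR=1
	for _, label := range labels {
		msg = append(append(msg, byte(len(label))), label...)
	}
	msg = append(msg, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
	// OPT: root name, TYPE=41, CLASS=UDP size 1232, ext-rcode, version, flags, RDLEN=0
	return append(msg, 0, 0, typeOPT, 0x04, 0xd0, 0, 0, byte(optFlags>>8), byte(optFlags), 0, 0)
}

// Inspect reads the header AD bit, then walks every record looking for an OPT RR.
func Inspect(msg []byte) (Info, error) {
	if len(msg) < 12 {
		return Info{}, fmt.Errorf("short header: %d bytes", len(msg))
	}
	u16 := func(i int) int { return int(msg[i])<<8 | int(msg[i+1]) }
	info, qd, off := Info{AD: u16(2)&flagAD != 0}, u16(4), 12
	for i, n := 0, qd+u16(6)+u16(8)+u16(10); i < n; i++ {
		for l := 1; l != 0 && off < len(msg); off += 1 + l { // skip the owner name
			if l = int(msg[off]); l&0xC0 == 0xC0 {
				l, off = 0, off+1 // 2-byte compression pointer ends the name
			}
		}
		if i < qd {
			off += 4 // QTYPE + QCLASS
			continue
		}
		if off+10 > len(msg) {
			return info, fmt.Errorf("record %d truncated", i)
		}
		if u16(off) == typeOPT {
			info.HasOPT, info.DO = true, u16(off+6)&optDO != 0
		}
		off += 10 + u16(off+8) // TYPE, CLASS, TTL, RDLENGTH, then RDATA
	}
	return info, nil
}

func main() {
	fmt.Println(Inspect(BuildQuery(0x6b85, optDO, "go", "dnscheck", "tools"))) // constructed query
}
```

A message with the header shape of the first output above (flags `qr rd ra`, ADDITIONAL: 0) makes `Inspect` return all three fields false, since there is neither an AD bit nor an OPT record to read.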