"A server MUST not set the AD bit unless it knows that a secure
transport is in use between it and the requesting client."
And the way the DNS application tells that IPsec is established
between it and the client is ...?
Yep, this is a problem. There needs to be an API that applications can
call to determine if IPsec is present and what level of protection is
engaged. Sorry, this stuff isn't easy.
As I said, the current spec is the best we could do given the constraints.
We don't love it, but that's the current reality.
randy
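An added illustration of the rule being argued over, not code from the thread or from any resolver: the server sets AD only when it both validated the data and knows the transport is protected, and the client applies the mirror-image check and ignores an AD bit that arrived over an unprotected path. The transport labels and the SECURE_TRANSPORTS set are assumptions for this example; since, as the thread notes, there is no API for an application to learn whether IPsec protects a socket, "ipsec" is deliberately not in the set.

```python
import struct

# Authentic Data bit in the DNS header flags word (RFC 4035, section 3.2.3).
AD_FLAG = 0x0020

# Assumed policy for this example: transports the application can actually
# know are protected. IPsec is absent because the application has no way to
# query whether it is engaged for a given peer.
SECURE_TRANSPORTS = {"loopback", "dot", "doh"}  # DNS over TLS / DNS over HTTPS

HEADER_LEN = 12


def parse_header(msg: bytes) -> dict:
    """Unpack the 12-byte DNS header (RFC 1035): ID, flags, four section counts."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than its header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def with_flags(msg: bytes, flags: int) -> bytes:
    """Return a copy of msg with the flags word replaced; the rest is untouched."""
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def server_finalize(response: bytes, validated: bool, transport: str) -> bytes:
    """Server side: AD goes out only if the answer validated AND the server
    knows the transport to the client is protected. Anything already set in
    the flags word (e.g. copied from an upstream reply) is cleared first."""
    flags = parse_header(response)["flags"] & ~AD_FLAG
    if validated and transport in SECURE_TRANSPORTS:
        flags |= AD_FLAG
    return with_flags(response, flags)


def client_trusts_ad(response: bytes, transport: str) -> bool:
    """Client side: an AD bit that came over an unprotected path could have
    been set by anyone on the path, so it counts only over a secure transport."""
    ad_set = bool(parse_header(response)["flags"] & AD_FLAG)
    return ad_set and transport in SECURE_TRANSPORTS


# Constructed sample: header of a reply with QR, RD and RA set (0x8180),
# one question and one answer, followed by a placeholder question section.
SAMPLE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x00\x00\x01\x00\x01"

# Same reply as an upstream resolver would hand it over, AD already set.
SAMPLE_WITH_AD = with_flags(SAMPLE, 0x8180 | AD_FLAG)


if __name__ == "__main__":
    for transport in ("udp", "dot"):
        out = server_finalize(SAMPLE_WITH_AD, validated=True, transport=transport)
        print(transport, hex(parse_header(out)["flags"]),
              "client trusts AD:", client_trusts_ad(out, transport))
```

Run as a script it shows the validated answer leaving with AD cleared over plain UDP and set over DNS-over-TLS; the client-side check is the part an application can enforce today without any IPsec API.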