What the flags on DNS query responses mean

July 6, 2007

Responses from DNS servers come with various useful and informative flags. Since I just looked them up while figuring out just what was going on with a peculiar nameserver, I'm going to write it down for my future reference.

qr Yes, this is really a DNS response that dig is printing.
aa The server is authoritative for the domain.
rd You asked for recursive resolution of your query.
ra The server is willing to do recursive queries for you.
tc The response was truncated because it was too big to fit in a UDP packet.

These come from RFC1035 section 4.1.1, which is worth reading in full (it's short).

Every nameserver for a domain should be an authoritative server for the domain and so its responses about the domain should always have the aa bit set. These days, seeing ra from a domain's nameserver should make you nervous, especially if the nameserver does not report itself as authoritative (ie, doesn't set aa).

(Real secondary servers for a domain are authoritative for the domain and know it, even though they do not hold a permanent local copy of the domain's DNS records. Informal secondaries, where you just list a nameserver that will do recursive queries for the Internet as one of your NS records, are not authoritative and will not set aa on replies. Yes, people really do that.)

Written on 06 July 2007.
« How not to set up your DNS (part 15)
Weekly spam summary on July 7th, 2007 »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Jul 6 16:45:17 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.