What the flags on DNS query responses mean

July 6, 2007

Responses from DNS servers come with various useful and informative flags. Since I just looked them up while figuring out just what was going on with a peculiar nameserver, I'm going to write it down for my future reference.

qr: Yes, this is really a DNS response that dig is printing.
aa: The server is authoritative for the domain.
rd: You asked for recursive resolution of your query.
ra: The server is willing to do recursive queries for you.
tc: The response was truncated because it was too big to fit in a UDP packet.

These come from RFC1035 section 4.1.1, which is worth reading in full (it's short).

Every nameserver for a domain should be an authoritative server for the domain, and so its responses about the domain should always have the aa bit set. These days, seeing ra from a domain's nameserver should make you nervous, especially if the nameserver does not report itself as authoritative (i.e., doesn't set aa).

(Real secondary servers for a domain are authoritative for the domain and know it, even though they do not hold a permanent local copy of the domain's DNS records. Informal secondaries, where you just list a nameserver that will do recursive queries for the Internet as one of your NS records, are not authoritative and will not set aa on replies. Yes, people really do that.)
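As an added illustration (not part of the original post), here is a small Python decoder for the RFC 1035 header flags that applies the rule of thumb above to a reply from a host listed in a zone's NS records. The packets, function names and warning strings are my own constructions; the flag bit positions are those of RFC 1035 section 4.1.1.

```python
"""Decode RFC 1035 header flags and apply the post's rule of thumb:
a listed nameserver should answer with aa set and ideally without ra."""
import struct

# Bit positions in the 16-bit flags word (RFC 1035 section 4.1.1):
# QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4), MSB first.
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7}


def parse_header(packet: bytes) -> dict:
    """Return which flags are set, plus id, opcode and rcode."""
    if len(packet) < 12:
        raise ValueError("a DNS header is 12 bytes")
    ident, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    result = {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}
    result["id"] = ident
    result["opcode"] = (flags >> 11) & 0xF
    result["rcode"] = flags & 0xF
    return result


def assess_nameserver(packet: bytes) -> list:
    """Warnings for a reply from a host that appears in the zone's NS records."""
    h = parse_header(packet)
    if not h["qr"]:
        return ["not a response (qr clear)"]
    warnings = []
    if not h["aa"]:
        warnings.append("listed nameserver is not authoritative (aa clear)")
    if h["ra"]:
        warnings.append("nameserver offers recursion (ra set)")
    if h["tc"]:
        warnings.append("response truncated (tc set); retry over TCP")
    return warnings


def make_header(qr=1, aa=0, tc=0, rd=0, ra=0, rcode=0, ident=0x1234) -> bytes:
    """Constructed 12-byte header (one question, no records) for testing."""
    flags = (qr << 15) | (aa << 10) | (tc << 9) | (rd << 8) | (ra << 7) | rcode
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    # Constructed samples: a real secondary answering authoritatively, and an
    # "informal secondary" (a recursive resolver listed in NS) answering from cache.
    samples = {"real secondary": make_header(aa=1, rd=1),
               "informal secondary": make_header(aa=0, rd=1, ra=1)}
    for label, pkt in samples.items():
        print(label, assess_nameserver(pkt) or ["looks fine"])
```

The same bits are what dig summarises in its `flags:` line; decoding them from the raw header lets you run the check over captured traffic rather than by eye.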


Comments on this page:

By Dan.Astoorian at 2007-07-09 15:02:55:

aa The server is authoritative for the domain.

...well, maybe.

I believe the behaviour was fixed in BIND 9, but earlier versions of BIND had a rather interesting interpretation of "the responding name server is an authority for the domain name": if you made a recursive query to a nameserver, and the answer was not in the cache, BIND would go out and fetch the answer using the name's NS records (i.e., presumably from an authoritative nameserver), and forward the result back to the client verbatim, including the AA flag. Thus, you could make the same query twice in rapid succession to the same forwarding nameserver, and the AA flag would be set in the first response and clear in the second.

I believe this was considered an optimization feature, in that the AA bit was deemed to mean "this answer is fresh from an authoritative server, i.e., it was not taken from a possibly stale cache."

To this day, I always run dig twice in a row if I want to know whether a nameserver really believes it is authoritative for the name I'm querying.

--Dan

Written on 06 July 2007.
Last modified: Fri Jul 6 16:45:17 2007