== What the flags on DNS query responses mean

Responses from DNS servers come with various useful and informative
flags. Since I just looked them up while figuring out just what was
going on with a [[peculiar nameserver HowNotToDoDNSXV]], I'm going
to write it down for my future reference.

|_. _qr_		| Yes, this is really a DNS response that _dig_
			  is printing.
| _aa_			| The server is authoritative for the domain.
| _rd_			| You asked for recursive resolution of your query.
| _ra_			| The server is willing to do recursive queries for
			  you.
| _tc_			| The response was truncated because it was too
			  big to fit in a UDP packet.

These come from [[RFC1035 http://www.ietf.org/rfc/rfc1035.txt]] section
4.1.1, which is worth reading in full (it's short).

Every nameserver for a domain should be an authoritative server for the
domain and so its responses about the domain should always have the _aa_
bit set. These days, seeing _ra_ from a domain's nameserver should make
you nervous, especially if the nameserver does not report itself as
authoritative (ie, doesn't set _aa_).

(Real secondary servers for a domain *are* authoritative for the domain
and know it, even though they do not hold a permanent local copy of
the domain's DNS records. Informal secondaries, where you just list a
nameserver that will do recursive queries for the Internet as one of
your NS records, are not authoritative and will not set _aa_ on replies.
Yes, people really do that.)