Getting AUTHORITY flag set to zero even though I am getting results from authoritative DNS server for that zone, why?

[root@master ~]# dig master.example.com

; <<>> DiG 9.16.23-RH <<>> master.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14798
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f4ad1e4a9fad4e8a0100000066248aef744574463690ba3e (good)
;; QUESTION SECTION:
;master.example.com.            IN      A

;; ANSWER SECTION:
master.example.com.     86400   IN      A       192.168.1.3

;; Query time: 0 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Sun Apr 21 09:26:35 +0545 2024
;; MSG SIZE  rcvd: 91

I can share all my configuration files if required, as this is a test environment.

Hello,

Here, the "aa" flag tells us that the DNS server you queried is returning an authoritative answer to your query - in other words, it knows with certainty that the given record does or does not exist. Normally a DNS server is able to return an authoritative answer when it actually has a zone defined for that domain, and therefore knows which records within that zone you have queried either do exist, or do not exist.

The AUTHORITY flag is slightly different. When it's set to 1, that indicates that an authority record is included in the DNS server's response. That would provide a separate section in your dig output showing which name servers were authoritative for the domain.

However, including the authority section is an optional thing in the DNS protocol specification, and to save time and resources, many DNS servers have an option to disable this. In the case of BIND, if you have the minimal-responses flag set in your options, authority records will never be returned, and so every reply to a request will always have the AUTHORITY flag set to 0, even if the response is authoritative and has the "aa" flag set. In all cases, for authoritative responses the "aa" flag itself will be set correctly, and that is never optional.

If you're not using BIND, presumably whatever name server you are using has a similar option somewhere in its configuration to include or exclude these extra optional sections in DNS replies. You'd have to check the documentation for your name server software to see what that is.

Hope this helps!

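An added example (not part of the thread or of BIND) showing in Python why the "aa" flag and the AUTHORITY count are independent: "aa" is one bit in the 16-bit flags word of the DNS header, while AUTHORITY is dig's name for the separate NSCOUNT field. The header bytes are constructed to mirror the dig output in the question; the second header assumes the same server answering without minimal-responses, so its NS record lands in the authority section.

```python
import re
import struct

# DNS header layout (RFC 1035 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
HEADER = struct.Struct(">HHHHHH")

# Bit masks inside the FLAGS word, in the order dig prints them.
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100, "ra": 0x0080}

# dig's own summary line, e.g. ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"
DIG_FLAGS = re.compile(
    r";; flags: ([^;]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte wire header; the four counts are the section sizes dig prints."""
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": ident,
        "flags": [name for name, mask in FLAG_BITS.items() if flags & mask],
        "rcode": flags & 0x000F,  # 0 == NOERROR
        "QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar,
    }

def parse_dig_flags(line: str) -> dict:
    """Same fields recovered from a dig ';; flags:' line instead of raw bytes."""
    m = DIG_FLAGS.search(line)
    if not m:
        raise ValueError("not a dig flags line")
    counts = [int(g) for g in m.groups()[1:]]
    return dict(zip(("QUERY", "ANSWER", "AUTHORITY", "ADDITIONAL"), counts),
                flags=m.group(1).split())

def describe(hdr: dict) -> str:
    """State what the answer above explains: aa is authority; NSCOUNT is just a section size."""
    if "aa" not in hdr["flags"]:
        return "non-authoritative (cached/recursive) answer"
    if hdr["AUTHORITY"] == 0:
        return "authoritative answer; NS records omitted (e.g. BIND minimal-responses)"
    return "authoritative answer with %d authority record(s)" % hdr["AUTHORITY"]

# Constructed headers: the first mirrors the question's dig output (id 14798, qr aa rd,
# QUERY 1, ANSWER 1, AUTHORITY 0, ADDITIONAL 1); the second assumes the same reply
# with one NS record in the authority section and its glue in ADDITIONAL.
MINIMAL = HEADER.pack(14798, 0x8000 | 0x0400 | 0x0100, 1, 1, 0, 1)
WITH_NS = HEADER.pack(14798, 0x8000 | 0x0400 | 0x0100, 1, 1, 1, 2)

if __name__ == "__main__":
    for raw in (MINIMAL, WITH_NS):
        h = parse_header(raw)
        print(h["flags"], "AUTHORITY:", h["AUTHORITY"], "->", describe(h))
```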

Nitpick: The server returned NOERROR and an answer:

;; ANSWER SECTION:
master.example.com.     86400   IN      A       192.168.1.3

So the server did know that the record did exist and returned its value.