[root@master ~]# dig master.example.com
; <<>> DiG 9.16.23-RH <<>> master.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14798
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f4ad1e4a9fad4e8a0100000066248aef744574463690ba3e (good)
;; QUESTION SECTION:
;master.example.com. IN A
;; ANSWER SECTION:
master.example.com. 86400 IN A 192.168.1.3
;; Query time: 0 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Sun Apr 21 09:26:35 +0545 2024
;; MSG SIZE rcvd: 91
I can share all my configuration files if required, as this is a test environment.
Hello,
Here, the "aa" flag tells us that the DNS server you queried is returning an authoritative answer to your query - in other words, it knows with certainty that the given record does or does not exist. Normally a DNS server is able to return an authoritative answer when it actually has a zone defined for that domain, and therefore knows which records within that zone you have queried either do exist, or do not exist.
The AUTHORITY flag is slightly different. When it's set to 1, that indicates that an authority record is included in the DNS server's response. That would provide a separate section in your dig output showing which name servers were authoritative for the domain.
However, including the authority section is an optional thing in the DNS protocol specification, and to save time and resources, many DNS servers have an option to disable this. In the case of BIND, if you have the minimal-responses flag set in your options, authority records will never be returned, and so every reply to a request will always have the AUTHORITY flag set to 0, even if the response is authoritative and has the "aa" flag set. In all cases, for authoritative responses the "aa" flag itself will be set correctly, and that is never optional.
If you're not using BIND, presumably whatever name server you are using has a similar option somewhere in its configuration to include or exclude these extra optional sections in DNS replies. You'd have to check the documentation for your name server software to see what that is.
Hope this helps !
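To make the distinction in the reply above concrete, here is an added example (my own code, not anything posted in this thread and not BIND code): in dig's header line, "aa" is one bit in the 16-bit flags word, while the AUTHORITY number on the same line is the NSCOUNT field, the count of records in the authority section. The script constructs three responses to the poster's query offline (the query ID, the zone example.com and the name server ns1.example.com are assumptions for illustration) and decodes their headers the way dig prints them.

```python
"""Decode a DNS response header the way dig summarises it.

Added example for this thread (not code from the post or from BIND): it
constructs response packets by hand, so it runs offline. The query ID,
names and address are illustrative assumptions.
"""
import struct

# Flag bits of the 16-bit header flags word (RFC 1035, section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_response(qid, name, zone, address, authoritative=True, ns_names=(), recursion_available=False):
    """Constructed response: one A answer, optional NS authority records, one OPT record.

    ns_names=() models BIND's minimal-responses: the server answers
    authoritatively (aa set) but sends no authority section (NSCOUNT 0).
    """
    flags = QR | RD                                   # response; RD echoed from the query
    if authoritative:
        flags |= AA                                   # the bit dig prints as "aa"
    if recursion_available:
        flags |= RA
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, len(ns_names), 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)          # type A, class IN
    answer = (encode_name(name) + struct.pack("!HHIH", 1, 1, 86400, 4)
              + bytes(int(o) for o in address.split(".")))
    authority = b""
    for ns in ns_names:                               # NS records for the zone, if any
        rdata = encode_name(ns)
        authority += encode_name(zone) + struct.pack("!HHIH", 2, 1, 86400, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0)            # EDNS0 OPT, udp 1232
    return header + question + answer + authority + opt


def parse_header(packet):
    """Decode the 12-byte header into the fields dig shows in its HEADER and flags lines."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    names = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA))
    return {
        "id": qid,
        "opcode": OPCODES.get((flags >> 11) & 0xF, "RESERVED"),
        "status": RCODES.get(flags & 0xF, "RESERVED"),
        "flags": [n for n, mask in names if flags & mask],
        # These four are section record counts, not flags: AUTHORITY is NSCOUNT.
        "QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar,
    }


def dig_flags_line(h):
    """Render the header the way dig's ';; flags:' line does."""
    return (f";; flags: {' '.join(h['flags'])}; QUERY: {h['QUERY']}, ANSWER: {h['ANSWER']}, "
            f"AUTHORITY: {h['AUTHORITY']}, ADDITIONAL: {h['ADDITIONAL']}")


def is_authoritative(packet):
    """Test the aa bit directly; an empty authority section says nothing about authority."""
    return bool(struct.unpack("!H", packet[2:4])[0] & AA)


if __name__ == "__main__":
    cases = {
        "minimal-responses": build_response(14798, "master.example.com.", "example.com.", "192.168.1.3"),
        "with NS records": build_response(14798, "master.example.com.", "example.com.", "192.168.1.3",
                                          ns_names=("ns1.example.com.",)),
        "recursive cache": build_response(14798, "master.example.com.", "example.com.", "192.168.1.3",
                                          authoritative=False, recursion_available=True),
    }
    for label, pkt in cases.items():
        print(f"{label:18} {dig_flags_line(parse_header(pkt))}  authoritative={is_authoritative(pkt)}")
```

The first case reproduces the header line from the dig output at the top of the thread: "aa" set, AUTHORITY 0. The second keeps "aa" and adds an NS record, so AUTHORITY becomes 1; the third is what a recursive resolver answering from cache looks like, "ra" set and "aa" clear. Anything that decides whether an answer is authoritative should read the aa bit, as is_authoritative does, and not the NSCOUNT.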
Nitpick: The server returned NOERROR and an answer:
;; ANSWER SECTION:
master.example.com. 86400 IN A 192.168.1.3
So the server did know that the record did exist and returned its value.