win2k SOA Non-Authoritative Response

Jay Remsen jkremsen at
Wed Oct 31 18:05:35 UTC 2001

My colleague and I currently support several BIND DNS servers and recently 
inherited a win2k DNS active directory server. While trying to integrate the 
win2k server into our DNS structure we noticed that the win2k server was 
responding to queries with what appear to be non-authoritative answers for 
things that it is the authoritative server for. Looking at the packets with a 
sniffer, we see that the AA bit is set in the replies but there is not any info 
in the Authority Section of the packet. However, there is info in the 
Additional Section. DIG, NSLOOKUP and Host commands all show the replies as 
being non-authoritative even when the AA bit is set. The following is an 
example of what we are seeing.

$ dig @ soa

; <<>> DiG 8.3 <<>> @ soa
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;;, type = SOA, class = IN

;; ANSWER SECTION:            1H IN SOA admin. (
                                        104             ; serial
                                        15M             ; refresh
                                        10M             ; retry
                                        1D              ; expiry
                                        1H )            ; minimum


;; Total query time: 3 msec
;; FROM: kotpns01 to SERVER:
;; WHEN: Wed Oct 31 12:47:56 2001

Has anyone seen this before, or does anyone think that this is going to be a 
problem in a BIND environment?


Jay Remsen
jkremsen at
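
Added example, not part of the original message: a decoder for the fixed 12-byte DNS header (RFC 1035, section 4.1.1) that reads the AA bit and the four section counts independently of each other. The sample bytes are constructed to match the header line in the dig output above (id 6, flags qr aa rd ra, counts 1/1/0/1); the function names and the second sample are assumptions made for illustration.

```python
import struct

# Bit masks within the 16-bit flags word of the DNS header (RFC 1035, 4.1.1).
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
             ("rd", 0x0100), ("ra", 0x0080))


def parse_dns_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte header at the start of a raw DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": [name for name, mask in FLAG_BITS if flags & mask],
        "counts": {"QUERY": qd, "ANSWER": an,
                   "AUTHORITY": ns, "ADDITIONAL": ar},
    }


def is_authoritative(header: dict) -> bool:
    """A response is marked authoritative by the AA header bit alone;
    the AUTHORITY section count is a separate field and is not consulted."""
    return "qr" in header["flags"] and "aa" in header["flags"]


# Constructed sample 1: mirrors the dig header line in the message
# (id 6, qr aa rd ra, QUERY 1, ANSWER 1, AUTHORITY 0, ADDITIONAL 1).
AA_EMPTY_AUTHORITY = struct.pack("!6H", 6, 0x8580, 1, 1, 0, 1)

# Constructed sample 2 (hypothetical contrast case): AA clear, but one
# record present in the AUTHORITY section.
NO_AA_WITH_AUTHORITY = struct.pack("!6H", 7, 0x8180, 1, 1, 1, 0)

if __name__ == "__main__":
    for label, raw in (("sample 1", AA_EMPTY_AUTHORITY),
                       ("sample 2", NO_AA_WITH_AUTHORITY)):
        hdr = parse_dns_header(raw)
        print(label, hdr["flags"], hdr["counts"],
              "authoritative" if is_authoritative(hdr) else "not authoritative")
```
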


More information about the bind-users mailing list