win2k SOA Non-Authoritative Response

Barry Margolin barmar at
Wed Oct 31 20:02:10 UTC 2001

In article <9rpiog$gtp at>,
Jay Remsen  <jkremsen at> wrote:
>My colleague and I currently support several Bind DNS servers and recently 
>inherited a win2k DNS active directory server.   While trying to integrate the 
>win2k server into our DNS structure we noticed that the win2k server was 
>responding to queries with what appear to be non-authoritative answers for 
>things for which it is the authoritative server.  Looking at the packets with a 
>sniffer, we see that the AA bit is set in the replies but there is not any info 
>in the Authority Section of the packet.  However, there is info in the 

Filling in the authority section is not required unless you're sending a
referral.  BIND includes the NS records in the authority section of its
replies, but this is not required AFAIK.

>Additional Section.  DIG, NSLOOKUP and Host commands all show the replies as 
>being non-authoritative even when the AA bit is set.  The following is an 
>example of what we are seeing.

What do you mean "show the replies as being non-authoritative"?  The
"flags" section contains "aa", which means the reply is authoritative.  The
Authority section has nothing to do with whether a reply is authoritative
or not; it's used to refer the client to some other server that's supposed
to be authoritative for the zone.

>$ dig @ soa
>; <<>> DiG 8.3 <<>> @ soa
>; (1 server found)
>;; res options: init recurs defnam dnsrch
>;; got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>;;, type = SOA, class = IN
>            1H IN SOA admin. (
>                                        104             ; serial
>                                        15M             ; refresh
>                                        10M             ; retry
>                                        1D              ; expiry
>                                        1H )            ; minimum
>      1H IN A
>;; Total query time: 3 msec
>;; FROM: kotpns01 to SERVER:
>;; WHEN: Wed Oct 31 12:47:56 2001
>Has anyone seen this before, or thinks that this is going to be a problem in a 
>bind environment?
>Jay Remsen
>jkremsen at

Barry Margolin, barmar at
Genuity, Woburn, MA
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
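
Added example, not part of the original post: a small Python decoder for the fixed 12-byte DNS header (RFC 1035, section 4.1.1) showing that authoritativeness is read from the AA flag alone, independent of the AUTHORITY count. The header bytes are constructed to mirror the counts in the quoted dig output; the names WIN2K_STYLE, BIND_STYLE, REFERRAL and CACHED, and the count-based referral heuristic, are assumptions of this example.

```python
import struct

# Bit masks inside the 16-bit flags word of the DNS header (RFC 1035, 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
FLAG_NAMES = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA))

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into flags and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": [name for name, mask in FLAG_NAMES if flags & mask],
        "rcode": flags & 0x000F,
        "query": qd, "answer": an, "authority": ns, "additional": ar,
    }

def classify(msg: bytes) -> str:
    """Classify a message from its header only.

    The AA bit decides authoritativeness; the authority count is consulted
    only to spot a referral-shaped reply. That last test is a heuristic:
    telling a referral from a cached no-data reply needs the record types.
    """
    h = parse_header(msg)
    if "qr" not in h["flags"]:
        return "query"
    if "aa" in h["flags"]:
        return "authoritative"
    if h["rcode"] == 0 and h["answer"] == 0 and h["authority"] > 0:
        return "referral"
    return "non-authoritative"

# Constructed sample headers (header only, no question or record data).
# Same flags and counts as the quoted dig output: aa set, AUTHORITY: 0.
WIN2K_STYLE = struct.pack("!6H", 6, QR | AA | RD | RA, 1, 1, 0, 1)
# Same answer with NS records added to the authority section, as BIND does.
BIND_STYLE = struct.pack("!6H", 6, QR | AA | RD | RA, 1, 1, 2, 3)
# No AA, no answer, NS records in authority: pointing at another server.
REFERRAL = struct.pack("!6H", 7, QR | RD, 1, 0, 2, 2)
# No AA but an answer present: served from a resolver's cache.
CACHED = struct.pack("!6H", 8, QR | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    for label, msg in (("win2k-style", WIN2K_STYLE), ("bind-style", BIND_STYLE),
                       ("referral", REFERRAL), ("cached", CACHED)):
        h = parse_header(msg)
        print(f"{label:12} flags={' '.join(h['flags']):12} "
              f"AUTHORITY={h['authority']} -> {classify(msg)}")
```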
