Z flag is different from 0

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at baesystems.com
Tue Nov 30 13:54:12 UTC 2004


Hi -

I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master
and secondary), which support a dozen (+/-) domains.  We recently
upgraded our firewall to CheckPoint with their SmartDefense product. (We
had been running an older Gauntlet firewall)

My issue is that SmartDefense is alerting on our outgoing DNS queries,
saying "Bad DNS Headers, Z flag is different from 0".  I've looked at
RFC2929, which says:

--quote--
2.1 One Spare Bit?

   There have been ancient DNS implementations for which the Z bit being
   on in a query meant that only a response from the primary server for
   a zone is acceptable.  It is believed that current DNS
   implementations ignore this bit.

   Assigning a meaning to the Z bit requires an IETF Standards Action.
---------

Should I be looking for a way to configure bind to not set the Z flag?
Or is there some other solution to this issue?

Thanks in advance.
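
To check an alert like this against a captured query, the 16-bit flags word of the DNS header can be decoded directly. The following is an added example, not part of the original post: it uses the RFC 2929 header layout (Z as a single bit next to AD and CD), also reports the three-bit Z field that RFC 1035 defined over the same positions, and runs on constructed sample headers.

```python
import struct

# Flag masks for the 16-bit field that follows the ID (RFC 2929 layout).
QR, RD = 0x8000, 0x0100
Z_BIT = 0x0040       # the single spare bit described in RFC 2929 section 2.1
AD, CD = 0x0020, 0x0010
RFC1035_Z = 0x0070   # RFC 1035 reserved all three of these bits as "Z"


def decode_header(message: bytes) -> dict:
    """Decode the fixed 12-byte header of a raw DNS message."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", message[:12])
    return {
        "id": ident,
        "is_response": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & RD),
        "z": bool(flags & Z_BIT),                # RFC 2929 reading
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rfc1035_z": (flags & RFC1035_Z) >> 4,   # RFC 1035 reading, 0..7
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }


def build_query_header(ident: int, flags: int) -> bytes:
    """Constructed sample input: header of a one-question query."""
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0)


# Constructed samples, not taken from any real capture.
SAMPLES = {
    "plain recursive query": build_query_header(0x1A2B, RD),
    "query with Z bit set": build_query_header(0x1A2C, RD | Z_BIT),
    "query with CD bit set": build_query_header(0x1A2D, RD | CD),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        h = decode_header(raw)
        print(f"{label}: z={h['z']} ad={h['ad']} cd={h['cd']} "
              f"rfc1035_z={h['rfc1035_z']:03b}")
```

Feeding it the first 12 bytes of the UDP payload from a capture of the flagged queries shows which of the three bit positions is actually set.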


