Z flag is different from 0
Miner, Jonathan W (CSC) (US SSA)
jonathan.w.miner at baesystems.com
Tue Nov 30 13:54:12 UTC 2004
I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master =
and secondard), which support a dozen (+/-) domains. We recently =
upgraded our firewall to CheckPoint with thier SmartDefense product. (We =
had been running an older Gauntlet firewall)
My issue is that SmartDefense is alerting on our outgoing DNS queries, =
saying "Bad DNS Headers, Z flag is different from 0". I've looked at =
RFC2929, which says:
2.1 One Spare Bit?
There have been ancient DNS implementations for which the Z bit being
on in a query meant that only a response from the primary server for
a zone is acceptable. It is believed that current DNS
implementations ignore this bit.
Assigning a meaning to the Z bit requires an IETF Standards Action.
Should I be looking for a way to configure bind to not set the Z flag? =
Or is there some other solution to this issue?
Thanks in advance.
More information about the bind-users