<div dir="ltr">Hi Michel.<div>You will get an authoritative answer (AA bit = 1) if the server is either primary (master) or secondary (slave) for the QNAME (query name); in this case "reseau1.lan". From the config snip you provided this is because you have the config:</div>
<div><br></div>
<div>zone "reseau1.lan" {</div>
<div> type master;</div>
<div>...</div>
<div>};</div>
<div><br></div>
<div>If you make a query for "xxx.reseau1.lan" to this server, the response you get back will depend on whether you have anything in the zone file ("db.reseau1.lan") that would match that QNAME. If you do not have "xxx" or "*" (wildcard) then there will be no match and the response will be (authoritative) NXDOMAIN - this name does not exist at all.</div>
<div>Personally I would not use a wildcard because it gives the impression that any name exists when really it doesn't.</div>
<div><br></div>
<div>NOTE that the existence of "reseau1.lan" means that ALL names beneath this point will be swallowed by the server, e.g. "a.b.c.d.e.f.reseau1.lan" will all return NXDOMAIN <a class="gmail_plusreply" id="plusReplyChip-0">+AA=1</a><br></div>
<div><br></div>
<div>What behaviour do you think you would like to see?</div>
<div><br></div>
<div>Looking at another part of your config, you should not need this at all:</div>
<div><br></div>
<div>options {</div>
<div> forwarders {8.8.8.8;};</div>
<div>...</div>
<div>};</div>
<div><br></div>
<div>If your server can reach the Internet it can recurse all on its own.</div>
<div><br></div>
<div>I hope that helps.</div>
<div>Greg</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 13 Dec 2023 at 16:29, Michel Diemer via bind-users &lt;<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-family:Arial,Helvetica,sans-serif;font-size:12px"> </div>
<div style="margin-top:20px;padding-top:5px">
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12px">
<div dir="ltr">Dear Bind user,</div>
<div dir="ltr"> </div>
<div dir="ltr">I am a teacher and trying to understand how dns works. I am spending hours reading various sources without finding satisfying information. For teaching purposes I have created a virtual machine with isc dhcp server and bind9 and another virtual machine that uses the first one as isc dhcp and dns server.</div>
<div dir="ltr"> </div>
<div dir="ltr">I have disabled IPv6 by setting link-local: [] in netplan's setting.</div>
<div dir="ltr"> </div>
<div dir="ltr">The name of the network (dns zone) is "reseau1.lan". When I "dig -4 reseau1.lan" the AUTHORITY bit is set to 1.</div>
<div dir="ltr"> </div>
<div dir="ltr">Why or when should the AUTHORITY bit be set to 1? What does it take for nslookup to give me an authoritative answer?</div>
<div dir="ltr"> </div>
<div dir="ltr">If I "ping xxx.reseau1.lan" I get an NXDOMAIN answer. Why NXDOMAIN and not NOERROR (NODATA)? The domain "reseau1.lan" exists and my dns server is authoritative for this zone (SOA record) but the computer "xxx" on this domain does not. Should I use a wildcard dns record?</div>
<div dir="ltr"> </div>
<div dir="ltr">I have tried to empty the list of forwarders and disable the dns cache ... should I configure a dns-resolver only for the domain reseau1.lan and then a dns forwarder for external dns queries? Or maybe configure the resolver for the lan network interface and the forwarder on the internet network interface on the dns server?</div>
<div dir="ltr"> </div>
<div dir="ltr">I managed to get "AUTHORITY: 1" when typing "dig -4 soa reseau1.lan" by disabling the forwarders and the cache so I guess I should configure bind per network interface. But when typing "dig -4 pc1.reseau1.lan" the AUTHORITY bit is always set to 0.</div>
<div dir="ltr"> </div>
<div dir="ltr">
<div><br>
<br>
Kind Regards,<br>
<br>
Michel Diemer</div>
</div>
</div>
</div>
</blockquote></div>
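<div>An added example (not part of either message, and not BIND's code): a simplified model of how an authoritative server chooses between an answer, NODATA and NXDOMAIN for names under "reseau1.lan", including the wildcard case discussed above. The zone contents and function names are constructed for illustration; CNAMEs and delegations are ignored.</div>

```python
# Added illustration: simplified authoritative lookup (no CNAME, no delegations).
ZONE = "reseau1.lan"
# Constructed sample zone contents: owner name -> record types present.
RECORDS = {
    "reseau1.lan": {"SOA", "NS"},
    "pc1.reseau1.lan": {"A"},
    "a.b.reseau1.lan": {"A"},  # makes b.reseau1.lan an empty non-terminal
}

def labels(name):
    return name.lower().rstrip(".").split(".")

def in_zone(qname, zone=ZONE):
    z = labels(zone)
    return labels(qname)[-len(z):] == z

def name_exists(name, records):
    # A name exists if it owns records or is an ancestor of a name that does.
    n = labels(name)
    return any(labels(owner)[-len(n):] == n for owner in records)

def classify(qname, qtype, records=RECORDS, zone=ZONE):
    """Return (rcode, aa_bit, note) for a query sent to the zone's server."""
    if not in_zone(qname, zone):
        return (None, 0, "outside zone")  # server is not authoritative here
    qname = ".".join(labels(qname))
    if name_exists(qname, records):
        if qtype in records.get(qname, set()):
            return ("NOERROR", 1, "answer")
        return ("NOERROR", 1, "NODATA")  # name exists, type does not
    # Name does not exist: find the closest existing ancestor, try its wildcard.
    parts = labels(qname)
    for i in range(1, len(parts)):
        encloser = ".".join(parts[i:])
        if name_exists(encloser, records):
            wild = "*." + encloser
            if wild in records:
                hit = qtype in records[wild]
                return ("NOERROR", 1, "wildcard answer" if hit else "wildcard NODATA")
            break
    return ("NXDOMAIN", 1, "name does not exist")

if __name__ == "__main__":
    for q in [("reseau1.lan", "SOA"), ("reseau1.lan", "A"),
              ("xxx.reseau1.lan", "A"), ("b.reseau1.lan", "A")]:
        print(q, classify(*q))
```

<div>Adding a "*.reseau1.lan" entry to the sample records turns the NXDOMAIN for "xxx.reseau1.lan" into a synthesized answer, while names under an existing node such as "x.b.reseau1.lan" still return NXDOMAIN.</div>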