win2k SOA Non-Authoritative Response

Barry Margolin barmar at genuity.net
Wed Oct 31 20:02:10 UTC 2001


In article <9rpiog$gtp at pub3.rc.vix.com>,
Jay Remsen  <jkremsen at mail.netusa1.net> wrote:
>My colleague and I currently support several BIND DNS servers and recently 
>inherited a win2k DNS active directory server.   While trying to integrate the 
>win2k server into our DNS structure we noticed that the win2k server was 
>responding to queries with what appears to be non-authoritative answers for 
>things that it is the authoritative server.  Looking at the packets with a 
>sniffer, we see that the AA bit is set in the replies but there is not any info 
>in the Authority Section of the packet.  However, there is info in the 

Filling in the authority section is not required unless you're sending a
referral.  BIND includes the NS records in the authority section of its
replies, but this is not required AFAIK.

>Additional Section.  DIG, NSLOOKUP and Host commands all show the replies as 
>being non-authoritative even when the AA bit is set.  The following is an 
>example of what we are seeing.

What do you mean "show the replies as being non-authoritative"?  The
"flags" section contains "aa", which means the reply is authoritative.  The
Authority section has nothing to do with whether a reply is authoritative
or not; it's used to refer the client to some other server that's supposed
to be authoritative for the zone.

>$ dig @192.168.40.51 soa academy.com.
>
>; <<>> DiG 8.3 <<>> @192.168.40.51 soa academy.com.
>; (1 server found)
>;; res options: init recurs defnam dnsrch
>;; got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>;; QUERY SECTION:
>;;      academy.com, type = SOA, class = IN
>
>;; ANSWER SECTION:
>academy.com.            1H IN SOA       plato.academy.com. admin. (
>                                        104             ; serial
>                                        15M             ; refresh
>                                        10M             ; retry
>                                        1D              ; expiry
>                                        1H )            ; minimum
>
>
>;; ADDITIONAL SECTION:
>plato.academy.com.      1H IN A         192.168.40.51
>
>;; Total query time: 3 msec
>;; FROM: kotpns01 to SERVER: 192.168.40.51
>;; WHEN: Wed Oct 31 12:47:56 2001
>
>Has anyone seen this before, or thinks that this is going to be a problem in a 
>BIND environment?
>
>Thanks,
>
>Jay Remsen
>jkremsen at netusa1.net
>


-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
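
Added example, not part of the original post or of BIND: a small header decoder showing that whether a reply is authoritative is read from the AA bit in the 12-byte DNS header (RFC 1035, section 4.1.1), not from the Authority section count. The four sample headers are constructed for illustration; the first mirrors the flags and counts in the dig output quoted above, and the names `parse_header` and `classify` are hypothetical.

```python
import struct

# Bit masks inside the 16-bit flags word of the DNS header (RFC 1035, 4.1.1).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100, "ra": 0x0080}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header: id, flags, rcode, section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "query": qd, "answer": an, "authority": ns, "additional": ar,
    }

def classify(msg: bytes) -> str:
    """Label a message using header fields only."""
    h = parse_header(msg)
    if "qr" not in h["flags"]:
        return "query"
    if "aa" in h["flags"]:
        # AA alone decides this; an empty Authority section does not change it.
        return "authoritative response"
    if h["rcode"] == 0 and h["answer"] == 0 and h["authority"] > 0:
        # No answer, no AA, NS records in Authority: pointer to another server.
        return "referral"
    return "non-authoritative response"

# Constructed sample headers (id, flags, QUERY, ANSWER, AUTHORITY, ADDITIONAL).
WIN2K_STYLE = struct.pack("!6H", 6, 0x8580, 1, 1, 0, 1)  # qr aa rd ra, AUTHORITY: 0
WITH_NS     = struct.pack("!6H", 6, 0x8580, 1, 1, 2, 2)  # same flags, NS records included
REFERRAL    = struct.pack("!6H", 7, 0x8000, 1, 0, 2, 2)  # qr only, NS records in Authority
CACHED      = struct.pack("!6H", 8, 0x8180, 1, 1, 0, 0)  # qr rd ra, answered from cache

if __name__ == "__main__":
    for label, msg in [("win2k-style", WIN2K_STYLE), ("with NS", WITH_NS),
                       ("referral", REFERRAL), ("cached", CACHED)]:
        h = parse_header(msg)
        print(f"{label:12} flags={' '.join(h['flags']):12} "
              f"AUTHORITY={h['authority']} -> {classify(msg)}")
```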


More information about the bind-users mailing list