Reponses from a non-authoritative server with the AA flag set

[Barry Margolin]

In article <dbrbl5$2put$1 at sf1.isc.org>, svieth at wi.rr.com wrote:

> Hi:
> 
> I found numerous discussions in c.p.d.b that mention that BIND 8 would
> return answers with the AA bit for zones that the BIND 8 server was not
> authoritative for.  This happens the first time that the BIND 8 server
> is asked to resolve a particular name.  After that, the result is
> cached and BIND 8 returns answers without AA set for that particular
> query because the answer is coming from the BIND 8 server's cache.
> 
> In BIND 9, it is said that answers always have the AA bit clear unless
> that particular BIND 9 server is authoritative for the zone that they
> query was asking about.
> 
> My question is this:  We have a case where a load balancer is returning
> answers with the AA bit for a certain zone but the load balancer's
> address is not listed in an NS record for that zone.
> 
> [Our PCs have the address of the load balancer set as their DNS
> server.]
> 
> Will that cause a problem for any client resolvers?  The answer is
> coming back with AA set but the answer is not coming directly from one
> of the nameservers which are listed as authoritative for that zone.  As
> I said above, this seemed to be acceptable behavior in BIND 8.

So as far as you can tell, the load balancers are acting like BIND 8 
servers.  Since this never caused any problems with BIND 8, why do you 
think it would cause a problem with your load balancers?

Anyway, client resolvers don't have any reason to care about the AA 
flag.  It's only used by recursive servers, to warn about lame servers 
(servers that are supposed to be authoritative, but don't set the AA 
flag), and by slave servers when querying the master (they won't pull a 
zone transfer if the master isn't authoritative).

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***