That's great, thank you.
Hello Mateusz,
Thank you for the bug report! It will be fixed soon.
Daniel
On 6/11/26 17:36, Mateusz Masłowski wrote:
> Hello,
>
> I would like to report a bug in Knot DNS 3.5.x where AXFR responses do not have the Authoritative Answer (AA) bit set, which appears to violate RFC 5936 §2.2.
>
> Affected versions tested:
>
> * 3.5.3
> * 3.5.4
>
> Packages tested:
>
> * cznic.1~bookworm
>
> Summary
>
> RFC 5936 §2.2 states:
>
> "Each DNS message returned by the AXFR server MUST have the AA bit set to 1."
>
> However, Knot DNS sends AXFR responses with flags set to |qr| only. The AA bit is not set in any of the messages in the transfer stream.
>
> As a result, strict secondary DNS servers, notably Windows Server DNS, reject such responses as invalid and abort the zone transfer.
>
> Expected behavior
>
> AXFR response messages should have the AA bit set.
>
> Expected flags:
>
> |qr aa|
>
> Actual behavior
>
> AXFR response messages have only the QR bit set.
>
> Actual flags:
>
> |qr|
>
> Possible root cause
>
> The function |axfr_process_query()| in |src/knot/nameserver/axfr.c| does not appear to call |knot_wire_set_aa()|.
>
> By contrast, the normal query path, via |solve_answer()| in |internet.c|, does set the AA bit, so SOA, A, and other authoritative responses are returned correctly. The AXFR code path appears to bypass this logic.
>
> Minimal reproducer
>
> |dig @<knot-master> +tcp AXFR <zone> | head -2|
>
> Observed output:
>
> |;; flags: qr;|
>
> The AA bit is missing.
>
> This can also be verified with |tcpdump|: byte 3 of each DNS message in the AXFR stream has value |0x80| / QR only, instead of |0x84| / QR + AA.
>
>
> --
>
> Best regards,
> Mateusz Masłowski
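The report above verifies the bug by reading the header flags of each message in the AXFR stream (the dig flag line, or the third header byte in a tcpdump capture). The following is an added example, not code from the report or from Knot DNS, that performs the same check programmatically: it splits a TCP DNS stream into its two-byte-length-prefixed messages (RFC 1035 section 4.2.2), decodes the 16-bit flags word, and reports whether each message satisfies the RFC 5936 section 2.2 requirement that AA be set. The two sample messages are constructed inline (header only, no question or RR sections) so the script runs offline; one mimics the observed QR-only behaviour, the other the expected QR+AA form.

```python
import struct

# Bit masks for the 16-bit flags word at header offset 2-3 (RFC 1035 section 4.1.1).
QR = 0x8000
AA = 0x0400
TC = 0x0200
RD = 0x0100
RA = 0x0080


def parse_header_flags(msg: bytes) -> dict:
    """Decode the flags word of a DNS message header into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS header needs at least 12 bytes")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return {
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
    }


def flag_string(f: dict) -> str:
    """Render flags the way dig prints them, e.g. 'qr aa'."""
    names = [n for n in ("qr", "aa", "tc", "rd", "ra") if f[n]]
    return " ".join(names)


def split_tcp_stream(data: bytes):
    """Yield each DNS message from a TCP stream of length-prefixed messages."""
    off = 0
    while off + 2 <= len(data):
        (length,) = struct.unpack("!H", data[off:off + 2])
        off += 2
        if off + length > len(data):
            raise ValueError("truncated DNS message in stream")
        yield data[off:off + length]
        off += length


def audit_axfr_stream(data: bytes) -> list:
    """Check every message of an AXFR response stream for QR=1 and AA=1."""
    results = []
    for i, msg in enumerate(split_tcp_stream(data)):
        f = parse_header_flags(msg)
        results.append({
            "index": i,
            # Offset 2 is "byte 3" in the report's 1-based counting: 0x80 = QR only, 0x84 = QR+AA.
            "flags_byte": msg[2],
            "flags": flag_string(f),
            "rfc5936_ok": f["qr"] and f["aa"],
        })
    return results


def build_header(flags: int, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Constructed 12-byte DNS header (sample data, not a real capture)."""
    return struct.pack("!HHHHHH", 0x1234, flags, qdcount, ancount, 0, 0)


def frame(msg: bytes) -> bytes:
    """Prefix a message with its two-byte length, as on a TCP connection."""
    return struct.pack("!H", len(msg)) + msg


# Constructed sample stream: first message as observed (QR only), second as RFC 5936 requires (QR+AA).
SAMPLE_STREAM = frame(build_header(0x8000, ancount=3)) + frame(build_header(0x8400, ancount=3))


if __name__ == "__main__":
    for r in audit_axfr_stream(SAMPLE_STREAM):
        verdict = "ok" if r["rfc5936_ok"] else "MISSING AA (RFC 5936 section 2.2)"
        print(f"message {r['index']}: byte 0x{r['flags_byte']:02x} flags: {r['flags']}; {verdict}")
```

To apply it to a real transfer, feed the raw TCP payload of an AXFR session (for example the reassembled stream exported from a packet capture) to audit_axfr_stream; any message reported with rfc5936_ok false is one a strict secondary is entitled to reject.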