Hello,

I would like to report a bug in Knot DNS 3.5.x where AXFR responses do not have the Authoritative Answer (AA) bit set, which appears to violate RFC 5936 §2.2.

Affected versions tested:

Packages tested:

Summary

RFC 5936 §2.2 states:

"Each DNS message returned by the AXFR server MUST have the AA bit set to 1."

However, Knot DNS sends AXFR responses with flags set to qr only. The AA bit is not set in any of the messages in the transfer stream.

As a result, strict secondary DNS servers, notably Windows Server DNS, reject such responses as invalid and abort the zone transfer.

Expected behavior

AXFR response messages should have the AA bit set.

Expected flags:

qr aa

Actual behavior

AXFR response messages have only the QR bit set.

Actual flags:

qr

Possible root cause

The function axfr_process_query() in src/knot/nameserver/axfr.c does not appear to call knot_wire_set_aa().

By contrast, the normal query path, via solve_answer() in internet.c, does set the AA bit, so SOA, A, and other authoritative responses are returned correctly. The AXFR code path appears to bypass this logic.

Minimal reproducer

dig @<knot-master> +tcp AXFR <zone> | head -2

Observed output:

;; flags: qr;

The AA bit is missing.

This can also be verified with tcpdump: byte 3 of each DNS message in the AXFR stream has value 0x80 / QR only, instead of 0x84 / QR + AA.
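As an added example (not part of this report or of Knot DNS), a small Python checker that applies the RFC 5936 §2.2 requirement to a TCP-framed AXFR response stream and reports every message whose AA bit is clear; the sample streams below are constructed inline to mirror the expected (qr aa) and observed (qr) flags:

```python
"""Check each message of a TCP-framed AXFR stream for the AA bit (RFC 5936 §2.2)."""
import struct

QR = 0x8000  # response bit
AA = 0x0400  # authoritative answer bit


def split_tcp_messages(stream: bytes):
    """Yield DNS messages from a TCP stream (each is prefixed by a 2-byte length)."""
    off = 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[off:off + 2])
        off += 2
        msg = stream[off:off + length]
        if len(msg) < length:
            raise ValueError("truncated DNS message in stream")
        yield msg
        off += length


def header_flags(msg: bytes) -> int:
    """Return the 16-bit flags word (bytes 3-4 of the 12-byte DNS header)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    return struct.unpack("!H", msg[2:4])[0]


def aa_violations(stream: bytes) -> list:
    """0-based indexes of response messages in the stream that lack AA."""
    bad = []
    for i, msg in enumerate(split_tcp_messages(stream)):
        flags = header_flags(msg)
        if flags & QR and not flags & AA:
            bad.append(i)
    return bad


def build_message(flags: int) -> bytes:
    """Constructed minimal DNS message: header only, all section counts zero."""
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)


def frame(*msgs: bytes) -> bytes:
    """Prefix each message with its length, as DNS over TCP requires."""
    return b"".join(struct.pack("!H", len(m)) + m for m in msgs)


# Constructed sample streams: what RFC 5936 expects versus what the report describes.
GOOD_STREAM = frame(build_message(QR | AA), build_message(QR | AA))
BAD_STREAM = frame(build_message(QR), build_message(QR))

if __name__ == "__main__":
    print("good:", aa_violations(GOOD_STREAM))  # []
    print("bad:", aa_violations(BAD_STREAM))    # [0, 1]
```

The third header byte of each constructed message is 0x84 for the good stream and 0x80 for the bad one, matching the tcpdump check above.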


--

Best regards,
Mateusz Masłowski