Hello Mateusz,
Thank you for the bug report! It will be fixed soon.
Daniel
On 6/11/26 17:36, Mateusz Masłowski wrote:
Hello,
I would like to report a bug in Knot DNS 3.5.x where AXFR responses do not have the
Authoritative Answer (AA) bit set, which appears to violate RFC 5936 §2.2.
Affected versions tested:
* 3.5.3
* 3.5.4
Packages tested:
* cznic.1~bookworm
Summary
RFC 5936 §2.2 states:
"Each DNS message returned by the AXFR server MUST have the AA bit set to 1."
However, Knot DNS sends AXFR responses with flags set to qr only. The AA bit is not set
in any of the messages in the transfer stream.
As a result, strict secondary DNS servers, notably Windows Server DNS, reject such
responses as invalid and abort the zone transfer.
Expected behavior
AXFR response messages should have the AA bit set.
Expected flags:
qr aa
Actual behavior
AXFR response messages have only the QR bit set.
Actual flags:
qr
Possible root cause
The function axfr_process_query() in src/knot/nameserver/axfr.c does not appear to
call knot_wire_set_aa().
By contrast, the normal query path, via |solve_answer()| in |internet.c|, does set the AA
bit, so SOA, A, and other authoritative responses are returned correctly. The AXFR code
path appears to bypass this logic.
Minimal reproducer
dig @<knot-master> +tcp AXFR <zone> | head -2
Observed output:
;; flags: qr;
The AA bit is missing.
This can also be verified with tcpdump: byte 3 of each DNS message in the AXFR stream
has value 0x80 / QR only, instead of 0x84 / QR + AA.
--
Best regards,
Mateusz Masłowski
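An added example, not part of the report or of Knot DNS, showing how a secondary operator can check the RFC 5936 §2.2 requirement described above on a captured TCP AXFR stream: it splits the stream at the 2-byte length prefixes, reads the flag word from header bytes 2-3 (0-indexed), renders it the way dig does, and flags any message without AA. The two streams are constructed inline (headers only, no records); the function names are mine.

```python
"""Check the AA bit on every message of an AXFR TCP stream (RFC 5936 §2.2)."""
import struct

# DNS header flag bits (RFC 1035 §4.1.1), as a 16-bit word in network order.
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080

def flags_to_dig_string(flags):
    """Render the flag word the way dig prints it, e.g. 'qr aa'."""
    names = [("qr", FLAG_QR), ("aa", FLAG_AA), ("tc", FLAG_TC), ("rd", FLAG_RD), ("ra", FLAG_RA)]
    return " ".join(name for name, bit in names if flags & bit)

def split_tcp_stream(stream):
    """Yield each DNS message from a TCP stream of 2-byte-length-prefixed messages."""
    offset = 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[offset:offset + 2])
        offset += 2
        if offset + length > len(stream):
            raise ValueError("truncated DNS message in stream")
        yield stream[offset:offset + length]
        offset += length

def check_axfr_aa(stream):
    """Return (compliant, per_message); per_message lists (dig-style flags, aa_set)."""
    results = []
    for msg in split_tcp_stream(stream):
        if len(msg) < 12:
            raise ValueError("DNS message shorter than the 12-byte header")
        (flags,) = struct.unpack("!H", msg[2:4])  # header bytes 2-3 hold the flag word
        results.append((flags_to_dig_string(flags), bool(flags & FLAG_AA)))
    return all(aa for _, aa in results), results

def build_message(flags, ancount=1):
    """Constructed 12-byte header with no records: enough for the header check."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

def wrap_tcp(*messages):
    """Prefix each message with its 2-byte length, as on a TCP connection."""
    return b"".join(struct.pack("!H", len(m)) + m for m in messages)

# Constructed streams, not captured traffic: a non-compliant transfer (QR only, as the
# report describes, flag byte 0x80) and a compliant one (QR + AA, flag byte 0x84).
BUGGY_STREAM = wrap_tcp(build_message(0x8000), build_message(0x8000))
FIXED_STREAM = wrap_tcp(build_message(0x8400), build_message(0x8400))
```

Feeding the output of a real capture (for example the payload of the TCP session dumped with tcpdump) to check_axfr_aa() lists the flags of every message and reports non-compliance if any lacks AA.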