That's great, thank you.
Thu, 11 Jun 2026 at 19:08 Daniel Salzman <daniel.salzman(a)nic.cz> wrote:
Hello Mateusz,
Thank you for the bug report! It will be fixed soon.
Daniel
On 6/11/26 17:36, Mateusz Masłowski wrote:
Hello,
I would like to report a bug in Knot DNS 3.5.x where AXFR responses do not have the Authoritative Answer (AA) bit set, which appears to violate RFC 5936 §2.2.
Affected versions tested:
* 3.5.3
* 3.5.4
Packages tested:
* cznic.1~bookworm
Summary
RFC 5936 §2.2 states:
"Each DNS message returned by the AXFR server MUST have the AA bit set to 1."
However, Knot DNS sends AXFR responses with flags set to qr only. The AA bit is not set in any of the messages in the transfer stream.
As a result, strict secondary DNS servers, notably Windows Server DNS, reject such responses as invalid and abort the zone transfer.
Expected behavior
AXFR response messages should have the AA bit set.
Expected flags:
qr aa
Actual behavior
AXFR response messages have only the QR bit set.
Actual flags:
qr
Possible root cause
The function axfr_process_query() in src/knot/nameserver/axfr.c does not appear to call knot_wire_set_aa().
By contrast, the normal query path, via solve_answer() in internet.c, does set the AA bit, so SOA, A, and other authoritative responses are returned correctly. The AXFR code path appears to bypass this logic.
Minimal reproducer
dig @<knot-master> +tcp AXFR <zone> | head -2
Observed output:
;; flags: qr;
The AA bit is missing.
This can also be verified with tcpdump: byte 3 of each DNS message in the AXFR stream has value 0x80 / QR only, instead of 0x84 / QR + AA.
--
Best regards,
Mateusz Masłowski
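A check for the behaviour described in this report, added here as an example and not part of the thread or of Knot DNS: it decodes the DNS header flag word the way dig prints it and scans a DNS-over-TCP AXFR stream (2-byte length prefix per message, RFC 1035 §4.2.2) for messages that lack the AA bit, which RFC 5936 §2.2 requires on every one. The sample streams are constructed header-only responses with the flag bytes 0x80 (QR only) and 0x84 (QR + AA) mentioned in the report; real AXFR messages would of course carry resource records.

```python
import struct

# DNS header flag bits (RFC 1035 §4.1.1), second 16-bit word of the 12-byte header.
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080


def parse_header(msg: bytes) -> dict:
    """Decode a DNS header; returns the id, dig-style flag names, rcode and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    names = [name for bit, name in ((FLAG_QR, "qr"), (FLAG_AA, "aa"), (FLAG_TC, "tc"),
                                    (FLAG_RD, "rd"), (FLAG_RA, "ra")) if flags & bit]
    return {"id": msg_id, "flags": names, "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def split_tcp_stream(stream: bytes) -> list:
    """Split a DNS-over-TCP byte stream into messages; each is prefixed by a 2-byte big-endian length."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        pos += 2
        if pos + length > len(stream):
            raise ValueError("truncated message at offset %d" % pos)
        msgs.append(stream[pos:pos + length])
        pos += length
    return msgs


def check_axfr_stream(stream: bytes) -> list:
    """Return indices of messages in the stream whose header lacks the AA bit (RFC 5936 §2.2 violation)."""
    return [i for i, m in enumerate(split_tcp_stream(stream))
            if "aa" not in parse_header(m)["flags"]]


def build_response(flags: int, ancount: int = 1) -> bytes:
    """Constructed sample for this example: a header-only response with the given flag word (no RRs)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


def frame(msgs) -> bytes:
    """Apply DNS-over-TCP framing to a list of messages."""
    return b"".join(struct.pack("!H", len(m)) + m for m in msgs)


# Constructed stream mimicking the report: the third byte of each message (offset 2) is 0x80, QR only.
BAD_STREAM = frame([build_response(0x8000), build_response(0x8000)])
# Constructed compliant stream: the third byte of each message is 0x84, QR + AA.
GOOD_STREAM = frame([build_response(0x8400), build_response(0x8400)])

if __name__ == "__main__":
    for label, s in (("non-compliant", BAD_STREAM), ("compliant", GOOD_STREAM)):
        print(label, "- messages missing AA:", check_axfr_stream(s))
```

To run this against a real transfer, capture the TCP payload of the AXFR session (for example by reassembling the stream from a pcap) and pass the raw bytes to check_axfr_stream(); an empty list means every message carried the AA bit.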