What are all the flags in a dig response?

domain-name-system dig

dig responses return flags in the comments section:

$ dig example.com +noall +comments

; <<>> DiG 9.8.3-P1 <<>> example.com +noall +comments
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

On the last line here, there are flags:

flags: qr rd ra;

What are all the possible flags that dig has?

Here's a list of the ones I've found so far:

  • rd - Recursion Desired
  • ra - Recursion Available
  • aa - Authoritative Answer
  • qr - Query?
  • cd - Checking Disabled (not sure what this means)
  • others?

I am using RFC 1035 as source, keeping to the sequence from there, regardless if you already mentioned it in your question.

  • QR specifies whether this message is a query (0), or a response (1)
  • OPCODE A four bit field, only valid values: 0,1,2
  • AA Authoritative Answer
  • TC TrunCation (truncated due to length greater than that permitted on the transmission channel)
  • RD Recursion Desired
  • RA Recursion Available
  • Z Reserved for future use. Must be zero

There were two more DNSSEC-related flags introduced in RFC 4035:

  • CD (Checking Disabled): indicates a security-aware resolver should disable signature validation (that is, not check DNSSEC records)
  • AD (Authentic Data): indicates the resolver believes the responses to be authentic - that is, validated by DNSSEC

From: http://www.perdisci.com/useful-links/dig-info

DIG response header:

Flags:
AA = Authoritative Answer

TC = Truncation

RD = Recursion Desired (set in a query and copied into the response if recursion is supported)

RA = Recursion Available (if set, denotes recursive query support is available)

AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated)

CD = Checking Disabled (DNSSEC only; disables checking at the receiving server)

Response code:

0 = NOERR, no error

1 = FORMERR, format error (unable to understand the query)

2 = SERVFAIL, name server problem

3= NXDOMAIN, domain name does not exist

4 = NOTIMPL, not implemented

5 = REFUSED (e.g., refused zone transfer requests)

For more information read:

RFC1035 - 4.1.1. Header section format (https://www.rfc-editor.org/rfc/rfc1035)

RFC6895 - 2. DNS Query/Response Headers (https://www.rfc-editor.org/rfc/rfc6895)

Related

What's your favorite Powershell command or script for system administration? [closed]
How do I list IP addresses blocked by iptables?
Can I run a GUI program in the background on the windows command-line?
Remote Desktop - remote computer that was reached is not the one you specified
How to scale php5+MySQL above 200 requests/second?
Upstart: allowing a normal user to stop and start my custom service
Allow non-admin user to shutdown/reboot Server 2012
ISC DHCP infinite lease time
Use IAM to Allow User to Edit AWS / EC2 Security Groups?
Is it still "wrong" to require STARTTLS on incoming SMTP messages
Is it safe to delete files in C:\Windows\Installer?
ASCII vs Binary vs Auto?