Re: [dnsext] Spec for AA in query meaning AA-only?

Olafur Gudmundsson <> Tue, 08 February 2011 12:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D9EF93A6DE4 for <>; Tue, 8 Feb 2011 04:23:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id B7cg4m1QKrCv for <>; Tue, 8 Feb 2011 04:23:07 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id EDF423A6DD1 for <>; Tue, 8 Feb 2011 04:23:06 -0800 (PST)
Received: from [IPv6:::1] ( []) by (8.14.4/8.14.4) with ESMTP id p18CNCDA004428 for <>; Tue, 8 Feb 2011 07:23:13 -0500 (EST) (envelope-from
Message-ID: <>
Date: Tue, 08 Feb 2011 07:23:04 -0500
From: Olafur Gudmundsson <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv: Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on
Subject: Re: [dnsext] Spec for AA in query meaning AA-only?
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 08 Feb 2011 12:23:08 -0000

On 08/02/2011 1:37 AM, Phil Pennock wrote:
> RFC 1035 defines AA for responses; I'm failing to find a specification
> which states that AA in a query means AA-only.
> I see +aaonly for dig.  Not finding a reference.
> Am I missing it or is this only an informal convention?
> Thanks,

It is an artifact of an idea that Paul Vixie had many years ago
to mean "Authoritative Answers Only".
The idea did not gain traction with the DNS protocol community, but the 
experimental code is still in dig after all these years  (look for
aaonly in bin/dig directory. I do not think the code is in the name-server.

If I recall correctly this was intended to force resolvers to go back to 
authoritative servers and get answer from them rather than give answer 
from cache.

IMHO it is perfectly acceptable for a resolver to reject a query with AA 
bit set as "malformed".