[Pdns-dev] pdns-recursor not keeping/setting AA flag when recursing locally

Mike Steele mike.steele at pldtechs.net
Thu Apr 23 18:29:30 UTC 2020

TLDR - seeking a quick-n-dirty way to set/keep the AA flag in the
pdns-recursor response when recursing locally from forward-zones-file.

For the time being, since there are thousands of users, we continue to use
PowerDNS for recursion and for Authoritative DNS on the same server.

We have pdns-recursor listening on port 53, but if the domain is in the
forward-zones-file it forwards locally to port 5300 where PowerDNS responds.

This works fine, but since it is technically recursing I guess it is not
setting the AA flag. Per some RFC this is bad since an authoritative server
shouldn't be recursing and so some services (Barracuda Networks and
mxtoolbox) will catch this and flag it accordingly as "lame" DNS.

This is not a problem for millions of emails, but for clients that use
Barracuda Networks for SMTP and security, they are not being allowed to
send email to pldi.net.

# dig +all @localhost -p 53 pldi.net ns
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20834
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

# dig +all @localhost -p 5300 pldi.net mx
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63458
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

Is there a configuration option or even a script I could put in place to
force the aa flag in the pdns-recursor response when in the


*Mike Steele*

*System Integrator*

*Broadband Services *

*Pioneer Telephone Coop.*

PO Box 539 » Kingfisher, OK 73750

o: 405.375.0542

mike.steele at pldtechs.net

ptci.com <http://www.ptci.com/> | WirelessPioneer.com
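
Added example, not part of the original post and not PowerDNS code: a Python check that reads the header flags shown in the two dig outputs above (qr, aa, rd, ra) directly from a DNS response, so the port 53 and port 5300 answers can be compared for the missing aa bit. All function names are hypothetical, and the two sample headers are constructed here from the ids, flags and counts in the dig output.

```python
import socket
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, section 4.1.1).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100, "ra": 0x0080}


def build_query(name, qtype, qid=0x1234, rd=True):
    """Build a minimal DNS query packet (class IN) for name/qtype."""
    header = struct.pack("!HHHHHH", qid, FLAG_BITS["rd"] if rd else 0, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Decode id, rcode, set flags and section counts from a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header: %d bytes" % len(packet))
    qid, word, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    flags = [n for n, bit in FLAG_BITS.items() if word & bit]
    return {"id": qid, "rcode": word & 0x000F, "flags": flags,
            "counts": (qd, an, ns, ar)}


def authority_status(header):
    """Report whether a response carries aa and, if not, whether it has ra."""
    if "qr" not in header["flags"]:
        return "not a response"
    if "aa" in header["flags"]:
        return "authoritative"
    if "ra" in header["flags"]:
        return "recursive answer without aa"
    return "non-authoritative"


def query(server, port, name, qtype=2, timeout=2.0):
    """Send one UDP query (qtype 2 = NS, 15 = MX) and return the parsed header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, port))
        return parse_header(s.recvfrom(4096)[0])


# Constructed headers matching the two dig outputs in the post.
RECURSOR_HDR = struct.pack("!HHHHHH", 20834, 0x8180, 1, 2, 0, 1)  # qr rd ra
AUTH_HDR = struct.pack("!HHHHHH", 63458, 0x8500, 1, 4, 0, 1)      # qr aa rd
```

Against a live setup, `authority_status(query("127.0.0.1", 53, "pldi.net"))` and the same call with port 5300 give the comparison the post makes with dig.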