What are all the flags in a dig response?

Solution 1:

I am using RFC 1035 as source, keeping to the sequence from there, regardless if you already mentioned it in your question.

  • QR specifies whether this message is a query (0), or a response (1)
  • OPCODE A four bit field, only valid values: 0,1,2
  • AA Authoritative Answer
  • TC TrunCation (truncated due to length greater than that permitted on the transmission channel)
  • RD Recursion Desired
  • RA Recursion Available
  • Z Reserved for future use. Must be zero

There were two more DNSSEC-related flags introduced in RFC 4035:

  • CD (Checking Disabled): indicates a security-aware resolver should disable signature validation (that is, not check DNSSEC records)
  • AD (Authentic Data): indicates the resolver believes the responses to be authentic - that is, validated by DNSSEC

Solution 2:

From: http://www.perdisci.com/useful-links/dig-info

DIG response header:

AA = Authoritative Answer

TC = Truncation

RD = Recursion Desired (set in a query and copied into the response if recursion is supported)

RA = Recursion Available (if set, denotes recursive query support is available)

AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated)

CD = Checking Disabled (DNSSEC only; disables checking at the receiving server)

Response code:

0 = NOERR, no error

1 = FORMERR, format error (unable to understand the query)

2 = SERVFAIL, name server problem

3= NXDOMAIN, domain name does not exist

4 = NOTIMPL, not implemented

5 = REFUSED (e.g., refused zone transfer requests)