Why is my Droplet receiving Authoritative Answer flag errors?

As of 21 April, 2020, our DNS recursive servers now enforce the Authoritative Answer (AA) flag in DNS responses. This is a common security measure that ensures that DNS responses are authoritative and have not been compromised.

This means that if your Droplet makes a DNS query for a hostname and the response from the hostname’s DNS nameserver doesn’t include the AA flag, our recursive server will drop the response and your Droplet won’t be able to resolve the hostname. This can cause connection issues to hostnames whose DNS records are hosted by providers that have not implemented the AA flag.

If your domain’s records are hosted on DigitalOcean DNS, your DNS responses already meet the AA flag standardization and no action is required.

If your Droplet is receiving AA flag errors for hostnames outside of DigitalOcean, you can determine whether the hostname’s nameservers set the AA flag and, if they do not, take steps to help resolve the issue.

Check the Hostname

You can check whether a domain’s DNS responses lack the AA flag by using the DNSViz tool. If you enter a hostname into the search field and receive an error similar to this, the hostname’s DNS provider has not implemented the AA flag in its responses:

sub.example.com/A: The Authoritative Answer (AA) flag was not set in the response. (192.0.2.25, 192.0.2.110, 203.0.113.113, 203.0.113.212, UDP_-_EDNS0_4096_D_K)

If you receive an AA flag error, you can
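The AA flag is a single bit in the 16-bit flags word of the DNS message header (RFC 1035, section 4.1.1), so you can also verify it yourself rather than relying on DNSViz. The example below is added here and is not DigitalOcean’s or DNSViz’s code: it builds two constructed 12-byte DNS headers (one with AA set, one without), parses the flags word, and produces a DNSViz-style report naming the nameservers whose responses are not authoritative. The server addresses and transaction IDs are made up for illustration. The optional `check_live` helper assumes the third-party `dnspython` package; it is not used by the offline part of the example.

```python
import struct

# Bit masks for the DNS header flags word (RFC 1035 section 4.1.1):
# QR(1) | OPCODE(4) | AA(1) | TC(1) | RD(1) | RA(1) | Z(3) | RCODE(4)
QR_BIT = 0x8000
AA_BIT = 0x0400  # "Authoritative Answer": set only by a server authoritative for the zone
TC_BIT = 0x0200
RD_BIT = 0x0100
RA_BIT = 0x0080


def build_header(txid, qr, aa, rd, ra, rcode=0, qd=1, an=1, ns=0, ar=0):
    """Construct a 12-byte DNS header; used only to create sample responses."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def parse_flags(msg):
    """Decode the header flags of a raw DNS message (wire format)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "qr": bool(flags & QR_BIT),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA_BIT),
        "tc": bool(flags & TC_BIT),
        "rd": bool(flags & RD_BIT),
        "ra": bool(flags & RA_BIT),
        "rcode": flags & 0xF,
    }


def is_authoritative_answer(msg):
    """True when the message is a response (QR=1) with the AA flag set."""
    f = parse_flags(msg)
    return f["qr"] and f["aa"]


def audit_responses(hostname, responses):
    """responses maps nameserver IP -> raw DNS response bytes.

    Returns (list of IPs whose response lacks AA, DNSViz-style message);
    the message is empty when every response is authoritative."""
    missing = [ip for ip, msg in responses.items() if not is_authoritative_answer(msg)]
    if not missing:
        return missing, ""
    return missing, (
        f"{hostname}/A: The Authoritative Answer (AA) flag was not set in the "
        f"response. ({', '.join(missing)})"
    )


# Constructed sample responses (not real captures): the first nameserver answers
# like a forwarder/recursor (AA clear, RA set), the second like a real
# authoritative server for the zone (AA set).
SAMPLE_RESPONSES = {
    "192.0.2.25": build_header(0x1A2B, qr=1, aa=0, rd=1, ra=1),
    "203.0.113.113": build_header(0x1A2B, qr=1, aa=1, rd=1, ra=0),
}


def check_live(hostname, nameserver_ip, timeout=3.0):
    """Optional live check (assumes the dnspython package is installed).

    Sends a non-recursive A query straight to the nameserver and reports
    whether its response carries the AA flag."""
    import dns.flags
    import dns.message
    import dns.query

    query = dns.message.make_query(hostname, "A")
    query.flags &= ~dns.flags.RD  # ask the authoritative server directly, no recursion
    response = dns.query.udp(query, nameserver_ip, timeout=timeout)
    return bool(response.flags & dns.flags.AA)


if __name__ == "__main__":
    missing, report = audit_responses("sub.example.com", SAMPLE_RESPONSES)
    print(report or "All sampled responses are authoritative.")
```

With `dig`, the equivalent check is to query each of the domain’s nameservers directly (`dig @<nameserver> sub.example.com A +norecurse`) and confirm that `aa` appears in the `flags:` line of the response header; a response without it is exactly what our recursive servers now drop.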

Solutions

Solutions vary depending on your circumstances and whether you own the problematic hostname or not.

I own the hostname

  1. Contact Your DNS Provider: If you own the hostname and have control over the hostname’s DNS records, contact your DNS provider and ask them to implement the AA flag in your hostname’s DNS responses.

  2. Change DNS Providers: If your DNS provider cannot implement the AA flag, you can consider moving your DNS records to a new provider who has implemented the AA flag, such as DigitalOcean.

I don’t own the hostname

If you don’t own the hostname, you need to work with the owner of the hostname to get their DNS provider to meet the latest security standards.

Hostnames are usually owned by whoever registered the domain name you are trying to query. If you do not have a direct relationship with the domain owner, you can use ICANN’s website to look up the contact information for the domain.

Conclusion

Working with your DNS provider to meet the latest security standards is the best way to resolve this issue. While it is possible to set up your own recursive server with more lenient rules or configure a Droplet to resolve its DNS queries using more lenient nameservers, we highly recommend against this as it undermines the overall security of your Droplets and infrastructure.