Troubleshoot Authoritative Answer Flag Errors

Adding a domain you own to your DigitalOcean account lets you manage the domain's DNS records with the control panel and API. Domains you manage on DigitalOcean also integrate with DigitalOcean Load Balancers and Spaces to streamline automatic SSL certificate management.

As of 21 April, 2020, our DNS recursive servers enforce the Authoritative Answer (AA) flag in DNS responses. This is a common security measure that ensures that DNS responses come from a nameserver that is authoritative for the zone and have not been compromised.

This means that if your Droplet makes a DNS query for a hostname and the response from the hostname's DNS nameserver does not include the AA flag, our recursive server drops the response and your Droplet cannot resolve the hostname. This can cause connection issues to hostnames whose DNS records are hosted by providers that have not implemented the AA flag.

If your domain's records are hosted on DigitalOcean DNS, your DNS responses already meet the AA flag standardization and no action is required.

Check the Hostname

You can check whether a domain's nameservers set the AA flag in their responses by using this tool. If you enter a hostname and receive an error similar to the following, the hostname's DNS provider has not implemented the AA flag in its responses:

sub.example.com/A: The Authoritative Answer (AA) flag was not set in the response. (192.0.2.25, 192.0.2.110, 203.0.113.113, 203.0.113.212, UDP_-_EDNS0_4096_D_K)
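The AA flag is a single bit in the 16-bit flags field of the DNS message header (RFC 1035, section 4.1.1). The following Python example, added here and not part of the original page or of any DigitalOcean tool, builds a constructed A-record response with and without that bit, decodes the header the way `dig` summarizes it (`flags: qr aa ...`), and applies the same accept-or-drop rule described above for an AA-enforcing recursive resolver. The hostname and addresses are the documentation examples from the error message; `build_response`, `parse_header`, `dig_style_flags` and `accept_response` are names chosen for this example.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR_BIT = 0x8000   # message is a response
AA_BIT = 0x0400   # Authoritative Answer
TC_BIT = 0x0200   # truncated
RD_BIT = 0x0100   # recursion desired
RA_BIT = 0x0080   # recursion available
AD_BIT = 0x0020   # authenticated data (DNSSEC, RFC 4035)
CD_BIT = 0x0010   # checking disabled (DNSSEC, RFC 4035)
RCODE_MASK = 0x000F

FLAG_NAMES = [("qr", QR_BIT), ("aa", AA_BIT), ("tc", TC_BIT), ("rd", RD_BIT),
              ("ra", RA_BIT), ("ad", AD_BIT), ("cd", CD_BIT)]


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length byte + label), terminated by a zero byte."""
    return b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def build_response(txid: int, name: str, ipv4: str, authoritative: bool) -> bytes:
    """Build a minimal DNS A-record response. Constructed sample data, not a real capture."""
    flags = QR_BIT | (AA_BIT if authoritative else 0)
    # header: ID, flags, QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR_BIT),
        "aa": bool(flags & AA_BIT),
        "rcode": flags & RCODE_MASK,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def dig_style_flags(packet: bytes) -> list:
    """Return the set flag names in the order dig prints them, e.g. ['qr', 'aa', 'rd', 'ra']."""
    flags = struct.unpack("!H", packet[2:4])[0]
    return [name for name, bit in FLAG_NAMES if flags & bit]


def accept_response(packet: bytes) -> bool:
    """Decision rule of an AA-enforcing recursive resolver: a response is usable
    only if it is a response (QR set) and the answering server claims authority (AA set)."""
    header = parse_header(packet)
    return header["qr"] and header["aa"]


if __name__ == "__main__":
    good = build_response(0x1234, "sub.example.com", "192.0.2.25", authoritative=True)
    bad = build_response(0x1234, "sub.example.com", "192.0.2.25", authoritative=False)
    for label, pkt in (("authoritative", good), ("non-authoritative", bad)):
        verdict = "accepted" if accept_response(pkt) else "dropped"
        print(f"{label:18} flags: {' '.join(dig_style_flags(pkt))}  -> {verdict}")
```

Against a live nameserver the same check is `dig @<nameserver> sub.example.com A` and a look at the `flags:` line of the header: an authoritative answer lists `aa` there, and a response without it is exactly what the recursive resolver described above discards.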

How you address this will depend on whether you own the hostname.

Solutions

Solutions vary depending on your circumstances and whether you own the problematic hostname or not.

I own the hostname

  1. Contact Your DNS Provider: If you own the hostname and have control over the hostname’s DNS records, contact your DNS provider and ask them to implement the AA flag in your hostname’s DNS responses.

  2. Change DNS Providers: If your DNS provider cannot implement the AA flag, you can consider moving your DNS records to a new provider who has implemented the AA flag, such as DigitalOcean.

I don’t own the hostname

If you don’t own the hostname, you need to work with the owner of the hostname to get their DNS to meet the latest security standards.

Hostnames are usually owned by whoever registered the domain name you are trying to query. If you do not have a direct relationship with the domain owner, you can use ICANN's website to look up the contact information for the domain.

Conclusion

Working with your DNS provider to meet the latest security standards is the best way to resolve this issue. While it is possible to set up your own recursive server with more lenient rules or configure a Droplet to resolve its DNS queries using more lenient name servers, we highly recommend against this as it undermines the overall security of your Droplets and infrastructure.