From 10e438d7b9311fd7d3b5bce8bc422248a9516419 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arkadiusz=20Mis=CC=81kiewicz?=
Date: Fri, 24 Apr 2026 14:57:38 +0200
Subject: [PATCH] dns: set AA flag on responses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

challtestsrv is authoritative for every name it answers and synthesizes its own SOA in the AUTHORITY section, so replies must have the AA bit set per RFC 1035 §4.1.1. Without it, AA=0 + an authoritative SOA is an internally inconsistent response that DNSSEC validators and strict test harnesses can flag.
---
 dns.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dns.go b/dns.go
index 40c806e..a8b5062 100644
--- a/dns.go
+++ b/dns.go
@@ -432,6 +432,9 @@ func (s *ChallSrv) dnsHandlerInner(w writeMsg, r *dns.Msg, userAgent string) {
 m := new(dns.Msg)
 m.SetReply(r)
 m.Compress = false
+ // AA: challtestsrv is the authoritative server for every name it answers
+ // (RFC 1035 §4.1.1).
+ m.Authoritative = true
 // For each question, add answers based on the type of question
 for _, q := range r.Question {
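Review bot: `m.Authoritative = true` is set once, before the per-question loop, so every reply built from `m` carries AA=1, including any that later end with a failure rcode. The rest of dnsHandlerInner is outside this hunk, so whether such paths exist cannot be confirmed from here; if a SERVFAIL or similar reply is produced from the same message, consider clearing the bit on that path (`m.Authoritative = false`) so the header stays consistent for the resolvers under test. The diffstat shows only dns.go changed, so nothing pins the new behaviour; a test that queries the server and checks `resp.Authoritative` on the reply would keep the flag from regressing silently.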