> How can you tell if a server is authoritative for a domain or not using dig?
>
> The best way I can figure is that if you ask it for the same domain twice,
> and it comes back with an "aa" flag BOTH times then it must be set up as
> authoritative for that domain, because it is not caching the answer it is
> giving you.
>
> Is there a better way, or is this thinking correct?
That's the way I usually use, however, it might not work with low TTL values,
e.g. 0.
A more reliable way would be to attempt a query of a type that *cannot* be
recursed, like an AXFR query. Note that RCODE=REFUSED in the response to an
AXFR request is ambiguous -- it could mean *either* that the zone transfer was
refused because of an allow-transfer restriction *or* that the server is
non-authoritative for the zone. But the AA bit should be reliable regardless.
- Kevin