I am using RFC 1035 as source, keeping to the sequence from there, regardless if you already mentioned it in your question.
- QR specifies whether this message is a query (0), or a response (1)
- OPCODE A four bit field, only valid values: 0,1,2
- AA Authoritative Answer
- TC TrunCation (truncated due to length greater than that permitted on the
transmission channel) - RD Recursion Desired
- RA Recursion Available
- Z Reserved for future use. Must be zero
There were two more DNSSEC-related flags introduced in RFC 4035:
- CD (Checking Disabled): indicates a security-aware resolver should
disable signature validation (that is, not check DNSSEC records) - AD (Authentic Data): indicates the resolver believes the responses to be authentic – that is, validated by DNSSEC