[dns-operations] IPv6 & IPv4 addresses

Simon Munton Simon.Munton at communitydns.net
Fri Mar 18 10:59:22 UTC 2011


> The AA bit (and/or the answer section, some naughty servers don't set the AA bit)
> proves the server is authoritative for QNAME.
>
> That means there is no need to requery for RRsets in the Additional section
> that have owner = QNAME, they can be taken as Authoritative.

Yes, of course.

Further, if you include a verifiable RRSIG/AAAA (& for NODATA the 
NSEC/NSEC3 & RRSIG/NSEC(3)) the AA bit becomes pretty much irrelevant 
anyway as you have cryptographically proved this is authoritative data - 
and the RRSIG is more reliable, as the AA bit is unverifiable.

With NSEC this technique should mean little extra overhead as the NSEC 
is stored against the name, but with NSEC3 you will have a second search 
of the database for the hashed record, so you can include the NSEC3 RR.
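
An added illustration of the lookup-cost point in the message above, not code from the post or from any name server: a toy in-memory zone where the NSEC record sits on the queried node, while the NSEC3 record has to be fetched under the RFC 5155 hashed owner name. `ZoneDB`, `nodata_proof` and the zone contents are constructed for the example; the salt and iteration count are assumed values taken from the RFC 5155 sample zone.

```python
import base64
import hashlib

# Map the standard base32 alphabet to the base32hex alphabet NSEC3 uses.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Lowercased DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1(name || salt), then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

class ZoneDB:
    """Toy zone store (hypothetical) that counts database searches."""
    def __init__(self, apex, nodes):
        self.apex, self.nodes, self.lookups = apex, nodes, 0

    def get(self, owner):
        self.lookups += 1
        return self.nodes.get(owner, {})

def nodata_proof(db, qname, qtype, nsec3param=None):
    """Return (denial RR, searches used) for an existing name lacking qtype."""
    db.lookups = 0
    node = db.get(qname)                      # search 1: the queried name
    if not node or qtype in node:
        raise ValueError("not a NODATA case")
    if nsec3param is None:
        return node["NSEC"], db.lookups       # NSEC is stored against the name
    hashed_owner = nsec3_hash(qname, *nsec3param) + "." + db.apex
    return db.get(hashed_owner)["NSEC3"], db.lookups  # search 2: hashed owner

# Constructed sample data: a.example has an A record but no AAAA.
PARAMS = ("aabbccdd", 12)  # salt and iterations from the RFC 5155 sample zone
NSEC_ZONE = ZoneDB("example", {
    "a.example": {"A": "192.0.2.1", "NSEC": "b.example A NSEC RRSIG"}})
NSEC3_ZONE = ZoneDB("example", {
    "a.example": {"A": "192.0.2.1"},
    nsec3_hash("a.example", *PARAMS) + ".example": {"NSEC3": "A RRSIG"}})

if __name__ == "__main__":
    print(nodata_proof(NSEC_ZONE, "a.example", "AAAA"))
    print(nodata_proof(NSEC3_ZONE, "a.example", "AAAA", PARAMS))
```

The RRSIG covering each denial record would be returned from the same node as the record itself, so signatures add no further searches in this model.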


