NS answer inconsistency between implementations for delegated zone

RijilV rijilv at riji.lv
Fri Mar 16 16:36:27 UTC 2012

On 16 March 2012 06:54, Tony Finch <dot at dotat.at> wrote:
> Remi Gacogne <listes+dns-operations at valombre.net> wrote:
>> I noticed a difference in the behavior of bind, powerdns (using bind or
>> MySQL backend) and nsd regarding the answer to an NS query for a
>> delegated zone. Powerdns is responding to the query by putting
>> corresponding NS RRs into the ANSWER section, whereas bind and nsd are
>> putting them into the AUTHORITY section.
>> I am not sure what the correct answer is, as I haven't found a clear
>> specification on this case yet.
> BIND and NSD are correct. See RFC 2181 section 6.1.
> Tony.

Could you help me understand how you understood that every answer
containing the NS RRs for the query zone should be in the AUTHORITY
rather than in the ANSWER regardless if it is the answer to the direct
query?  The relevant text taken from section 6.1 of RFC 2181 says:

   The authoritative servers for a zone are enumerated in the NS records
   for the origin of the zone, which, along with a Start of Authority
   (SOA) record are the mandatory records in every zone.  Such a server
   is authoritative for all resource records in a zone that are not in
   another zone.

I just don't see where that says what you're saying - that section is
about what records a nameserver can claim authority over, not how it
chooses to respond to questions.  To me putting the answer to my query
in the ANSWER section is the correct behaviour regardless of what
record type it is.

Personally were I the maintainer of a DNS authority I'd read that RFC
and make a determination for myself before changing the way that
software worked.
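Added example, not part of the original message and not code from BIND, NSD or PowerDNS: a small parser that reports which section of a response carries the NS RRs, run over two constructed replies to an NS query for a delegated zone, one in each of the shapes the thread describes. The zone and nameserver names are made up, and all header flags other than QR are left at zero for simplicity.

```python
import struct

NS = 2  # RR type code for NS (RFC 1035)

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(zone, nameservers, section):
    """Constructed sample: reply to '<zone> IN NS' with the NS RRs in `section`."""
    an, au = (len(nameservers), 0) if section == "answer" else (0, len(nameservers))
    msg = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, an, au, 0)  # only QR=1 set
    msg += encode_name(zone) + struct.pack("!HH", NS, 1)       # question section
    for ns in nameservers:
        rdata = encode_name(ns)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", NS, 1, 3600, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    # Walk labels until the root label or a compression pointer ends the name.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def ns_placement(msg):
    """Count NS RRs in the ANSWER and AUTHORITY sections of a DNS message."""
    _, _, qd, an, au, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    counts = {"answer": 0, "authority": 0}
    for section, n in (("answer", an), ("authority", au)):
        for _ in range(n):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == NS:
                counts[section] += 1
    return counts

if __name__ == "__main__":
    for where in ("answer", "authority"):
        print(where, ns_placement(build_response("sub.example.com", ["ns1.sub.example.com"], where)))
```

The same `ns_placement` function can be pointed at raw response bytes captured from each server to compare their behaviour for a given delegation.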



