[dns-operations] NS answer inconsistency between implementations for delegated zone

paul vixie paul at redbarn.org
Fri Mar 16 16:45:11 UTC 2012

On 3/16/2012 4:36 PM, RijilV wrote:
> On 16 March 2012 06:54, Tony Finch <dot at dotat.at> wrote:
>> Remi Gacogne <listes+dns-operations at valombre.net> wrote:
>>> I noticed a difference in the behavior of bind, powerdns (using bind or
>>> MySQL backend) and nsd regarding the answer to an NS query for a
>>> delegated zone. Powerdns is responding to the query by putting
>>> corresponding NS RRs into the ANSWER section, whereas bind and nsd are
>>> putting them into the AUTHORITY section.
>>> I am not sure what the correct answer is, as I haven't found a clear
>>> specification on this case yet.
>> BIND and NSD are correct. See RFC 2181 section 6.1.
>> Tony.
> Could you help me understand how you understood that every answer
> containing the NS RRs for the query zone should be in the AUTHORITY
> rather than in the ANSWER regardless if it is the answer to the direct
> query?  ...

if you couldn't sign it in a dnssec signed zone, then you're not
authoritative for it.

if you're not authoritative for it, then it's in the child zone. (in
this case it's at the apex of same.)

if it's in the child zone, then you send a delegation, not an answer,
when someone queries you for it.

BIND4/BIND8 got this wrong. BIND9 and NSD are getting it right. verisign
"atlas" and neustar "ultradns" get it right but both had to make a
change a few years back from "the BIND4/BIND8 way" to "the BIND9 way".


More information about the dns-operations mailing list