[dns-operations] NS answer inconsistency between implementations for delegated zone
Tony Finch
dot at dotat.at
Fri Mar 16 16:47:08 UTC 2012
RijilV <rijilv at riji.lv> wrote:
>
> Could you help me understand how you understood that every answer
> containing the NS RRs for the query zone should be in the AUTHORITY
> rather than in the ANSWER regardless if it is the answer to the direct
> query?

Sure. Zone cuts are very subtle :-) The basic principle is that the parent
zone is not authoritative for any data at or below the cut, except for the
DNSSEC records (DS + RRSIG, NSEC + RRSIG).

The relevant text in RFC 2181 section 6.1 is:

   The NS records that indicate a zone cut are the
   property of the child zone created, as are any other records for the
   origin of that child zone, or any sub-domains of it. A server for a
   zone should not return authoritative answers for queries related to
   names in another zone, which includes the NS, and perhaps A, records
   at a zone cut, unless it also happens to be a server for the other
   zone.

So the NS records returned by the parent cannot be an answer; they must be
a referral, so must appear in the authority section.

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Viking, North Utsire: Southerly 6 to gale 8, becoming variable 4 later.
Moderate or rough, becoming very rough in Viking. Rain or showers. Good,
occasionally poor.
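
Added example, not part of the original message: a small wire-format check that reports whether a response to an NS query placed the NS RRset for the queried name in the ANSWER or the AUTHORITY section, and whether AA was set. The names read_name, classify and build are hypothetical, the child.example messages are constructed sample data, and the code assumes exactly one question per message.

```python
import struct

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                     # resume after the first pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
        elif n == 0:
            return ".".join(labels).lower() + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def classify(msg):
    """Report where the NS RRset for the queried name was placed."""
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    aa = bool(flags & 0x0400)                     # AA bit in the header flags
    qname, off = read_name(msg, 12)               # assumption: one question
    off += 4                                      # skip QTYPE and QCLASS
    found = {"answer": False, "authority": False}
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == 2 and owner == qname:     # type 2 = NS
                found[section] = True
    if found["answer"]:
        return "answer, AA set" if aa else "answer, AA clear"
    if found["authority"] and not aa:
        return "referral"                         # what the post expects from a parent
    return "other"

def build(flags, an, ns):
    """Constructed sample response to 'child.example. IN NS' with one NS RR."""
    q = b"\x05child\x07example\x00" + struct.pack("!HH", 2, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 6) + b"\x03ns1\xc0\x0c"
    return struct.pack("!6H", 0x1234, flags, 1, an, ns, 0) + q + rr
```

A server that is authoritative only for the parent should produce "referral" for the child's NS query under the reading of RFC 2181 section 6.1 given above; either "answer" result from such a server is the inconsistency the thread is about.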