[dns-operations] NS answer inconsistency between implementations for delegated zone

Tony Finch dot at dotat.at
Fri Mar 16 16:47:08 UTC 2012

RijilV <rijilv at riji.lv> wrote:
> Could you help me understand how you understood that every answer
> containing the NS RRs for the query zone should be in the AUTHORITY
> rather than in the ANSWER regardless if it is the answer to the direct
> query?

Sure. Zone cuts are very subtle :-) The basic principle is that the parent
zone is not authoritative for any data at or below the cut, except for the

The relevant text in RFC 2181 section 6.1 is:

                  The NS records that indicate a zone cut are the
   property of the child zone created, as are any other records for the
   origin of that child zone, or any sub-domains of it.  A server for a
   zone should not return authoritative answers for queries related to
   names in another zone, which includes the NS, and perhaps A, records
   at a zone cut, unless it also happens to be a server for the other

So the NS records returned by the parent cannot be an answer; they must be
a referral, so must appear in the authority section.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking, North Utsire: Southerly 6 to gale 8, becoming variable 4 later.
Moderate or rough, becoming very rough in Viking. Rain or showers. Good,
occasionally poor.
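
Added example, not part of the original message: a small Python check of the rule described above, applied to a reply that a parent-only server gives to an NS query at a zone cut. The names `child.example` and `ns1.child.example`, the function names, and the sample messages are constructed for illustration. Treating a set AA bit as a problem is an assumption of this sketch, based on referrals being non-authoritative.

```python
import struct

NS = 2  # RR type code for NS

def encode_name(name):
    # Uncompressed wire-format domain name.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def build_response(aa, section, qname="child.example", target="ns1.child.example"):
    # Constructed sample: reply to "qname IN NS" carrying one NS record in `section`.
    rdata = encode_name(target)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", NS, 1, 3600, len(rdata)) + rdata
    an, ns = (1, 0) if section == "answer" else (0, 1)
    flags = 0x8000 | (0x0400 if aa else 0)          # QR, plus AA when requested
    header = struct.pack("!6H", 0x1234, flags, 1, an, ns, 0)
    return header + encode_name(qname) + struct.pack("!HH", NS, 1) + rr

def skip_name(msg, off):
    # Return the offset just past a possibly compressed name.
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def check_parent_reply(msg):
    # Problems in a reply from a parent-only server to an NS query at the cut.
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    found = {"answer": 0, "authority": 0}
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            found[section] += rtype == NS
    problems = []
    if flags & 0x0400:
        problems.append("AA set for data at the zone cut")
    if found["answer"]:
        problems.append("NS records in ANSWER section")
    if not found["authority"]:
        problems.append("no NS records in AUTHORITY section")
    return problems
```

An empty list means the reply has the referral shape; the same ANSWER-section reply is correct when it comes from a server that is also authoritative for the child zone, so the check applies only to parent-only servers.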
