[dns-operations] NS answer inconsistency between implementations for delegated zone
David C Lawrence
tale at akamai.com
Fri Mar 16 16:50:30 UTC 2012
> Could you help me understand how you understood that every answer
> containing the NS RRs for the query zone should be in the AUTHORITY
> rather than in the ANSWER regardless if it is the answer to the direct
> query? The relevant text taken from section 6.1 of RFC 2181 says:
> The authoritative servers for a zone are enumerated in the NS records
> for the origin of the zone, which, along with a Start of Authority
> (SOA) record are the mandatory records in every zone. Such a server
> is authoritative for all resource records in a zone that are not in
> another zone.
> I just don't see where that says what you're saying - that section is
> about what records a nameserver can claim authority over, not how it
> chooses to respond to questions. To me putting the answer to my query
> in the ANSWER section is the correct behaviour regardless of what
> record type it is.
You actually cut off the relevant text, which is the rest of that
    The NS records that indicate a zone cut are the property of the
    child zone created, as are any other records for the origin of that
    child zone, or any sub-domains of it. A server for a zone should
    not return authoritative answers for queries related to names in
    another zone, which includes the NS, and perhaps A, records at a
    zone cut, unless it also happens to be a server for the other zone.
That combined with the text of RFC 1035 4.1 makes it pretty clear:
    The answer section contains RRs that answer the question; the
    authority section contains RRs that point toward an authoritative name
    server; the additional records section contains RRs which relate to
    the query, but are not strictly answers for the question.
The parent zone is not authoritative for the NS records pointing to
the child (that is, above the "zone cut"); the child is authoritative
for them at its apex, below the zone cut.
So when querying the parent for the child's NS records explicitly, the
parent returns an answer without the Authoritative Answer flag set and
with NS records in Authority saying "Hey, those records you want, you
should be getting them from the child." per the synthesis of rules in
1035 4.1 and 2181 6.1. When querying the child, it returns the NS
records in Answer with AA set because it is the real authority.
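As an added illustration, not part of the original message or the list archive: a small Python checker that parses two constructed DNS responses to an explicit NS query for a delegated name and labels each one as a referral (parent side of the cut: AA clear, NS RRs in Authority) or an authoritative answer (child apex: AA set, NS RRs in Answer), which is exactly the distinction drawn above. The names child.example. and ns1.child.example. and the glue address 192.0.2.53 are made up for the example; the wire format follows RFC 1035 section 4.1.

```python
import struct

NS, A, IN = 2, 1, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def rr(owner, rtype, rdata, ttl=3600):
    """Wire-encode one resource record (class IN)."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata


def build_response(txid, qname, qtype, aa, answer=(), authority=(), additional=()):
    """Constructed response: QR=1, AA as requested, one question, no compression."""
    flags = 0x8000 | (0x0400 if aa else 0)
    head = struct.pack("!HHHHHH", txid, flags, 1,
                       len(answer), len(authority), len(additional))
    return (head + encode_name(qname) + struct.pack("!HH", qtype, IN)
            + b"".join(answer) + b"".join(authority) + b"".join(additional))


def parse_response(msg):
    """Return the AA bit and the Answer/Authority/Additional RRs of a message."""
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                                   # skip QTYPE and QCLASS
    out = {"aa": bool(flags & 0x0400)}
    for section, count in (("answer", ancount), ("authority", nscount),
                           ("additional", arcount)):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == NS:                        # RDATA is a domain name
                rdata, _ = decode_name(msg, off)
            elif rtype == A:                       # RDATA is an IPv4 address
                rdata = ".".join(str(b) for b in msg[off:off + 4])
            else:
                rdata = msg[off:off + rdlen]
            off += rdlen
            rrs.append((owner, rtype, rdata))
        out[section] = rrs
    return out


def classify_ns_response(msg, qname):
    """Referral (parent) vs. authoritative answer (child) for an NS query on qname."""
    r = parse_response(msg)
    in_answer = [x for x in r["answer"] if x[0] == qname and x[1] == NS]
    in_authority = [x for x in r["authority"] if x[0] == qname and x[1] == NS]
    if r["aa"] and in_answer:
        return "authoritative"
    if not r["aa"] and in_authority and not in_answer:
        return "referral"
    return "inconsistent"


# Constructed sample data: a delegation child.example. with one glue record.
CHILD = "child.example."
NS_RR = rr(CHILD, NS, encode_name("ns1." + CHILD))
GLUE = rr("ns1." + CHILD, A, bytes([192, 0, 2, 53]))

# What a server for the parent zone returns when asked "child.example. NS".
PARENT_REFERRAL = build_response(0x1234, CHILD, NS, aa=False,
                                 authority=[NS_RR], additional=[GLUE])
# What the child's own server returns for the same question.
CHILD_ANSWER = build_response(0x1234, CHILD, NS, aa=True,
                              answer=[NS_RR], additional=[GLUE])

if __name__ == "__main__":
    for label, msg in (("parent", PARENT_REFERRAL), ("child", CHILD_ANSWER)):
        print(label, classify_ns_response(msg, CHILD), parse_response(msg))
```

To compare real servers the same way, run `dig +norecurse @<parent-server> child.example. NS` and the same query against a child server, and look at the `aa` flag and at whether the NS RRs appear in the ANSWER or the AUTHORITY section of each reply.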