[dns-operations] NS answer inconsistency between implementations for delegated zone
Peter Koch
pk at DENIC.DE
Fri Mar 16 17:50:41 UTC 2012
On Fri, Mar 16, 2012 at 04:47:08PM +0000, Tony Finch wrote:
> The relevant text in RFC 2181 section 6.1 is:
>
> The NS records that indicate a zone cut are the
> property of the child zone created, as are any other records for the
> origin of that child zone, or any sub-domains of it. A server for a
> zone should not return authoritative answers for queries related to
> names in another zone, which includes the NS, and perhaps A, records
> at a zone cut, unless it also happens to be a server for the other
> zone.
>
> So the NS records returned by the parent cannot be an answer; they must be
> a referral, so must appear in the authority section.
That's only part of the story. The quote says "should not return authoritative
answers", which would not prohibit non-authoritative responses with the
NS RRSet in the answer section. However, section 5.4.1 of RFC 2181 gives
guidance on how not to elevate the credibility level, i.e., not to elevate
non-authoritative data into the answer section. Historically, this all
became much more relevant after RFC 2181, in preparation for DNSSEC, where these
- necessarily unsigned - responses would break the validation.
-Peter
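The two rules contrasted in the message, section 6.1 (the NS RRset at a zone cut is the child's, so a parent-only server must refer rather than answer) and section 5.4.1 (resolvers rank received data by credibility and never let lower-ranked data displace what is cached), as a small model. This is illustration code added for this page, not code from the thread or from any nameserver implementation; the zones example. and child.example., the server objects, the glue address and the reply objects are all made up, and the 5.4.1 ranking is reduced to the four reply-derived levels.

```python
"""Toy model of the two RFC 2181 rules discussed above.  Added illustration, not
code from the thread; zone names and addresses are made up.
  6.1   NS records at a zone cut belong to the child: a parent-only server hands
        them out as a referral (authority section, AA clear), never as an answer.
  5.4.1 resolvers rank received RRsets by credibility and ignore anything that
        ranks below the data already cached."""
from collections import namedtuple
from dataclasses import dataclass, field
from enum import IntEnum

# One RRset as seen in a reply: owner name, type and a tuple of RDATA strings.
RRset = namedtuple("RRset", "owner rtype rdata")

class Credibility(IntEnum):
    """RFC 2181 5.4.1 ranking for reply-derived data; higher is more trustworthy
    (zone-file, zone-transfer and glue levels from the RFC are omitted here)."""
    NONAUTH_AUTHORITY_OR_ADDITIONAL = 1  # authority section of a non-AA reply, any additional section
    NONAUTH_ANSWER = 2                   # answer section of a non-AA reply, or non-own data in an AA reply
    AUTH_AUTHORITY = 3                   # authority section of an AA reply
    AUTH_ANSWER = 4                      # the server's own data in the answer section of an AA reply

@dataclass
class Response:
    aa: bool  # AA flag in the header
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def _in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)

@dataclass
class Server:
    zones: dict  # zone apex -> set of zone cuts (delegated child apexes) inside it

    def authoritative_for(self, name: str) -> bool:
        """Own data: inside a served zone and not at/below a zone cut, unless the child is served too."""
        served = [z for z in self.zones if _in_zone(name, z)]
        if not served:
            return False
        closest = max(served, key=len)  # most specific served zone wins
        return not any(_in_zone(name, cut) for cut in self.zones[closest])

def credibility(section: str, resp: Response, rr: RRset, server: Server) -> Credibility:
    """Rank one RRset taken from `section` of `resp`, per 5.4.1."""
    if section == "answer":
        if resp.aa and server.authoritative_for(rr.owner):
            return Credibility.AUTH_ANSWER
        return Credibility.NONAUTH_ANSWER
    if section == "authority" and resp.aa:
        return Credibility.AUTH_AUTHORITY
    return Credibility.NONAUTH_AUTHORITY_OR_ADDITIONAL

def check_zone_cut_rule(server: Server, resp: Response) -> str:
    """Classify a reply against 6.1 and the 5.4.1 advice on answer-section placement."""
    foreign = [rr for rr in resp.answer if not server.authoritative_for(rr.owner)]
    if foreign and resp.aa:
        return f"violation: authoritative answer for {foreign[0].owner} {foreign[0].rtype} at a zone cut"
    if foreign:
        return "discouraged: non-authoritative data placed in the answer section"
    if not resp.answer and any(rr.rtype == "NS" for rr in resp.authority):
        return "referral"
    return "authoritative answer"

class Cache:
    """Minimal resolver cache applying the 5.4.1 rule: never replace cached data with lower-ranked data."""

    def __init__(self):
        self.entries = {}  # (owner, rtype) -> (RRset, Credibility)

    def ingest(self, resp: Response, server: Server) -> None:
        for section in ("answer", "authority", "additional"):
            for rr in getattr(resp, section):
                cred = credibility(section, resp, rr, server)
                key = (rr.owner, rr.rtype)
                if key not in self.entries or cred >= self.entries[key][1]:
                    self.entries[key] = (rr, cred)  # lower-ranked data is ignored

def demo() -> dict:
    parent = Server(zones={"example.": {"child.example."}})
    child = Server(zones={"child.example.": set()})
    ns_at_cut = RRset("child.example.", "NS", ("ns1.child.example.", "ns2.child.example."))
    ns_apex = RRset("child.example.", "NS", ("ns1.child.example.", "ns2.child.example.", "ns3.example."))
    glue = RRset("ns1.child.example.", "A", ("192.0.2.1",))
    referral = Response(aa=False, authority=[ns_at_cut], additional=[glue])  # what the parent should send
    aa_at_cut = Response(aa=True, answer=[ns_at_cut])                         # breaks 6.1
    elevated = Response(aa=False, answer=[ns_at_cut])                         # what 5.4.1 advises against
    apex = Response(aa=True, answer=[ns_apex])                                # the child's own answer
    cache = Cache()
    cache.ingest(apex, child)
    cache.ingest(referral, parent)  # ranks lower, so the cached apex NS set survives
    return {
        "referral": check_zone_cut_rule(parent, referral),
        "aa_at_cut": check_zone_cut_rule(parent, aa_at_cut),
        "elevated": check_zone_cut_rule(parent, elevated),
        "apex": check_zone_cut_rule(child, apex),
        "cached_ns": cache.entries[("child.example.", "NS")],
        "elevated_rank": credibility("answer", elevated, ns_at_cut, parent),
        "referral_rank": credibility("authority", referral, ns_at_cut, parent),
    }
```

The `elevated` case is the one the message singles out: putting the parent-side NS RRset in the answer section of a non-authoritative reply is not a 6.1 violation, but it ranks that copy above a proper referral in the 5.4.1 ordering, which is exactly the elevation the section advises against; the cache in `demo()` shows that a correct referral cannot displace the child's own apex NS set, whereas with DNSSEC the parent-side copy would also lack a signature the child's copy carries.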