[dns-operations] NS answer inconsistency between implementations for delegated zone

Peter Koch pk at DENIC.DE
Fri Mar 16 17:50:41 UTC 2012

On Fri, Mar 16, 2012 at 04:47:08PM +0000, Tony Finch wrote:

> The relevant text in RFC 2181 section 6.1 is:
>                   The NS records that indicate a zone cut are the
>    property of the child zone created, as are any other records for the
>    origin of that child zone, or any sub-domains of it.  A server for a
>    zone should not return authoritative answers for queries related to
>    names in another zone, which includes the NS, and perhaps A, records
>    at a zone cut, unless it also happens to be a server for the other
>    zone.
> So the NS records returned by the parent cannot be an answer; they must be
> a referral, so must appear in the authority section.

that's only part of the story.  The quote says "should not return authoritative
answers", which would not prohibit non-authoritative responses with the
NS RRSet in the answer section.  However, section 5.4.1 of RFC 2181 gives
guidance on how not to elevate the credibility level, i.e., not to elevate
non-authoritative data into the answer section. Historically, this all
became much more relevant after RFC 2181, in preparation for DNSSEC, where these
- necessarily unsigned - responses would break the validation.
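As an added example (not part of this thread), a small Python check that tells the three cases apart for a response to an NS query at a delegation point: a referral (NS RRset in the authority section, AA clear), an authoritative answer (NS in the answer section, AA set), and the non-authoritative answer-section placement the reply above discusses. The wire-format messages are built by `build_response` from constructed data, so it runs offline; the owner and server names are made up.

```python
import struct
QTYPE_NS = 2   # RR type code for NS

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def section_types(msg, off, count):
    """Return the RR types found in one section and the offset past it."""
    types = []
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        types.append(rtype)
    return types, off

def classify_ns_response(msg):
    """Say where a response places the NS RRset for the queried (delegated) name."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    aa = bool(flags & 0x0400)                  # AA bit of the header flags
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QNAME, then QTYPE + QCLASS
    answer, off = section_types(msg, off, an)
    authority, _ = section_types(msg, off, ns)
    if QTYPE_NS in answer:
        return "authoritative answer" if aa else "non-authoritative answer"
    if QTYPE_NS in authority and not aa:
        return "referral"
    return "other"

def encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_response(qname, aa, answer_rrs, authority_rrs):
    """Build a minimal uncompressed response to `qname NS` (constructed data)."""
    flags = 0x8000 | (0x0400 if aa else 0)     # QR set; AA as requested
    out = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer_rrs), len(authority_rrs), 0)
    out += encode_name(qname) + struct.pack("!HH", QTYPE_NS, 1)
    for owner, rtype, rdata in answer_rrs + authority_rrs:
        out += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return out
```

Feeding it the raw bytes of real responses from a parent and a child server for the same delegated name makes the inconsistency in the subject line visible as two different labels.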