[dns-operations] NS answer inconsistency between implementations for delegated zone

RijilV rijilv at riji.lv
Fri Mar 16 18:31:36 UTC 2012


On 16 March 2012 09:47, Tony Finch <dot at dotat.at> wrote:
> RijilV <rijilv at riji.lv> wrote:
>>
>> Could you help me understand how you understood that every answer
>> containing the NS RRs for the query zone should be in the AUTHORITY
>> rather than in the ANSWER regardless of whether it is the answer to the
>> direct query?
>
> Sure. Zone cuts are very subtle :-) The basic principle is that the parent
> zone is not authoritative for any data at or below the cut, except for the
> DNSSEC records (DS + RRSIG, NSEC + RRSIG).
>
> The relevant text in RFC 2181 section 6.1 is:
>
>                  The NS records that indicate a zone cut are the
>   property of the child zone created, as are any other records for the
>   origin of that child zone, or any sub-domains of it.  A server for a
>   zone should not return authoritative answers for queries related to
>   names in another zone, which includes the NS, and perhaps A, records
>   at a zone cut, unless it also happens to be a server for the other
>   zone.
>
> So the NS records returned by the parent cannot be an answer; they must be
> a referral, so must appear in the authority section.
>
> Tony.

Okay, I think I see where I went astray.  I missed the part about the
delegated zone not also being on the same nameserver.  For example, I
would expect dig ns com @a.gtld-servers.net. to return the NS records
in the answer section as those nameservers are the authority for the
.com zone.  Perhaps that was what I was trying to get at - not that a
nameserver should return as an answer data outside of its authority,
but rather that nameservers should return as answers data that they
are the authority for regardless of the qtype.

Thanks for helping me through that :)

.r'
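The RFC 2181 section 6.1 rule discussed in this thread, worked through as an added example (not code from either poster): given the zones a server is authoritative for and the delegation points inside them, decide whether a query gets an authoritative answer (NS RRs in ANSWER, AA set) or a referral (NS RRs in AUTHORITY, AA clear). The zone names and the `example.com` delegation are constructed sample data, not taken from the thread.

```python
def closest_zone(qname, zones):
    """Return the longest zone apex in `zones` that encloses qname, or None."""
    qname = qname.rstrip(".").lower()
    best = None
    for zone in zones:
        zone = zone.rstrip(".").lower()
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def classify(qname, qtype, served):
    """Decide how a server authoritative for `served` must answer <qname, qtype>.

    served: {zone apex: set of delegation points (child apexes) inside that zone}
    Returns (kind, aa, ns_section):
      kind       "AUTHORITATIVE", "REFERRAL" or "REFUSED"
      aa         whether the AA bit is set
      ns_section where NS RRs belong: "ANSWER", "AUTHORITY" or None (not required)
    """
    qname = qname.rstrip(".").lower()
    qtype = qtype.upper()
    zone = closest_zone(qname, served)
    if zone is None:
        return ("REFUSED", False, None)          # not a server for any enclosing zone
    for cut in served[zone]:
        cut = cut.rstrip(".").lower()
        if qname == cut or qname.endswith("." + cut):
            # The name is at or below a zone cut whose child this server does
            # not serve (if it did, closest_zone would have picked the child).
            if qname == cut and qtype in ("DS", "NSEC"):
                # Parent owns the DS/NSEC (+RRSIG) at the cut: authoritative.
                return ("AUTHORITATIVE", True, None)
            # Everything else at/below the cut belongs to the child: referral,
            # so the NS RRs of the cut go in AUTHORITY, not ANSWER.
            return ("REFERRAL", False, "AUTHORITY")
    if qtype == "NS" and qname == zone:
        # Query for the apex NS RRset of a zone this server serves: a real answer.
        return ("AUTHORITATIVE", True, "ANSWER")
    # Any other name/type inside the served zone is answered from zone data;
    # the apex NS RRset is not required (it may optionally ride in AUTHORITY).
    return ("AUTHORITATIVE", True, None)
```

With served = {"com": {"example.com"}} the two queries from the message classify as `dig ns com` -> ("AUTHORITATIVE", True, "ANSWER") and `dig ns example.com` -> ("REFERRAL", False, "AUTHORITY"); adding "example.com" to `served` flips the latter to an answer, which is the "unless it also happens to be a server for the other zone" case.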
