[dns-operations] NS records in Authority for NOERROR responses

Paul Vixie paul at redbarn.org
Thu Sep 3 12:44:07 UTC 2015

Jan Včelák wrote:
> Hello list,
> I'm looking for opinions on the following topic:
> In Knot DNS 2.0.1, we have decided to remove NS records from the
> Authority section for NOERROR responses. The reason why we were adding
> these records into the responses was to be consistent with BIND and NSD.
> AFAIK no RFC requires those records to be included. Obviously, the
> answers are smaller now because the NS records and glue are gone.

the most important limit in networking is packets per second. bits per
second is secondary.

> Robert Edmonds had a great remark, that the presence of NS records
> speeds up the propagation of updated NS records, due to trust ranking
> rules in RFC 2181 section 5.4.1.
> I find this very single-purposed. Why NS and not any other RR type?

it was thought that if you reached an authority server via delegation,
that you ought to replace your unauthoritative NS RRset from the parent
with an authoritative NS RRset from the child. this the apex NS RRset
from the apex is almost always included.

> Is this really a valid use? Is it used in the wild? And does anyone rely
> on this functionality?

the credibility rules in RFC 2181 were written based on our experience
with BIND 4. all versions of BIND follow those rules. the result is
rapid replacement of unauthoritative NS RRsets with authoritative NS
RRsets. since the above-delegation and below-delegation NS RRsets
frequently differ, we consider that the below-delegation NS RRset is
more likely to be correct.

but no, it's not relied upon. the system will work without it. this adds
robustness, no more.

Paul Vixie

More information about the dns-operations mailing list