[dns-operations] NS records in Authority for NOERROR responses

Andrew Sullivan ajs at anvilwalrusden.com
Thu Sep 3 13:40:55 UTC 2015

On Thu, Sep 03, 2015 at 05:44:07AM -0700, Paul Vixie wrote:
> the credibility rules in RFC 2181 were written based on our experience
> with BIND 4. all versions of BIND follow those rules. the result is
> rapid replacement of unauthoritative NS RRsets with authoritative NS
> RRsets. since the above-delegation and below-delegation NS RRsets
> frequently differ, we consider that the below-delegation NS RRset is
> more likely to be correct.
> but no, it's not relied upon. the system will work without it. this adds
> robustness, no more.

I agree, but I'll note that RFC 5452 (in section 6) reiterates the
advice only to accept in-domain records.  If people follow that
advice, then the failure to include these NS records in NODATA answers
could actually result in more queries, because the server might decide
to check the NS set before accepting the answer.  I rather doubt
anyone would do this, but it is strictly what the advice implies.

Best regards,


Andrew Sullivan
ajs at anvilwalrusden.com
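
An added example, not part of either message and not BIND's code: a toy cache that applies a subset of the RFC 2181 section 5.4.1 ranking together with the RFC 5452 section 6 in-domain check. It shows the NS RRset from a referral being replaced by the one the child zone returns in its Authority section. The `Trust` levels, the `Cache` class, the replace-on-equal-or-higher rule and the example.com names are assumptions constructed for the illustration.

```python
from enum import IntEnum

class Trust(IntEnum):
    """Subset of the RFC 2181 section 5.4.1 ranking, least credible first."""
    AUTHORITY_NONAUTH = 1  # authority section, AA=0: a referral from the parent
    ANSWER_NONAUTH = 2     # answer section, AA=0
    AUTHORITY_AUTH = 3     # authority section, AA=1: the child's own NS RRset
    ANSWER_AUTH = 4        # answer section, AA=1

def norm(name):
    return name.lower().rstrip(".")

def in_bailiwick(owner, zone):
    """RFC 5452 section 6: owner must be at or below the zone we queried."""
    owner, zone = norm(owner), norm(zone)
    return zone == "" or owner == zone or owner.endswith("." + zone)

class Cache:
    def __init__(self):
        self.rrsets = {}  # (owner, rtype) -> (Trust, frozenset of rdata)

    def offer(self, owner, rtype, rdata, trust, zone):
        """Store an RRset from a response by a server for `zone`; True if kept."""
        if not in_bailiwick(owner, zone):
            return False  # out-of-domain record is ignored
        key = (norm(owner), rtype)
        held = self.rrsets.get(key)
        if held is not None and held[0] > trust:
            return False  # more credible data is never displaced
        self.rrsets[key] = (Trust(trust), frozenset(rdata))
        return True

    def lookup(self, owner, rtype):
        return self.rrsets.get((norm(owner), rtype))

def demo():
    """Constructed exchange: referral from com, then a NODATA reply from the child."""
    cache = Cache()
    parent_ns = {"ns1.example.com.", "ns-old.example.com."}  # above the cut
    child_ns = {"ns1.example.com.", "ns2.example.com."}      # below the cut
    steps = [
        cache.offer("example.com.", "NS", parent_ns, Trust.AUTHORITY_NONAUTH, "com."),
        cache.offer("example.com.", "NS", child_ns, Trust.AUTHORITY_AUTH, "example.com."),
        cache.offer("example.com.", "NS", parent_ns, Trust.AUTHORITY_NONAUTH, "com."),
        cache.offer("example.net.", "NS", {"ns.example.net."}, Trust.AUTHORITY_AUTH, "example.com."),
    ]
    return steps, cache.lookup("example.com.", "NS")

if __name__ == "__main__":
    print(demo())
```

If the child's NODATA reply carried no NS RRset, the second `offer` would never happen and the cache would keep the referral's lower-ranked set until the resolver asked for the NS RRset itself.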

