[dns-operations] NS records in Authority for NOERROR responses

Shane Kerr shane at time-travellers.org
Thu Sep 3 14:45:53 UTC 2015


On Thu, 03 Sep 2015 05:44:07 -0700
Paul Vixie <paul at redbarn.org> wrote:

> Jan Včelák wrote:
> > Hello list,
> >
> > I'm looking for opinions on the following topic:
> >
> > In Knot DNS 2.0.1, we have decided to remove NS records from the
> > Authority section for NOERROR responses. The reason why we were adding
> > these records into the responses was to be consistent with BIND and NSD.
> > AFAIK no RFC requires those records to be included. Obviously, the
> > answers are smaller now because the NS records and glue are gone.
> the most important limit in networking is packets per second. bits per
> second is secondary.

True, although CPU does matter, especially on busy resolvers. This is
especially a waste since stub clients don't have any purpose for this
data. (I don't think Jan's question is about resolvers, but anyway...)

There's a certain amount of time building these larger packets - looking up
the extra data in the in-memory tree and doing name compression on the

> > Is this really a valid use? Is it used in the wild? And does anyone rely
> > on this functionality?
> the credibility rules in RFC 2181 were written based on our experience
> with BIND 4. all versions of BIND follow those rules. the result is
> rapid replacement of unauthoritative NS RRsets with authoritative NS
> RRsets. since the above-delegation and below-delegation NS RRsets
> frequently differ, we consider that the below-delegation NS RRset is
> more likely to be correct.
> but no, it's not relied upon. the system will work without it. this adds
> robustness, no more.

We *could* include RRSIG and then we could (sometimes) rely on these
answers. ;) (I vaguely recall discussions of caching unasked-for data
on dnsext, but I wasn't part of them.)



More information about the dns-operations mailing list