[dns-operations] NS records in Authority for NOERROR responses

Jan Včelák jan.vcelak at nic.cz
Thu Sep 3 17:00:36 UTC 2015

I forgot to mention that my question is about authoritative servers.

And also that I mean the final authoritative answer (no delegation).

On 3.9.2015 14:44, Paul Vixie wrote:
>> In Knot DNS 2.0.1, we have decided to remove NS records from the
>> Authority section for NOERROR responses. The reason why we were adding
>> these records into the responses was to be consistent with BIND and NSD.
>> AFAIK no RFC requires those records to be included. Obviously, the
>> answers are smaller now because the NS records and glue are gone.
> the most important limit in networking is packets per second. bits per
> second is secondary.

Right. Till you start doing fancy stuff like online DNSSEC signing which
is expensive as for the processing time.

>> Robert Edmonds had a great remark, that the presence of NS records
>> speeds up the propagation of updated NS records, due to trust ranking
>> rules in RFC 2181 section 5.4.1.
>> I find this very single-purposed. Why NS and not any other RR type?
> it was thought that if you reached an authority server via delegation,
> that you ought to replace your unauthoritative NS RRset from the parent
> with an authoritative NS RRset from the child. this the apex NS RRset
> from the apex is almost always included.
>> Is this really a valid use? Is it used in the wild? And does anyone rely
>> on this functionality?
> the credibility rules in RFC 2181 were written based on our experience
> with BIND 4. all versions of BIND follow those rules. the result is
> rapid replacement of unauthoritative NS RRsets with authoritative NS
> RRsets. since the above-delegation and below-delegation NS RRsets
> frequently differ, we consider that the below-delegation NS RRset is
> more likely to be correct.
> but no, it's not relied upon. the system will work without it. this adds
> robustness, no more.

Thank you for explanation, Paul.

I think all this made sense in the times of BIND 4. Modern resolvers
will do the DNSSEC validation. And the resolver will ask for the NS and
DNSKEY for the child zone right away after receiving the delegation. So
adding the NS record into authority is redundant most of the time.



More information about the dns-operations mailing list