[dns-operations] NS records in Authority for NOERROR responses

Robert Edmonds edmonds at mycre.ws
Thu Sep 3 20:26:15 UTC 2015

Jan Včelák wrote:
> I think all this made sense in the times of BIND 4. Modern resolvers
> will do the DNSSEC validation. And the resolver will ask for the NS and
> DNSKEY for the child zone right away after receiving the delegation. So
> adding the NS record into authority is redundant most of the time.

I agree that it's redundant to add the NS RRset the vast majority of the
time; if this is a tunable, it should probably default to not adding
such records.  But even with validating DNSSEC resolvers that explicitly
query for type NS, if you did not have the capability to add the NS
RRset to outgoing responses for non-NS queries, you would still be
limited to "slow" (once per TTL) updates.

As far as relying on this functionality, the DNS protocol doesn't rely
on "non-minimal" answers for correctness, but it's easy to imagine
operational scenarios where you may need to redirect queries away from
overloaded nameservers in a hurry.  I've heard anecdotally about DNSBLs
making use of this capability (the "-A" flag to rbldnsd).

Maybe you have to keep a BIND server around alongside your Knot fleet in
case you want to retain this capability ;-)

Robert Edmonds

More information about the dns-operations mailing list