[dns-operations] NS records in Authority for NOERROR responses

Jan Včelák jan.vcelak at nic.cz
Fri Sep 4 08:06:49 UTC 2015

Peter van Dijk wrote:
> PowerDNS Auth has never* added the auth NSset to negative (or even
> positive!) responses. I am not aware of any reports of trouble.

Thank you for confirmation. I'm glad to hear that.

Anand Buddhdev wrote:
> On 03/09/15 19:42, Peter van Dijk wrote:
>> On a sidetone, I don’t see an AUTHORITY section in `dig +norec mx
>> www.isc.org @ord.sns-pb.isc.org` either, suggesting BIND may also have
>> stopped doing it on nodata and nxdomain?
> Perhpas you were getting responses from a BIND server that has/had
> "minimal-responses" set to "yes". Enabling this option in BIND makes it
> emit record in the authority section only for responses that need it,
> like delegations and negative responses.

The "minimal-responses" option has no effect on the NS inclusion in
Authority. I know it because in the Knot DNS test suite, we compare
answers sent by Knot DNS with answers sent by BIND. And this is where we
differ even with minimal-responses.

> I do get records in the authority section for that query, so either ISC
> has reconfigured something, or we're talking to different servers.

Peter's original query was for the MX record, which gives NODATA
response. And in this case, the authority section contains SOA record
and no NS record.

$ dig +norec mx www.isc.org @ord.sns-pb.isc.org

But if you you ask for the A record, the situation we discuss appears.
The authority will contain NS records and the additional section will
contain A/AAAA records for the name servers.

$ dig +norec A www.isc.org @ord.sns-pb.isc.org



More information about the dns-operations mailing list