[dns-operations] NS records in Authority for NOERROR responses

Jan Včelák jan.vcelak at nic.cz
Fri Sep 4 09:36:31 UTC 2015

Paul Vixie wrote:
> Jan Včelák wrote:
>> Mark Andrews wrote:
>>> Returning NS records also helps when the parent servers also serve
>>> the child zone and the two sets of servers differ.  Without NS
>>> records being returned you would never ask any server but the parent
>>> servers.
>> I agree. But again, this applies to insecure zones. With DNSSEC, you
>> would find out easily that there is a zone cut.
> sure, but under what conditions would a validating resolver decide to
> query for the apex NS?

If the resolver doesn't know about the delegation and will query the
server for a name belonging to the child zone with DO bit set, it will
receive a response with RRSIGs containing the child-zone name in the
signer name field.

This signer name clearly indicates that there is a delegation. And as
the server doesn't know anything about the delegation, it should fetch
all the missing information. And I think the complete information about
the delegation consists of DS, DNSKEY, and NS records.

In most cases it will work with the NS from the parent zone. But I
believe the resolver should ensure that it's asking true authoritative
servers for that zone. So it should query for the NS record and validate

Did I miss something?



More information about the dns-operations mailing list