[dns-operations] NS records in Authority for NOERROR responses

Paul Vixie paul at redbarn.org
Fri Sep 4 09:50:06 UTC 2015

Jan Včelák wrote:
> Paul Vixie wrote:
>> ...
>> sure, but under what conditions would a validating resolver decide to
>> query for the apex NS?
> If the resolver doesn't know about the delegation and will query the
> server for a name belonging to the child zone with DO bit set, it will
> receive a response with RRSIGs containing the child-zone name in the
> signer name field.

and an NS RRset and a DS RRset.

> This signer name clearly indicates that there is a delegation. And as
> the server doesn't know anything about the delegation, it should fetch
> all the missing information. And I think the complete information about
> the delegation consists of DS, DNSKEY, and NS records.

it will have received a non-authoritative NS RRset, even with DO=1. why
would it query the child for this?

> In most cases it will work with the NS from the parent zone. But I
> believe the resolver should ensure that it's asking true authoritative
> servers for that zone. So it should query for the NS record and validate
> them.
> Did I miss something?

the extra round trip per delegation-crossing you're proposing sounds
expensive to me, compared with having the zone include its apex NS RRset
as BIND does today.
Paul Vixie

More information about the dns-operations mailing list