[dns-operations] NS records in Authority for NOERROR responses

Jan Včelák jan.vcelak at nic.cz
Fri Sep 4 10:19:37 UTC 2015

Paul Vixie wrote:
> Jan Včelák wrote:
>> Paul Vixie wrote:
>>> ...
>>> sure, but under what conditions would a validating resolver decide to
>>> query for the apex NS?
>> If the resolver doesn't know about the delegation and will query the
>> server for a name belonging to the child zone with DO bit set, it will
>> receive a response with RRSIGs containing the child-zone name in the
>> signer name field.
> and an NS RRset and a DS RRset.

Are we still talking about a server, which is authoritative both for a
parent and a child zone?

How could it get the DS RR set? The server will never send the
delegation in the response. The response will be always authoritative.
The only way how to get the DS RR set is to ask for it explicitly.

> the extra round trip per delegation-crossing you're proposing sounds
> expensive to me, compared with having the zone include its apex NS RRset
> as BIND does today.

Yes, it's one more RTT. It will get cached though...



More information about the dns-operations mailing list