[dns-operations] NS records in Authority for NOERROR responses

Paul Vixie paul at redbarn.org
Fri Sep 4 10:40:42 UTC 2015

Jan Včelák wrote:
> Paul Vixie wrote:
>> Jan Včelák wrote:
>>> Paul Vixie wrote:
>>>> ...
>>>> sure, but under what conditions would a validating resolver decide to
>>>> query for the apex NS?
>>> If the resolver doesn't know about the delegation and will query the
>>> server for a name belonging to the child zone with DO bit set, it will
>>> receive a response with RRSIGs containing the child-zone name in the
>>> signer name field.
>> and an NS RRset and a DS RRset.
> Are we still talking about a server, which is authoritative both for a
> parent and a child zone?

no, i was referring to the general case.

> How could it get the DS RR set? The server will never send the
> delegation in the response. The response will be always authoritative.
> The only way how to get the DS RR set is to ask for it explicitly.


>> the extra round trip per delegation-crossing you're proposing sounds
>> expensive to me, compared with having the zone include its apex NS RRset
>> as BIND does today.
> Yes, it's one more RTT. It will get cached though...

does any validating recursive server detect this condition and do the
extra query today?

Paul Vixie

More information about the dns-operations mailing list