RijilV <rij...@riji.lv> wrote:
>
> Could you help me understand how you understood that every answer
> containing the NS RRs for the query zone should be in the AUTHORITY
> rather than in the ANSWER regardless if it is the answer to the direct
> query?
Sure. Zone cuts are very subtle :-) The basic principle is that the parent
zone is not authoritative for any data at or below the cut, except for the
DNSSEC records (DS + RRSIG, NSEC + RRSIG).
The relevant text in RFC 2181 section 6.1 is:
The NS records that indicate a zone cut are the
property of the child zone created, as are any other records for the
origin of that child zone, or any sub-domains of it. A server for a
zone should not return authoritative answers for queries related to
names in another zone, which includes the NS, and perhaps A, records
at a zone cut, unless it also happens to be a server for the other
zone.
So the NS records returned by the parent cannot be an answer; they must be
a referral, so must appear in the authority section.
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Viking, North Utsire: Southerly 6 to gale 8, becoming variable 4 later.
Moderate or rough, becoming very rough in Viking. Rain or showers. Good,
occasionally poor.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
