RijilV writes:
> Could you help me understand how you understood that every answer
> containing the NS RRs for the query zone should be in the AUTHORITY
> rather than in the ANSWER regardless if it is the answer to the direct
> query? The relevant text taken from section 6.1 of RFC 2181 says:
>
> The authoritative servers for a zone are enumerated in the NS records
> for the origin of the zone, which, along with a Start of Authority
> (SOA) record are the mandatory records in every zone. Such a server
> is authoritative for all resource records in a zone that are not in
> another zone.
>
> I just don't see where that says what you're saying - that section is
> about what records a nameserver can claim authority over, not how it
> chooses to respond to questions. To me putting the answer to my query
> in the ANSWER section is the correct behaviour regardless of what
> record type it is.

You actually cut off the relevant text, which is the rest of that paragraph:

    The NS records that indicate a zone cut are the property of the
    child zone created, as are any other records for the origin of that
    child zone, or any sub-domains of it. A server for a zone should
    not return authoritative answers for queries related to names in
    another zone, which includes the NS, and perhaps A, records at a
    zone cut, unless it also happens to be a server for the other zone.

That combined with the text of RFC 1035 4.1 makes it pretty clear:

    The answer section contains RRs that answer the question; the
    authority section contains RRs that point toward an authoritative
    name server; the additional records section contains RRs which
    relate to the query, but are not strictly answers for the question.

The parent zone is not authoritative for the NS records pointing to the child (that is, above the "zone cut"); the child is authoritative for them at its apex, below the zone cut.

So when querying the parent for the child's NS records explicitly, the parent returns an answer without the Authoritative Answer flag set and with NS records in Authority saying "Hey, those records you want, you should be getting them from the child." per the synthesis of rules in 1035 4.1 and 2181 6.1. When querying the child, it returns the NS records in Answer with AA set because it is the real authority.
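
The two response shapes described in the reply above, as an added example that is not part of the original message: a small wire-format check that tells a parent's referral (AA clear, NS in AUTHORITY) from the child's authoritative answer (AA set, NS in ANSWER). The function names, the child.example names and both sample messages are constructed for illustration.

```python
import struct
NS, AA_BIT = 2, 0x0400  # NS RR type; Authoritative Answer bit in the header flags

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def skip_name(msg, off):
    # Walk labels; a zero byte or a compression pointer ends the name.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (1 if msg[off] == 0 else 2)

def section_types(msg):
    """Return (aa, ANSWER rr types, AUTHORITY rr types) for a DNS message."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    sections = []
    for count in (an, ns):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    return bool(flags & AA_BIT), sections[0], sections[1]

def classify(msg):
    aa, answer, authority = section_types(msg)
    if aa and NS in answer:
        return "authoritative"  # child: NS in ANSWER with AA set
    if not aa and not answer and NS in authority:
        return "referral"  # parent: NS in AUTHORITY, AA clear
    return "other"

def build(qname, nsname, aa, in_answer):
    """Construct a sample NS response (constructed test data, not a capture)."""
    rdata = encode_name(nsname)
    rr = encode_name(qname) + struct.pack("!HHIH", NS, 1, 3600, len(rdata)) + rdata
    an, ns = (1, 0) if in_answer else (0, 1)
    flags = 0x8000 | (AA_BIT if aa else 0)  # QR=1 marks a response
    header = struct.pack("!6H", 0x1234, flags, 1, an, ns, 0)
    return header + encode_name(qname) + struct.pack("!HH", NS, 1) + rr

PARENT_REPLY = build("child.example.", "ns1.child.example.", aa=False, in_answer=False)
CHILD_REPLY = build("child.example.", "ns1.child.example.", aa=True, in_answer=True)
```

A response that sets AA but carries the NS records only in AUTHORITY matches neither shape and is reported as "other".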