On 5/2/23 17:52, Joe Abley wrote:
On Tue, May 2, 2023 at 11:09, Peter Thomassen <pe...@desec.io <mailto:On Tue, May 2, 2023
at 11:09, Peter Thomassen <<a href=>> wrote:
If one of the NS answers non-authoritatively, then it doesn't serve a proper NS
RRset, so it's not possible for that server's response to agree / be identical
with that on the parent side. As a result, the delegation (to that server) is
lame, isn't it?
A nameserver can answer authoritatively for a particular query without being
listed in any zone's NS RRSet.
A response from a server doesn't necessarily include an NS RRSet anyway.
Sure, but to compare to the delegation's NS RRset (as Paul was arguing), you'll
have to ask the authoritative nameserver for the NS RRset, in which case the
response should contain that RRset and the AA bit.
Paul said that even if the AA bit was missing, that would not be lame, as long
as the RDATA agree. I was trying to say that if the child's answer is indeed
non-authoritative, that's not a proper situation because the two servers make
conflicting authority claims. What the parent and the child nameserver say
w.r.t. the NS hosts' authority is not identical; as a result, I would call it
lame. (Apologies for the loose wording in my earlier post; I really should be
more careful.)
Another case would be where the name server responds with REFUSED, which, depending on the reader's
DNS expertise, could be construed as a "answering non-authoritatively", although it's not
answer (only a response). Is this meant to be included in the "lame" definition?
(It is not clear whether the verb "answering" is meant to require the presence of answer RRs, but I suppose
so. Further, the distinction between "answer" and "response" may not be obvious to someone reading
about "lame delegations" when debugging an issue, so it may be worth clarifying what's meant, e.g. by
referring to the RCODE.)
Best,
Peter
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
