Why do some parent NSs "lie" about delegation records?

Jim Reid jim at rfc1035.com
Wed Jan 7 14:34:58 UTC 2004


>>>>> "Len" == Len Conrad <LConrad at Go2France.com> writes:

    Len> While technically, the auth DNS answers 'aa' for the NS
    Len> query, in practice the non 'aa' NS records received from the
    Len> zone parent are more accurate, and predominantly the records
    Len> actually used by resolvers

This is just plain wrong. A parent's "glue" by definition cannot ever
be more accurate or definitive than the info held by the child zone's
name servers. Even if the child zone contains garbage or the child's
servers are lame. That's what delegation means. Control for one part
of the name space gets transferred from one place (the parent) to
another (the child). By doing this, the parent is explicitly giving up
responsibility for the delegated zone. In essence the parent is saying
"I'm not and can't be a definitive source of data for this chunk of
the name space. These other guys are. Go ask them." The child zones
say which name servers answer for the zone. The glue in the parent is
little more than a hint on where to find the true set of authoritative
name servers for the child. 

It's a bit misleading to say that "glue" in the parent -- i.e. A and NS
records -- for a delegation is predominantly used by resolvers. A
properly functioning resolver will only use that glue to query for the
definitive set of name servers for the child zone.
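
Added example, not part of the original message: a small Python check that compares the NS set in a parent's referral (no `aa` flag) with the NS set the child zone's own server returns with `aa` set, and treats the child's set as definitive. The dig-style responses, the zone `example.com` and the function names are constructed for illustration.

```python
import re

# Constructed dig-style responses (not captured from real servers).
PARENT_REFERRAL = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.com.     172800 IN NS ns1.example.com.
example.com.     172800 IN NS ns2.example.com.
example.com.     172800 IN NS old-ns.example.net.
;; ADDITIONAL SECTION:
ns1.example.com. 172800 IN A  192.0.2.1
"""
CHILD_ANSWER = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.com.     3600 IN NS ns1.example.com.
example.com.     3600 IN NS ns2.example.com.
example.com.     3600 IN NS ns3.example.com.
"""

def parse(text):
    """Return (aa_flag, set of NS target names) from dig-style text."""
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    aa = bool(flags) and "aa" in flags.group(1).split()
    targets = set()
    for line in text.splitlines():
        fields = line.split()
        # Record lines look like: owner TTL IN NS target
        if len(fields) == 5 and not line.startswith(";") \
                and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            targets.add(fields[4].lower().rstrip("."))
    return aa, targets

def compare_delegation(parent_text, child_text):
    """Compare the parent's delegation NS set with the child's own NS set."""
    parent_aa, parent_ns = parse(parent_text)
    child_aa, child_ns = parse(child_text)
    if parent_aa:
        raise ValueError("parent response has aa set: not a referral")
    if not child_aa:
        raise ValueError("child response lacks aa: server is lame for the zone")
    return {
        "definitive": sorted(child_ns),            # the child's data wins
        "only_in_parent": sorted(parent_ns - child_ns),
        "only_in_child": sorted(child_ns - parent_ns),
        "consistent": parent_ns == child_ns,
    }
```
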

