must authority section be populated for a NOERROR response with the AA bit set?

Kevin Darcy kcd at
Thu Nov 18 23:23:29 UTC 2004

Irwin Tillman wrote:

>Can someone point me to the relevant RFC that covers this:
>When a nameserver authoritative for foo returns a (positive)
>NOERROR response for foo with the authoritative bit set,
>is the response required to include authority records?
>While the response typically does have authority records in this case,
>there's an application (lbnamed) that does not do so.  Here's an example:
>      % dig
>      ; <<>> DiG 9.3.0 <<>>
>      ;; global options:  printcmd
>      ;; Got answer:
>      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9
>      ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>      ;         IN      A
>  0       IN      CNAME   phoenix.Princeton.EDU.
>      phoenix.Princeton.EDU.  3600    IN      A
>      ;; Query time: 2 msec
>      ;; SERVER:
>      ;; WHEN: Thu Nov 18 13:59:32 2004
>      ;; MSG SIZE  rcvd: 111
>A customer tells me that under some circumstances, a BIND 9.3.0 nameserver
>attempting to resolve "" will produce the
>"multiple RRs of singleton type" error when confronted with the
>response above.  (I've not been able to reproduce the failure
>here, but it may require the BIND nameserver to be configured in some
>particular way.)
>I can't find a spot in the relevant RFCs that requires the authority section
>to be populated in the response above.  Does anyone know if the RFCs 
>say so (and if so, where?).

A regular answer (i.e. NOERROR with RRs in the answer section) does not 
require a populated Authority Section, but may require RRs in the 
Additional Section if the RRs in the Answer Section cause Additional 
Section processing. Many of the AA=1 response examples in Section 6.2 of 
RFC 1034 have an empty Authority Section, so it must be legal.

But, I'm not sure what this has to do with a "multiple RRs of singleton 
type" error. That error will be triggered regardless of whether the 
offending RRs appear in the Answer Section or the Authority Section.

The response you show above doesn't have "multiple RRs of singleton 
type" (e.g. two CNAMEs or SOAs with the same owner name), by the way, 
and no configuration of BIND on the receiving side would make it think 
that it does.

I'd recommend getting the customer to reproduce the problem and 
capturing packets to see what response their nameserver is actually seeing.

- Kevin
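
Following the packet-capture advice above, this is an added example (not part of the original thread, and not BIND's code) that parses a raw DNS response and reports any owner name carrying more than one CNAME or SOA in any section. The sample messages, names and addresses are constructed placeholders, and counting RRs per owner name is an assumed simplification of the check BIND performs.

```python
import struct
from collections import Counter

SINGLETON = {5: "CNAME", 6: "SOA"}  # the two singleton types named in the reply

def read_name(msg, off):
    """Decode a possibly compressed name; return (lowercased name, next offset)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:             # compression pointer
            end = end or off + 2
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:                       # malformed capture: pointer loop
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii").lower())
            off += 1 + msg[off]
    return ".".join(labels) + ".", end or off + 1

def check_response(msg):
    """Summarise header fields and list (owner, type) pairs with >1 singleton RR."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the question section
        off = read_name(msg, off)[1] + 4
    seen = Counter()
    for _ in range(an + ns + ar):               # any section can carry the offender
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype in SINGLETON:
            seen[(owner, SINGLETON[rtype])] += 1
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0xF, "authority": ns,
            "multiple_singletons": sorted(k for k, n in seen.items() if n > 1)}

# --- constructed sample messages (names and addresses are placeholders) ---
def enc(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
def rr(owner, rtype, rdata):
    return enc(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
def build(answers):                             # header: id 9, flags qr aa rd
    return (struct.pack("!6H", 9, 0x8500, 1, len(answers), 0, 0)
            + enc("www.example.test") + struct.pack("!HH", 1, 1) + b"".join(answers))

GOOD = build([rr("www.example.test", 5, enc("host.example.test")),   # CNAME + A,
              rr("host.example.test", 1, bytes([192, 0, 2, 1]))])    # empty authority
BAD = build([rr("WWW.example.test", 5, enc("a.example.test")),       # two CNAMEs,
             rr("www.example.test", 5, enc("b.example.test"))])      # same owner
print(check_response(GOOD), check_response(BAD), sep="\n")
```

To use it on a real capture, pass `check_response` the DNS payload bytes of the response as seen by the receiving nameserver.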
