about AUTHORITY SECTION
kcd at chrysler.com
Fri Jul 8 16:05:26 UTC 2011
On 7/8/2011 3:04 AM, Chris Buxton wrote:
> On Jul 7, 2011, at 6:32 PM, Feng He wrote:
>> 2011/7/8 Kevin Darcy<kcd at chrysler.com>:
>>> I think it's worth emphasizing that in the first case, the contents of the
>>> Authority Section were *mandatory* (see RFC 2308, Negative Caching), whereas
>>> in the second case the authoritative nameserver was *optionally* providing
>>> NS records in the Authority Section. It could have legally left the
>>> Authority Section completely empty, and in fact many load-balancers,
>>> pretending (to various degrees of competence) to be authoritative
>>> nameservers, will give responses that look like that.
>> In the second case I think the NS records should be there in the
>> Authority Section.
>> Consider this case:
>> example.com. IN NS dns.example.com.
>> l2.example.com. IN NS dns.example.com.
>> l3.l2.example.com. IN NS dns.example.com.
>> When, for example, a query such as dig l3.l2.example.com @dns.example.com
>> is answered by the nameserver without the Authority Section, the client
>> won't know which authoritative zone the answer is in.
> While that is correct, it is also unimportant. Everything will work as expected if the resolver never finds that out. Ditto if the resolver does discover it.
> As for Kevin's assertion that the SOA record in the authority section is required for a negative response, this is also incorrect. RFC 2308 is a proposed standard, not a standard.
OK, I stand corrected. It's mandatory per a Proposed Standard that
hasn't had any major objections, reported flaws, or updates in years,
and is implemented in virtually every authoritative nameserver --
including load-balancers, pretending to be auth nameservers, and which
break a whole raft of other standards and/or best practices -- and resolver.
*Technically* a negative response can be given that does not conform to
RFC 2308, and no RFC Police will show up at one's doorstep wielding an
> Further, section 8 of this RFC does not say explicitly that an SOA must be included in a negative response, only that it must be cached (presumably only if present). We might ask the author, Mark Andrews, for clarification of this point.
Um, Section 8 talks about how resolvers deal with negative caching.
Section 3 talks about responses from authoritative servers, and that was
the subject of this thread. Section 3 is quite clear on the point:
"3 - Negative Answers from Authoritative Servers
Name servers authoritative for a zone MUST include the SOA record of
the zone in the authority section of the response when reporting an
NXDOMAIN or indicating that no data of the requested type exists."
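The rule quoted from RFC 2308 section 3 is easy to check mechanically. The following is an added example, not code from the thread, from BIND, or from any of the participants: it builds a few DNS responses in wire format (constructed sample messages, no network; the names example.com and dns.example.com are taken from the thread, the rest are illustrative), parses them, and reports whether a negative response carries the zone SOA in the authority section. It also shows the point made about positive answers: an authoritative answer with an empty Authority Section is still conformant, because NS records there are optional. The referral distinction (empty answer, NS but no SOA in authority) follows RFC 2308 section 2.2.

```python
"""RFC 2308 section 3 check for constructed DNS responses (added example)."""
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AAAA = 1, 2, 6, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_rr(owner, rtype, rdata, ttl=3600):
    """owner + TYPE, CLASS=IN, TTL, RDLENGTH + RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def soa_rdata(mname, rname, minimum=300):
    return (encode_name(mname) + encode_name(rname)
            + struct.pack("!IIIII", 2011070801, 3600, 600, 86400, minimum))


def build_response(qname, qtype, rcode, answers=(), authority=(), aa=True):
    """Header, one question, then answer and authority sections (no additional)."""
    flags = FLAG_QR | (FLAG_AA if aa else 0) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answers) + b"".join(authority)


def read_name(msg, offset):
    """Decode a name at offset, following compression pointers; return (name, next)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(msg):
    """Return (flags, answer RR types, authority RR types) as lists of (owner, type)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            rrs.append((owner, rtype))
        sections.append(rrs)
    return flags, sections[0], sections[1]


def rfc2308_section3_verdict(msg):
    """Classify a response and say whether RFC 2308 s.3 is met.

    Returns (kind, compliant). Negative answers (NXDOMAIN, NODATA) need an SOA in
    the authority section; positive answers and referrals are not negative
    answers, so the rule does not apply and they are reported compliant."""
    flags, answers, authority = parse_response(msg)
    rcode = flags & 0x000F
    has_soa = any(t == TYPE_SOA for _, t in authority)
    has_ns = any(t == TYPE_NS for _, t in authority)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain", has_soa
    if rcode == RCODE_NOERROR and not answers:
        if has_ns and not has_soa:               # RFC 2308 s.2.2: a referral
            return "referral", True
        return "nodata", has_soa
    return "positive", True


# Constructed sample messages: a conformant NXDOMAIN, the load-balancer style
# NXDOMAIN with an empty Authority Section, a NODATA answer, and a positive
# answer whose Authority Section is legally empty.
SOA = build_rr("example.com.", TYPE_SOA, soa_rdata("dns.example.com.", "hostmaster.example.com."))
NXDOMAIN_WITH_SOA = build_response("nope.example.com.", TYPE_A, RCODE_NXDOMAIN, authority=[SOA])
NXDOMAIN_EMPTY_AUTH = build_response("nope.example.com.", TYPE_A, RCODE_NXDOMAIN)
NODATA_WITH_SOA = build_response("l3.l2.example.com.", TYPE_AAAA, RCODE_NOERROR, authority=[SOA])
POSITIVE_NO_NS = build_response("l3.l2.example.com.", TYPE_A, RCODE_NOERROR,
                                answers=[build_rr("l3.l2.example.com.", TYPE_A, b"\xc0\x00\x02\x01")])

if __name__ == "__main__":
    for label, m in [("nxdomain+soa", NXDOMAIN_WITH_SOA), ("nxdomain, empty auth", NXDOMAIN_EMPTY_AUTH),
                     ("nodata+soa", NODATA_WITH_SOA), ("positive, no NS", POSITIVE_NO_NS)]:
        print(label, rfc2308_section3_verdict(m))
```

Run it as a script and the second message, the NXDOMAIN with nothing in the Authority Section, is the only one flagged, which is exactly the shape of response the thread attributes to load-balancers posing as authoritative servers.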