Kevin Darcy kcd at chrysler.com
Fri Jul 8 16:05:26 UTC 2011

On 7/8/2011 3:04 AM, Chris Buxton wrote:
> On Jul 7, 2011, at 6:32 PM, Feng He wrote:
>> 2011/7/8 Kevin Darcy<kcd at chrysler.com>:
>>> I think it's worth emphasizing that in the first case, the contents of the
>>> Authority Section were *mandatory* (see RFC 2308, Negative Caching), whereas
>>> in the second case the authoritative nameserver was *optionally* providing
>>> NS records in the Authority Section. It could have legally left the
>>> Authority Section completely empty, and in fact many load-balancers,
>>> pretending (to various degrees of competence) to be authoritative
>>> nameservers, will give responses that look like that.
>> In the second case I think the NS records should be there in the
>> Authority Section.
>> Consider this case:
>> example.com.  IN   NS    dns.example.com.
>> l2.example.com.  IN  NS   dns.example.com.
>> l3.l2.example.com.  IN  NS   dns.example.com.
>> When a query for example, dig l3.l2.example.com @dns.example.com, the
>> nameserver answers without the Authority Section, then the client
>> won't know the answer is in which authority zone.
> While that is correct, it is also unimportant. Everything will work as expected if the resolver never finds that out. Ditto if the resolver does discover it.
> As for Kevin's assertion that the SOA record in the authority section is required for a negative response, this is also incorrect. RFC 2308 is a proposed standard, not a standard.

OK, I stand corrected. It's mandatory per a Proposed Standard that 
hasn't had any major objections, reported flaws, or updates in years, 
and is implemented in virtually every authoritative nameserver -- 
including load-balancers, pretending to be auth nameservers, and which 
break a whole raft of other standards and/or best practices -- and resolver.

*Technically* a negative response can be given that does not conform to 
RFC 2308, and no RFC Police will show up at one's doorstep wielding an 
arrest warrant...
> Further, section 8 of this RFC does not say explicitly that an SOA must be included in a negative response, only that it must be cached (presumably only if present). We might ask the author, Mark Andrews, for clarification of this point.

Um, Section 8 talks about how resolvers deal with negative caching. 
Section 3 talks about responses from authoritative servers, and that was 
the subject of this thread. Section 3 is quite clear on the point:

"3 - Negative Answers from Authoritative Servers

  Name servers authoritative for a zone MUST include the SOA record of 
the zone in the authority section of the response when reporting an 
NXDOMAIN or indicating that no data of the requested type exists."

                                                         - Kevin
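
The RFC 2308 section 3 rule quoted above is easy to check on the wire. The following is an added example (not part of the thread or of BIND): a small stand-alone DNS message parser that classifies a response as NXDOMAIN, NODATA (rcode 0, AA set, empty answer section) or positive, and reports whether the authority section carries an SOA. The packets it inspects are constructed in the script itself, using the hypothetical example.com zone from the thread, so it runs offline; one of them is the load-balancer style NXDOMAIN with an empty authority section that Kevin describes.

```python
"""Check whether a DNS negative response carries the SOA that RFC 2308
section 3 requires in the authority section.  Added example, not from the
bind-users thread; every packet below is built by hand, not captured."""
import struct

TYPE_A, TYPE_SOA = 1, 6
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
HEADER_LEN = 12


def _encode_name(name):
    """Wire-encode a dotted name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                     # resume after the first pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Parse header, question and the three RR sections of a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    off = HEADER_LEN
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    resp = {"rcode": flags & 0xF, "aa": bool(flags & 0x0400)}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = _read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        resp[sec] = rrs
    return resp


def negative_kind(resp):
    """'NXDOMAIN', 'NODATA' (RFC 2308 section 2), or None for a positive answer."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if resp["rcode"] == RCODE_NOERROR and resp["aa"] and not resp["answer"]:
        return "NODATA"
    return None


def rfc2308_check(msg):
    """Return (kind, soa_in_authority); both None when the rule does not apply."""
    resp = parse_response(msg)
    kind = negative_kind(resp)
    if kind is None:
        return None, None
    return kind, any(rr[1] == TYPE_SOA for rr in resp["authority"])


# --- constructed sample packets (hypothetical names, not real zones) ---

def _owner(owner, qname):
    """Owner bytes; point into the question name when owner is a suffix of it."""
    if owner == qname or qname.endswith("." + owner):
        # in dotted text each label is len+1 chars, the same as on the wire
        return struct.pack("!H", 0xC000 | (HEADER_LEN + len(qname) - len(owner)))
    return _encode_name(owner)


def build_response(qname, rcode, aa, answer=(), authority=()):
    """Build a response to 'qname IN A' with the given answer/authority RRs."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, ttl, rdata in list(answer) + list(authority):
        msg += _owner(owner, qname) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


SOA_RDATA = (_encode_name("dns.example.com.") + _encode_name("hostmaster.example.com.")
             + struct.pack("!IIIII", 2011070801, 3600, 900, 604800, 300))
QNAME = "l3.l2.example.com."

# RFC 2308 type 2 NXDOMAIN: SOA of the enclosing zone in the authority section.
NXDOMAIN_WITH_SOA = build_response(QNAME, RCODE_NXDOMAIN, True,
                                   authority=[("example.com.", TYPE_SOA, 3600, SOA_RDATA)])
# Load-balancer style NXDOMAIN: empty authority section, nothing to negative-cache.
NXDOMAIN_EMPTY = build_response(QNAME, RCODE_NXDOMAIN, True)
# NODATA (name exists, no A record) with the SOA present.
NODATA_WITH_SOA = build_response(QNAME, RCODE_NOERROR, True,
                                 authority=[("example.com.", TYPE_SOA, 3600, SOA_RDATA)])
# Positive answer: the section 3 rule does not apply.
POSITIVE = build_response(QNAME, RCODE_NOERROR, True,
                          answer=[(QNAME, TYPE_A, 300, bytes([192, 0, 2, 1]))])

if __name__ == "__main__":
    for label, pkt in (("nxdomain+soa", NXDOMAIN_WITH_SOA), ("nxdomain empty", NXDOMAIN_EMPTY),
                       ("nodata+soa", NODATA_WITH_SOA), ("positive", POSITIVE)):
        print(label, rfc2308_check(pkt))
```

The NODATA test deliberately requires the AA bit: a referral from an authoritative server also has rcode 0 and an empty answer section, but it is not a negative answer and carries NS records rather than an SOA. To run the same check against a live server, feed rfc2308_check() the raw UDP payload of a response instead of the constructed packets.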
