Re: about AUTHORITY SECTION

[Kevin Darcy]

On 7/7/2011 1:50 AM, Torinthiel wrote:
On 07/07/11 04:56, pa...@laposte.net wrote:
Hello,
I got two different forms of AUTHORITY SECTION from the dig, for example,

$ dig mydots.net @ns7.dnsbed.com

;<<>>  DiG 9.4.2-P2.1<<>>  mydots.net @ns7.dnsbed.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36520
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mydots.net. IN A

;; AUTHORITY SECTION:
mydots.net. 3600 IN SOA ns7.dnsbed.com. support.dnsbed.com. 6 10800 3600 604800 
3600
This one means that there's no such record. Your answer is empty. See,
you don't have answer section and RFCs state that authorative
nameservers should send SOA record in authority section if there's no data.

;; Query time: 90 msec
;; SERVER: 58.22.107.162#53(58.22.107.162)
;; WHEN: Thu Jul 7 09:54:07 2011
;; MSG SIZE rcvd: 86



$ dig www.mydots.net @ns7.dnsbed.com

;<<>>  DiG 9.4.2-P2.1<<>>  www.mydots.net @ns7.dnsbed.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3327
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.mydots.net. IN A

;; ANSWER SECTION:
www.mydots.net. 900 IN A 61.144.56.101

;; AUTHORITY SECTION:
mydots.net. 3600 IN NS ns7.dnsbed.com.
mydots.net. 3600 IN NS ns8.dnsbed.com.

And this one has correct answer, and the NS records are there just in
case - to notify you that you got your answer from authorative ns and
what other authorative ns'es are.
I think it's worth emphasizing that in the first case, the contents of 
the Authority Section were *mandatory* (see RFC 2308, Negative Caching), 
whereas in the second case the authoritative nameserver was *optionally* 
providing NS records in the Authority Section. It could have legally 
left the Authority Section completely empty, and in fact many 
load-balancers, pretending (to various degrees of competence) to be 
authoritative nameservers, will give responses that look like that.

                                                                        
                                                                        
                                - Kevin


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users