On Fri, Mar 16, 2012 at 04:47:08PM +0000, Tony Finch wrote:

> The relevant text in RFC 2181 section 6.1 is:
>
>    The NS records that indicate a zone cut are the
>    property of the child zone created, as are any other records for the
>    origin of that child zone, or any sub-domains of it. A server for a
>    zone should not return authoritative answers for queries related to
>    names in another zone, which includes the NS, and perhaps A, records
>    at a zone cut, unless it also happens to be a server for the other
>    zone.
>
> So the NS records returned by the parent cannot be an answer; they must be
> a referral, so must appear in the authority section.

that's only part of the story. The quote says "should not return authoritative answers", which would not prohibit non-authoritative responses with the NS RRSet in the answer section. However, section 5.4.1 of RFC 2181 gives guidance how not to elevate the credibility level, i.e., not to elevate non-authoritative data into the answer section.

Historically, this all became much more relevant after RFC 2181, in preparation of DNSSEC, where these - necessarily unsigned - responses would break the validation.

-Peter
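
As an added illustration (not part of the original message), the sketch below applies a resolver-side subset of the trust order in RFC 2181 section 5.4.1 to a parent's referral and the child's authoritative answer, so that referral NS data is usable for iteration but is never returned as an answer and never displaces the child's data. The class and function names are hypothetical, the zone and server names are constructed, and the zone file, zone transfer and glue levels, plus non-authoritative data inside authoritative answers, are left out.

```python
from enum import IntEnum

class Rank(IntEnum):
    """Resolver-side subset of the RFC 2181 section 5.4.1 order (higher = more trusted)."""
    LOWEST = 1          # additional section, or authority section of a non-AA reply
    NONAUTH_ANSWER = 2  # answer section of a non-authoritative reply
    AUTH_AUTHORITY = 3  # authority section of an authoritative reply
    AUTH_ANSWER = 4     # authoritative data in the answer section of an AA reply

def rank(section, aa):
    """Map (message section, AA flag) to a rank. Hypothetical helper."""
    if section == "answer":
        return Rank.AUTH_ANSWER if aa else Rank.NONAUTH_ANSWER
    if section == "authority" and aa:
        return Rank.AUTH_AUTHORITY
    return Rank.LOWEST

class RRsetCache:
    def __init__(self):
        self._store = {}  # (owner name, type) -> (Rank, frozenset of rdata)

    def offer(self, name, rtype, rdata, section, aa):
        """Cache an RRset unless more trustworthy data is already held."""
        key, new = (name.lower(), rtype), rank(section, aa)
        held = self._store.get(key)
        if held and held[0] > new:
            return False
        self._store[key] = (new, frozenset(rdata))
        return True

    def answer(self, name, rtype):
        """Return data fit for an answer section; lowest-rank data never qualifies."""
        held = self._store.get((name.lower(), rtype))
        return None if held is None or held[0] == Rank.LOWEST else held[1]

    def delegation(self, name):
        """NS set usable for following a referral, whatever its rank."""
        held = self._store.get((name.lower(), "NS"))
        return held[1] if held else None

def demo():
    cache = RRsetCache()
    # Constructed sample: referral from the parent (AA clear, NS in authority section).
    cache.offer("example.com.", "NS", ["ns1.example.net."], "authority", aa=False)
    before = cache.answer("example.com.", "NS"), cache.delegation("example.com.")
    # Authoritative answer from the child zone's own server.
    cache.offer("example.com.", "NS", ["ns1.example.net.", "ns2.example.net."], "answer", aa=True)
    # A later referral from the parent must not displace the child's data.
    replaced = cache.offer("example.com.", "NS", ["ns9.example.org."], "authority", aa=False)
    return before, replaced, cache.answer("example.com.", "NS")
```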
