rfc1034 & bind9 cache - cached glue A RR not available to any clients, even with +norec

[Jonathan de Boyne Pollard]

LV> Why bind9 doesn't provide A RRs, which were received as a
LV> referral even to the +norec clients.

One possible reason why is that it isn't actually useful for proxy DNS 
servers (and it is your proxy DNS server that you queried here, not the 
actual content DNS servers themselves) to perform such "additional" 
section processing; since DNS Client libraries generally only look for 
the answer to the exact question that they asked and ignore additional 
data, and thus it is largely pointless and consumptive of both bandwidth 
and processing to eke out and to supply those data.

Another possible reason why is that by setting the RD bit to zero, 
you've told your proxy DNS server to not issue any back-end queries to 
other DNS servers, and essentially to do the bare minimum amount of 
processing in order to generate a response.  Notice that BIND has 
returned no more than the minimum information necessary to let you 
distinguish the response as being a partial answer ending in a referral, 
instead of a complete answer denoting an empty resource record set in 
the form of type 3 response.

LV> $ dig a fake1.ladislav.name.ae. +norec

Now query your content DNS server directly with

	dig @fake1.ladislav.name.ae. a fake1.ladislav.name.ae. +norec

and consider that, conversely, it is not only useful but necessary for 
content DNS servers to perform "additional" section processing.