about AUTHORITY SECTION

Kevin Darcy kcd at chrysler.com
Thu Jul 7 17:44:24 UTC 2011


On 7/7/2011 1:50 AM, Torinthiel wrote:
> On 07/07/11 04:56, pangj at laposte.net wrote:
>> Hello,
>>
>> I got two different forms of AUTHORITY SECTION from the dig, for example,
>>
>> $ dig mydots.net @ns7.dnsbed.com
>>
>> ;<<>>  DiG 9.4.2-P2.1<<>>  mydots.net @ns7.dnsbed.com
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36520
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;mydots.net. IN A
>>
>> ;; AUTHORITY SECTION:
>> mydots.net. 3600 IN SOA ns7.dnsbed.com. support.dnsbed.com. 6 10800 3600 604800 3600
> This one means that there's no such record. Your answer is empty. See,
> you don't have answer section and RFCs state that authoritative
> nameservers should send SOA record in authority section if there's no data.
>
>> ;; Query time: 90 msec
>> ;; SERVER: 58.22.107.162#53(58.22.107.162)
>> ;; WHEN: Thu Jul 7 09:54:07 2011
>> ;; MSG SIZE rcvd: 86
>>
>>
>>
>> $ dig www.mydots.net @ns7.dnsbed.com
>>
>> ;<<>>  DiG 9.4.2-P2.1<<>>  www.mydots.net @ns7.dnsbed.com
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3327
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;www.mydots.net. IN A
>>
>> ;; ANSWER SECTION:
>> www.mydots.net. 900 IN A 61.144.56.101
>>
>> ;; AUTHORITY SECTION:
>> mydots.net. 3600 IN NS ns7.dnsbed.com.
>> mydots.net. 3600 IN NS ns8.dnsbed.com.
>
> And this one has correct answer, and the NS records are there just in
> case - to notify you that you got your answer from authoritative ns and
> what other authoritative ns'es are.
I think it's worth emphasizing that in the first case, the contents of 
the Authority Section were *mandatory* (see RFC 2308, Negative Caching), 
whereas in the second case the authoritative nameserver was *optionally* 
providing NS records in the Authority Section. It could have legally 
left the Authority Section completely empty, and in fact many 
load-balancers, pretending (to various degrees of competence) to be 
authoritative nameservers, will give responses that look like that.

                                                                         
                                                                         
                                 - Kevin
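
Added example (not part of the original messages or of BIND): a small classifier that labels a dig response by what its Authority Section means under RFC 2308, run over trimmed copies of the two outputs quoted in the thread. The function names `parse_dig` and `classify` and the label strings are hypothetical, chosen for this illustration.

```python
import re

# Constructed samples: the two dig outputs from the thread, trimmed to header and sections.
NODATA_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36520
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
mydots.net. 3600 IN SOA ns7.dnsbed.com. support.dnsbed.com. 6 10800 3600 604800 3600
"""
ANSWER_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3327
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
www.mydots.net. 900 IN A 61.144.56.101
;; AUTHORITY SECTION:
mydots.net. 3600 IN NS ns7.dnsbed.com.
mydots.net. 3600 IN NS ns8.dnsbed.com.
"""

def parse_dig(text):
    """Return (status, flags, {section: [record fields]}) from dig text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]+);", text).group(1).split()
    sections, current = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}, None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
        elif current in sections and line.strip() and not line.startswith(";"):
            sections[current].append(line.split())  # name, ttl, class, type, rdata...
    return status, flags, sections

def classify(text):
    """Label a response by the role its Authority Section plays (RFC 2308)."""
    status, flags, sec = parse_dig(text)
    auth = {rr[3]: rr for rr in sec["AUTHORITY"]}  # record type -> a record of that type
    if status not in ("NOERROR", "NXDOMAIN"):
        return status, None
    if sec["ANSWER"] and status == "NOERROR":
        return ("ANSWER+NS" if "NS" in auth else "ANSWER-ONLY"), None  # NS is optional here
    if "SOA" in auth:  # the mandatory SOA on a negative answer
        soa = auth["SOA"]
        # Negative-cache time is bounded by the SOA's TTL and its MINIMUM (last) field.
        return ("NXDOMAIN" if status == "NXDOMAIN" else "NODATA"), min(int(soa[1]), int(soa[-1]))
    if "NS" in auth and "aa" not in flags:
        return "REFERRAL", None  # NS without SOA from a non-authoritative reply
    return "NEGATIVE-NO-SOA", None  # negative answer missing the SOA it should carry

print(classify(NODATA_SAMPLE), classify(ANSWER_SAMPLE))
```

The `ANSWER-ONLY` label covers the legal case of a positive answer with an empty Authority Section; `NEGATIVE-NO-SOA` marks an empty answer that lacks the SOA an authoritative server is required to send.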