Correct response to NS request in case of dual delegation when one delegation returns REFUSED

[Tony Finch]

Ondřej Surý <ondrej at isc.org> wrote:
>
> > 1) client asks Bind: what is NS for "cluster"?
> > 2) Bind seems to issue requests to both "storage1" and "storage2" for "NS cluster", one of which always returns "REFUSED"
> > 3) Answer of Bind to client does not contain the one that was "refused".
>
> no, I think it’s different problem.
>
> Both storage1 and storage2 need to return the full set of NS for the
> cluster query because the NS set from child zone will override the
> delegation from the parent.

And, Marki, if you need a pointer to where this behaviour is specified,
look at https://www.rfc-editor.org/rfc/rfc2181#section-5.4.1

In particular,

     + The authoritative data included in the answer section of an
       authoritative reply.

In your case this is the single-record NS answer from one of the clusters,
and it outranks:

     + Additional information from an authoritative answer,
       Data from the authority section of a non-authoritative answer,
       Additional information from non-authoritative answers.

In your case this is the two-record NS in the referral from your parent
zone.

If these devices allow you to configure DNS servers for readiness checks
separately from general-purpose DNS, then you might be able to work around
the problem by pointing the readiness checks at an authoritative-only
server, if the devices are willing to find their answer in the AUTHORITY
section of the response. If. Maybe.

-- 
Tony Finch  <fanf at isc.org>  (he/they)  Cambridge, England
Trafalgar: In southeast, northerly, but easterly in far southeast, 4
to 6, increasing 7, perhaps gale 8 later, near gibraltar strait. In
northwest, variable 2 to 4, becoming northerly 5 later in southeast.
In southeast, moderate, occasionally rough. in northwest, rough
becoming moderate. In southeast, fair. In northwest, showers later. In
southeast, good. In northwest, good.