Delegation NS-records when zones share an authority server

Havard Eidnes he at uninett.no
Wed Apr 12 17:58:59 UTC 2023


> I suspect you don't need the NS records in challenge.state.ak.us and
> if you remove them then the records in challenge.state.ak.us are
> simply part of the state.ak.us zone since they're served off of the
> same server.

Unfortunately "not quite".

While a publishing name server will respond with data from the most
specific zone available to it when queried (e.g. for the NS records
for challenge.state.ak.us), this "overriding" or "leakage" does not
happen when you do a zone transfer of the parent zone (state.ak.us).

So ... if you have a publishing name server which is a name server for
state.ak.us and not for challenge.state.ak.us, it will *not* have the
delegation NS RRset for challenge.state.ak.us, and if a recursor
happens to query this particular publishing name server as part of the
process of resolving a name in challenge.state.ak.us, it will get an
apparently-spurious NXDOMAIN response.

I understand this isn't the case right now, but this is a problem
which might come and bite your behind if you later decide to change
the NS RRsets so that they are no longer equal for the two zones.

So the long and short of my advice: do the delegations properly by
copying the NS RRset from the child to the parent, plus any required
address glue records, and this particular problem will not become an
issue.

Best regards,

- Håvard
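As an added example (not code from the original message or from BIND), a small Python check that reproduces what a parent-only secondary would see after a zone transfer: it compares the child apex NS RRset with the delegation NS RRset in the parent and flags missing in-bailiwick glue. The zone data is constructed; the names follow the thread's example and the addresses are RFC 5737 documentation ranges.

```python
"""Check that a parent zone carries the child's delegation NS RRset plus glue."""
from typing import Dict, List, Set, Tuple

# Constructed sample zone data (not taken from the original message), one record per
# line in "owner TYPE rdata" form; names mirror the thread's example, addresses are RFC 5737.
PARENT_ZONE = """
state.ak.us.            SOA ns1.state.ak.us. hostmaster.state.ak.us. 1 3600 900 1209600 300
state.ak.us.            NS  ns1.state.ak.us.
state.ak.us.            NS  ns2.state.ak.us.
ns1.state.ak.us.        A   192.0.2.1
ns2.state.ak.us.        A   192.0.2.2
challenge.state.ak.us.  NS  ns1.challenge.state.ak.us.
challenge.state.ak.us.  NS  ns2.state.ak.us.
"""
CHILD_ZONE = """
challenge.state.ak.us.      SOA ns1.challenge.state.ak.us. hostmaster.state.ak.us. 7 3600 900 1209600 300
challenge.state.ak.us.      NS  ns1.challenge.state.ak.us.
challenge.state.ak.us.      NS  ns2.state.ak.us.
ns1.challenge.state.ak.us.  A   192.0.2.10
www.challenge.state.ak.us.  A   192.0.2.20
"""

def parse_zone(text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Group 'owner TYPE rdata' lines into {(owner, type): {rdata, ...}}, names lowercased."""
    rrsets: Dict[Tuple[str, str], Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue  # skip blank lines and comments
        key = (parts[0].lower(), parts[1].upper())
        rrsets.setdefault(key, set()).add(" ".join(parts[2:]).lower())
    return rrsets

def check_delegation(parent: str, child: str, child_apex: str) -> List[str]:
    """Return the problems a parent-only secondary would expose; an empty list means the
    parent carries the child's apex NS RRset and glue for every in-bailiwick NS name."""
    p, c, apex = parse_zone(parent), parse_zone(child), child_apex.lower()
    child_ns, parent_ns = c.get((apex, "NS"), set()), p.get((apex, "NS"), set())
    problems: List[str] = []
    if not parent_ns:
        problems.append(f"parent has no delegation NS RRset for {apex}")
    problems += [f"parent is missing NS {ns}" for ns in sorted(child_ns - parent_ns)]
    problems += [f"parent lists NS {ns} not in child apex" for ns in sorted(parent_ns - child_ns)]
    for ns in sorted(parent_ns):
        # Glue is only needed (and only valid) when the NS name lies inside the child zone.
        in_bailiwick = ns == apex or ns.endswith("." + apex)
        if in_bailiwick and not (p.get((ns, "A")) or p.get((ns, "AAAA"))):
            problems.append(f"parent is missing glue for {ns}")
    return problems
```

Running the check on the sample data reports the missing glue for ns1.challenge.state.ak.us.; adding that A record to the parent makes the delegation consistent.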
