>> > Well, one would, in fact, expect a delegation to be a >> > non-authoritative answer: >> >> Yes, but one would presume that before any of the two above >> queries were sent, the recursive resolver already have cached the >> delegation for jshsos.ksyunv5.com. > > It doesn't matter, there can be multiple layers of delegations, and a > response with aa=0, ancount=0, no SOA in the authority section and some > NS records there is definitely what a delegation looks like.
Hm, I think I disagree slightly. Let me explain why: For just the name jshsos.ksyunv5.com there cannot be "multiple layers of delegations". Seen in context of the example from this thread, the recursive resolver has already learned this delegation via an earlier query with an AA=0 ;; AUTHORITY SECTION: jshsos.ksyunv5.com. 86395 IN NS ns4.bpldns.com. jshsos.ksyunv5.com. 86395 IN NS ns3.bpldns.com. response. When querying one of these name servers via: dig @ns4.bpldns.com. lzd.jshsos.ksyunv5.com. aaaa there are basically two valid response categories, depending on whether the "lzd" name is a part of the "jshsos.ksyunv5.com" zone or not: 1) If the "lzd" is a part of the parent zone, the parent zone authoritative name servers had better flag any responses with AA=1, be that either with an RRset of the queried-for name, a NODATA response, or an NXDOMAIN response. (From the example we already know that the name exists, so that rules out NXDOMAIN as a valid response, but a recursive resolver doesn't at that time necessarily know that (though it could have already cached data about that).) 2) If the "lzd" name is not a part of the parent zone, it implies that "lzd.jshsos.ksyunv5.com" is the name of a child zone. a) if the queried name server isn't also authoritative for the child zone, it should respond with an AA=0 delegation for the child zone, "lzd.jshsos.ksyunv5.com". b) if the queried name server is also authoritative for the child zone, ... "see #1", and a delegation response would be wrong. What's *not* valid, IMHO, is to respond with an AA=0 delegation which points back to the zone whose name servers we are already querying: ;; AUTHORITY SECTION: jshsos.ksyunv5.com. 86395 IN NS ns4.bpldns.com. jshsos.ksyunv5.com. 86395 IN NS ns3.bpldns.com. as is what's happening here. And I think you agree, since... > When it is non-productive, it is LAME. ...and this delegation response is "non-productive" because it does not bring the recursive resolver any closer to getting an answer. For a delegation to be "productive", it has to reply with a delegation for a name which includes at least "one more" label of the query. >> Therefore, posting a question about a name in that zone to one of >> the name servers supposedly serving that zone > > It needn't be authoritative for all names in the zone, it can issue > further delegations, and sure appears to do just that, only with a > delegation to itself. Well, either the queried-for name is part of the zone (at which point answers had better have AA=1), or it's part of a child zone, at which point it might be OK to respond with an AA=0 delegation. What I disagree with in the above is that a name server "needn't be authoritative for all names in the zone", since names in a child zone by definition isn't part of the parent zone. If what you said was true, the whole concept of "a zone" would be invalidated. >> And secondly, do we have any inkling whether all or most of these CDNs >> use a common codebase, or is it all truly "roll your own"? And if >> there is a dominant codebase, do we have an inkling what it is? > > I don't know, but there does seem to be some commonality of behaviour. Indeed. I see Mark had a guess. Rgards, - HÃ¥vard _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop