4

In DNS response messages, I'm confused about the difference between NS records that appear in the Answer Section (the section containing records referred to by the ANCOUNT number), and the NS records which appear in the Authority Section (the NSCOUNT number).

This answer explains the purpose of the Authority Section:

The Authority section indicates the server(s) that are the ultimate authority for answering DNS queries about that domain.

But I'm not understanding how this is different from the NS records which may appear in the Answer Section.

Siler

2 Answers

1

When you query a record type that is NOT bound with the domain (Example: Query a TLSA record type for www.google.com), then the nameserver would just reference you to the "authoritative nameservers" for that zone in the AUTHORITY section.

On the other hand, if the record type can be fetched from recursive queries (Example: Query an AAAA record type for www.google.com), you get the response in the ANSWER section.

Manish Maheshwari
  • RFC1034, Sec 4.3.2, 3b: _If a match would take us out of the authoritative data, we have a referral. This happens when we encounter a node with NS RRs marking cuts along the bottom of a zone._ _Copy the NS RRs for the subzone into the authority section of the reply. Put whatever addresses are available into the additional section, using glue RRs if the addresses are not available from authoritative data or the cache._ – ozmo Sep 26 '22 at 23:00
0

My answer is based on pure observation, not on reading RFCs. It makes sense only for NS records.

If the recursive DNS server receives a response in the Authority section, it will repeat the query to the servers which were returned in the Authority section.

If the recursive DNS server receives a response in the Answer section, it will return the results in the Answer section directly without asking them.

Tomas
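
The distinction discussed in the answers above can be read directly off the wire format. The following is an added example, not code from the question or from either answer: it parses two constructed responses and reports whether the NS records sit in the Answer section or arrive as a referral in the Authority section. The function names, the sample names and the referral check (ANCOUNT 0, NS records in Authority, AA flag clear) are assumptions of this example.

```python
import struct

NS, AA = 2, 0x0400          # NS RR type code; AA (authoritative answer) flag bit

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(255):                      # bound the walk: pointers can loop
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or compression pointer loop")

def build(flags, qname, qtype, answer, authority):   # constructed NS-only response
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!2H", qtype, 1)
    for owner, target in [*answer, *authority]:
        rdata = encode_name(target)
        msg += encode_name(owner) + struct.pack("!2HIH", NS, 1, 3600, len(rdata)) + rdata
    return msg

def classify(msg):
    """Return (kind, ns_records) from ANCOUNT, NSCOUNT and the AA flag."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off, found = 12, {"answer": [], "authority": []}
    for _ in range(qd):                       # skip question entries
        off = read_name(msg, off)[1] + 4
    for section in ["answer"] * an + ["authority"] * ns:
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        if rtype == NS:
            found[section].append((owner, read_name(msg, off + 10)[0]))
        off += 10 + rdlen
    if found["answer"]:                       # NS records were what was asked for
        return "answer", found["answer"]
    if an == 0 and found["authority"] and not flags & AA:
        return "referral", found["authority"] # delegation: ask these servers next
    return "other", []

RR = ("example.com.", "ns1.example.com.")    # constructed sample record
NS_ANSWER = build(0x8400, "example.com.", NS, [RR], [])     # NS query, AA set
REFERRAL = build(0x8000, "www.example.com.", 1, [], [RR])   # A query, AA clear
```
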