Score:0

Querying the nameserver for NS record of a domain results in a non-authoritative answer

I was wondering why name server records need to be in the zone file, because the delegation is already done by the parent zone. I came across this answer. That answer makes sense, I suppose. Then I proceeded to query the "A" record for a domain with dig.

```
dig @ns-cloud-d1.googledomains.com. offensivelearning.com a
```

Great, I got an authoritative answer. However, when I attempt to query the "NS" record for the same domain, querying the name server:

```
dig @ns-cloud-d1.googledomains.com. offensivelearning.com ns
```

This time the answer is non-authoritative. Why? I thought all answers from the name server of the domain ought to be authoritative.

djdomi
There are additional possibilities: [this](https://serverfault.com/questions/740245/how-to-find-what-authoritative-name-server-provided-the-answer-using-dig?rq=1) or [this one](https://serverfault.com/questions/1088257/why-does-dig-not-show-the-authority-section-and-how-to-make-it-show-the-authorit?rq=1) that might be related, to self-answer it ;-)
Patrick Mevzek
You got an `SOA` in the `AUTHORITY` section of your first query, and no ANSWER, because there are no `A` records at apex (try doing a query for AAAA or for any other record type without records, same answer), but the server helps with the `SOA`, as its last value is called the "Negative TTL" and informs the client for how long to keep the information (that the record does not exist). For existing records, the info is in the TTL part of the returned record itself. Note that you get a `NOERROR`, whereas for the same query of a name below, like `foobar`, you will get `NXDOMAIN` (and still a SOA).
Score:1

The question doesn't say exactly what the answer looks like, but I suspect that you are misinterpreting what you see rather than not getting an authoritative answer (which is indeed expected).
(If that is not the case, I would suspect that you are doing your tests in an environment where DNS queries are intercepted and sent to a local resolver instead of the nameserver at the destination address, or something like that.)

I get this answer, which is just like what one would expect:

```
$ dig @ns-cloud-d1.googledomains.com. offensivelearning.com NS +norec

; <<>> DiG 9.18.8 <<>> @ns-cloud-d1.googledomains.com. offensivelearning.com NS +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65042
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;offensivelearning.com.         IN      NS

;; ANSWER SECTION:
offensivelearning.com.  21600   IN      NS      ns-cloud-d3.googledomains.com.
offensivelearning.com.  21600   IN      NS      ns-cloud-d1.googledomains.com.
offensivelearning.com.  21600   IN      NS      ns-cloud-d2.googledomains.com.
offensivelearning.com.  21600   IN      NS      ns-cloud-d4.googledomains.com.

;; Query time: 14 msec
;; SERVER: 2001:4860:4802:32::6d#53(ns-cloud-d1.googledomains.com.) (UDP)
;; WHEN: Sun Jan 22 14:24:56 UTC 2023
;; MSG SIZE  rcvd: 168

$
```

Note the `aa` flag (authoritative answer).

user1720897
I was indeed misinterpreting the response. I thought an authoritative answer would include an authoritative section. But why does `dig` not include the authority in the authority section when querying for "NS" records?
@user1720897 Ok, knowing what the misunderstanding is, I may try to add a note on the different sections in the answer. The short version though: you asked for exactly these NS records, and you get the direct answer to your question in the ANSWER section. The AUTHORITY section contains information about the authority in contexts where that is needed as a byproduct of what you asked for, while the ADDITIONAL section sometimes contains additional related data that was not exactly what you asked for.
Patrick Mevzek
From question: "This time the answer is non-authoritative." This can't come from observing the sections (AUTHORITY being there or not) but by looking at the `aa` flag in the header of the answer. Presence of the `aa` flag means the answer is authoritative (vs coming from a recursive nameserver). How sections are filled is indeed a completely different problem.
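
The point made in the answer and comments above, as an added example that is not part of the original thread: authoritativeness is read from the `aa` bit in the 12-byte DNS header, not from whether the AUTHORITY section is populated. The function names and the sample headers are constructed for illustration (the first sample mirrors the header in the `dig` output above), and the resolver/referral labels are heuristics assumed here.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1), in the order dig prints them.
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080))
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields dig shows."""
    if len(msg) < 12:
        raise ValueError("DNS message is shorter than its 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "status": RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}"),
        "QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar,
    }

def classify(msg: bytes) -> str:
    """Decide authoritativeness from the aa bit only, never from section counts."""
    h = parse_header(msg)
    if "qr" not in h["flags"]:
        return "query"
    if "aa" in h["flags"]:
        return "authoritative"
    # Heuristic (assumption): aa clear with ra set means a recursive resolver replied,
    # which is what an intercepted query to an authoritative server would look like.
    if "ra" in h["flags"]:
        return "from-recursive-resolver"
    # Heuristic (assumption): aa clear, no answers, records in AUTHORITY is a delegation.
    if h["status"] == "NOERROR" and h["ANSWER"] == 0 and h["AUTHORITY"] > 0:
        return "referral"
    return "non-authoritative"

def header(ident, flags, qd, an, ns, ar) -> bytes:
    """Pack a bare header; question and record bytes are not needed for this check."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)

# Constructed sample headers.
SAMPLES = {
    "NS reply shown in the answer": header(65042, 0x8400, 1, 4, 0, 1),
    "no-data reply with SOA in AUTHORITY": header(1, 0x8400, 1, 0, 1, 1),
    "referral from a parent zone": header(2, 0x8000, 1, 0, 4, 1),
    "reply from a recursive resolver": header(3, 0x8180, 1, 4, 0, 1),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        h = parse_header(msg)
        print(f"{label}: flags={' '.join(h['flags'])} ANSWER={h['ANSWER']} "
              f"AUTHORITY={h['AUTHORITY']} -> {classify(msg)}")
```

Both the NS reply (AUTHORITY: 0) and the no-data reply (AUTHORITY: 1) classify as authoritative, because only the `aa` bit is consulted.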