Score:1

What is the difference between a query for a TXT record and a query for a TXT record against a particular name server?


For the purpose of implementing an email server, I want to be able to look up a domain's DKIM record. What is the difference between these two sets of DNS queries? Which should I choose to implement for my email server and why?

Approach 1

> nslookup -q=txt m1._domainkey.amazon.com
Server:     10.0.11.162
Address:    10.0.11.162#53

Non-authoritative answer:
m1._domainkey.amazon.com    text = "v=DKIM1\;k=rsa\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAiSCfuVglLVcKGSFDAPmf1fg/bwnQkgxVkLdTIc1pIOS/K88Pl7p16oS0SW/h2reFQw0QzTEdCNxeXFLXvuoQbwp5lIn5dObz08zRKO3Fc8EOOCrpMq88MARY7glZPsb4l2DnJqwBtqGI1etN2trLbucmzSS9V89VQKmo0jiU7wIDAQAB"

Approach 2

> nslookup -q=ns amazon.com
Server:     10.0.11.162
Address:    10.0.11.162#53

Non-authoritative answer:
amazon.com  nameserver = ns1.amzndns.net.
amazon.com  nameserver = ns2.amzndns.org.
amazon.com  nameserver = ns2.amzndns.co.uk.
amazon.com  nameserver = ns1.amzndns.org.
amazon.com  nameserver = ns2.amzndns.com.
amazon.com  nameserver = ns2.amzndns.net.
amazon.com  nameserver = ns1.amzndns.co.uk.
amazon.com  nameserver = ns1.amzndns.com.

Authoritative answers can be found from:

> nslookup -q=txt m1._domainkey.amazon.com ns1.amzndns.net
Server:     ns1.amzndns.net
Address:    156.154.65.10#53

m1._domainkey.amazon.com    text = "v=DKIM1\;k=rsa\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAiSCfuVglLVcKGSFDAPmf1fg/bwnQkgxVkLdTIc1pIOS/K88Pl7p16oS0SW/h2reFQw0QzTEdCNxeXFLXvuoQbwp5lIn5dObz08zRKO3Fc8EOOCrpMq88MARY7glZPsb4l2DnJqwBtqGI1etN2trLbucmzSS9V89VQKmo0jiU7wIDAQAB"

EDIT 1: I am also wondering if I go with approach #2, should I query every name server? What if it is missing from one?

Jaromanda X
`What is the difference` in practice, not much, except when you make a change, it takes time to propagate any change from the "authoritative" name servers
@JaromandaX DNS does not propagate. It is cached.
Score:3

Amazon, in order to be fail-safe, is running eight copies of its name server. The master would seem to be yet another server:

> nslookup -type=SOA amazon.com

Non-authoritative answer:
amazon.com
        primary name server = dns-external-master.amazon.com
        responsible mail addr = root.amazon.com
        serial  = 2010176184
        refresh = 180 (3 mins)
        retry   = 60 (1 min)
        expire  = 3024000 (35 days)
        default TTL = 60 (1 min)

So we can guess that all eight of the name servers specified are actually replicas of the master specified as the Start Of Authority.

Functionally, there is little difference in your two options. Because they are all replicas, it should make no difference which of the eight you query. Your first option asks your local DNS relay to report on whichever of those eight it has most recently asked for a domainkey record, or failing that, pick one arbitrarily and report that. The second asks your local DNS to ask for the list of name servers, and you then pick one of them yourself and ask that one for the domainkey record that it holds. In the end, you'll get the same response, but your first option is far simpler for you to implement, and probably makes better use of the cached nature of DNS queries.

Hassu
I am also wondering if I go with approach #2, should I query every name server? What if it is missing from one?
tsc_chazz
Practically speaking, it will not be. The zone replicates as a whole, so if any of it is there, it all will be... and at worst it may be a few minutes out of date, but DKIM records change slowly, and there is generally some overlap. As @KeithLangmead says, below, the only likely difference is that you will take a lot more time making queries, when with approach #1 you're letting the system do it all for you as it was designed to.
Score:2

The main difference between the two will be speed. Both methods achieve the same thing, but method 2) would mean that for every query you'd need to be making an external DNS query to the authoritative name server.

Method 1) would let your local DNS server do what it's there for, e.g. handle asking the authoritative server for the result once, and then for every future request for that information while the TTL of the record remains, return the result from the local cache, which is a LOT faster.

Of course in reality the time difference between the two is in milliseconds, probably single digits for your local DNS server, and double digits (at least) for the authoritative server. But if you're getting hundreds/thousands of messages from a particular domain per hour, which isn't beyond the realms of possibility with some large providers (think gmail.com, amazon.com etc) then that small difference in time can add up into significant delays. And since the DKIM records you're retrieving will rarely if ever change, there's little or no benefit to be gained from that delay.
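As an added example (not code from the question or from any of the answers), here is a stdlib-only Python sketch of the two pieces an email server needs with approach #1: a parser for the DKIM key record that comes back in the TXT answer (it joins the quoted strings, undoes the `\;` escaping that nslookup prints, and rejects the malformed cases RFC 6376 says a verifier must reject), and a TTL-respecting cache that shows why one upstream query per TTL, which is what the local resolver does for you, beats asking an authoritative server on every message. The selector name, the fake key bytes and the stand-in upstream lookup are all constructed for this example; no network is touched.

```python
"""Added example: parse a DKIM TXT record and cache it by TTL (stdlib only).
The fake key, the selector name and the stand-in resolver are constructed
for this example; nothing here is code from the question or the answers."""
import base64
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed stand-in for a DER SubjectPublicKeyInfo: only the leading
# 0x30 (DER SEQUENCE) matters for the sanity check below. Not a real key.
FAKE_DER = b"\x30\x0c\x02\x01\x01\x02\x07" + b"\xaa" * 7
FAKE_P = base64.b64encode(FAKE_DER).decode()
# Presentation form as nslookup/dig print it: ';' escaped as '\;' and the
# RDATA split into several quoted character-strings (constructed sample).
SAMPLE_TXT = f'"v=DKIM1\\;k=rsa\\;h=sha256\\;p={FAKE_P[:8]}" "{FAKE_P[8:]}"'


def unquote_txt(presentation: str) -> str:
    """Concatenate the quoted strings of a TXT record (RFC 6376 s.3.6.2.2)
    and undo the backslash escaping used in presentation format."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', presentation)
    raw = "".join(parts) if parts else presentation
    return raw.replace("\\;", ";").replace('\\"', '"')


@dataclass(frozen=True)
class DkimKey:
    key_type: str               # k= tag, default "rsa"
    public_key: bytes           # decoded p= (empty when revoked)
    hash_algs: Tuple[str, ...]  # h= tag; empty tuple means "all allowed"
    flags: Tuple[str, ...]      # t= tag (e.g. "y" testing, "s" strict)
    revoked: bool               # p= present but empty


def parse_dkim_record(value: str) -> DkimKey:
    """Parse a DKIM key record tag-list (RFC 6376 s.3.2 / s.3.6.1).
    Raises ValueError on records a verifier must reject."""
    tags: Dict[str, str] = {}
    first_tag = None
    for item in value.split(";"):
        item = item.strip()
        if not item:                     # empty item: a trailing ';' is legal
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        tag, val = item.split("=", 1)
        tag = tag.strip()
        if tag in tags:                  # duplicate tags are invalid
            raise ValueError(f"duplicate tag: {tag}")
        tags[tag] = val.strip()
        first_tag = first_tag or tag
    if "v" in tags and (first_tag != "v" or tags["v"] != "DKIM1"):
        raise ValueError("v= must be DKIM1 and must come first")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    key_b64 = re.sub(r"\s+", "", tags["p"])   # folding whitespace is ignored
    public_key = b""
    if key_b64:
        try:
            public_key = base64.b64decode(key_b64, validate=True)
        except ValueError as exc:             # binascii.Error subclasses it
            raise ValueError("p= is not valid base64") from exc
        if public_key[:1] != b"\x30":         # header check only, not DER parsing
            raise ValueError("p= does not look like a DER SubjectPublicKeyInfo")

    def colon_list(tag: str) -> Tuple[str, ...]:
        return tuple(x.strip() for x in tags.get(tag, "").split(":") if x.strip())

    return DkimKey(tags.get("k", "rsa"), public_key,
                   colon_list("h"), colon_list("t"), not key_b64)


def is_valid_record(value: str) -> bool:
    try:
        parse_dkim_record(value)
        return True
    except ValueError:
        return False


Lookup = Callable[[str], Tuple[str, int]]   # name -> (TXT presentation, TTL seconds)


class TtlCache:
    """What a recursive resolver does for you in approach #1: query upstream
    once, then answer from cache until the record's TTL has elapsed."""

    def __init__(self, lookup: Lookup, clock: Callable[[], float] = time.monotonic):
        self._lookup, self._clock = lookup, clock
        self._entries: Dict[str, Tuple[str, float]] = {}
        self.upstream_queries = 0

    def get(self, name: str) -> str:
        now = self._clock()
        hit = self._entries.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]
        value, ttl = self._lookup(name)
        self.upstream_queries += 1
        self._entries[name] = (value, now + ttl)
        return value


def demo() -> Tuple[DkimKey, int, int]:
    """Three lookups inside a 60 s TTL, then one after expiry; returns the
    parsed key and the upstream query count at both points (1, then 2)."""
    clock = {"t": 0.0}
    cache = TtlCache(lambda name: (SAMPLE_TXT, 60), clock=lambda: clock["t"])
    name = "m1._domainkey.example.com"       # hypothetical selector and domain
    for t in (0.0, 30.0, 59.0):
        clock["t"] = t
        cache.get(name)
    within_ttl = cache.upstream_queries
    clock["t"] = 61.0
    key = parse_dkim_record(unquote_txt(cache.get(name)))
    return key, within_ttl, cache.upstream_queries


if __name__ == "__main__":
    k, a, b = demo()
    print(f"k={k.key_type} h={k.hash_algs} keylen={len(k.public_key)} "
          f"upstream queries: {a} within TTL, {b} after expiry")
```

The `revoked` field matters in practice: a record with an empty `p=` is a valid answer that means "this key has been revoked", which is different from NXDOMAIN or a malformed record, and a verifier should treat the three cases differently. The DER check is deliberately only a header sanity check; real key loading belongs to whatever crypto library the server already uses.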

Score:1

DKIM records are generally available through global DNS. There's no need to query an authoritative NS. All queries should give the same result (like in your case).
