Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?

Mukund Sivaraman <> Thu, 07 February 2019 16:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DE85E12008F for <>; Thu, 7 Feb 2019 08:03:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EZXa0iX5rJJ7 for <>; Thu, 7 Feb 2019 08:03:57 -0800 (PST)
Received: from ( [IPv6:2a01:4f8:151:2016::99]) by (Postfix) with ESMTP id 735B41228B7 for <>; Thu, 7 Feb 2019 08:03:57 -0800 (PST)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 738365A40C3C; Thu, 7 Feb 2019 16:03:54 +0000 (GMT)
Date: Thu, 7 Feb 2019 21:33:50 +0530
From: Mukund Sivaraman <>
To: Ted Lemon <>
Cc: Tony Finch <>, "" <>
Message-ID: <>
References: <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Feb 2019 16:04:00 -0000

On Thu, Feb 07, 2019 at 09:40:24AM -0500, Ted Lemon wrote:
> On Feb 7, 2019, at 9:16 AM, Tony Finch <> wrote:
> > But in this scenario things soon go wrong, because RFC 2181 says the
> > NODATA reply replaces the delegation records in the resolver's cache. This
> > means that if a client explicitly asks for the NS records of a zone that
> > lacks them, resolution for other records in the zone will subsequently
> > fail.
> Ah, there you have it.  So then it _is_ required.  Kevin’s point also
> points in that direction.
> Is there somewhere in a later spec where this is stated explicitly, then?

Though RFC 1034/1035 are a point for DNS that obsoleted some preceding
RFCs and other documentation and they are quite comprehensive, there are
things that they have missed. Something that comes to mind is the
definition of hostnames. Remember that DNS evolved to RFC 1034/1035. It
didn't begin there, so if something is not clear, there are documents
preceding it which may be obsolete but can contain useful information
and justification.

For this topic of NS at apex, there is some mention of it in RFC 883:

      Note that there is one special case that requires consideration
      when a name server is implemented.  A node that contains a SOA RR
      denoting a start of zone will also have NS records that identify
      the name servers that are expected to have a copy of the zone.

(The word "will" cannot be strictly assumed to have RFC 2119 meaning,
 but it's clear that it's expected.)

There's mention of it in RFC 882 where it says an NS record is necessary
because an authority for the zone is expected to answer for a query for
NS information of the zone.

If all else fails in explaining something, there's also the old saying -
"Do what BIND does". :-)