1

Does DNSSEC require that my NS1 and NS2 stored at the registrar be authoritative, or just that they answer for the domain? Can they be non-authoritative DNS servers answer the query?

Does anything specify what happens at that point in time?

From the BIND DNSSEC Guide,

enter image description here

What happens in the above circumstance if the fbi.gov name server that is written in the ns1 at the registrar is non-authoritative but has all the appropriate records?

Evan Carroll
  • 28,578
  • 45
  • 164
  • 290

1 Answers1

3

DNSSEC doesn't add any restriction on this, but NS records are supposed to point to authoritative servers.

Authoritative Server A server that knows the content of a DNS zone from local knowledge, and thus can answer queries about that zone without needing to query other servers.

RFC 2182 Section 2

Can they be non-authoritative DNS servers answer the query?

Authoritative servers and resolvers can answer DNSSEC queries as long as the answer they provide has valid DNSSEC records (assuming the client checks)

Community
  • 1
Torin
  • 1,643
  • 1
  • 8
  • 16
  • Your quote defines an *"Authoritative Server" but it doesn't say that the NS records are supposed to point to one. – Evan Carroll May 16 '19 at 14:40
  • 1
    [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.html#section-3.3.11) states that the RDATA of an NS record should contain `A which specifies a host which should be authoritative for the specified class and domain`. There are valid cases for a NS record to point to a non authoritative server, but usually this is not what you want. – Torin May 16 '19 at 18:48