Hi there, we just switched to using Cloudflare and have a question regarding the Authority section of a dig request. Why doesn’t a dig to the Cloudflare NS give back an Authority section? Shouldn’t they do that? They are the authoritative servers? Thanks for the explanations, just getting into DNS, would really like to understand it.
Cloudflare are indeed the authoritative nameservers for your domain.
That’s why, when your root zone delegates resolution for your domain, they will provide the authority records (and possibly also the glue records for them, if they’re under the same TLD or if they’re subdomains of the queried zone) to whoever is asking:
$ dig @a.gtld-servers.net cardmarket.com
; <<>> DiG 9.13.5 <<>> @a.gtld-servers.net cardmarket.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38752
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 5
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cardmarket.com. IN A
;; AUTHORITY SECTION:
cardmarket.com. 172800 IN NS dan.ns.Cloudflare.com.
cardmarket.com. 172800 IN NS lola.ns.Cloudflare.com.
;; ADDITIONAL SECTION:
dan.ns.Cloudflare.com. 172800 IN A 173.245.59.108
dan.ns.Cloudflare.com. 172800 IN AAAA 2400:cb00:2049:1::adf5:3b6c
lola.ns.Cloudflare.com. 172800 IN A 173.245.58.132
lola.ns.Cloudflare.com. 172800 IN AAAA 2400:cb00:2049:1::adf5:3a84
;; Query time: 148 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Wed Jan 16 13:04:31 IST 2019
;; MSG SIZE rcvd: 182
You’re probably asking because you saw other DNS servers sending over their own details for a DNS query, which are of help to no one (as a resolver client, you already know Cloudflare are the authoritative nameservers - after all you recursed the DNS hierarchy until you managed to contact them). Why do these DNS servers do that? I don’t know, maybe they like to waste bandwidth.
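The difference discussed in this thread can be checked mechanically from saved dig output. The following is an added example, not part of the original posts: it labels a response as a referral (no `aa` flag, empty answer, NS records in the authority section) or an authoritative answer (`aa` flag set), and pairs each delegated nameserver with its glue. The function names and the second sample, including its placeholder address, are assumptions made for illustration.

```python
import re

# Referral from a.gtld-servers.net, trimmed from the dig output quoted above.
REFERRAL = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 5
;; AUTHORITY SECTION:
cardmarket.com. 172800 IN NS dan.ns.Cloudflare.com.
cardmarket.com. 172800 IN NS lola.ns.Cloudflare.com.
;; ADDITIONAL SECTION:
dan.ns.Cloudflare.com. 172800 IN A 173.245.59.108
dan.ns.Cloudflare.com. 172800 IN AAAA 2400:cb00:2049:1::adf5:3b6c
lola.ns.Cloudflare.com. 172800 IN A 173.245.58.132
lola.ns.Cloudflare.com. 172800 IN AAAA 2400:cb00:2049:1::adf5:3a84
"""
# Constructed sample: shape of a reply from the zone's own nameserver
# (192.0.2.10 is a documentation placeholder, not the real record).
ANSWER = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
cardmarket.com. 300 IN A 192.0.2.10
"""

def parse_dig(text):
    """Return (header flags, {section name: [(name, type, rdata), ...]})."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        if m := re.match(r";; flags: ([a-z ]*);", line):
            flags = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            current = sections.setdefault(m.group(1), [])
        elif current is not None and line.strip() and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            # DNS names are case-insensitive, so normalise before comparing.
            current.append((name.lower(), rtype, rdata.lower()))
    return flags, sections

def classify(text):
    """Label a response and pair each delegated nameserver with its glue."""
    flags, sec = parse_dig(text)
    ns = sorted(r[2] for r in sec.get("AUTHORITY", []) if r[1] == "NS")
    glue = {n: [r[2] for r in sec.get("ADDITIONAL", [])
                if r[0] == n and r[1] in ("A", "AAAA")] for n in ns}
    if "aa" in flags:
        kind = "authoritative answer"
    elif ns and not sec.get("ANSWER"):
        kind = "referral"
    else:
        kind = "other"
    return kind, glue

if __name__ == "__main__":
    for label, out in (("TLD server", REFERRAL), ("zone nameserver", ANSWER)):
        print(label, "->", classify(out))
```

A nameserver that appears in a referral with an empty glue list is one the resolver has to look up separately before it can follow the delegation.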