The resolver should ask for `DS` right after the delegation `NS` is received and `DS` is not in the `AUTHORITY` section.
In case the parent and child zones are hosted on the same server, the delegation `NS` query returns only `NS` in the `ANSWER` section (instead of `AUTHORITY`). See the example from `nic.cz` vs `sury.cz`:
```
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4713
;; Flags: qr aa rd; QUERY: 1; ANSWER: 4; AUTHORITY: 0; ADDITIONAL: 13
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION:
;; nic.cz. IN NS
;; ANSWER SECTION:
nic.cz. 1800 IN NS a.ns.nic.cz.
nic.cz. 1800 IN NS b.ns.nic.cz.
nic.cz. 1800 IN NS d.ns.nic.cz.
nic.cz. 1800 IN RRSIG NS 13 2 1800 20170202003914 20170119215003 53569 nic.cz. +eiUp1ZxK1WH9+So5TmDtxIegeRmVcaxLPEauxAWVHbs4H8qSu6LILPZONj+B8iN3mMa3nJrsiMVb88+jSUj6g==
;; ADDITIONAL SECTION:
a.ns.nic.cz. 1800 IN A 194.0.12.1
a.ns.nic.cz. 1800 IN RRSIG A 13 4 1800 20170202145140 20170119215003 53569 nic.cz. 6aCe1zhyPIDgrHpM3kImovkRZ53FwSeD4ByiTsGopTs6fkyiAvIUJagHjjwBr89krTX3LXVd1nNUM4XJRBSe5Q==
b.ns.nic.cz. 1800 IN A 194.0.13.1
b.ns.nic.cz. 1800 IN RRSIG A 13 4 1800 20170202045948 20170119215003 53569 nic.cz. ftVQuQpJSumxw7UgNJV9WMPq07fKeyUyo0DvXtEQux5jgJkB2nmtlefMFBS7/ZAH8TEWltzcOX6cw2/mgjnKPg==
d.ns.nic.cz. 1800 IN A 193.29.206.1
d.ns.nic.cz. 1800 IN RRSIG A 13 4 1800 20170202161830 20170119215003 53569 nic.cz. YKcDKUPSJWQuuKRIPt+WKHi6/BItA8bRQYrUyFRUK+we4111UBYKt2aO8LWIL5RlHKLnPr4Zmu71Ol1LKIYXaw==
a.ns.nic.cz. 1800 IN AAAA 2001:678:f::1
a.ns.nic.cz. 1800 IN RRSIG AAAA 13 4 1800 20170202151241 20170119215003 53569 nic.cz. ujW2zr1GOcqp6RDATgn30PuxIfiicFFaGG/+7/XoiycCi2OR1XIwMHlLznv8qPYYnNyrOZPEVTnCDog1uSvBiw==
b.ns.nic.cz. 1800 IN AAAA 2001:678:10::1
b.ns.nic.cz. 1800 IN RRSIG AAAA 13 4 1800 20170202011018 20170119215003 53569 nic.cz. Ho+Mdn0jP04LkjwwE41eArn9ePCV2HaWRkjT89d2rSRGXcx31rUYQo8FT+lKg5hJX/k18ZbSGZwDly3ktaPNWw==
d.ns.nic.cz. 1800 IN AAAA 2001:678:1::1
d.ns.nic.cz. 1800 IN RRSIG AAAA 13 4 1800 20170202002553 20170119215003 53569 nic.cz. a4akrH95iu3YSU6Y2Eis8Bx4Ko6BzIw0S/A9n0tI72C1T8iQjVgUxwikKtf55ZN6ylqb+dsPscfUxZOL6LWiKg==
;; Received 932 B
;; Time 2017-01-23 13:21:09 CET
;; From 2001:678:f::1@53(UDP) in 0.8 ms
```

```
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14000
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 4
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: Unused
;; QUESTION SECTION:
;; sury.cz. IN NS
;; AUTHORITY SECTION:
sury.cz. 18000 IN NS trubka.network.cz.
sury.cz. 18000 IN NS master.dns.rocks.
sury.cz. 18000 IN DS 44950 8 2 7D1FEF31405513CD00CD41A2A7107C3B7A949F0A05158264F06665C5E33393F4
sury.cz. 18000 IN RRSIG DS 10 2 18000 20170204123925 20170123103958 58211 cz. qllrV+THBIRutS0VfRJgp1tKictj73PHSPn3YOjlk/Mk6PbPsEIfcoTVFDp1cmOIG4gD+JNdMCDSDV4v5gjKlrwksDbH47ri3otZja0Uhd1RS5D+y9neXVtwJiSq22a/yGEp7xVWaoZNnxOp4J+Lva8LHW3q5/YF3RBmC7Uc7Vk=
;; ADDITIONAL SECTION:
trubka.network.cz. 18000 IN A 81.91.84.116
trubka.network.cz. 18000 IN AAAA 2001:1568:b::145
trubka.network.cz. 18000 IN AAAA 2001:1568:b:145::1
;; Received 377 B
;; Time 2017-01-23 13:21:27 CET
;; From 2001:678:f::1@53(UDP) in 0.7 ms
```
In such a case, when the parent zone is secure (e.g. signed and valid), the logic should re-query for `DS` records first (instead of turning off QNAME minimization):
```
[14667][iter] 'www.nic.cz.' type 'A' id was assigned, parent id 0
[14667][resl] => querying: '2001:678:1::1' score: 11 zone cut: 'cz.' m12n: 'nIC.Cz.' type: 'NS' proto: 'udp'
[14667][iter] <= rcode: NOERROR
[14667][iter] <= found cut, retrying with non-minimized name
[14667][resl] <= server: '2001:678:1::1' rtt: 0 ms
```
This is an optimization and not a critical bugfix, so assigning it to the 1.3.0 release.
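
The decision described above, as an added sketch that is not Knot Resolver code: it reads a reply in the output format shown above and picks the next step for the two cases (`NS` in `ANSWER` without `DS`, and a referral carrying `DS`). The sample replies are constructed and abbreviated, and the function names and step labels are hypothetical; it models only the rule stated in this issue.

```python
import re

# Constructed, abbreviated replies in the output format shown above;
# "(sig)" and "(digest)" stand in for the base64/hex fields.
COLOCATED = """\
;; Flags: qr aa rd; QUERY: 1; ANSWER: 4; AUTHORITY: 0; ADDITIONAL: 13
;; ANSWER SECTION:
nic.cz. 1800 IN NS a.ns.nic.cz.
nic.cz. 1800 IN RRSIG NS 13 2 1800 (sig)
;; ADDITIONAL SECTION:
a.ns.nic.cz. 1800 IN A 194.0.12.1
"""
REFERRAL = """\
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 4
;; AUTHORITY SECTION:
sury.cz. 18000 IN NS trubka.network.cz.
sury.cz. 18000 IN DS 44950 8 2 (digest)
sury.cz. 18000 IN RRSIG DS 10 2 18000 (sig)
"""

def parse_sections(text):
    """Map section name -> set of (owner, rrtype) found in that section."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
            sections[current] = set()
        elif current and line and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 4:  # owner, TTL, class, type
                sections[current].add((fields[0].lower(), fields[3]))
    return sections

def next_step(text, child, parent_secure):
    """Decide what to do after an NS query for `child` (hypothetical labels)."""
    s = parse_sections(text)
    def has(section, rrtype):
        return (child.lower(), rrtype) in s.get(section, set())
    if not (has("ANSWER", "NS") or has("AUTHORITY", "NS")):
        return "no-cut"
    if has("AUTHORITY", "DS"):
        return "validate-ds"   # DS arrived with the referral
    if parent_secure:
        return "query-ds"      # the behaviour this issue asks for
    return "follow-insecure"   # unsigned parent: no chain of trust to extend

if __name__ == "__main__":
    print(next_step(COLOCATED, "nic.cz.", True))
    print(next_step(REFERRAL, "sury.cz.", True))
```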