Bailiwick and "Sibling domain" definition

If I run the following command, dig allcosts.net @g.gtld-servers.net, I get:

;; QUESTION SECTION:
;allcosts.net.          IN  A

;; AUTHORITY SECTION:
allcosts.net.       172800  IN  NS  ns-22.awsdns-02.com.
allcosts.net.       172800  IN  NS  ns-912.awsdns-50.net.
allcosts.net.       172800  IN  NS  ns-1834.awsdns-37.co.uk.
allcosts.net.       172800  IN  NS  ns-1233.awsdns-26.org.

;; ADDITIONAL SECTION:
ns-912.awsdns-50.net.   172800  IN  A   205.251.195.144

According to Amazon (link here), ".net customers actually get the benefit of two in-bailiwick glue records", meaning the ADDITIONAL is considered as in-bailiwick.

I'm trying to understand why "ns-912.awsdns-50.net." is in-bailiwick here.

RFC 8499 shows an example of a similar situation:

   Delegation |Parent|Name Server Name  | Type
   -----------+------+------------------+-----------------------------
   example.org| org  |ns.ietf.org       |in-bailiwick / sibling domain

The delegation is for allcosts.net, the parent is net and the name server is ns-912.awsdns-50.net. Following the example from the RFC, that would mean it is a sibling domain.

Here is the definition of a sibling domain:

Sibling domain: a name server's name that is either subordinate
         to or (rarely) the same as the zone origin and not subordinate
         to or the same as the owner name of the NS resource records.
         Glue records for sibling domains are allowed, but not
         necessary.

If I understand correctly, they both have the same zone origin (net) and are not subordinate to or the same as the owner (allcosts.net vs ns-912.awsdns-50.net), making them siblings. Did I make correct assumptions here?


> I'm trying to understand why "ns-912.awsdns-50.net." is in-bailiwick here.

Because it is under .net TLD and you are asking for a .net domain name.

But even then, as the RFC states, the glues are not strictly necessary because the nameserver name, while under .net, is under a different domain name than the one you queried for. There is hence no logical problem in doing another query to retrieve this nameserver's IP address, but the authoritative nameserver is trying to be helpful by providing it to you immediately in the ADDITIONAL section.

This may not be similar in other TLDs.

Your assumptions are correct, except maybe this part which is unclear at least:

> meaning the ADDITIONAL is considered as in-bailiwick.

It is not because something is in ADDITIONAL that it is in-bailiwick or not.

The ADDITIONAL section was designed to carry whatever useful extra data the resolver wishes to send without having it considered authoritative (and not signed by DNSSEC). Lots of things could be there, but past events showed that recursive nameservers should be very cautious about taking information from that section, so it should be used only when strictly necessary because there is no other path, which means basically this is for glues (in-bailiwick and not sibling). So glues will be in the ADDITIONAL section, but not everything in the ADDITIONAL section is necessarily glues all the time.
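The RFC 8499 terms discussed in this thread, applied to the referral in the question. This is an added example, not part of the question or the answer; the function names are hypothetical, and the glue filter is a simplified acceptance policy assumed for illustration (a stricter resolver could keep only in-domain glue).

```python
def labels(name):
    """Lower-cased labels of a domain name, root-most first ('.' -> [])."""
    return [l for l in reversed(name.lower().rstrip(".").split(".")) if l]

def at_or_below(name, ancestor):
    """True if name equals ancestor or is subordinate to it (whole labels only)."""
    n, a = labels(name), labels(ancestor)
    return n[:len(a)] == a

def classify(delegation, parent, ns_name):
    """RFC 8499 term for ns_name in the NS set the parent zone holds for delegation."""
    if not at_or_below(ns_name, parent):
        return "out-of-bailiwick"            # not under the zone origin at all
    if at_or_below(ns_name, delegation):
        return "in-bailiwick / in-domain"    # under the NS owner name: glue needed
    return "in-bailiwick / sibling domain"   # under the origin only: glue optional

def usable_glue(delegation, parent, ns_names, additional):
    """Keep ADDITIONAL A/AAAA records that name a listed NS and are in-bailiwick.

    Assumed policy for this example: anything else in ADDITIONAL is ignored
    and would have to be resolved with a separate query.
    """
    wanted = {tuple(labels(n)) for n in ns_names
              if classify(delegation, parent, n) != "out-of-bailiwick"}
    return [(owner, rtype, rdata) for owner, rtype, rdata in additional
            if rtype in ("A", "AAAA") and tuple(labels(owner)) in wanted]

# NS names and the single ADDITIONAL record from the dig output in the question.
NS_NAMES = ["ns-22.awsdns-02.com.", "ns-912.awsdns-50.net.",
            "ns-1834.awsdns-37.co.uk.", "ns-1233.awsdns-26.org."]
ADDITIONAL = [("ns-912.awsdns-50.net.", "A", "205.251.195.144")]

# Constructed records (not from the page) that the filter should drop:
# an unrelated name, and an address for an out-of-bailiwick name server.
CONSTRUCTED = ADDITIONAL + [("www.example.com.", "A", "192.0.2.1"),
                            ("ns-22.awsdns-02.com.", "A", "192.0.2.53")]

if __name__ == "__main__":
    for ns in NS_NAMES:
        print(f"{ns:28} {classify('allcosts.net', 'net', ns)}")
    print(usable_glue("allcosts.net", "net", NS_NAMES, CONSTRUCTED))
```
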