Stuart MacIntosh wrote:
Quick question, hopefully. How common is it for DNS server admins to manipulate TTLs of NS records, on their recursive/customer-facing servers?
As Simon said, generally it's not that common.
Also, when seeing a reply from a caching server (query A-type) NS is returned correctly but not the A record. Why is this (typically)?
Because DNS caching isn't as straightforward as it seems, especially where delegations and "additional" data are concerned. A glue record handed to a forwarding (caching) name server is not actually part of the answer, merely a hint to save the forwarder from having to explicitly ask for the glue A record in another query. As such it's returned in the additional section of the response, and not the authority section, and shouldn't really be used for anything except processing the immediate query response. There are a lot of subtleties (read: "cache poisoning vectors") in caching additional data. The safest approach is not to bother. Note that additional data may be returned if it has found its way into the cache as a response to an explicit query. -- don