Bennett, Steve wrote:

>Hi Kevin, thanks for the reply...
>
>
>
>>> 2b) find "nih.gov" nameservers:
>>> $dig @a.gov.zoneedit.com. ns nih.gov.
>>>
>>> ; <<>> DiG 9.3.0 <<>> @a.gov.zoneedit.com. ns nih.gov.
>>> ;; global options: printcmd
>>>
>>>Shouldn't 2b return the list of nameservers for the domain=20
>>>
>>>

>>"nih.gov"? If not, why not?
>>
>>
>>I assume, since you truncated the output, that you got some sort of=20
>>timeout for the 2b query. What happens if you try some of the other=20
>>nameservers for .gov? Do they all timeout? If so, look at your=20
>>networking/firewall configuration.
>>
>>

>
>No, I've not truncated the output, there's no timeout, and I don't
>believe that there's any problem with network or firewall configuration.
>I have the following in my .digrc to make the responses clearer:
> +nocomments
> +noquestion
> +noadditional
> +noauthority
> +nostats
>i.e. I want dig to just tell me the answer to the question. I think this
>is the point about the problem I think I can see in .gov
>
>
>
>>That query comes back just fine for me:
>>=20
>>% dig @a.gov.zoneedit.com ns nih.gov
>>=20
>>; <<>> DiG 9.2.2rc1 <<>> @a.gov.zoneedit.com ns nih.gov
>>;; global options: printcmd
>>;; Got answer:
>>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64671
>>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
>>
>>

> ^^^^^^^^^
>That's the point though: "ANSWER:0" - the .gov nameservers are not
>answering the question, they are just saying where to go to get the
>authoritative answer to the question.
>
>As I understand it, the .gov nameservers don't seem to have the glue
>entries to give the answer, and for some reason, BIND v9.3.0 (at least,
>the copy that I'm running) isn't picking up the answers in the
>"additional" section.
>

The .gov servers are giving referrals, the .net/.com servers are giving
answers. You should be prepared to deal with either form of response,
but that +noauthority directive is blinding you to the referral form.

- Kevin