[cifs-protocol] authority section return for unknown replies

[tridge at samba.org]

Windows DNS servers return an AUTHORITY section pointing at the
authoritative DNS server when looking up a name that doesn't
exist. We'd like to know if this is important for correct operation
with Windows clients.

For example, if I lookup unknown.v2.tridgell.net:

tridge at blu:~/$ dig @10.0.0.4 -t A unknown.v2.tridgell.net.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29547
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;unknown.v2.tridgell.net.       IN      A

;; AUTHORITY SECTION:
v2.tridgell.net.        3600    IN      SOA     w2k8.v2.tridgell.net. hostmaster.v2.tridgell.net. 689 900 600 25200 3600


In the above, w2k8.v2.tridgell.net is a w2k8r2 DNS server and DC. 

A bind9 server, which we are using for DNS in Samba, doesn't do this,
and we would like to know if this will cause any problems.

We suspect this relates to how Windows clients find the DNS server to
do dynamic updates to. A windows client will first look for its own
name in the above manner, and seems to use the authority reply to
determine where to send the update. When we don't give the authority
reply, windows clients seem to fall back on a different mechanism, but
we would like to know that the alternative mechanism is reliable.

We suspect this is related to the way that Windows servers virtualise
the SOA record, so that each DC returns a SOA record pointing at
itself, even when the underlying LDAP record points at a different
server.

Is this SOA behaviour and AUTHORITY behaviour documented in WSPP
anywhere? We couldn't find it.

Cheers, Tridge