Re: rfc1034 & bind9 cache - cached glue A RR not available to any clients, even with +norec

LV> Why bind9 doesn't provide A RRs, which were received as a
LV> referral even to the +norec clients.

One possible reason why is that it isn't actually useful for proxy DNS
servers (and it is your proxy DNS server that you queried here, not the
actual content DNS servers themselves) to perform such "additional"
section processing; since DNS Client libraries generally only look for
the answer to the exact question that they asked and ignore additional
data, and thus it is largely pointless and consumptive of both bandwidth
and processing to eke out and to supply those data.

Another possible reason why is that by setting the RD bit to zero,
you've told your proxy DNS server to not issue any back-end queries to
other DNS servers, and essentially to do the bare minimum amount of
processing in order to generate a response. Notice that BIND has
returned no more than the minimum information necessary to let you
distinguish the response as being a partial answer ending in a referral,
instead of a complete answer denoting an empty resource record set in
the form of type 3 response.

LV> $ dig a fake1.ladislav.name.ae. +norec

Now query your content DNS server directly with

dig @fake1.ladislav.name.ae. a fake1.ladislav.name.ae. +norec

and consider that, conversely, it is not only useful but necessary for
content DNS servers to perform "additional" section processing.