How to tell a DNS no data reply from a lame delegation
When you query an authoritative nameserver for a record that doesn't
exist, what you get back is a reply with status NOERROR, the
aa bit set, no ANSWER section, and the zone's
SOA record as
the sole record in the AUTHORITY section. (And no ADDITIONAL section.)
When you query a nameserver for a record in a zone that it doesn't serve, what you get back is a reply with status NOERROR, no ANSWER section, some zone's NS records, and some A records for the NSes in the ADDITIONAL section. Which zone you get depends; generally it is the closest zone to your target zone that the nameserver knows about, eg if you query for foo.bar.org, you may get the root NSes, the .org NSes, or even the bar.org NSes if the nameserver knows them.
(You do not necessarily get A records for all of the NS targets, just the ones that the nameserver knows. I believe that there are circumstances where you can get no A records at all.)
If the nameserver you are querying is listed in an NS record for the zone, such a reply is a 'lame delegation'; the NS record is pointing to a nameserver that is not actually a nameserver for that zone. In some situations the NS records such a lame delegation returns will include the very nameserver you are querying, for example if you are making a nonrecursive query to an informal secondary that has cached NS information but not the record you're looking for.
(A secondary server that doesn't have a copy of the zone data will not be seen as a lame delegation, because such a server returns a SERVFAIL answer instead of NOERROR plus NS records.)
Note that not all nameservers even return replies for zones that they don't serve. Some will just drop your queries on the floor.