Weird DNS behaviour resolution issues when more labels are present in a zone

Prasanna Mathivanan (pmathiva) pmathiva at
Wed Dec 16 19:51:49 UTC 2020

Hi Tale,

Thanks for explaining.
We can close this query now.
Thanks team for helping me understand the issue.



On 17/12/20, 1:13 AM, "tale" <d.lawrence at> wrote:

    On Wed, Dec 16, 2020 at 3:48 AM Prasanna Mathivanan (pmathiva) via
    bind-users <bind-users at> wrote:
    > Whenever we have broken delegation as domain owners didn't follow proper RFC, the default behaviour of the query hits "_.<label-sequence>" which doesn't exist? And we get NXDOMAIN or SERVFAIL response.

    Going back to your original example,, qname
    minimisation first identifies that there is a delegation at .com for, and then asks the nameservers for   Typically this query would come
    back with either an NXDOMAIN answer, which means that the queried
    nameserver believes it is authoritative for all names within, or it comes back with a NOERROR answer that lists a
    delegation in the authority section.

    In the first case (NXDOMAIN), the resolver knows it can ask the same
    servers about and the cycle repeats.  In the latter
    case, the resolver is able to distinguish between whether there was a
    delegation for (and ask the new nameservers about or a delegation that's actually at
    (highly unusual, in which case, ask the original
    nameservers about

    Getting a SERVFAIL throws a wrench in all this.  It's the
    authoritative server basically saying, "I'm badly broken and can't
    tell you how."  Generally this means the resolver should ask the next
    server in the authoritative list.  If they're all giving SERVFAIL then
    the resolver can either try to work around the brokenness (for
    example, by querying the full name at its closest enclosing
    delegation) or just give up on the SERVFAIL.


    PS: While thinking about this I realized a weird case, which is if
    only a subset of the parent nameservers are authoritative for a
    subdomain.  That is, imagine is served by the four servers
    ns{1,2,3,4}, but is delegated only to
    ns{1,2}  If you ask ns1 or ns2 about,
    they'll give an authoritative answer and the fact that a delegation
    exists wouldn't be identified (absent DNSSEC), but asking ns3 or ns4
    would give the delegation to ns1 and ns2.  I can't think of how this
    might be a real problem for future queries though, outside of the
    usual type of brokenness that can happen even with full name queries
    (eg, a parent has a subdomain configured that it isn't actually
    delegated to it).
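The decision loop described in the quoted reply, as an added sketch that is not part of the thread or of BIND's code. It assumes a constructed table of toy servers with hypothetical names and uses the `_.<label-sequence>` probe form mentioned above; two of the toy servers return SERVFAIL for probe names only, which exercises the next-server and full-name fallback paths.

```python
NXDOMAIN, NOERROR, SERVFAIL = "NXDOMAIN", "NOERROR", "SERVFAIL"

# Constructed toy authoritative servers (hypothetical names, not from the thread).
# "cuts" maps a delegated name to the servers it is delegated to.
SERVERS = {
    "ns.com-tld":  {"cuts": {"example.com": ["ns1.example", "ns2.example"]}},
    "ns1.example": {"cuts": {}, "fails_on_probe": True},
    "ns2.example": {"cuts": {"c.b.example.com": ["ns.child"]}},
    "ns.child":    {"cuts": {}, "fails_on_probe": True},
}

def ask(server, qname):
    """Return (rcode, delegation_owner) as the toy server would."""
    cfg = SERVERS[server]
    if cfg.get("fails_on_probe") and qname.startswith("_."):
        return SERVFAIL, None
    for cut in cfg["cuts"]:
        if qname == cut or qname.endswith("." + cut):
            return NOERROR, cut          # referral in the authority section
    return NXDOMAIN, None                # server claims authority for the name

def walk(full_name, zone, servers):
    """Return (trace, servers that finally receive the full name)."""
    labels, trace = full_name.split("."), []
    depth = len(zone.split(".")) + 1
    while depth < len(labels):
        probe = "_." + ".".join(labels[-depth:])
        for server in servers:
            rcode, cut = ask(server, probe)
            trace.append((server, probe, rcode))
            if rcode != SERVFAIL:
                break                    # usable answer; stop trying siblings
        if rcode == SERVFAIL:            # every server failed: stop minimising
            trace.append(("fallback", full_name, "full name to " + zone))
            return trace, servers
        if rcode == NOERROR:             # follow the delegation to new servers
            zone, servers = cut, SERVERS[server]["cuts"][cut]
            depth = len(zone.split(".")) + 1
        else:                            # NXDOMAIN: same servers, one more label
            depth += 1
    return trace, servers

if __name__ == "__main__":
    for name in ("a.c.b.example.com", "x.y.c.b.example.com"):
        steps, final = walk(name, "com", ["ns.com-tld"])
        for step in steps:
            print(name, step)
        print(name, "-> full name goes to", final)
```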
