[NOTABUG] Negative responses for domains with broken delegations might SERVFAIL with NS-based QNAME minimization
This is not a BIND 9 bug; it is protocol-compliant behavior for broken authoritative name servers.
After !6267 (merged)/!8066 (merged) (i.e. for BIND 9.19.15+ & 9.18.17+), SERVFAIL responses might be observed instead of NODATA responses for names in domains with broken delegation chains.
Example: `openwrt.pool.ntp.org/AAAA`

There is a delegation for `openwrt.pool.ntp.org` in the `pool.ntp.org` zone, but the authoritative server set is identical for both of those domains; when queried for non-existing records in `openwrt.pool.ntp.org`, these servers respond with an SOA record for the parent zone (`pool.ntp.org`), despite a delegation being present further down in the DNS tree (`openwrt.pool.ntp.org`).
Until `named` used `_.<domain>/A` queries for QNAME minimization, this type of breakage could go unnoticed because the NS RRset at `openwrt.pool.ntp.org` was not directly queried for by `named` and therefore not cached[^1]. However, since QNAME minimization now uses NS queries, that NS RRset ends up in the cache, indicating a delegation from `pool.ntp.org` into `openwrt.pool.ntp.org` that is not consistent with the SOA record present in negative responses for `openwrt.pool.ntp.org`.
`dig` output showing the delegation chain and the inconsistent negative response:

```text
$ dig @a0.org.afilias-nst.info. pool.ntp.org. NS +norec +noall +auth
ntp.org. 3600 IN NS ns1.everett.org.
ntp.org. 3600 IN NS anyns.pch.net.
ntp.org. 3600 IN NS ns3.p20.dynect.net.
ntp.org. 3600 IN NS dns2.udel.edu.
ntp.org. 3600 IN NS dns1.udel.edu.
ntp.org. 3600 IN NS ns2.p20.dynect.net.
ntp.org. 3600 IN NS ns1.p20.dynect.net.
ntp.org. 3600 IN NS ns4.p20.dynect.net.
$ dig @ns1.p20.dynect.net. pool.ntp.org. NS +norec +noall +auth
pool.ntp.org. 604800 IN NS a.ntpns.org.
pool.ntp.org. 604800 IN NS e.ntpns.org.
pool.ntp.org. 604800 IN NS h.ntpns.org.
pool.ntp.org. 604800 IN NS g.ntpns.org.
pool.ntp.org. 604800 IN NS b.ntpns.org.
pool.ntp.org. 604800 IN NS i.ntpns.org.
pool.ntp.org. 604800 IN NS d.ntpns.org.
pool.ntp.org. 604800 IN NS f.ntpns.org.
pool.ntp.org. 604800 IN NS c.ntpns.org.
$ dig @a.ntpns.org. pool.ntp.org. NS +norec +noall +ans
pool.ntp.org. 86400 IN NS b.ntpns.org.
pool.ntp.org. 86400 IN NS c.ntpns.org.
pool.ntp.org. 86400 IN NS h.ntpns.org.
pool.ntp.org. 86400 IN NS f.ntpns.org.
pool.ntp.org. 86400 IN NS e.ntpns.org.
pool.ntp.org. 86400 IN NS i.ntpns.org.
pool.ntp.org. 86400 IN NS d.ntpns.org.
pool.ntp.org. 86400 IN NS a.ntpns.org.
pool.ntp.org. 86400 IN NS g.ntpns.org.
$ dig @a.ntpns.org. openwrt.pool.ntp.org. NS +norec +noall +ans
openwrt.pool.ntp.org. 86400 IN NS b.ntpns.org.
openwrt.pool.ntp.org. 86400 IN NS c.ntpns.org.
openwrt.pool.ntp.org. 86400 IN NS h.ntpns.org.
openwrt.pool.ntp.org. 86400 IN NS f.ntpns.org.
openwrt.pool.ntp.org. 86400 IN NS e.ntpns.org.
openwrt.pool.ntp.org. 86400 IN NS i.ntpns.org.
openwrt.pool.ntp.org. 86400 IN NS d.ntpns.org.
openwrt.pool.ntp.org. 86400 IN NS a.ntpns.org.
openwrt.pool.ntp.org. 86400 IN NS g.ntpns.org.
$ dig @a.ntpns.org. openwrt.pool.ntp.org. AAAA +norec +noall +auth
pool.ntp.org. 1500 IN SOA b.ntpns.org. hostmaster.pool.ntp.org. 1689666021 5400 5400 1209600 3600
```
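To make the inconsistency concrete, here is an added Python example (not BIND 9 code, and a simplification of its real cache handling) that applies the zone-cut rule to a resolver's cached delegations before and after NS-based QNAME minimization; the cache contents are constructed from the names above.

```python
"""Zone-cut consistency check for negative DNS responses (added example,
not BIND 9 code). A NODATA answer's SOA must belong to the zone that,
according to the NS RRsets the resolver has cached, actually contains
the query name. Names are the page's; cache contents are constructed."""
from typing import Iterable, List, Optional, Tuple


def labels(name: str) -> List[str]:
    """Lower-cased labels of a (possibly fully-qualified) name; root = []."""
    return [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]


def is_at_or_below(name: str, ancestor: str) -> bool:
    """True if `name` equals `ancestor` or lies beneath it in the tree."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


def closest_zone_cut(qname: str, cached_ns: Iterable[str]) -> Optional[str]:
    """Deepest owner of a cached NS RRset at or above `qname`."""
    cuts = [c for c in cached_ns if is_at_or_below(qname, c)]
    return max(cuts, key=lambda c: len(labels(c)), default=None)


def negative_answer_consistent(qname: str, soa_owner: str,
                               cached_ns: Iterable[str]) -> Tuple[bool, str]:
    """Accept the SOA only if it encloses qname and is not strictly above
    the closest cached delegation. An SOA above a known cut means the
    server answered for the parent zone about a name it delegated away."""
    if not is_at_or_below(qname, soa_owner):
        return False, f"SOA {soa_owner} does not enclose {qname}"
    cut = closest_zone_cut(qname, cached_ns)
    if cut is None:
        return False, f"no cached delegation encloses {qname}"
    if is_at_or_below(soa_owner, cut):
        return True, f"SOA {soa_owner} is at or below zone cut {cut}"
    return False, f"SOA {soa_owner} is above cached delegation {cut}"


# Constructed scenario from the page: the AAAA NODATA answer for
# openwrt.pool.ntp.org carries pool.ntp.org's SOA.
QNAME, SOA_OWNER = "openwrt.pool.ntp.org.", "pool.ntp.org."
OLD_CACHE = ["org.", "ntp.org.", "pool.ntp.org."]         # _.<domain>/A era
NEW_CACHE = OLD_CACHE + ["openwrt.pool.ntp.org."]          # NS-based minimization

if __name__ == "__main__":
    for tag, cache in (("old", OLD_CACHE), ("new", NEW_CACHE)):
        ok, why = negative_answer_consistent(QNAME, SOA_OWNER, cache)
        print(f"{tag} cache: {'NODATA' if ok else 'SERVFAIL'} ({why})")
```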
[^1]: Unless an explicit query for `openwrt.pool.ntp.org/NS` arrived at the resolver, in which case SERVFAIL responses would be served for `openwrt.pool.ntp.org/AAAA` even with the old QNAME minimization logic in effect.