[ISC-support #22588] BIND now returning SERVFAIL for attempted deletions of non-existent PTR/SRV records
A support customer reports a change in result from 9.16.37 to 9.18.18-S1 when attempting to remove nonexistent records:
9.16.37:
root@bdds-1:~# dpkg -l | grep bind
ii bind 9.16.37-bcn+95+1+bullseye amd64 Internet Domain Name Server
ii bind9-host 1:9.16.37-1~deb11u1 amd64 DNS Lookup Utility
ii bind9-libs:amd64 1:9.16.37-1~deb11u1 amd64 Shared Libraries used by BIND 9
ii python3-gi 3.38.0-2 amd64 Python 3 bindings for gobject-introspection libraries
ii python3-pycurl 7.43.0.6-5 amd64 Python bindings to libcurl (Python 3)
root@bdds-1:~# nsupdate -k /replicated/jail/named/var/tsig-keys/VIEW106751_ME4GC3CBQYOSAGZRP4S6STFTPU.key -d
Creating key...
Creating key...
namefromtext
keycreate
> update delete no-such-record.zone-1.com. 3600 SRV 3 5 23 zombie-1.zone-1.com.
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46781
;; flags: qr aa rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;no-such-record.zone-1.com. IN SOA
;; AUTHORITY SECTION:
zone-1.com. 0 IN SOA bdds-1.zone-1.com. postmaster.no.email.please. 711792954 3600 600 2592000 3600
Found zone name: zone-1.com
The master is: bdds-1.zone-1.com
Sending update to 10.244.95.156#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 8457
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
no-such-record.zone-1.com. 0 NONE SRV 3 5 23 zombie-1.zone-1.com.
;; TSIG PSEUDOSECTION:
view106751. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1692796815 300 16 n9txBLS3gO2aEi8gBMVCjw== 8457 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 8457
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;zone-1.com. IN SOA
;; TSIG PSEUDOSECTION:
view106751. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1692796815 300 16 BPNIYYVYTUQslvsqmdh8Yg== 8457 NOERROR 0
>
9.18.18-S1:
root@bdds-1:~# dpkg -l | grep bind
ii bind 9.18.18-S1-bcn+95+1+bullseye amd64 Internet Domain Name Server
ii bind9-host 1:9.16.37-1~deb11u1 amd64 DNS Lookup Utility
ii bind9-libs:amd64 1:9.16.37-1~deb11u1 amd64 Shared Libraries used by BIND 9
ii python3-gi 3.38.0-2 amd64 Python 3 bindings for gobject-introspection libraries
ii python3-pycurl 7.43.0.6-5 amd64 Python bindings to libcurl (Python 3)
root@bdds-1:~# nsupdate -k /replicated/jail/named/var/tsig-keys/VIEW106751_ME4GC3CBQYOSAGZRP4S6STFTPU.key -d
Creating key...
Creating key...
namefromtext
keycreate
> update delete no-such-record.zone-1.com. 3600 SRV 3 5 23 zombie-1.zone-1.com.
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14715
;; flags: qr aa rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;no-such-record.zone-1.com. IN SOA
;; AUTHORITY SECTION:
zone-1.com. 0 IN SOA bdds-1.zone-1.com. postmaster.no.email.please. 711792954 3600 600 2592000 3600
Found zone name: zone-1.com
The primary is: bdds-1.zone-1.com
Sending update to 10.244.95.156#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 47705
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
no-such-record.zone-1.com. 0 NONE SRV 3 5 23 zombie-1.zone-1.com.
;; TSIG PSEUDOSECTION:
view106751. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1692797003 300 16 T/NI+8KZQ/cWn7adNq2CUA== 47705 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 47705
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;zone-1.com. IN SOA
;; TSIG PSEUDOSECTION:
view106751. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1692797003 300 16 aPcl6r8CeNK3o0/Ywfl6hQ== 47705 NOERROR 0
>
This appears to be limited to PTR and SRV records when the RDATA is fully specified. When using a wildcard for these record types, there is no SERVFAIL.
Assuming this is likely the same in 9.18.18, as this doesn't seem to be associated with -S features. Therefore, putting this under the open-source BIND project.
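A way to check for this behaviour change automatically when validating an upgrade: the added example below (not part of the original report and not ISC code) parses `nsupdate -d` output, pairs each outgoing UPDATE with the rcode of its reply, and flags single-RR deletions (class `NONE`, as shown in the UPDATE SECTION above) that did not return NOERROR. The function names are hypothetical, and the sample text is abridged from the two transcripts above with the TSIG lines dropped.

```python
import re

HEADER = re.compile(r"opcode: (\w+), status: (\w+), id: (\d+)")
# UPDATE-section RR as nsupdate prints it: owner, TTL, class, type, optional RDATA
RR = re.compile(r"^(\S+)\s+(\d+)\s+(NONE|ANY|IN)\s+(\S+)\s*(.*)$")

def update_results(debug_text):
    """Pair the records of each outgoing UPDATE with the rcode of the reply."""
    results, section, records = [], None, []
    for line in debug_text.splitlines():
        line = line.strip()
        if line.startswith("Outgoing update query:"):
            section, records = "out", []
        elif line.startswith("Reply from update query:"):
            section = "reply"
        elif line.startswith("Reply from SOA query:"):
            section = None
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            # Only RRs listed under the UPDATE SECTION of the outgoing message count
            if section in ("out", "out-update"):
                section = "out-update" if line.startswith(";; UPDATE") else "out"
        elif section == "out-update" and (m := RR.match(line)):
            records.append({"owner": m[1], "class": m[3], "type": m[4], "rdata": m[5]})
        elif section == "reply" and (m := HEADER.search(line)) and m[1] == "UPDATE":
            results.append({"id": int(m[3]), "rcode": m[2], "records": records})
            section = None
    return results

def failed_rr_deletes(debug_text):
    """UPDATEs that delete a specific RR (class NONE) and did not get NOERROR."""
    return [r for r in update_results(debug_text)
            if r["rcode"] != "NOERROR"
            and any(rr["class"] == "NONE" for rr in r["records"])]

def sample(update_id, rcode):
    """Abridged transcript built from the output in the report above."""
    return f"""Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14715
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: {update_id}
;; UPDATE SECTION:
no-such-record.zone-1.com. 0 NONE SRV 3 5 23 zombie-1.zone-1.com.
;; TSIG PSEUDOSECTION:
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: {rcode}, id: {update_id}
;; ZONE SECTION:
;zone-1.com. IN SOA"""

if __name__ == "__main__":
    for version, text in (("9.16.37", sample(8457, "NOERROR")),
                          ("9.18.18-S1", sample(47705, "SERVFAIL"))):
        print(version, [(r["id"], r["rcode"]) for r in failed_rr_deletes(text)])
```
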