Thanks - I had also missed the subtelty that monitor.itconsult.net shared servers with itconsult.net.
For testing, I have setup testmon.itconsult.net which is delegated in the same way (ie insecure) as mtgmon.itconsult.net. However, I get the same results, namely NOERROR for mtgmon and NXDOMAIN for testmon:- >; <<>> DiG 9.11.13 <<>> +norec +noadditional @dns3.mtgsy.com >doesnotexist.mtgmon.itconsult.net >; (2 servers found) >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38925 >;; flags: qr aa ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 4096 >;; QUESTION SECTION: >;doesnotexist.mtgmon.itconsult.net. IN A > >;; AUTHORITY SECTION: >mtgmon.itconsult.net. 86400 IN SOA dns0.mtgsy.com. >hostmaster.mtgmon.itconsult.net. 2016072809 3600 1200 1209600 3600 > >;; Query time: 102 msec >;; SERVER: 162.243.59.139#53(162.243.59.139) >;; WHEN: Mon Apr 06 11:23:01 BST 2020 >;; MSG SIZE rcvd: 143 and:- >; <<>> DiG 9.11.13 <<>> +norec +noadditional @dt01.itconsult.net >doesnotexist.testmon.itconsult.net >; (1 server found) >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53268 >;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 4096 >; COOKIE: aaca28581cfb0aee52c39f995e8b033847b494952922316b (good) >;; QUESTION SECTION: >;doesnotexist.testmon.itconsult.net. IN A > >;; AUTHORITY SECTION: >testmon.itconsult.net. 43200 IN SOA dt01.itconsult.net. >hostmaster.itconsult.net. 1 7200 900 1814400 43200 > >;; Query time: 1 msec >;; SERVER: 193.201.42.33#53(193.201.42.33) >;; WHEN: Mon Apr 06 11:23:53 BST 2020 >;; MSG SIZE rcvd: 143 This confirms that the difference in behaviour is not due to the sharing of DNS servers. Best wishes, Matthew ------ >From: Shumon Huque <shu...@gmail.com> >To: Stephane Bortzmeyer <bortzme...@nic.fr> >Cc: DNS Operations List <dns-operati...@dns-oarc.net> >Date: Fri, 3 Apr 2020 09:06:20 -0400 >Subject: Re: [dns-operations] NXDOMAIN vs NOERROR/no answers for non-existant >records >On Fri, Apr 3, 2020 at 8:20 AM Stephane Bortzmeyer <bortzme...@nic.fr> >wrote: > >> On Fri, Apr 03, 2020 at 07:48:16AM -0400, >> Shumon Huque <shu...@gmail.com> wrote >> a message of 98 lines which said: >> >> > The second one, doesnotexist.monitor.itconsult.net., does not appear >> to be >> > delegated from its parent. >> >> This is not what I see. Both are delegated from itconsult.net >> (source: their SOA). >> > >Ah, yes. The subtlety here (which I didn't notice at first) is that >monitor.itconsult.net is served by the same name servers as its parent. >Since most authority servers answer from their closest enclosing zone, most >iterative debugging tools like dig+trace etc won't see the delegation. > >Shumon. _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
