[dns-operations] why does that domain resolve?

Anand Buddhdev anandb at ripe.net
Fri Jun 4 16:47:14 UTC 2021

On 04/06/2021 17:52, A. Schulze wrote:

Hi Andreas,

> we found the domain "xn--80atcidr8i.xn--p1ai." in one of our logs.
> The TLD "xn--p1ai." delegates "xn--80atcidr8i.xn--p1ai." to two working nameservers.
> But these nameservers choose to announce "ns1.example.com" and "ns2.example.com" as authoritative.
> These names are garbage.
> But most resolvers do not fail to give an answer for "xn--80atcidr8i.xn--p1ai. /A"
> So I wonder, why do so many resolvers [1] obviously only follow a
> delegation and ignore authoritative data?
> Is it really some sort of "Hey, you asked for $domain/A, the setup
> is so broken, but I really tried my best: here is an answer..." ?

This depends on whether the resolver is parent-centric or child-centric.
My observation is that these days, the majority of resolvers are
parent-centric, meaning that they will query the NS records found in a
delegation, rather than the NS records returned by a child.

This practice is becoming more common, as authoritative servers return
minimal responses, meaning that the child NS records are not added to an
answer. A resolver will only get those child NS records if a client
queries for them explicitly, and even then, the resolver may not cache
them for future queries.
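
Added example, not part of the original message: a toy Python model of the NS selection described above, showing when the garbage child NS set breaks resolution and when it goes unnoticed. The `hoster.test` server names, the addresses, and the `Resolver` class are constructed for illustration; the model assumes a child-centric resolver caches child NS data whenever it sees it.

```python
# Constructed data: a delegation whose child-side NS set disagrees with the parent.
PARENT_NS = {"ns-a.hoster.test.": "192.0.2.1", "ns-b.hoster.test.": "192.0.2.2"}  # delegation + glue
CHILD_NS = ["ns1.example.com.", "ns2.example.com."]  # apex NS set announced by the child
CHILD_A = "198.51.100.7"                             # constructed A record in the child zone
RESOLVABLE = dict(PARENT_NS)                         # the child NS names lead nowhere


class Resolver:
    """Toy iterative resolver; models only NS selection for one zone."""

    def __init__(self, child_centric):
        self.child_centric = child_centric
        self.ns_cache = None  # NS names currently trusted for the zone

    def _query_child(self, qtype, minimal):
        """Ask the zone's servers; returns (answer, NS names seen in the response)."""
        if self.ns_cache is None:
            self.ns_cache = list(PARENT_NS)  # referral from the parent
        addrs = [RESOLVABLE[n] for n in self.ns_cache if n in RESOLVABLE]
        if not addrs:
            return "SERVFAIL", []  # no cached NS name can be turned into an address
        if qtype == "NS":
            return CHILD_NS, CHILD_NS
        # Minimal responses omit the apex NS set from the authority section.
        return CHILD_A, ([] if minimal else CHILD_NS)

    def lookup(self, qtype, minimal):
        answer, seen_ns = self._query_child(qtype, minimal)
        # A child-centric resolver lets authoritative child NS data replace the
        # referral; a parent-centric one keeps using the delegation.
        if self.child_centric and seen_ns:
            self.ns_cache = list(seen_ns)
        return answer


def scenario(child_centric, minimal, explicit_ns_query=False):
    """Two A lookups (second one after the A record expired), optional NS query between."""
    r = Resolver(child_centric)
    first = r.lookup("A", minimal)
    if explicit_ns_query:
        r.lookup("NS", minimal)
    return first, r.lookup("A", minimal)
```

Only the child-centric resolver that has actually seen the child NS set (full responses, or an explicit NS query) returns SERVFAIL on the second lookup; every other combination keeps answering from the delegation.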

