[dns-operations] why does that domain resolve?

Benno Overeinder benno at NLnetLabs.nl
Mon Jun 7 12:29:43 UTC 2021

On 04/06/2021 18:22, Anthony Lieuallen via dns-operations wrote:
> On Fri, Jun 4, 2021 at 11:58 AM A. Schulze <sca at andreasschulze.de> wrote:
>     So I wonder, why do so many resolvers [1] obviously only follow a
>     delegation and ignore authoritative data?
> This is a question of being parent- vs. child- centric.  The parents in 
> the DNS tree delegate correctly.  The fact that the children delegate 
> incorrectly can be a small or non-issue depending on resolver.  Google 
> Public DNS uses only parent delegations ( 
> https://developers.devsite.corp.google.com/speed/public-dns/docs/troubleshooting/domains#delegation 
> ).  Largely for issues like this: the child delegations can be wrong, 
> but for the domain to work at all, the parent delegations must be 
> correct.  (Resolvers that choose to use child delegations will likely in 
> this case discover that these delegations are bogus, and be left with 
> only the valid delegations, from the parent.)

Unbound prefers the child side name servers, but if they do not answer, 
tries to use the parent-side name servers.

A little more detail: Unbound would on first resolve use the parent-side 
servers.  On the second resolve, Unbound has the child-side name server 
data, looks up ns1.example.com, and gets an answer from the IANA 
example servers.  Then it tries to send packets to them, getting failure 
answers.  Then it tries the parent-side name servers as a fallback.

-- Benno

Benno J. Overeinder
NLnet Labs
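
A simplified model of the two behaviours described in this thread (parent-centric selection, and child-preferring selection with parent-side fallback), added here as an illustration; it is not Unbound's or Google Public DNS's code. The zone name, the parent-side server names and the failure model are constructed assumptions.

```python
# Simplified model (not Unbound's or Google's code) of parent-centric versus
# child-preferring name-server selection. All zone data is constructed.
ZONE = "zone.test."
PARENT_NS = ["ns1.provider.test.", "ns2.provider.test."]  # delegation held by the parent
CHILD_NS = ["ns1.example.com.", "ns2.example.com."]       # NS set published at the child apex
# Servers that actually answer authoritatively for ZONE; the child-side names
# resolve to hosts that return failure answers for it.
AUTHORITATIVE = {"ns1.provider.test.", "ns2.provider.test."}


def query(ns, trace):
    """Send one query to `ns`; record the attempt and return True on a usable answer."""
    ok = ns in AUTHORITATIVE
    trace.append((ns, "answer" if ok else "failure"))
    return ok


def resolve(policy, cache):
    """Resolve a name in ZONE. policy is 'parent' or 'child'.

    Returns (side, trace): side is 'child', 'parent' or None, naming the NS set
    that produced the answer; trace lists every server tried, in order.
    """
    trace = []
    # Child-preferring resolvers use the child-side NS set once it is cached.
    if policy == "child" and ZONE in cache:
        for ns in cache[ZONE]:
            if query(ns, trace):
                return "child", trace
    # First resolve, parent-centric policy, or fallback after child-side failures.
    for ns in PARENT_NS:
        if query(ns, trace):
            if policy == "child":
                cache[ZONE] = list(CHILD_NS)  # apex NS set learned from the answer
            return "parent", trace
    return None, trace


def wasted_queries(trace):
    """Count failed attempts, i.e. the extra round trips a bad child NS set costs."""
    return sum(1 for _, result in trace if result == "failure")


if __name__ == "__main__":
    cache = {}
    for attempt in (1, 2):
        side, trace = resolve("child", cache)
        print("child-preferring resolve", attempt, side, wasted_queries(trace))
    print("parent-centric:", resolve("parent", {}))
```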
