[dns-operations] 1.1.1.1 omits EDNS OPT RR when serving "locally served zones"

Hunts Chen hunts at cloudflare.com
Fri Feb 20 18:06:03 UTC 2026 

Hi,

Public resolvers commonly avoid sending queries for locally served zones to
the "blackhole" servers (AS112), instead, they synthesize NXDOMAIN
responses directly.

We can see the same behavior from public DNS resolvers. The missing OPT RR
from 1.1.1.1 apparently is a bug that will be fixed soon.

$ dig @1.1.1.1 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11703
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa.         IN      PTR

$ dig @8.8.8.8 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9790
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa.         IN      PTR

$ dig @9.9.9.9 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54612
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa.         IN      PTR

On Fri, Feb 20, 2026 at 8:19 AM Tatsuya Jinmei via dns-operations <
dns-operations at dns-oarc.net> wrote:

>
>
>
> ---------- Forwarded message ----------
> From: Tatsuya Jinmei <jtatuya at infoblox.com>
> To: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
> Cc:
> Bcc:
> Date: Fri, 20 Feb 2026 07:07:47 +0000
> Subject: 1.1.1.1 omits EDNS OPT RR when serving "locally served zones"
> Hi dns-operators,
>
> I've recently noticed that 1.1.1.1 omits EDNS OPT RR in its response to
> certain queries, e.g.:
>
> % dig @1.1.1.1 1.0.0.10.in-addr.arpa ptr +edns
>
> ; <<>> DiG 9.18.20 <<>> @1.1.1.1 1.0.0.10.in-addr.arpa ptr +edns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61776
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;1.0.0.10.in-addr.arpa. IN PTR
>
> ;; Query time: 2 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
> ;; WHEN: Thu Feb 19 22:51:21 PST 2026
> ;; MSG SIZE  rcvd: 39
>
> (It also omits SOA in the authority section). It includes OPT RR (and
> SOA in the case of NXDOMAIN) for other cases like x.root-servers.net
> (resulting in NXDOMAIN) or 4.0.41.198.in-addr.arpa/PTR.
>
> After trying various queries, it looks like this happens when the
> query name is listed in RFC6303.
>
> Is this a known behavior (I couldn't find any report on the net, thus
> asking here)? And, does anyone know the rationale of this behavior?
>
> Thanks,
>
> --
> jinmei
>
>
>
> ---------- Forwarded message ----------
> From: Tatsuya Jinmei via dns-operations <dns-operations at dns-oarc.net>
> To: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
> Cc:
> Bcc:
> Date: Fri, 20 Feb 2026 07:07:47 +0000
> Subject: [dns-operations] 1.1.1.1 omits EDNS OPT RR when serving "locally
> served zones"
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>


-- 


*Hunts Chen*  |  Systems Engineer
hunts at cloudflare.com
cell: +1 (626) 898-0153 <+16268980153>
Kirkland, WA
<https://www.cloudflare.com/>

1 888 99 FLARE  |  www.cloudflare.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20260220/9db5369e/attachment-0001.html>

More information about the dns-operations mailing list