[dns-operations] 1.1.1.1 omits EDNS OPT RR when serving "locally served zones"

Tatsuya Jinmei jtatuya at infoblox.com
Fri Feb 20 19:36:00 UTC 2026 

> Public resolvers commonly avoid sending queries for locally served zones to the "blackhole" servers (AS112), instead, they synthesize NXDOMAIN responses directly.

Thank you for the prompt response. Yes, I know the practice of synthesizing NXDOMAIN. That's all about RFC6303.
My question was about the missing EDNS OPT RR in the synthesized response. It's good to know that it's juse likely a bug.

--
jinmei
________________________________
From: Hunts Chen <hunts at cloudflare.com>
Sent: Friday, February 20, 2026 10:06 AM
To: Tatsuya Jinmei <jtatuya at infoblox.com>
Cc: dns-operations at dns-oarc.net <dns-operations at dns-oarc.net>
Subject: Re: [dns-operations] 1.1.1.1 omits EDNS OPT RR when serving "locally served zones"

Hi, Public resolvers commonly avoid sending queries for locally served zones to the "blackhole" servers (AS112), instead, they synthesize NXDOMAIN responses directly. We can see the same behavior from public DNS resolvers. The missing
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.

ZjQcmQRYFpfptBannerEnd
Hi,

Public resolvers commonly avoid sending queries for locally served zones to the "blackhole" servers (AS112), instead, they synthesize NXDOMAIN responses directly.

We can see the same behavior from public DNS resolvers. The missing OPT RR from 1.1.1.1 apparently is a bug that will be fixed soon.

$ dig @1.1.1.1<https://urldefense.com/v3/__http://1.1.1.1__;!!JYsgTRAg6ZQ!I1fBhzZJe-khpUMUisOpPXDWRV9SZF_sy9-nFl1GgPHngaGWMlO8cbI-GxWvjPtrDvlw1Y23ukLbyI5iPA$> 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11703
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa.         IN      PTR

$ dig @8.8.8.8<https://urldefense.com/v3/__http://8.8.8.8__;!!JYsgTRAg6ZQ!I1fBhzZJe-khpUMUisOpPXDWRV9SZF_sy9-nFl1GgPHngaGWMlO8cbI-GxWvjPtrDvlw1Y23ukIGY0Fmmg$> 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9790
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa.         IN      PTR

$ dig @9.9.9.9<https://urldefense.com/v3/__http://9.9.9.9__;!!JYsgTRAg6ZQ!I1fBhzZJe-khpUMUisOpPXDWRV9SZF_sy9-nFl1GgPHngaGWMlO8cbI-GxWvjPtrDvlw1Y23ukKtSg70AA$> 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54612
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa.         IN      PTR

On Fri, Feb 20, 2026 at 8:19 AM Tatsuya Jinmei via dns-operations <dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>> wrote:



---------- Forwarded message ----------
From: Tatsuya Jinmei <jtatuya at infoblox.com<mailto:jtatuya at infoblox.com>>
To: "dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>" <dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>>
Cc:
Bcc:
Date: Fri, 20 Feb 2026 07:07:47 +0000
Subject: 1.1.1.1 omits EDNS OPT RR when serving "locally served zones"
Hi dns-operators,

I've recently noticed that 1.1.1.1 omits EDNS OPT RR in its response to certain queries, e.g.:

% dig @1.1.1.1<https://urldefense.com/v3/__http://1.1.1.1__;!!JYsgTRAg6ZQ!I1fBhzZJe-khpUMUisOpPXDWRV9SZF_sy9-nFl1GgPHngaGWMlO8cbI-GxWvjPtrDvlw1Y23ukLbyI5iPA$> 1.0.0.10.in-addr.arpa ptr +edns

; <<>> DiG 9.18.20 <<>> @1.1.1.1<https://urldefense.com/v3/__http://1.1.1.1__;!!JYsgTRAg6ZQ!I1fBhzZJe-khpUMUisOpPXDWRV9SZF_sy9-nFl1GgPHngaGWMlO8cbI-GxWvjPtrDvlw1Y23ukLbyI5iPA$> 1.0.0.10.in-addr.arpa ptr +edns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa.       IN    PTR

;; Query time: 2 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Feb 19 22:51:21 PST 2026
;; MSG SIZE  rcvd: 39

(It also omits SOA in the authority section). It includes OPT RR (and
SOA in the case of NXDOMAIN) for other cases like x.root-servers.net<https://urldefense.com/v3/__http://x.root-servers.net__;!!JYsgTRAg6ZQ!I1fBhzZJe-khpUMUisOpPXDWRV9SZF_sy9-nFl1GgPHngaGWMlO8cbI-GxWvjPtrDvlw1Y23ukI07mVeow$>
(resulting in NXDOMAIN) or 4.0.41.198.in-addr.arpa/PTR.

After trying various queries, it looks like this happens when the
query name is listed in RFC6303.

Is this a known behavior (I couldn't find any report on the net, thus
asking here)? And, does anyone know the rationale of this behavior?

Thanks,

--
jinmei



---------- Forwarded message ----------
From: Tatsuya Jinmei via dns-operations <dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>>
To: "dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>" <dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>>
Cc:
Bcc:
Date: Fri, 20 Feb 2026 07:07:47 +0000
Subject: [dns-operations] 1.1.1.1 omits EDNS OPT RR when serving "locally served zones"
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net<mailto:dns-operations at lists.dns-oarc.net>
https://lists.dns-oarc.net/mailman/listinfo/dns-operations<https://urldefense.com/v3/__https://lists.dns-oarc.net/mailman/listinfo/dns-operations__;!!JYsgTRAg6ZQ!I1fBhzZJe-khpUMUisOpPXDWRV9SZF_sy9-nFl1GgPHngaGWMlO8cbI-GxWvjPtrDvlw1Y23ukKkUE3lww$>


--


Hunts Chen  |  Systems Engineer
hunts at cloudflare.com<mailto:hunts at cloudflare.com>
cell: +1 (626) 898-0153<tel:+16268980153>
Kirkland, WA

<https://urldefense.com/v3/__https://www.cloudflare.com/__;!!JYsgTRAg6ZQ!I1fBhzZJe-khpUMUisOpPXDWRV9SZF_sy9-nFl1GgPHngaGWMlO8cbI-GxWvjPtrDvlw1Y23ukKfhHizbg$>

1 888 99 FLARE  |  www.cloudflare.com<https://urldefense.com/v3/__https://www.cloudflare.com/__;!!JYsgTRAg6ZQ!I1fBhzZJe-khpUMUisOpPXDWRV9SZF_sy9-nFl1GgPHngaGWMlO8cbI-GxWvjPtrDvlw1Y23ukKfhHizbg$>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20260220/cb6145fd/attachment-0001.html>

More information about the dns-operations mailing list