<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span class="elementToProof">> Public resolvers commonly avoid sending queries for locally served zones to the "blackhole" servers (AS112), instead, they synthesize NXDOMAIN responses directly.
</span></div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span class="elementToProof">Thank you for the prompt response. Yes, I know the practice of synthesizing NXDOMAIN. That's all about RFC6303.</span></div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span class="elementToProof">My question was about the missing EDNS OPT RR in the synthesized response. It's good to know that it's just likely a bug.</span></div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span class="elementToProof">--</span></div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span class="elementToProof">jinmei</span></div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Hunts Chen <hunts@cloudflare.com><br>
<b>Sent:</b> Friday, February 20, 2026 10:06 AM<br>
<b>To:</b> Tatsuya Jinmei <jtatuya@infoblox.com><br>
<b>Cc:</b> dns-operations@dns-oarc.net <dns-operations@dns-oarc.net><br>
<b>Subject:</b> Re: [dns-operations] 1.1.1.1 omits EDNS OPT RR when serving "locally served zones"</font>
<div> </div>
</div>
<div>
<div dir="ltr">Hi,
<div><br>
</div>
<div>Public resolvers commonly avoid sending queries for locally served zones to the "blackhole" servers (AS112), instead, they synthesize NXDOMAIN responses directly.
<div>
<div><br>
</div>
<div>We can see the same behavior from public DNS resolvers. The missing OPT RR from 1.1.1.1 apparently is a bug that will be fixed soon.<br>
<div><br>
</div>
<div>$ dig @1.1.1.1 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11703<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0<br>
<br>
;; QUESTION SECTION:<br>
;1.0.0.10.in-addr.arpa.         IN      PTR<br>
<br>
$ dig @8.8.8.8 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9790<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 512<br>
;; QUESTION SECTION:<br>
;1.0.0.10.in-addr.arpa.         IN      PTR<br>
<br>
$ dig @9.9.9.9 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54612<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 1232<br>
;; QUESTION SECTION:<br>
;1.0.0.10.in-addr.arpa.         IN      PTR<br>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="x_gmail_quote x_gmail_quote_container">
<div dir="ltr" class="x_gmail_attr">On Fri, Feb 20, 2026 at 8:19 AM Tatsuya Jinmei via dns-operations <<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>> wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div class="x_msg-1290096445357613463"><br>
<br>
<br>
---------- Forwarded message ----------<br>
From: Tatsuya Jinmei <<a href="mailto:jtatuya@infoblox.com" target="_blank">jtatuya@infoblox.com</a>><br>
To: "<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>" <<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>><br>
Cc: <br>
Bcc: <br>
Date: Fri, 20 Feb 2026 07:07:47 +0000<br>
Subject: 1.1.1.1 omits EDNS OPT RR when serving "locally served zones"<br>
<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Hi dns-operators,</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>I've recently noticed that 1.1.1.1 omits EDNS OPT RR in its response to certain queries, e.g.:</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>% dig @1.1.1.1 1.0.0.10.in-addr.arpa ptr +edns</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>; <<>> DiG 9.18.20 <<>> @1.1.1.1 1.0.0.10.in-addr.arpa ptr +edns</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>; (1 server found)</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;; global options: +cmd</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;; Got answer:</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61776</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;; QUESTION SECTION:</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;1.0.0.10.in-addr.arpa.       IN    PTR</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;; Query time: 2 msec</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;; WHEN: Thu Feb 19 22:51:21 PST 2026</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>;; MSG SIZE  rcvd: 39</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>(It also omits SOA in the authority section). It includes OPT RR (and</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>SOA in the case of NXDOMAIN) for other cases like x.root-servers.net</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>(resulting in NXDOMAIN) or 4.0.41.198.in-addr.arpa/PTR.</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>After trying various queries, it looks like this happens when the</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>query name is listed in RFC6303.</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>Is this a known behavior (I couldn't find any report on the net, thus</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>asking here)? And, does anyone know the rationale of this behavior?</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>Thanks,</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>--</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>jinmei</span></div>
</div>
</div>
</blockquote>
</div>
<div><br clear="all">
</div>
<div><br>
</div>
<span class="x_gmail_signature_prefix">-- </span><br>
<div dir="ltr" class="x_gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<p style="font-family:Helvetica; font-size:12px; color:rgb(64,64,64)"><br>
</p>
<p style="font-family:Helvetica; font-size:12px; color:rgb(64,64,64)"><b>Hunts Chen</b>  |  Systems Engineer<br>
<a href="mailto:hunts@cloudflare.com" target="_blank" style="color:rgb(47,123,191)">hunts@cloudflare.com</a><br>
cell: <a href="tel:+16268980153" target="_blank" style="color:rgb(47,123,191)">+1 (626) 898-0153</a><br>
Kirkland, WA</p>
<p style="font-family:Helvetica; font-size:12px; color:rgb(64,64,64)">1 888 99 FLARE  |  <a href="https://www.cloudflare.com/" target="_blank" style="color:rgb(47,123,191)">www.cloudflare.com</a></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
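<div>An added example, not written by anyone in this thread: a standard-library Python check for the condition discussed above, which parses a DNS response and reports whether it carries an EDNS OPT RR. The two messages are constructed to match the shapes in the dig output (the 39-byte NXDOMAIN without OPT, and one with udp 1232 and DO set); all function names are this example's own.</div>

```python
import struct

OPT = 41  # RR type of the EDNS(0) pseudo-record (RFC 6891)

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return the rcode, ARCOUNT and OPT details (or None) of a DNS response."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:
            # OPT: CLASS is the UDP size; TTL is ext-rcode(8) | version(8) | DO(1) | Z(15).
            opt = {"udp": rclass, "version": (ttl >> 16) & 0xFF,
                   "do": bool(ttl & 0x8000)}
    return {"rcode": flags & 0xF, "arcount": ar, "opt": opt}

def build_response(qname, rcode, opt_udp=None, do=False, msg_id=0x1234):
    """Construct a synthetic response (test input, not captured traffic)."""
    flags = 0x8180 | rcode                     # qr rd ra
    msg = struct.pack("!6H", msg_id, flags, 1, 0, 0, int(opt_udp is not None))
    msg += encode_name(qname) + struct.pack("!HH", 12, 1)   # PTR, IN
    if opt_udp is not None:
        msg += b"\x00" + struct.pack("!HHIH", OPT, opt_udp, 0x8000 if do else 0, 0)
    return msg

def edns_compliant(query_had_opt, response):
    """RFC 6891: a reply to a query that carried OPT must itself carry OPT."""
    return (not query_had_opt) or edns_info(response)["opt"] is not None

QNAME = "1.0.0.10.in-addr.arpa"
WITHOUT_OPT = build_response(QNAME, rcode=3)                      # shape shown for 1.1.1.1
WITH_OPT = build_response(QNAME, rcode=3, opt_udp=1232, do=True)  # shape shown for 9.9.9.9
```

<div>To check live traffic, pass the raw UDP payload of a response to <code>edns_info</code> in place of the constructed messages.</div>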
</body>
</html>