Hi Tale,

Thanks for explaining. We can close this query now.
Thanks team for helping me understand the issue.

--
Thanks
Prasanna

On 17/12/20, 1:13 AM, "tale" <d.lawre...@salesforce.com> wrote:

On Wed, Dec 16, 2020 at 3:48 AM Prasanna Mathivanan (pmathiva) via bind-users <bind-users@lists.isc.org> wrote:
> Whenever we have broken delegation as domain owners didn't follow proper RFC, the default behaviour of the query hits "_.<label-sequence>" which doesn't exist? And we get NXDOMAIN or SERVFAIL response.

Going back to your original example, a.b.c.example.com, qname minimisation first identifies that there is a delegation at .com for example.com, and then asks the example.com nameservers for _.c.example.com. Typically this _.c.example.com query would come back with either an NXDOMAIN answer, which means that the queried nameserver believes it is authoritative for all names within c.example.com, or it comes back with a NOERROR answer that lists a delegation in the authority section. In the first case (NXDOMAIN), the resolver knows it can ask the same servers about _.b.c.example.com and the cycle repeats. In the latter case, the resolver is able to distinguish between whether there was a delegation for c.example.com (and ask the new nameservers about _.b.c.example.com) or a delegation that's actually at _.c.example.com (highly unusual, in which case, ask the original example.com nameservers about _.b.c.example.com).

Getting a SERVFAIL throws a wrench in all this. It's the authoritative server basically saying, "I'm badly broken and can't tell you how." Generally this means the resolver should ask the next server in the authoritative list. If they're all giving SERVFAIL then the resolver can either try to work around the brokenness (for example, by querying the full name at its closest enclosing delegation) or just give up on the SERVFAIL.

-- tale

PS: While thinking about this I realized a weird case, which is if only a subset of the parent nameservers are authoritative for a subdomain.
That is, imagine example.com is served by the four servers ns{1,2,3,4}.example.com, but c.example.com is delegated only to ns{1,2}.example.com. If you ask ns1 or ns2 about _.c.example.com, they'll give an authoritative answer and the fact that a delegation exists wouldn't be identified (absent DNSSEC), but asking ns3 or ns4 would give the delegation to ns1 and ns2. I can't think of how this might be a real problem for future queries though, outside of the usual type of brokenness that can happen even with full name queries (e.g., a parent has a subdomain configured that isn't actually delegated to it).
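
The walk described in the reply above, as an added example that is not part of the original thread and is not BIND's code: a toy Python model (no DNS traffic is sent) of how a minimising resolver picks its next servers after NXDOMAIN, a referral, or SERVFAIL. The server names `ns1`, `ns3` and `bad`, and the helpers `make_auth` and `minimised_walk`, are hypothetical; the closing full-name query is assumed from standard QNAME minimisation.

```python
# Constructed toy model of the walk described above; no real DNS traffic is sent.
NXDOMAIN, NOERROR, SERVFAIL = "NXDOMAIN", "NOERROR", "SERVFAIL"

def make_auth(delegations=None, broken=False):
    """Build a fake authoritative server: qname -> (rcode, cut owner, new servers)."""
    delegations = delegations or {}
    def answer(qname):
        if broken:
            return SERVFAIL, None, None
        for owner, servers in delegations.items():
            if qname == owner or qname.endswith("." + owner):
                return NOERROR, owner, servers      # referral in the authority section
        return NXDOMAIN, None, None                 # authoritative: no such name
    return answer

def minimised_walk(qname, zone, servers, auth):
    """Return the (server, query, result) steps taken below the known cut `zone`."""
    labels = qname[: -len(zone) - 1].split(".")     # "a.b.c" -> ["a", "b", "c"]
    steps, ancestor = [], zone
    for label in reversed(labels[1:]):              # intermediate names only: c, then b
        ancestor = f"{label}.{ancestor}"
        probe = f"_.{ancestor}"
        for server in servers:                      # on SERVFAIL, try the next server
            rcode, owner, new_servers = auth[server](probe)
            steps.append((server, probe, rcode))
            if rcode != SERVFAIL:
                break
        else:                                       # all failed: work around it by asking
            steps.append((servers[0], qname, "FALLBACK-FULL-NAME"))  # the full name
            return steps
        if rcode == NOERROR and owner == ancestor:
            servers = new_servers                   # zone cut at the ancestor itself
        # NXDOMAIN, or a cut at "_.<ancestor>": keep asking the same servers
    steps.append((servers[0], qname, "FULL-NAME"))
    return steps

# Constructed servers for the PS case: ns1 also serves c.example.com,
# ns3 only holds the delegation to ns1, and bad always answers SERVFAIL.
AUTH = {
    "bad": make_auth(broken=True),
    "ns1": make_auth(),
    "ns3": make_auth({"c.example.com": ["ns1"]}),
}

if __name__ == "__main__":
    for start in (["ns1"], ["ns3"], ["bad", "ns3"], ["bad"]):
        print(start, minimised_walk("a.b.c.example.com", "example.com", start, AUTH))
```

Starting at `ns1` the delegation for c.example.com is never seen, while starting at `ns3` it is, yet both walks end with the full name being asked of `ns1`.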