--- Begin Message ---
> Public resolvers commonly avoid sending queries for locally served zones to
> the "blackhole" servers (AS112), instead, they synthesize NXDOMAIN responses
> directly.
Thank you for the prompt response. Yes, I know the practice of synthesizing
NXDOMAIN. That's all about RFC6303.
My question was about the missing EDNS OPT RR in the synthesized response. It's
good to know that it's just likely a bug.
--
jinmei
________________________________
From: Hunts Chen <[email protected]>
Sent: Friday, February 20, 2026 10:06 AM
To: Tatsuya Jinmei <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [dns-operations] 1.1.1.1 omits EDNS OPT RR when serving "locally
served zones"
Hi,
Public resolvers commonly avoid sending queries for locally served zones to the
"blackhole" servers (AS112), instead, they synthesize NXDOMAIN responses
directly.
We can see the same behavior from public DNS resolvers. The missing OPT RR from
1.1.1.1 apparently is a bug that will be fixed soon.
$ dig @1.1.1.1 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11703
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa. IN PTR
$ dig @8.8.8.8 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9790
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa. IN PTR
$ dig @9.9.9.9 1.0.0.10.in-addr.arpa ptr +edns +dnssec +nocmd +nostat
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54612
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa. IN PTR
On Fri, Feb 20, 2026 at 8:19 AM Tatsuya Jinmei via dns-operations
<[email protected]> wrote:
---------- Forwarded message ----------
From: Tatsuya Jinmei <[email protected]>
To: "[email protected]" <[email protected]>
Cc:
Bcc:
Date: Fri, 20 Feb 2026 07:07:47 +0000
Subject: 1.1.1.1 omits EDNS OPT RR when serving "locally served zones"
Hi dns-operators,
I've recently noticed that 1.1.1.1 omits EDNS OPT RR in its response to certain
queries, e.g.:
% dig @1.1.1.1 1.0.0.10.in-addr.arpa ptr +edns
; <<>> DiG 9.18.20 <<>> @1.1.1.1 1.0.0.10.in-addr.arpa ptr +edns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa. IN PTR
;; Query time: 2 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Feb 19 22:51:21 PST 2026
;; MSG SIZE rcvd: 39
(It also omits SOA in the authority section). It includes OPT RR (and
SOA in the case of NXDOMAIN) for other cases like
x.root-servers.net
(resulting in NXDOMAIN) or 4.0.41.198.in-addr.arpa/PTR.
After trying various queries, it looks like this happens when the
query name is listed in RFC6303.
Is this a known behavior (I couldn't find any report on the net, thus
asking here)? And, does anyone know the rationale of this behavior?
Thanks,
--
jinmei
---------- Forwarded message ----------
From: Tatsuya Jinmei via dns-operations <[email protected]>
To: "[email protected]" <[email protected]>
Cc:
Bcc:
Date: Fri, 20 Feb 2026 07:07:47 +0000
Subject: [dns-operations] 1.1.1.1 omits EDNS OPT RR when serving "locally
served zones"
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Hunts Chen | Systems Engineer
[email protected]
cell: +1 (626) 898-0153
Kirkland, WA
1 888 99 FLARE | www.cloudflare.com
--- End Message ---
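An added example, not part of the original thread: a small wire-format check that reports whether a DNS response carries an EDNS OPT RR in the additional section and an SOA in the authority section, which is what the dig outputs above compare by eye. The function names and the two sample responses are assumptions constructed here to mirror the 39-byte NXDOMAIN without OPT and an NXDOMAIN with OPT (udp 1232, DO set).

```python
import struct

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label
            return off
        off += length

def inspect_response(msg):
    """Report RCODE, OPT RR details and SOA presence for a raw DNS response."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    result = {"rcode": flags & 0xF, "size": len(msg), "opt": None, "soa_in_authority": False}
    for section, count in (("ANSWER", an), ("AUTHORITY", ns), ("ADDITIONAL", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == 41 and section == "ADDITIONAL":
                # OPT reuses CLASS as the UDP payload size and TTL as ext-rcode/version/flags
                result["opt"] = {"udp": rclass, "version": (ttl >> 16) & 0xFF,
                                 "do": bool(ttl & 0x8000)}
            elif rtype == 6 and section == "AUTHORITY":
                result["soa_in_authority"] = True
    return result

# Constructed samples (not captured traffic): flags 0x8183 = qr rd ra, NXDOMAIN.
QUESTION = encode_name("1.0.0.10.in-addr.arpa") + struct.pack("!HH", 12, 1)  # PTR, IN
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)
NO_OPT = struct.pack("!6H", 61776, 0x8183, 1, 0, 0, 0) + QUESTION
WITH_OPT = struct.pack("!6H", 54612, 0x8183, 1, 0, 0, 1) + QUESTION + OPT_RR

if __name__ == "__main__":
    for label, msg in (("no OPT", NO_OPT), ("with OPT", WITH_OPT)):
        print(label, inspect_response(msg))
```

RFC 6891 requires a responder that implements EDNS to include an OPT RR when the request carried one, so `opt` being `None` on a reply to a `+edns` query is the condition to flag.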