queries for just a few domains fail (NXDOMAIN) for a bind 9.18 non-forwarding config ; forwarding does fix it. problem with 'my' config, or 'their' DNS ?

Mark Andrews marka at isc.org
Wed Oct 26 00:42:03 UTC 2022



> On 26 Oct 2022, at 11:25, PGNet Dev <pgnet.dev at gmail.com> wrote:
> 
>> QNAME minimisation is a good idea.  It comes in two flavours, relaxed
>> and strict.  Relaxed tries to cope with some breakages like NXDOMAIN
>> being returned from ENTs.  Strict doesn’t.
> 
> switch to 'relaxed' does, in fact, 'solve' the issue. insofar as, it appears, i no longer require the forward-zone workarounds.
> 
> that said, do i understand correctly that the Amazon et al responses are, in fact, 'breakages'?
> and, if so, that i have probably zero-chance of getting them to fix themselves in the next century or so?
> i.e., is 'relaxed' recommended for the real-world?

AWS are aware of the issue and are just taking a long time to address it.
NXDOMAIN for ENTs can also be the result of not adding delegating NS records
to the parent zone when both parent and child zones are served by the same
server.  QNAME minimisation exposes lots of errors as it makes queries that
aren’t seen without it.  The best way to do QNAME minimisation is to make
NS queries as then you can cache non-existence of the NS RRset at intermediate
nodes but then you run up against toy DNS servers / firewalls that only handle
A and AAAA lookups.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
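
The failure discussed in this thread, as an added example that is not part of the original messages or of BIND's code: a simplified Python model of a minimising resolver sending NS queries label by label to a server that answers NXDOMAIN for an empty non-terminal (ENT). The zone contents under example.test, the function names and the `broken_ent` flag are constructed for illustration.

```python
# Simplified model of QNAME minimisation against one authoritative server.
# All names and zone contents are constructed sample data.
ZONE = {
    "example.test.": {"NS"},            # zone apex
    "svc.region.example.test.": {"A"},  # the only name with data below the apex
}
# "region.example.test." is therefore an empty non-terminal (ENT):
# it owns no records, but a name exists beneath it.

def answer(qname, qtype, broken_ent):
    """Return the modelled response; NODATA means NOERROR with no answer."""
    if qname in ZONE:
        return "NOERROR" if qtype in ZONE[qname] else "NODATA"
    is_ent = any(name.endswith("." + qname) for name in ZONE)
    if is_ent and not broken_ent:
        return "NODATA"   # correct ENT answer: the name exists, no such type
    return "NXDOMAIN"     # correct for absent names, wrong for an ENT

def resolve(qname, qtype, mode, broken_ent):
    """Resolve qname with mode 'strict', 'relaxed' or 'off'.

    Returns (response, list of queries sent). The apex example.test. is
    assumed to be already known to the resolver.
    """
    sent = []
    labels = qname.rstrip(".").split(".")
    if mode != "off":
        # Ask for NS one label at a time, starting just below the apex.
        for i in range(len(labels) - 3, 0, -1):
            partial = ".".join(labels[i:]) + "."
            sent.append((partial, "NS"))
            if answer(partial, "NS", broken_ent) == "NXDOMAIN":
                if mode == "strict":
                    return "NXDOMAIN", sent   # trusts the answer and stops
                break                         # relaxed: fall back to the full name
    sent.append((qname, qtype))
    return answer(qname, qtype, broken_ent), sent

if __name__ == "__main__":
    for broken in (False, True):
        for mode in ("off", "strict", "relaxed"):
            rcode, sent = resolve("svc.region.example.test.", "A", mode, broken)
            print(f"broken_ent={broken!s:5} mode={mode:7} -> {rcode:8} {sent}")
```

With a correct server all three modes resolve the name; with the broken ENT answer only strict mode fails, which matches the behaviour reported in the thread.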


