Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Dec 13 16:44:03 UTC 2023


On Wed, Dec 13, 2023 at 05:29:02PM +0100,
 Michel Diemer via bind-users <bind-users at lists.isc.org> wrote 
 a message of 1723 lines which said:

> another virtual machine that uses the first one as ics dhcp and dns
> server.

An important thing about DNS: there are two types of DNS servers, very
different. Resolvers and authoritative. They use the same protocol,
and BIND can do both, but they have very different properties.

> I have disabled IPv6 by setting link-local: [] in netplan's setting.

Too bad. This is 2023, not the 20th century.

> The name of the network (dns zone) is "reseau1.lan". When I "dig -4
> reseau1.lan" the AUTHORITY bit is set to 1. 

You mean AA (authoritative answer)?

> Why or when should the AUTHORITY bit be set to 1? What does it take
> for nslookup to give me an authoritative answer?

nslookup is an old and not very satisfying program. I would suggest
using dig instead.

> If I "ping xxx.reseau1.lan" I get an NXDOMAIN answer. Why NXDOMAIN
> and not NOERROR (NODATA) ? The domain "reseau1.lan" exists and my
> dns server is authoritative for this zone (SOA record) but the
> computer "xxx" on this domain does not. Should I use a wildcard dns
> record ?

Adding an entry for the "xxx" subdomain seems simpler.

> I have tried to empty the list of forwarders and disable the dns
> cache ... should I configure a dns-resolver only for the domain
> reseau1.lan and then a dns forwarder for external dns queries ? Or
> maybe configure the resolver for the lan network interface and the
> forwarder on the internet network interface on the dns server ?

I strongly suggest separating resolver and authoritative. You
normally have authoritative answers from the authoritative servers
(surprise!) and non-authoritative from the resolvers, at least when
their cache is warm.
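As an added illustration (not part of the thread, nor BIND code), a small Python helper that decodes the 12-byte header of a DNS response and reports the two things discussed above: whether the AA bit is set, and whether the reply is NXDOMAIN or NOERROR with no answers (NODATA). The sample messages are constructed inline with a hypothetical `build_header` helper rather than captured from a real server.

```python
import struct

# DNS RCODE values from RFC 1035; only the two the thread is about.
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header: ID, flags and the four section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),    # 1 = this is a response
        "aa": bool(flags & 0x0400),    # Authoritative Answer bit (dig shows "aa" in flags)
        "rcode": flags & 0x000F,       # dig shows this as "status:"
        "qdcount": qdcount, "ancount": ancount,
        "nscount": nscount, "arcount": arcount,
    }


def classify(msg: bytes) -> str:
    """Name the reply the way the thread distinguishes them: NXDOMAIN vs NODATA, AA or not."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_NXDOMAIN:
        kind = "NXDOMAIN (name does not exist)"
    elif h["rcode"] == RCODE_NOERROR and h["ancount"] == 0:
        # NODATA is not an RCODE: it is NOERROR with an empty answer section.
        kind = "NODATA (name exists, no records of this type)"
    elif h["rcode"] == RCODE_NOERROR:
        kind = f"NOERROR with {h['ancount']} answer record(s)"
    else:
        kind = f"RCODE {h['rcode']}"
    source = "authoritative (AA=1)" if h["aa"] else "non-authoritative (AA=0, e.g. a resolver's cache)"
    return f"{kind}, {source}"


def build_header(ident: int, aa: bool, rcode: int, ancount: int = 0, nscount: int = 0) -> bytes:
    """Constructed sample response header (QR=1, RD=1, RA=1) with the given AA bit and RCODE."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0400 if aa else 0) | (rcode & 0xF)
    return struct.pack("!6H", ident, flags, 1, ancount, nscount, 0)


if __name__ == "__main__":
    print(classify(build_header(1, aa=True, rcode=RCODE_NXDOMAIN, nscount=1)))
    print(classify(build_header(2, aa=True, rcode=RCODE_NOERROR, nscount=1)))
    print(classify(build_header(3, aa=False, rcode=RCODE_NOERROR, ancount=1)))
```

With a real capture, the same header comes from the first 12 bytes of the UDP payload, and `dig` prints the same information on its "flags:" and "status:" lines.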
