[GH-ISSUE #2404] Unexpected ANSWER and RCODE for non-existent SOA query #980

New issue

Open

opened 2026-03-16 01:09:51 +03:00 by kerem · 2 comments

kerem commented

2026-03-16 01:09:51 +03:00

Owner

Originally created by @PRRIN on GitHub (Sep 2, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2404

What happened:

When querying for a non-existent SOA record, the ANSWER section should be empty. However, the SOA record is incorrectly returned in ANSWER section, and the RCODE incorrectly returns NOERROR instead of NXDOMAIN.

How to reproduce it (as minimally and precisely as possible):

Using the following zone file (a.zone):

a.           500 IN SOA b.c.d. e.f.d. 3 604800 86400 2419200 604800 
a.           500 IN NS  g.

and this zone config (zone.toml):

[[zones]]
zone = "a"
zone_type = "Primary"
file = "a.zone"

Response for querying <b.a., SOA>:

root@6755885182dd:/app/hickory-dns# dig @127.0.0.1 -p 24141 b.a. SOA

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 -p 24141 b.a. SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52070
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;b.a.                           IN      SOA

;; ANSWER SECTION:
a.                      2419200 IN      SOA     b.c.d. e.f.d. 3 604800 86400 2419200 604800

;; AUTHORITY SECTION:
a.                      500     IN      NS      g.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#24141(127.0.0.1) (UDP)
;; WHEN: Sun Sep 01 09:14:40 UTC 2024
;; MSG SIZE  rcvd: 93

What you expected to happen:

The RCODE should not be NOERROR, and the ANSWER section should not include the a. SOA record.

It's caused by the last match expression in InMemoryAuthority::search:

match record_type {
    RecordType::SOA => {
        self.lookup(self.origin(), record_type, lookup_options)
            .await
    }
    RecordType::AXFR => { ... }
    // A standard Lookup path
    _ => self.lookup(lookup_name, record_type, lookup_options).await,
}

The lookup for the SOA branch should use the same parameters as the standard lookup path.

Environment:

the virsion of hickory-dns: v0.24.1, 6334a01
rustc version: 1.69.0

Bind9 behavior under the same setup: the RCODE is NXDOMAIN, and the AUTHORITY section is a. SOA.

Originally created by @PRRIN on GitHub (Sep 2, 2024). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2404 **What happened:** When querying for a non-existent SOA record, the ANSWER section should be empty. However, the SOA record is incorrectly returned in ANSWER section, and the RCODE incorrectly returns `NOERROR` instead of `NXDOMAIN`. **How to reproduce it (as minimally and precisely as possible):** Using the following zone file (`a.zone`): ``` a. 500 IN SOA b.c.d. e.f.d. 3 604800 86400 2419200 604800 a. 500 IN NS g. ``` and this zone config (`zone.toml`): ``` [[zones]] zone = "a" zone_type = "Primary" file = "a.zone" ``` Response for querying `<b.a., SOA>`: ``` root@6755885182dd:/app/hickory-dns# dig @127.0.0.1 -p 24141 b.a. SOA ; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 -p 24141 b.a. SOA ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52070 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ;; QUESTION SECTION: ;b.a. IN SOA ;; ANSWER SECTION: a. 2419200 IN SOA b.c.d. e.f.d. 3 604800 86400 2419200 604800 ;; AUTHORITY SECTION: a. 500 IN NS g. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#24141(127.0.0.1) (UDP) ;; WHEN: Sun Sep 01 09:14:40 UTC 2024 ;; MSG SIZE rcvd: 93 ``` **What you expected to happen:** The RCODE should not be `NOERROR`, and the ANSWER section should not include the `a. SOA` record. It's caused by the last `match` expression in `InMemoryAuthority::search`: ```rust match record_type { RecordType::SOA => { self.lookup(self.origin(), record_type, lookup_options) .await } RecordType::AXFR => { ... } // A standard Lookup path _ => self.lookup(lookup_name, record_type, lookup_options).await, } ``` The lookup for the `SOA` branch should use the same parameters as the standard lookup path. **Environment:** - the virsion of hickory-dns: `v0.24.1, 6334a01` - rustc version: 1.69.0 **Bind9 behavior under the same setup:** the RCODE is `NXDOMAIN`, and the AUTHORITY section is `a. SOA`.

kerem added the

bug

compliance

labels

2026-03-16 01:09:51 +03:00

kerem commented

2026-03-16 01:10:02 +03:00

Author

Owner

@djc commented on GitHub (Sep 2, 2024):

Thanks for the report! Would you be able to submit a PR to fix this?

@djc commented on GitHub (Sep 2, 2024): Thanks for the report! Would you be able to submit a PR to fix this?

kerem commented

2026-03-16 01:10:07 +03:00

Author

Owner

@PRRIN commented on GitHub (Sep 3, 2024):

Thanks for the report! Would you be able to submit a PR to fix this?

Thanks for your recognition! I think it would be better to have a more thorough testing process before making this change. However, I am currently tied up with other tasks and unable to fix this bug at this time.

@PRRIN commented on GitHub (Sep 3, 2024): > Thanks for the report! Would you be able to submit a PR to fix this? Thanks for your recognition! I think it would be better to have a more thorough testing process before making this change. However, I am currently tied up with other tasks and unable to fix this bug at this time.

kerem referenced this issue

2026-03-16 02:28:55 +03:00

[PR #982] [MERGED] Support MX record pointing to root label, meaning no service available. #1836