Menu
Article

No record, NOERROR, no NXDOMAIN, no problem

Matt

Matt

• 2 min read

CircleCI's currently having a sad:

% dig app.circleci.com
; <<>> DiG 9.10.6 <<>> app.circleci.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10705
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;app.circleci.com.		IN	A
;; AUTHORITY SECTION:
circleci.com.		181	IN	SOA	ns-1572.awsdns-04.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; Query time: 89 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Mar 11 15:43:15 EST 2021
;; MSG SIZE  rcvd: 129

The response that comes back shows NOERROR as a status, but there's no A record returned like I asked for. Instead, there's an unsolicited SOA record. Why is there an SOA record? And why NOERROR instead of NXDOMAIN like I'd expect?

It turns out that NXDOMAIN means the record (app.circleci.com here) doesn't exist. In this case, though, apparently it does exist; it just doesn't have an A record.

A missing A record is kind of a weird case; this all makes more sense with, say, an MX record:

% dig -t MX www.google.com

; <<>> DiG 9.10.6 <<>> -t MX www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60708
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com.			IN	MX

;; AUTHORITY SECTION:
google.com.		60	IN	SOA	ns1.google.com. dns-admin.google.com. 362007607 900 900 1800 60

;; Query time: 75 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Mar 11 18:07:13 EST 2021
;; MSG SIZE  rcvd: 93

Of course www.google.com exists, so returning an NXDOMAIN in response to our query asking for an MX record would be incorrect. Instead, the response shows ANSWER: 0 because there are no MX records to return, and ADDITIONAL: 1 for the unsolicited SOA record. Because the query completed successfully, the status is set to NOERROR.

The same thing is happening with CircleCI's broken DNS when we try to find an address record. Arguably, the lack of an A record for a production website is a big error, but the DNS server cannot prognosticate about the state of the world. It's been incorrectly told that app.circleci.com exists, but doesn't have an A record, and the response reflects that.

Share
Show Comments