Hi Daniel & everybody

I would like to delegate dynamic.estada.ch and everything under it to my second nameserver.
It has some nice features like telling you the time:
kdig TXT time.dynamic.estada.ch @185.194.239.135
;; WARNING: response QR bit not set
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53740
;; Flags: aa rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; time.dynamic.estada.ch.              IN      TXT

;; ANSWER SECTION:
time.dynamic.estada.ch. 18      IN      TXT     "2026-06-06 19:56:42 UTC"

My trouble is maybe with the resolvers, that the recursive resolvers of my mobile ISP are not properly resolving the chain of NS entries?

I made another configuration where I move the glue records outside of the tree dynamic.estada.ch up into estada.ch:
dynamic.estada.ch.               3600 NS    dynamic-ns.estada.ch.
dynamic-ns.estada.ch.            3600 A     185.194.239.135
dynamic-ns.estada.ch.            3600 AAAA  2a0a:51c0::12b

This appears to be working better with my local ISP, but still is not reliable on a more global scale: https://dnschecker.org/#TXT/time.dynamic.estada.ch

I would love to have the old setup where the whole dynamic experiment is contained under its own DNS tree, but I seem to have this weird resolution problem.
Because now the website https://dynamic.estada.ch/ is no longer resolved, which is a problem for my letsencrypt setup.

Thanks in advance & have a nice weekend,
Stefan


On Fri, 5 June 2026 at 21:47, Daniel Salzman <daniel.salzman@nic.cz> wrote:
Hi Stefan,

Maybe I'm overlooking something, but do you have the dynamic.estada.ch zone configured?
Can't you simply remove the `dynamic.estada.ch. NS dynamic.estada.ch.` delegation?

Daniel

On 6/5/26 17:53, Stefan Estada wrote:
> Hi all
>
> I am having trouble forwarding a subdomain since I upgraded to the latest knot.
> For a couple of years I have been running a custom DNS server under dynamic.estada.ch that the clients find via my regular infrastructure.
>
> On my primary zone I have these records, but knot appears to answer weirdly:
> *estada.ch.zone*
> dynamic.estada.ch. 3600 A     185.194.239.135
> dynamic.estada.ch. 3600 AAAA  2a0a:51c0::12b
> dynamic.estada.ch. 3600 NS    dynamic.estada.ch.
>
> kdig AAAA dynamic.estada.ch @ns1.estada.ch
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 29173
> ;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 3
>
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
>
> ;; QUESTION SECTION:
> ;; dynamic.estada.ch.              IN      AAAA
>
> ;; AUTHORITY SECTION:
> dynamic.estada.ch. 3600    IN      NS      dynamic.estada.ch.
>
> ;; ADDITIONAL SECTION:
> dynamic.estada.ch. 3600    IN      A       185.194.239.135
> dynamic.estada.ch. 3600    IN      AAAA    2a0a:51c0::12b
>
>
> But public servers don't get the glue records:
> kdig AAAA dynamic.estada.ch @9.9.9.9
> ;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 63899
> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
>
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
>
> ;; QUESTION SECTION:
> ;; dynamic.estada.ch.              IN      AAAA
>
> The trouble is that most resolvers are now unable to resolve the domain as the AAAA and A queries still get answered with NS + additional A+AAAA.
> Is there a configuration option to tell knot to actually respond with the A or AAAA record when asked?
>
> Also ANY, TXT, or CAA queries behave the same as NS queries:
> kdig ANY dynamic.estada.ch @ns1.estada.ch
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14419
> ;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 3
>
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
>
> ;; QUESTION SECTION:
> ;; dynamic.estada.ch.              IN      ANY
>
> ;; AUTHORITY SECTION:
> dynamic.estada.ch. 3600    IN      NS      dynamic.estada.ch.
>
> ;; ADDITIONAL SECTION:
> dynamic.estada.ch. 3600    IN      A       185.194.239.135
> dynamic.estada.ch. 3600    IN      AAAA    2a0a:51c0::12b
>
> I am happy for any pointers you may have.
>
> Cheers,
> Stefan
>
> --
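
Added example, not part of the thread and not code from Knot DNS: a small Python classifier for the kdig header lines quoted above. It separates a referral from an answer and flags a reply whose QR bit is clear, which is what the kdig warning in the first message reports. The label names and the count-based referral heuristic are assumptions of this example.

```python
import re

# Header lines copied from the three kdig outputs quoted in this thread.
SAMPLES = {
    "TXT time.dynamic.estada.ch @185.194.239.135": """\
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53740
;; Flags: aa rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
""",
    "AAAA dynamic.estada.ch @ns1.estada.ch": """\
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 29173
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 3
""",
    "AAAA dynamic.estada.ch @9.9.9.9": """\
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 63899
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
""",
}

STATUS_RE = re.compile(r"status:\s*(\w+);")
FLAGS_RE = re.compile(
    r"Flags:\s*([a-z ]*);\s*QUERY:\s*(\d+);\s*ANSWER:\s*(\d+);"
    r"\s*AUTHORITY:\s*(\d+);\s*ADDITIONAL:\s*(\d+)"
)

def parse_header(text):
    """Extract rcode, flag set and section counts from kdig header lines."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no kdig header found")
    counts = dict(zip(("query", "answer", "authority", "additional"),
                      map(int, flags.groups()[1:])))
    return {"status": status.group(1), "flags": set(flags.group(1).split()), **counts}

def classify(h):
    """Name the kind of message a header describes (labels are hypothetical)."""
    if "qr" not in h["flags"]:
        return "not-a-response"   # QR=0 marks a query (RFC 1035, section 4.1.1)
    if h["status"] != "NOERROR":
        return h["status"].lower()
    if h["answer"] > 0:
        return "authoritative-answer" if "aa" in h["flags"] else "cached-answer"
    # Heuristic on counts only: no AA and no RA with authority data is what an
    # authoritative server sends for names at or below a delegation point.
    if h["authority"] > 0 and not {"aa", "ra"} & h["flags"]:
        return "referral"
    return "nodata"

if __name__ == "__main__":
    for query, text in SAMPLES.items():
        print(f"{query}: {classify(parse_header(text))}")
```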