Thanks, a good - and reasonably brief - read that: http://prefetch.net/blog/index.php/2016/09/28/the-subtleties-between-the-nxd... that you referenced. :-)
And indeed, is wee bit more CHAOS data out there:

$ (for d in version.bind hostname.bind server-id.bind id.server bind. server.; do dig +noall +answer +norecurse @ns1.balug.org. "$d" ANY CHAOS; done) | sort -u
hostname.bind. 0 CH NS hostname.bind.
hostname.bind. 86400 CH SOA hostname.bind. hostmaster.hostname.bind. 0 28800 7200 604800 86400
id.server. 0 CH NS id.server.
id.server. 86400 CH SOA id.server. hostmaster.id.server. 0 28800 7200 604800 86400
version.bind. 0 CH NS version.bind.
version.bind. 86400 CH SOA version.bind. hostmaster.version.bind. 0 28800 7200 604800 86400
$
So ... maybe I check further in future if there's reasonable way to cleanly disable all that ... but not high on the task/priority list at present - it's at least "good enough for now". My "todo" list is only 5,848 lines long ... and I'm sure I've forgotten to include many items and details.
From: "Rick Moen" rick@linuxmafia.com
Subject: Re: [BALUG-Talk] [BALUG-Admin] balug.org DNS review ... CHAOS ; -> ...
Date: Wed, 27 Sep 2017 22:36:16 -0700
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
$ dig +noall +answer +norecurse +comments @ns1.balug.org. version.bind TXT CHAOS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49907
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
$ dig +noall +answer +norecurse +comments @ns1.balug.org. hostname.bind TXT CHAOS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27923
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
$ dig +noall +answer +norecurse +comments @ns1.balug.org. id.server TXT CHAOS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43870
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
$

Hmmmm... I might've expected NXDOMAIN ... but ... close enough.
Au contraire. There's a point about that. RCODE NOERROR with ANSWER: 0 means there are _other_ RRs for that FQDN, and this is subtly different from RCODE 'NXDOMAIN'[1], as explained on this useful page, one I found just today while trying to finally learn the difference: http://prefetch.net/blog/index.php/2016/09/28/the-subtleties-between-the-nxd...
So what does NOERROR with an ANSWER of 0 actually represent? It means one or more resource records exist for this domain but there isn't a record matching the resource record type (A, AAAA, MX, etc.). This was a useful clarification for me and helped me isolate and fix the issue I was debugging. Sometimes the devil is in the details.
Worth reading.
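
An added example, not part of the e-mail thread: a small Python check that tells the NOERROR/ANSWER: 0 case (NODATA) apart from NXDOMAIN and from an actual disclosed TXT answer when auditing a server's CHAOS identity names. The helper names and the sample messages are assumptions constructed here; only the SOA values are taken from the dig output above.

```python
import struct

TXT, SOA, OPT, CH = 16, 6, 41, 3   # record types and the CHAOS class

def name(n):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in n.rstrip(".").split(".")) + b"\x00"

def rr(owner, rtype, rclass, ttl, rdata):
    """Encode one resource record."""
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def response(qname, rcode, answers=(), authority=()):
    """Build a constructed authoritative response (QR and AA set) carrying an EDNS OPT record."""
    opt = rr(b"\x00", OPT, 4096, 0, b"")
    hdr = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, len(answers), len(authority), 1)
    question = name(qname) + struct.pack("!HH", TXT, CH)
    return hdr + question + b"".join(answers) + b"".join(authority) + opt

def classify(msg):
    """Return (qname, verdict) from a raw DNS response, using only header and question."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    labels, off = [], 12
    while msg[off]:                      # the question name is never compressed
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    rcode = flags & 0x000F
    if rcode == 3:
        verdict = "NXDOMAIN"             # the name does not exist at all
    elif rcode == 0 and ancount == 0:
        verdict = "NODATA"               # name exists, but no record of the queried type
    elif rcode == 0:
        verdict = "ANSWER"               # an identity string is being returned
    else:
        verdict = f"RCODE{rcode}"
    return ".".join(labels) + ".", verdict

# Constructed samples; the SOA mirrors the CHAOS SOA values shown in the thread.
soa = rr(name("version.bind"), SOA, CH, 86400,
         name("version.bind") + name("hostmaster.version.bind")
         + struct.pack("!5I", 0, 28800, 7200, 604800, 86400))
txt = rr(name("version.bind"), TXT, CH, 0, b"\x0bconstructed")
SAMPLES = {
    "as in the thread": response("version.bind", 0, authority=[soa]),
    "name absent": response("version.bind", 3, authority=[soa]),
    "string disclosed": response("version.bind", 0, answers=[txt]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, *classify(msg))
```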