The SOA record in the NODATA response should be for openwrt.pool.ntp.org rather than pool.ntp.org, as that is the delegated zone. This configuration error is detected and logged by named regularly, as it is now doing QNAME minimisation using NS queries and the resolver learns the NS RRset for openwrt.pool.ntp.org.
(added spaces to avoid stupid link counting software, at the very minimum remove any link that ends in pool. ntp. org. from the count. It shouldn’t be this hard to report an issue.)
Hi Mark! Apologies, the spam stuff in Discourse made it hard to make this post. It should be better now that the system knows you are not a robot or spammer. (Email or the GitHub issue tracker works, too.) I removed some of the spaces from the post to make it easier to read.
Thanks for reporting this!
The misconfiguration is having NS’es on openwrt.pool.ntp.org. Internally it’s an alias for pool.ntp.org, but obviously I didn’t think that through! I changed it sometime recently (in the last year or two) so that new zones aren’t split into the numeric sub-parts, as all new deployments should use pool in their ntpd software (or they are SNTP clients that don’t care).
I’ll fix the bug in the software one of the next weekends so it’ll return the right SOA records in this scenario (and also the misconfiguration so it doesn’t have to).
Thanks again, @marka. I’ve updated a couple of servers (147.75.202.161 / 2604:1380:1001:d605::161:1 and 103.127.121.22 / 2404:1fc0:1000:400::0 ) and we will update the rest over the next week or two assuming no new issues come up.
As I understand it, the problem was specifically for negative DNS replies, such as for querying AAAA for 0.openwrt.pool.ntp.org, where the zone of the SOA provided in the negative reply did not match the zone of the NS records queried for the same name. Since only 2.*.pool.ntp.org zones provide AAAA records, it’s important to check for such a negative response in 0, 1, 3, or “bare” *.pool.ntp.org domains.
The SOA and NS responses now provide matching zones so that QNAME minimization will work with @Ask’s GeoDNS software used for pool.ntp.org, as I understand it.
My logs are still filled with “Name pool.ntp.org (SOA) not subdomain of zone debian.pool.ntp.org”, though:
named[79078]: DNS format error from 2a03:b0c0:1:d0::fef:d001#53 resolving 3.debian.pool.ntp.org/AAAA for *.*.*.*#56014: Name pool.ntp.org (SOA) not subdomain of zone debian.pool.ntp.org -- invalid response
named[79078]: FORMERR resolving '3.debian.pool.ntp.org/AAAA/IN': 2a03:b0c0:1:d0::fef:d001#53
named[79078]: DNS format error from 178.215.228.40#53 resolving 3.debian.pool.ntp.org/AAAA for *.*.*.*#56014: Name pool.ntp.org (SOA) not subdomain of zone debian.pool.ntp.org -- invalid response
named[79078]: FORMERR resolving '3.debian.pool.ntp.org/AAAA/IN': 178.215.228.40#53
named[79078]: DNS format error from 185.120.22.23#53 resolving 3.debian.pool.ntp.org/AAAA for *.*.*.*#56014: Name pool.ntp.org (SOA) not subdomain of zone debian.pool.ntp.org -- invalid response
named[79078]: FORMERR resolving '3.debian.pool.ntp.org/AAAA/IN': 185.120.22.23#53
named[79078]: DNS format error from 2001:67c:25dc:c::c#53 resolving 3.debian.pool.ntp.org/AAAA for *.*.*.*#56014: Name pool.ntp.org (SOA) not subdomain of zone debian.pool.ntp.org -- invalid response
named[79078]: FORMERR resolving '3.debian.pool.ntp.org/AAAA/IN': 2001:67c:25dc:c::c#53
named[79078]: DNS format error from 2a03:7900:104:1::2#53 resolving 3.debian.pool.ntp.org/AAAA for *.*.*.*#56014: Name pool.ntp.org (SOA) not subdomain of zone debian.pool.ntp.org -- invalid response
named[79078]: FORMERR resolving '3.debian.pool.ntp.org/AAAA/IN': 2a03:7900:104:1::2#53
And trying to solve this, every place in the internet is basically telling me to complain here.
It’s debian instead of openwrt, but as I understand, that doesn’t really matter here.
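The consistency check the thread is about (the owner name of the SOA in a negative answer must sit at or under the zone cut the resolver learned from the NS RRset, and must cover the queried name), together with a parser for the named log lines quoted above, as an added example written for this page. It is not code from the NTP Pool project, GeoDNS or BIND; the log lines embedded in it are constructed to mirror the format above and use documentation addresses rather than real pool servers.

```python
"""Check the authority section of a negative DNS answer against the zone a
QNAME-minimising resolver learned via NS queries, and parse the resulting
named FORMERR log lines.

Added example for this thread; not NTP Pool, GeoDNS or BIND code.
The names and log lines below are constructed (documentation addresses).
"""
import re
from collections import defaultdict


def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def is_subdomain(name, zone):
    """True if name equals zone or lies beneath it.

    Compared label by label, not as a string suffix, so that
    notpool.ntp.org is *not* treated as being under pool.ntp.org.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def check_negative_response(qname, learned_zone, soa_owner):
    """Validate a NODATA/NXDOMAIN answer the way the thread describes.

    learned_zone: the zone the resolver believes holds qname, i.e. the owner
                  of the NS RRset it fetched while minimising the query name
                  (openwrt.pool.ntp.org / debian.pool.ntp.org in the thread).
    soa_owner:    owner name of the SOA record in the AUTHORITY section.
    Returns None when consistent, otherwise a short reason string.
    """
    if not is_subdomain(qname, learned_zone):
        return f"{qname} is not inside learned zone {learned_zone}"
    if not is_subdomain(soa_owner, learned_zone):
        # This is the case named reports as "invalid response" / FORMERR.
        return f"Name {soa_owner} (SOA) not subdomain of zone {learned_zone}"
    if not is_subdomain(qname, soa_owner):
        return f"SOA {soa_owner} does not cover {qname}"
    return None


# Regex for the "DNS format error ... not subdomain of zone" line that named
# logs; the companion "FORMERR resolving ..." line carries no extra detail.
LOG_RE = re.compile(
    r"DNS format error from (?P<server>\S+?)#\d+ resolving "
    r"(?P<qname>\S+)/(?P<rtype>\S+) for \S+: "
    r"Name (?P<soa>\S+) \(SOA\) not subdomain of zone (?P<zone>\S+) "
    r"-- invalid response"
)


def parse_formerr(line):
    """Return the fields of one named FORMERR detail line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Map each offending authoritative server to the (zone, soa) pairs seen.

    Useful for working out which pool servers still need the fix.
    """
    by_server = defaultdict(set)
    for line in lines:
        rec = parse_formerr(line)
        if rec is not None:
            by_server[rec["server"]].add((rec["zone"], rec["soa"]))
    return dict(by_server)


# Constructed sample log, same shape as the thread's output (made-up addresses).
SAMPLE_LOG = [
    "named[4242]: DNS format error from 2001:db8::1#53 resolving "
    "3.debian.pool.ntp.org/AAAA for 192.0.2.99#56014: Name pool.ntp.org (SOA) "
    "not subdomain of zone debian.pool.ntp.org -- invalid response",
    "named[4242]: FORMERR resolving '3.debian.pool.ntp.org/AAAA/IN': 2001:db8::1#53",
    "named[4242]: DNS format error from 198.51.100.7#53 resolving "
    "0.openwrt.pool.ntp.org/AAAA for 192.0.2.99#56014: Name pool.ntp.org (SOA) "
    "not subdomain of zone openwrt.pool.ntp.org -- invalid response",
]


def demo():
    """The thread's bad answer beside the corrected one."""
    bad = check_negative_response("0.openwrt.pool.ntp.org",
                                  "openwrt.pool.ntp.org", "pool.ntp.org")
    good = check_negative_response("0.openwrt.pool.ntp.org",
                                   "openwrt.pool.ntp.org", "openwrt.pool.ntp.org")
    return bad, good


if __name__ == "__main__":
    print(demo())
    for server, pairs in summarize(SAMPLE_LOG).items():
        print(server, sorted(pairs))
```

Feeding a real log file into `summarize` gives one line per authoritative server still returning the mismatched SOA, which is the list worth reporting back; `check_negative_response` can also be pointed at answers captured with `dig +norecurse` against an individual pool server once the SOA and NS owner names are read off the authority section.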