Recursive servers that perform QNAME MINIMISATION are being deployed and they are exposing broken delegations like this one.

% dig -x 142.136.234.134
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.0-dev+hotspot+add-prefetch+marka <<>> -x 142.136.234.134
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39443
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d4d342d1c371c244772e3c725cd0e9163bc9f7112443be2b (good)
;; QUESTION SECTION:
;134.234.136.142.in-addr.arpa.    IN    PTR

;; Query time: 4140 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 07 12:10:30 AEST 2019
;; MSG SIZE  rcvd: 85

%

Now you may think, so what? But when you do a dig +trace you find this at the end:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27732
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;134.234.136.142.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
136.142.in-addr.arpa.    86400    IN    NS    ns1.twcable.com.
136.142.in-addr.arpa.    86400    IN    NS    ns2.twcable.com.
136.142.in-addr.arpa.    10800    IN    NSEC    137.142.in-addr.arpa. NS RRSIG NSEC
136.142.in-addr.arpa.    10800    IN    RRSIG    NSEC 5 4 10800 20190521003550 20190506233550 3402 142.in-addr.arpa. CErPYfRum0q2On4+XSc3avPzzqYa98oxYFp+8NRblUnbgAQ02Jta/FWS NcpBBvMnw6sTIfsVY0TqgAC6MCMj8ojHca3+IgVFqa2gSPISewvH1ajl rNLPAiIgiOjIwdQFe2FRd9UaKnl3XKGsYYLFmAe4yn3wL5aIRaVKjFAi y0w=

;; Query time: 373 msec
;; SERVER: 2001:67c:e0::10#53(2001:67c:e0::10)
;; WHEN: Tue May 07 12:11:46 AEST 2019
;; MSG SIZE  rcvd: 322

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59480
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;134.234.136.142.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
134.234.136.142.in-addr.arpa. 14400    IN    PTR    nce.mail.chartercom.com.

;; AUTHORITY SECTION:
234.136.142.in-addr.arpa. 500    IN    NS    cdp-wn-tm-5-01.inf.twcable.com.

;; Query time: 1009 msec
;; SERVER: 165.237.86.252#53(165.237.86.252)
;; WHEN: Tue May 07 12:11:47 AEST 2019
;; MSG SIZE  rcvd: 135

%

And I'm pretty sure Charter/TWCable want email to be delivered to/from them.

The reason for the failure is that cdp-wn-tm-5-01.inf.twcable.com does not exist: qname minimisation results in the recursive server discovering the NS record, and as there are no A or AAAA records for this name the PTR lookup fails.

% dig cdp-wn-tm-5-01.inf.twcable.com
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.0-dev+hotspot+add-prefetch+marka <<>> cdp-wn-tm-5-01.inf.twcable.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48170
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d39d81ee2cc4f57c8558cf475cd0eaa7f5079768e7dfb548 (good)
;; QUESTION SECTION:
;cdp-wn-tm-5-01.inf.twcable.com.    IN    A

;; AUTHORITY SECTION:
twcable.com.    3600    IN    SOA    ns1.twcable.com. hostmaster.pblpdns01.twcable.com. 2019042503 14400 7200 604800 3600

;; Query time: 610 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 07 12:17:11 AEST 2019
;; MSG SIZE  rcvd: 170

%

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
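The mechanism in the post, as an added example that is not part of the original message and is not Mark Andrews' or BIND's code: a mock authoritative tree built from the dig output above, queried by a small iterative resolver once without and once with QNAME minimisation. The twcable.com. zone contents, the NS record at 234.136.142.in-addr.arpa. and the PTR are taken from the trace; the server name for 142.in-addr.arpa. and the 192.0.2.x addresses (RFC 5737 documentation range) for ns1/ns2.twcable.com are placeholders and an assumption of this example, as is the mock server's habit of answering an exact match before looking for a zone cut (which is what the aa answer carrying both the PTR and the NS record shows).

```python
"""Mock of how QNAME minimisation changes what a resolver sees for the
delegation in the post above.  Added example, not Mark Andrews' code and not
from BIND.  Zone contents are constructed from the dig output; the server
name for 142.in-addr.arpa. and the 192.0.2.x addresses (RFC 5737) are
placeholders, an assumption of this example."""


def labels(name):
    return [] if name == "." else name.rstrip(".").split(".")


def is_subdomain(name, zone):
    """True if name is zone or lies below it."""
    nl, zl = labels(name), labels(zone)
    return len(nl) >= len(zl) and nl[len(nl) - len(zl):] == zl


def child(qname, parent):
    """The name one label below parent on the path toward qname."""
    ql, pl = labels(qname), labels(parent)
    return ".".join(ql[len(ql) - len(pl) - 1:]) + "."


# Constructed zone data: apex -> {(owner, rrtype): [rdata, ...]}.
ZONES = {
    "142.in-addr.arpa.": {  # only the delegation matters here
        ("136.142.in-addr.arpa.", "NS"): ["ns1.twcable.com.", "ns2.twcable.com."],
    },
    # From the aa answer: a PTR below a name that also carries an NS record
    # pointing at a host that does not exist.
    "136.142.in-addr.arpa.": {
        ("234.136.142.in-addr.arpa.", "NS"): ["cdp-wn-tm-5-01.inf.twcable.com."],
        ("134.234.136.142.in-addr.arpa.", "PTR"): ["nce.mail.chartercom.com."],
    },
    # No cdp-wn-tm-5-01.inf.twcable.com at all; placeholder addresses.
    "twcable.com.": {
        ("ns1.twcable.com.", "A"): ["192.0.2.1"],
        ("ns2.twcable.com.", "A"): ["192.0.2.2"],
    },
}
# Zones the resolver already knows (root/TLD walk skipped) and cached server
# addresses, as glue or cache would normally provide.  Names are placeholders.
PRIMED_ZONES = {"142.in-addr.arpa.": ["ns.142-in-addr.example."],
                "twcable.com.": ["ns1.twcable.com.", "ns2.twcable.com."]}
PRIMED_ADDR = {"ns.142-in-addr.example.": ["2001:67c:e0::10"],
               "ns1.twcable.com.": ["192.0.2.1"], "ns2.twcable.com.": ["192.0.2.2"]}


def authoritative(zone, qname, qtype):
    """Mock server for one zone -> (rcode, answer, referral).  As in the trace,
    an exact match is answered even when an NS record sits at an enclosing
    name; otherwise that NS record is returned as a referral."""
    rr = ZONES[zone]
    if qtype != "NS" and (qname, qtype) in rr:
        return "NOERROR", rr[(qname, qtype)], []
    for (owner, rtype), rdata in rr.items():
        if rtype == "NS" and owner != zone and is_subdomain(qname, owner):
            return "NOERROR", [], [(owner, ns) for ns in rdata]
    if any(is_subdomain(owner, qname) for owner, _ in rr):
        return "NOERROR", [], []  # name exists, maybe an empty non-terminal
    return "NXDOMAIN", [], []


class Resolver:
    """Iterative resolver; minimise=True asks NS for each shortened name first."""

    def __init__(self, minimise):
        self.minimise = minimise
        self.known = {z: list(n) for z, n in PRIMED_ZONES.items()}
        self.addr = {n: list(a) for n, a in PRIMED_ADDR.items()}
        self.trace, self.unreachable = [], []  # unreachable: dead delegations

    def _servers_reachable(self, zone, depth):
        ok = False
        for ns in self.known[zone]:
            if ns not in self.addr:  # an NS name is resolved like any other name
                rcode, rdata = self.resolve(ns, "A", depth + 1)
                self.addr[ns] = rdata if rcode == "NOERROR" else []
            ok = ok or bool(self.addr[ns])
        if not ok:
            self.unreachable.append((zone, list(self.known[zone])))
        return ok

    def resolve(self, qname, qtype, depth=0):
        cands = [z for z in self.known if is_subdomain(qname, z)]
        if depth > 5 or not cands:
            return "SERVFAIL", []
        zone = cur = max(cands, key=lambda z: len(labels(z)))  # closest known zone
        while True:
            if not self._servers_reachable(zone, depth):
                self.trace.append(f"no usable server for {zone}: SERVFAIL")
                return "SERVFAIL", []
            if self.minimise and cur != qname:
                q = child(qname, cur)
                qt = "NS" if q != qname else qtype
            else:
                q, qt = qname, qtype
            rcode, ans, ref = authoritative(zone, q, qt)
            self.trace.append(f"{zone} <- {q} {qt}: {rcode} {ans or [n for _, n in ref]}")
            if ref:  # referral: follow the delegation
                zone = cur = ref[0][0]
                self.known[zone] = [n for _, n in ref]
                continue
            if rcode == "NXDOMAIN" or q == qname:
                return rcode, ans
            cur = q  # intermediate name exists; add the next label


def compare(qname="134.234.136.142.in-addr.arpa.", qtype="PTR"):
    """Resolve qname both ways -> {minimise: (result, dead delegations, trace)}."""
    out = {}
    for minimise in (False, True):
        r = Resolver(minimise)
        out[minimise] = (r.resolve(qname, qtype), r.unreachable, r.trace)
    return out
```

Calling compare() shows the two paths side by side: without minimisation the full PTR query reaches the twcable.com servers, which answer it directly and the NS record for 234.136.142.in-addr.arpa. is never acted on; with minimisation the resolver asks for 234.136.142.in-addr.arpa. NS first, receives the referral, tries to resolve cdp-wn-tm-5-01.inf.twcable.com, gets NXDOMAIN from twcable.com. and fails the whole lookup with SERVFAIL, recording the dead delegation in Resolver.unreachable. The mock has no fallback; what a real resolver does when every NS name of a delegation fails to resolve is implementation specific. The operator-side check this suggests is the obvious one: every NS target named in a delegation must itself have A or AAAA records.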