Zones delegated to non-authoritative nameservers not handled properly

doesn’t seem to handle names that are delegated back to the same nameserver in a loop properly - ie where that nameserver will always answer with a referral.

For example, gets a response with NOERROR and no records:

$ dig

; <<>> DiG 9.11.5-P4-5.1-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34783
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1452
; IN	A

;; Query time: 1 msec
;; SERVER: 2606:4700:4700::1111#53(2606:4700:4700::1111)
;; WHEN: Tue Mar 31 21:13:48 BST 2020
;; MSG SIZE  rcvd: 62

Testing against other nameservers locally (eg BIND, pdns-recursor, knot-resolver) these all return SERVFAIL, and other large public resolvers (eg do as well.

In practice, this causes intermittent failures resolving names that are delegated back to the original nameserver as well as some other nameservers - this was seen on

Just in case it makes a difference, this is the POP I’m hitting:

$ dig +short chaos txt id.server

Thanks for a detailed report! This should be resolved correctly now. It was originally added as a workaround as some domains never set the AA flag, but it seems like it does more harm than good.

All looks good now - many thanks for the quick fix!
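
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not the resolver's own code: a simplified model of referral following in which a nameserver that keeps answering with the same non-authoritative referral produces SERVFAIL, while the `lenient` switch (an assumed reading of the workaround mentioned in the reply) produces NOERROR with no records. The `Reply`, `is_deeper` and `resolve` helpers, the `ns1`/`ns2` servers and all names and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Reply:
    """Only the parts of a DNS reply this check needs (constructed model)."""
    aa: bool = False                              # Authoritative Answer flag
    answers: list = field(default_factory=list)   # ANSWER section
    referral: Optional[tuple] = None              # (zone cut, nameserver) from AUTHORITY

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_deeper(new_zone, zone, qname):
    """True if new_zone is strictly below zone and still encloses qname."""
    n, z, q = labels(new_zone), labels(zone), labels(qname)
    return len(n) > len(z) and n[len(n) - len(z):] == z and q[len(q) - len(n):] == n

def resolve(qname, zone, ns, servers, lenient=False, max_hops=8):
    """Follow referrals starting at (zone, ns); return (rcode, answers)."""
    for _ in range(max_hops):
        reply = servers[ns](qname)
        if reply.aa:
            return "NOERROR", reply.answers
        if reply.referral and is_deeper(reply.referral[0], zone, qname):
            zone, ns = reply.referral             # real progress: follow the delegation
            continue
        # Not authoritative and no downward referral: a lame delegation.
        # lenient=True models accepting the non-AA reply as final (assumption).
        if lenient:
            return "NOERROR", reply.answers
        return "SERVFAIL", []
    return "SERVFAIL", []

# Constructed zone data: ns1 delegates sub.example.test back to itself and
# always answers with that referral; ns2 is a healthy authoritative server.
def ns1(qname):
    if qname.endswith("ok.example.test"):
        return Reply(referral=("ok.example.test", "ns2"))
    return Reply(referral=("sub.example.test", "ns1"))

SERVERS = {"ns1": ns1, "ns2": lambda q: Reply(aa=True, answers=["192.0.2.10"])}

if __name__ == "__main__":
    for lenient in (False, True):
        print(lenient, resolve("www.sub.example.test", "example.test", "ns1",
                               SERVERS, lenient=lenient))
```

The strict path fails on the second hop because the referral no longer moves closer to the query name, which is the condition that separates a delegation loop from a normal downward referral.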