Technitium returns invalid NS target for apex NS query

[rsingha108]

Description

When querying the NS record at the zone apex, Technitium returns an incorrect and nonsensical NS target (4670e52f3002.) that does not exist in the zone file. This violates DNS semantics, as the server must return the configured NS RRSet for the queried name. Other implementations (e.g., CoreDNS) correctly return the expected NS record, indicating a clear deviation in Technitium’s behavior.

Steps to Reproduce

1. Configure the following zone:

campus.edu.               500  IN  SOA     ns1.campus.edu. hostmaster.campus.edu. 2026013101 7200 3600 1209600 3600
campus.edu.               500  IN  NS      ns1.campus.edu.
ns1.campus.edu.           500  IN  A       192.0.2.53
ns1.campus.edu.           500  IN  AAAA    2001:db8::53
campus.edu.               500  IN  A       192.0.2.10
campus.edu.               500  IN  RRSIG   A 13 2 500 20300101000000 20260101000000 12345 campus.edu. FAKEA==
campus.edu.               500  IN  DNSKEY  257 3 13 AwEAAc...
campus.edu.               500  IN  MX      10 mail.campus.edu.
mail.campus.edu.          500  IN  A       192.0.2.25
mail.campus.edu.          500  IN  AAAA    2001:db8::25
mail.campus.edu.          500  IN  RRSIG   A 13 3 500 20300101000000 20260101000000 12345 campus.edu. FAKEA==
mail.campus.edu.          500  IN  RRSIG   AAAA 13 3 500 20300101000000 20260101000000 12345 campus.edu. FAKEA==
alias.campus.edu.         500  IN  CNAME   target.campus.edu.
target.campus.edu.        500  IN  A       192.0.2.88
child.campus.edu.         500  IN  NS      ns1.child.campus.edu.
ns1.child.campus.edu.     5    IN  A       192.0.2.100
ns1.child.campus.edu.     5    IN  AAAA    2001:db8::100
child.campus.edu.         500  IN  DS      12345 13 2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
dname.campus.edu.         500  IN  DNAME   redirected.campus.edu.
x.redirected.campus.edu.  500  IN  A       192.0.2.200
_sip._tcp.campus.edu.     500  IN  SRV     0 5 5060 sipserver.campus.edu.
sipserver.campus.edu.     500  IN  A       192.0.2.60
sipserver.campus.edu.     500  IN  AAAA    2001:db8::60

2. Query:

• Name: campus.edu.
• Type: NS

Buggy Behavior

Technitium returns:

• rcode NOERROR
• An NS record with target 4670e52f3002.

This target does not exist in the zone and is not configured, indicating incorrect or corrupted response generation.

Expected Behavior

The server should return:

• rcode NOERROR
• The correct NS RRSet:

[Hemsby]

I also replicated this, and it works as expected.

[ShreyasZare]

Thanks for the post. Not able to reproduce this too.

[rsingha108]

Hi, I am providing the exact steps I followed, please let me know if I am making any mistake.

1. Start the Technitium DNS Server Container (the image was built using the latest github repo)

docker run -d \
  --name technitium_test \
  -p 9000:5380/tcp \
  -p 9001:53/udp \
  technitium/dns-server:latest

2. Create a file zone.txt with the following contents:

campus.edu.               500  IN  SOA     ns1.campus.edu. hostmaster.campus.edu. 2026013101 7200 3600 1209600 3600
campus.edu.               500  IN  NS      ns1.campus.edu.
ns1.campus.edu.           500  IN  A       192.0.2.53
ns1.campus.edu.           500  IN  AAAA    2001:db8::53
campus.edu.               500  IN  A       192.0.2.10
campus.edu.               500  IN  RRSIG   A 13 2 500 20300101000000 20260101000000 12345 campus.edu. FAKEA==
campus.edu.               500  IN  DNSKEY  257 3 13 AwEAAc...
campus.edu.               500  IN  MX      10 mail.campus.edu.
mail.campus.edu.          500  IN  A       192.0.2.25
mail.campus.edu.          500  IN  AAAA    2001:db8::25
mail.campus.edu.          500  IN  RRSIG   A 13 3 500 20300101000000 20260101000000 12345 campus.edu. FAKEA==
mail.campus.edu.          500  IN  RRSIG   AAAA 13 3 500 20300101000000 20260101000000 12345 campus.edu. FAKEA==
alias.campus.edu.         500  IN  CNAME   target.campus.edu.
target.campus.edu.        500  IN  A       192.0.2.88
child.campus.edu.         500  IN  NS      ns1.child.campus.edu.
ns1.child.campus.edu.     5    IN  A       192.0.2.100
ns1.child.campus.edu.     5    IN  AAAA    2001:db8::100
child.campus.edu.         500  IN  DS      12345 13 2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
dname.campus.edu.         500  IN  DNAME   redirected.campus.edu.
x.redirected.campus.edu.  500  IN  A       192.0.2.200
_sip._tcp.campus.edu.     500  IN  SRV     0 5 5060 sipserver.campus.edu.
sipserver.campus.edu.     500  IN  A       192.0.2.60
sipserver.campus.edu.     500  IN  AAAA    2001:db8::60

3. Log In and Obtain an API Token

import requests

API = "http://localhost:9000"
r = requests.post(f"{API}/api/user/login", params={
    "user": "admin",
    "pass": "admin",
    "includeInfo": "false"
})
token = r.json()["token"]

4. Create the Zone

requests.post(f"{API}/api/zones/create", params={
    "token": token,
    "zone": "campus.edu.",
    "type": "Primary"
})

5. Import the Zone File via /api/zones/import

zone_text = open("zone.txt").read()

r = requests.post(f"{API}/api/zones/import", params={
    "token": token,
    "zone": "campus.edu.",
    "overwrite": "true"
}, data={"records": zone_text})

print(r.json())

6. Observe the Error Response

The API returns HTTP 200 with a JSON error body:

{
  "status": "error",
  "errorMessage": "The zone file parser failed to parse 'rdata' field on line # 6: ...",
  "innerErrorMessage": "The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters."
}

Stack trace (from innerError):

at System.Convert.FromBase64String(String s)
at TechnitiumLibrary.Net.Dns.ZoneFile.ReadZoneFileFromAsync(TextReader tR, ...) in ZoneFile.cs:line 596

7. Query the Zone

import dns.resolver
r = dns.resolver.resolve("campus.edu.", "A")

Technitium returns:

opcode QUERY
rcode NOERROR
flags QR AA RA
;QUESTION
campus.edu. IN NS
;ANSWER
campus.edu. 14400 IN NS 767b8972a004.
;AUTHORITY
;ADDITIONAL

---

Expected Behavior

• The /api/zones/import endpoint should successfully import the zone, and return the correct records.
• When I used the same zone for CoreDNS and it worked correctly and reponds with this answer campus.edu. 500 IN NS ns1.campus.edu.

Actual Behavior

• The /api/zones/import endpoint returns a error and aborts the entire import at the first RRSIG or DNSKEY record whose Base64 value is deemed invalid by System.Convert.FromBase64String().
• Technitium responds with campus.edu. 14400 IN NS 767b8972a004.

[ShreyasZare]

Thanks for the details. Since the zone file has issues and there was an error indicating the same, the import API did not complete and no records were imported. The output of the query you see is the NS record that was added in the zone when you created it. The 767b8972a004 name in the output is your docker container's hostname.