When I use dnspython to query an authoritative name server for NS records, it raises a NoAnswer exception, despite the fact that my packet capture shows that a proper response was received.
Example: ask j.gtld-servers.net (192.48.79.30) for NS records for stackoverflow.com
>>> import dns.resolver
>>> r = dns.resolver.Resolver()
>>> r.nameservers = ['192.48.79.30']
>>> for answer in r.query('stackoverflow.com', 'NS'):
... print answer.to_text()
...
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python2.7/dist-packages/dns/resolver.py", line 905, in query
raise_on_no_answer)
File "/usr/local/lib/python2.7/dist-packages/dns/resolver.py", line 142, in __init__
raise NoAnswer
dns.resolver.NoAnswer
>>>
Wireshark shows that an answer did, in fact, come back:
Frame 2: 157 bytes on wire (1256 bits), 157 bytes captured (1256 bits)
Ethernet II, Src: xxxxxxxxxxxxxx (xx:xx:xx:xx:xx:xx), Dst: xxxxxxxxxxxxx (xx:xx:xx:xx:xx:xx)
Internet Protocol Version 4, Src: 192.48.79.30 (192.48.79.30), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: domain (53), Dst Port: 55100 (55100)
Domain Name System (response)
[Request In: 1]
[Time: 0.278279000 seconds]
Transaction ID: 0xb6f5
Flags: 0x8100 (Standard query response, No error)
Questions: 1
Answer RRs: 0
Authority RRs: 2
Additional RRs: 2
Queries
Authoritative nameservers
stackoverflow.com: type NS, class IN, ns ns1.serverfault.com
stackoverflow.com: type NS, class IN, ns ns2.serverfault.com
Additional records
ns1.serverfault.com: type A, class IN, addr 198.252.206.80
ns2.serverfault.com: type A, class IN, addr 198.252.206.81
A query with dig @192.48.79.30 stackoverflow.com ns succeeds and provides the same answer shown in the packet capture above.
Interestingly, host -t NS stackoverflow.com 192.48.79.30 fails with a response "stackoverflow.com has no NS record" and in that case the packet capture, once again, shows that a response is being received.
Why isn't dnspython properly processing the response to this query?
Bob Halley (maintainer of dnspython) provided the following answer. It's not a bug. I should use dns.query.udp() instead.
You should probably use dns.query.udp() if you're querying an authoritative server. dns.resolver.Resolver's query is meant to go to a recursive server. From the resolver's standpoint, NoAnswer is the right thing to raise because the response is a delegation and not "the answer".
$ dig @192.48.79.30 stackoverflow.com. ns
; <<>> DiG 9.8.3-P1 <<>> @192.48.79.30 stackoverflow.com. ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31192
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;stackoverflow.com. IN NS
;; AUTHORITY SECTION:
stackoverflow.com. 172800 IN NS ns1.serverfault.com.
stackoverflow.com. 172800 IN NS ns2.serverfault.com.
;; ADDITIONAL SECTION:
ns1.serverfault.com. 172800 IN A 198.252.206.80
ns2.serverfault.com. 172800 IN A 198.252.206.81
;; Query time: 293 msec
;; SERVER: 192.48.79.30#53(192.48.79.30)
;; WHEN: Sat Dec 7 15:48:48 2013
;; MSG SIZE rcvd: 115