== How not to set up your DNS (part 17)

Here is an interesting one that caused me to go digging into the
moderate depths of DNS arcana:

 ; sdig ns just-dust.com
 dns1.name-services.com.
 dns2.name-services.com.
 dns3.name-services.com.
 dns4.name-services.com.
 dns5.name-services.com.
 ; dig mx servidor134.just-dust.com
 [...]
 ;; [...] status: SERVFAIL, [...]

This isn't for any simple reason, such as the servers refusing to answer
us or not being authoritative or whatnot. Instead, they have managed to
get the [['no such record' reply NoDataVsLameDelegation]] wrong; instead
of returning a SOA record for just-dust.com, they return what looks like
a lame delegation response (pointing at themselves), except that it has
the [[_aa_ bit DNSAnswersFlags]] set.

What may be going on is that name-services.com seems to be running a
very peculiar nameserver that has the moral equivalent of a wildcard
CNAME record for just-dust.com, *but only for A record queries*; if you
ask directly for a CNAME for foo.bar.just-dust.com, you get a normal 'no
such data' reply, but if you ask for the A record for that you get back
a reply with a CNAME plus an A record. Presumably as a result of this,
almost all queries for MX records of names inside the just-dust.com zone
get these lame delegation replies.

(Not all MX queries; just-dust.com MXes to mail.just-dust.com, and
name-services.com will return an MX record for that.)