Pollution

The authoritative server may be correct. dig may return the right record when you ask the authority directly. Yet the user still gets sent to the wrong address, and the same fake answer may appear immediately on different networks. When that happens, the problem is usually no longer in the zone file. It is in the resolution path itself, which has been raced and replaced.

DNS pollution looks like “DNS is misconfigured”, but the real problem is often not the authoritative data. It is that someone inserted a packet that looks like a DNS response into the lookup chain before the real answer arrived.