Must be zero bit set on queries with multiple forwarders

Mark Andrews Mark_Andrews at isc.org
Mon Nov 29 20:05:12 UTC 2004 

> I have a problem with BIND.  It manifests in at least 9.2.1 and 9.2.3
> and involves forwarders.  The BIND software emits malformed queries.
> 
> I have not verified whether the issue is platform-specific.  We're
> running on Solaris 7.
> 
> I have packet traces that show that the BIND server is setting a bit
> within the must-be-zero bits within DNS queries going to the forwarders.
> 
> The behavior is consistent and reproducible and appears to affect
> every zone that uses multiple forwarders.
> 
> In the case at hand, we have a zone defined as type forward:
> 
> 	zone "245.141.in-addr.arpa" {
> 		type forward;
> 		forwarders {
> 			141.245.68.6;
> 			141.245.68.7;
> 			141.245.245.242;
> 			141.245.245.241;
> 		};
> 	};
> 
> >From my client, I query for a name within this zone
> 
> 	C:\> nslookup 141.245.1.14
> 
> The server queries its cache, comes up empty and forwards a query
> to each of the listed forwarders in turn.
> 
> The queries to the first three servers on the list are all malformed.
> They have one of the must-be-zero bits in the "Z" field set.  And they
contain a bizarre additional record.  The target servers drop the
> malformed query on the floor, the request times out and the next
> forwarder is tried.
> 
> The query to the fourth and last server on the list is properly formed,
> the target server responds and the result is passed back to the client.
> 
> If the order of the forwarders in the bind config file (/etc/named.conf)
> is changed, it is always the last listed server that gets the properly
> formed query and the preceding servers that get the malformed queries.
> 
> The malformed queries are identical to the properly formed query with
> the exception of the bit in the Z field, the value in the ARCOUNT field,
> the presence of an additional records section and, of course, the
> query ID.
> 
> Here is an example malformed query:
> 
> 13:59:03.695868 O 10.40.96.14.33437 > 141.245.68.6.53:  64734+ [b2&3=0x110] 
> [1au] PTR? 14.1.245.141.in-addr.arpa. (54)
> 
>     0000 fcde0110 00010000 00000001 02313401 .............14.
>     0010 31033234 35033134 3107696e 2d616464 1.245.141.in-add
>     0020 72046172 70610000 0c000100 00290800 r.arpa.......)..
>     0030 00008000 0000                       ...... 
> 
>    As I decode this packet, it's:
> 
>    ID = 0xfcde
>    QR = 0 (it's a query)
>    Opcode = 0 (standard query)
>    AA = 0
>    TC = 0
>    RD = 1 (recursion desired)
>    RA = 0   
>    Z = 1 (must be zero isn't)
>    RCODE = 0
>    QDCOUNT = 1 (One query)
>    ANCOUNT = 0
>    NSCOUNT = 0
>    ARCOUNT = 1 (An additional record in a query?)
>    Question section:
>      QNAME = 14.1.245.141.in-addr.arpa.
>      QTYPE = 12 (query for PTR records)
>      QCLASS = 1 (IN)
>    Additional record section:
>      QNAME = .
>      QTYPE = 41
>      QCLASS = 2048
>      TTL = 2048
>      RDLENGTH = 0
>      RDATA = ""
> 
> And here is the corresponding properly formed query:
> 
> 13:59:05.705929 O 10.40.96.14.33437 > 141.245.245.241.53:  3746+ PTR? 
> 14.1.245.1
> 41.in-addr.arpa. (43)
> 
>     0000 0ea20100 00010000 00000000 02313401 .............14.
>     0010 31033234 35033134 3107696e 2d616464 1.245.141.in-add
>     0020 72046172 70610000 0c0001            r.arpa.....     
> 
>    As I decode this packet, it's:
> 
>    ID = 0x0ea2
>    QR = 0 (it's a query)
>    Opcode = 0 (standard query)
>    AA = 0
>    TC = 0
>    RD = 1 (recursion desired)
>    RA = 0   
>    Z = 0 (must be zero is)
>    RCODE = 0
>    QDCOUNT = 1 (One query)
>    ANCOUNT = 0
>    NSCOUNT = 0
>    ARCOUNT = 0 (No additional records this time)
>    Question section:
>      QNAME = 14.1.245.141.in-addr.arpa.
>      QTYPE = 12 (query for PTR records)
>      QCLASS = 1 (IN)
> 
> I am working under the assumption that this is intended behavior and that
> BIND is trying do do some private negotiation to control the next-hop
> forwarder's behavior on forwarded queries.  I have been unable to locate
> a document describing this behavior.
> 
> Rudimentary testing shows that BIND is willing to respond to these
> "malformed" queries.  The name server software used on the forwarders
> for the 141.245 reverse zone is not so tolerant.
> 
> Be warned, if you try to reproduce this problem yourself using the
> servers mentioned above on the 141.245 reverse zone you'll encounter
> a different set of problems.  We're running split DNS and the servers
> and forwarders shown here are all on the company intranet.
> 
> 	John Briggs

	Please read the collection of RFC's in doc/rfc.  In particular
	RFC 2671 "Extension Mechanisms for DNS (EDNS0)" and RFC 2535
	"Domain Name System Security Extensions", Section 6.1 The AD
	and CD Header Bits.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list