bind 9.3.2 FORMERR CNAME Problem

Mark Andrews Mark_Andrews at isc.org
Fri Aug 25 20:58:44 UTC 2006 

> We'll probably have to wait for confirmation from Mark Andrews, but  
> this sounds to me like a bug in the credibility check - it maybe  
> can't handle an untrustworthy record in the answer section of an  
> authoritative answer. There's probably some factor related to having  
> the result come from two different subzones of the same zone that is  
> delegated to the authoritative name server.
> 
> I'm able to reproduce the results you report (works with BIND 9.2,  
> doesn't work with BIND 9.3), so it's not some transitory error on the  
> part of the authoritative name servers.
> 
> I don't have time to test, but if you want, you can check my  
> hypothesis above as follows:
> 
> - Create two subzones on your authoritative name server - subzones of  
> a zone delegated to your name server.
> - Create a CNAME record in one of these zones pointing to a name in  
> the other.
> - Query your BIND 9.3 resolving name server for an A record of the  
> same name as the alias - the authoritative name server should return  
> an auth answer containing the alias from subzone 1, the address from  
> subzone 2, and the authority records from subzone 2.
> 
> Chris Buxton
> Men & Mice

	The NS RRset if from the wrong zone.  If a NS RRset is added
	to the authority section it should be for zone the last qname
	is in and not the zone the first qname.  Also CNAME and NS
	records are illegal at the same node.  It also looks like there
	is some sort of wierd wildcard processing going on.
	*.thinkcrime.de generates NXDOMAIN but you get responses to
	random subdomains of thinkcrime.de.

	Basically  Garbage In - Garbage Out.

	Mark

drugs:bind9-gdib 06:48 {967} % dig any teltest2.thinkcrime.de @81.3.43.97

drugs:bind9-gdib 06:53 {981} % dig ns ljsdhjgsdkudsaiuoiogewdkjekljsglkgjslkjgfk.thinkcrime.de @81.3.43.97

; <<>> DiG 9.3.2 <<>> ns ljsdhjgsdkudsaiuoiogewdkjekljsglkgjslkjgfk.thinkcrime.de @81.3.43.97
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18346
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;ljsdhjgsdkudsaiuoiogewdkjekljsglkgjslkjgfk.thinkcrime.de. IN NS

;; ANSWER SECTION:
ljsdhjgsdkudsaiuoiogewdkjekljsglkgjslkjgfk.thinkcrime.de. 28800 IN NS ns1.domaindiscount24.net.
ljsdhjgsdkudsaiuoiogewdkjekljsglkgjslkjgfk.thinkcrime.de. 28800 IN NS ns2.domaindiscount24.net.
ljsdhjgsdkudsaiuoiogewdkjekljsglkgjslkjgfk.thinkcrime.de. 28800 IN NS ns3.domaindiscount24.net.

;; AUTHORITY SECTION:
ljsdhjgsdkudsaiuoiogewdkjekljsglkgjslkjgfk.thinkcrime.de. 28800 IN NS ns1.domaindiscount24.net.
ljsdhjgsdkudsaiuoiogewdkjekljsglkgjslkjgfk.thinkcrime.de. 28800 IN NS ns2.domaindiscount24.net.
ljsdhjgsdkudsaiuoiogewdkjekljsglkgjslkjgfk.thinkcrime.de. 28800 IN NS ns3.domaindiscount24.net.

;; Query time: 322 msec
;; SERVER: 81.3.43.97#53(81.3.43.97)
;; WHEN: Sat Aug 26 06:53:35 2006
;; MSG SIZE  rcvd: 190

drugs:bind9-gdib 06:53 {982} % 
> On Aug 24, 2006, at 12:45 PM, Gunnar S. wrote:
> 
> > Hi,
> >
> > I have a CNAME Problem with bind 9.3.2 (and higher) which does not  
> > exist
> > with bind 9.2.4.
> >
> > dig @127.0.0.1 teltest2.thinkcrime.de
> >
> > ; <<>> DiG 9.2.4 <<>> @127.0.0.1 teltest2.thinkcrime.de
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61894
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;teltest2.thinkcrime.de.                IN      A
> >
> > ;; Query time: 3223 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Thu Aug 24 21:17:14 2006
> > ;; MSG SIZE  rcvd: 40
> >
> > debug output:
> > [...]
> > 24-Aug-2006 20:56:59.590 fctx 0x8235a20(teltest2.thinkcrime.de/A'):  
> > try
> > 24-Aug-2006 20:56:59.590 fctx 0x8235a20(teltest2.thinkcrime.de/A'):  
> > query
> > 24-Aug-2006 20:56:59.591 resquery 0x82443e0 (fctx
> > 0x8235a20(teltest2.thinkcrime.de/A)): send
> > 24-Aug-2006 20:56:59.591 dispatch 0x8212f00 response 0x8237788
> > 81.3.43.97#53: attached to task 0x8213b98
> > 24-Aug-2006 20:56:59.591 resquery 0x82443e0 (fctx
> > 0x8235a20(teltest2.thinkcrime.de/A)): sent
> > 24-Aug-2006 20:56:59.591 resquery 0x82443e0 (fctx
> > 0x8235a20(teltest2.thinkcrime.de/A)): senddone
> > 24-Aug-2006 20:56:59.640 socket 0x8200f78: dispatch_recv:  event
> > 0x8202900 -> task 0x82013c0
> > 24-Aug-2006 20:56:59.640 socket 0x8200f78: internal_recv: task  
> > 0x82013c0
> > got event 0x8200fb8
> > 24-Aug-2006 20:56:59.640 socket 0x8200f78 81.3.43.97#53: packet  
> > received
> > correctly
> > 24-Aug-2006 20:56:59.640 socket 0x8200f78: processing cmsg 0x8201058
> > 24-Aug-2006 20:56:59.640 client 81.3.43.97#53: UDP request
> > 24-Aug-2006 20:56:59.641 client 81.3.43.97#53: next
> > 24-Aug-2006 20:56:59.641 client 81.3.43.97#53: endrequest
> > 24-Aug-2006 20:56:59.641 client @0x8201158: udprecv
> > 24-Aug-2006 20:56:59.641 socket 0x8200f78: socket_recv: event  
> > 0x8202900
> > -> task 0x82013c0
> > 24-Aug-2006 20:56:59.641 dispatch 0x8200dc0: got packet: requests 0,
> > buffers 2, recvs 0
> > 24-Aug-2006 20:56:59.641 dispatch 0x8200dc0: got valid DNS message
> > header, /QR 1, id 42269
> > 24-Aug-2006 20:56:59.641 dispatch 0x8200dc0: search for response in
> > bucket 3844: found
> > 24-Aug-2006 20:56:59.641 dispatch 0x8200dc0 response 0x8237788
> > 81.3.43.97#53: [a] Sent event 0x8237568 buffer 0x823bb58 len 4096 to
> > task 0x8213b98
> > 24-Aug-2006 20:56:59.641 resquery 0x82443e0 (fctx
> > 0x8235a20(teltest2.thinkcrime.de/A)): response
> > 24-Aug-2006 20:56:59.641 received packet:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  42269
> > ;; flags: qr aa ; QUESTION: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
> > ;; QUESTION SECTION:
> > ;teltest2.thinkcrime.de.                IN      A
> >
> > ;; ANSWER SECTION:
> > teltest2.thinkcrime.de. 28800   IN      CNAME   teltest.thinkcrime.de.
> > teltest.thinkcrime.de.  28800   IN      A       213.133.110.149
> >
> > ;; AUTHORITY SECTION:
> > teltest2.thinkcrime.de. 28800   IN      NS       
> > ns1.domaindiscount24.net.
> > teltest2.thinkcrime.de. 28800   IN      NS       
> > ns2.domaindiscount24.net.
> > teltest2.thinkcrime.de. 28800   IN      NS       
> > ns3.domaindiscount24.net.
> >
> >
> > 24-Aug-2006 20:56:59.641 fctx 0x8235a20(teltest2.thinkcrime.de/A'):
> > answer_response
> > 24-Aug-2006 20:56:59.641 fctx 0x8235a20(teltest2.thinkcrime.de/A'):
> > noanswer_response
> > 24-Aug-2006 20:56:59.641 fctx 0x8235a20(teltest2.thinkcrime.de/A'):
> > cancelquery
> > 24-Aug-2006 20:56:59.641 dispatch 0x8212f00 response 0x8237788
> > 81.3.43.97#53: detaching from task 0x8213b98
> > 24-Aug-2006 20:56:59.641 dispatch 0x8212f00: detach: refcount 4
> > 24-Aug-2006 20:56:59.641 fctx 0x8235a20(teltest2.thinkcrime.de/A'):  
> > add_bad
> > 24-Aug-2006 20:56:59.641 FORMERR resolving
> > 'teltest2.thinkcrime.de/A/IN': 81.3.43.97#53
> > 24-Aug-2006 20:56:59.642 fctx 0x8235a20(teltest2.thinkcrime.de/A'):  
> > try
> > 24-Aug-2006 20:56:59.642 fctx 0x8235a20(teltest2.thinkcrime.de/A'):
> > cancelqueries
> > [...]
> >
> > (AUTHORITY SECTION seems to be a little bit strange for me)
> >
> > Any idea what's going wrong?
> >
> > Thanks,
> >
> > Gunnar
> >
> >
> >
> 
> 
--
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at isc.org.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list