SERVFAIL

Paul Vixie vixie at isc.org
Wed Sep 10 17:04:51 UTC 2008 

i believe that the hard part of the traversal for www.flickr.com is:

	; <<>> DiG 9.4.1-P1 <<>> @ns3.yahoo.com www.flickr.vip.mud.yahoo.com
	; (1 server found)
	;; global options:  printcmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41226
	;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
	;; WARNING: recursion requested but not available
	
	;; QUESTION SECTION:
	;www.flickr.vip.mud.yahoo.com.  IN      A
	
	;; ANSWER SECTION:
	www.flickr.vip.mud.yahoo.com. 900 IN    A       68.142.214.24
	
	;; AUTHORITY SECTION:
	mud.yahoo.com.          172800  IN      NS      ns1.yahoo.com.
	mud.yahoo.com.          172800  IN      NS      ns2.yahoo.com.
	mud.yahoo.com.          172800  IN      NS      ns3.yahoo.com.
	mud.yahoo.com.          172800  IN      NS      ns4.yahoo.com.
	mud.yahoo.com.          172800  IN      NS      ns5.yahoo.com.
	
	;; ADDITIONAL SECTION:
	ns1.yahoo.com.          172800  IN      A       66.218.71.63
	ns2.yahoo.com.          172800  IN      A       68.142.255.16
	ns3.yahoo.com.          172800  IN      A       217.12.4.104
	ns4.yahoo.com.          172800  IN      A       68.142.196.63
	ns5.yahoo.com.          1800    IN      A       119.160.247.124
	
	;; Query time: 153 msec
	;; SERVER: 217.12.4.104#53(217.12.4.104)
	;; WHEN: Wed Sep 10 16:58:43 2008
	;; MSG SIZE  rcvd: 232

because this is a yahoo.com nameserver which is simultaneously answering
and delegating.  this is a sensible thing for it to do since it's
authoritative for both yahoo.com and mud.yahoo.com, but it's also an
insensible thing for it to do since the downward referral trumps the
non-empty answer section.  (it would also trump a non-empty answer
section which would otherwise be seen as a NODATA response.)  i'm not
throwing stones, since this is ambiguous in the spec, and for all i know
it's what BIND9 would do.  but my own toy traversal tool spake thusly:

	response from 217.12.4.104 (ns3.yahoo.com) is NOERROR (1 1 5 5) (AA)
	down-referral
	downward referral trumps nonempty ANSWER
	cache modified by AUTHORITY
	cache unmodified by ADDITIONAL
	upstream transaction complete (tryagain)
	requires iteration (#3)

and the complexity thus revealed may behoove yahoo to put the mud.yahoo.com
zone separate nameservers (or separate views) from the yahoo.com zone.
-- 
Paul Vixie

More information about the bind-users mailing list