Intermittent NXDOMAIN, (possibly) Bind or PowerDNS problem?
Ian B
porjo38 at yahoo.com.au
Mon Feb 8 01:19:47 UTC 2010
The Bigpond nameserver server would now appear to be returning 'correct' data for the 'authority section'. Dig to my recursor gives:
$ dig dreamteam.afl.com.au
; <<>> DiG 9.3.4-P1 <<>> dreamteam.afl.com.au
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24819
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dreamteam.afl.com.au. IN A
;; ANSWER SECTION:
dreamteam.afl.com.au. 14 IN CNAME afl.virtualsports.com.au.
afl.virtualsports.com.au. 2997 IN A 174.120.186.226
afl.virtualsports.com.au. 2997 IN A 174.120.187.106
afl.virtualsports.com.au. 2997 IN A 174.120.186.242
afl.virtualsports.com.au. 2997 IN A 174.120.186.250
afl.virtualsports.com.au. 2997 IN A 174.120.187.114
afl.virtualsports.com.au. 2997 IN A 174.120.187.122
afl.virtualsports.com.au. 2997 IN A 174.120.187.138
afl.virtualsports.com.au. 2997 IN A 174.120.187.146
afl.virtualsports.com.au. 2997 IN A 174.120.186.218
afl.virtualsports.com.au. 2997 IN A 174.120.186.234
afl.virtualsports.com.au. 2997 IN A 174.120.187.10
afl.virtualsports.com.au. 2997 IN A 174.120.187.130
;; Query time: 1 msec
;; SERVER: 203.161.127.1#53(203.161.127.1)
;; WHEN: Mon Feb 8 09:15:24 2010
;; MSG SIZE rcvd: 262
Dig off the authoratative nameserver for afl.com.au:
$ dig dreamteam.afl.com.au @ns1bpc.bigpond.com
; <<>> DiG 9.6.1-P2 <<>> dreamteam.afl.com.au @ns2bpc.bigpond.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33750
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;dreamteam.afl.com.au. IN A
;; ANSWER SECTION:
dreamteam.afl.com.au. 30 IN CNAME afl.virtualsports.com.au.
;; AUTHORITY SECTION:
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
;; Query time: 53 msec
;; SERVER: 61.9.170.18#53(61.9.170.18)
;; WHEN: Mon Feb 8 08:57:31 2010
;; MSG SIZE rcvd: 281
Ian.
--- On Fri, 5/2/10, Mark Andrews <marka at isc.org> wrote:
> From: Mark Andrews <marka at isc.org>
> Subject: Re: Intermittent NXDOMAIN, (possibly) Bind or PowerDNS problem?
> To: "Ian B" <porjo38 at yahoo.com.au>
> Cc: bind-users at lists.isc.org
> Received: Friday, 5 February, 2010, 2:47 PM
>
> In message <260066.10841.qm at web63105.mail.re1.yahoo.com>,
> Ian B writes:
> > Hi All,
> >
> > I found a post on this list from July 2009 with the
> subject:
> > "Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS
> problem?"
> >
> > https://lists.isc.org/pipermail/bind-users/2009-July/077045.html
> >
> > I'm having exactly the same issue but with hostname
> dreamteam.afl.com.au
> >
> > A sample dig is as follows:
> >
> > $ dig dreamteam.afl.com.au
> >
> > ; <<>> DiG 9.3.4-P1 <<>>
> dreamteam.afl.com.au
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status:
> NXDOMAIN, id: 22236
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1,
> ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;dreamteam.afl.com.au.
> IN A
> >
> > ;; ANSWER SECTION:
> > dreamteam.afl.com.au.
> 30 IN
> CNAME afl.virtualsports.com.au.
> >
> > ;; AUTHORITY SECTION:
> > com.au.
> 60 IN
> SOA stl-bpc-gslb1500-1.bigp
> > ond.com. hostmaster.stl-bpc-gslb1500-1.bigpond.com. 4
> 10800 3600 604800 60
> >
> > ;; Query time: 53 msec
> > ;; SERVER: 203.161.127.1#53(203.161.127.1)
> > ;; WHEN: Fri Feb 5 11:29:24 2010
> > ;; MSG SIZE rcvd: 147
> >
> >
> > My understanding of the issue is that the
> authoritative nameserver for dreamt
> > eam.afl.com.au is returning the incorrect data in the
> 'AUTHORITY SECTION' cau
> > sing PowerDNS to act unpredictably. Other DNS
> recursors may not have an issue
> > with this, as they overlook the error. Is that a
> correct understanding?
>
> It looks like the two bigpond servers have been configured
> to serve
> a unofficial version of COM.AU. Normal query
> processing then causes
> the servers to find the unofficial version of COM.AU and
> return
> NXDOMAIN rather than a referral as they should. This
> is hard to
> avoid unless the normal query process rules are changed to
> not
> re-start the query after following a CNAME for a
> non-recursive query
> or only follow a CNAME if the target is in the same zone as
> the
> owner of the CNAME.
>
> The incorrect answer is then accepted and the cache is
> poisoned.
>
> One would think however that Telstra would have locked
> COM.AU out
> in the automatic provisioning systems for these servers as
> adding
> it can only be for nefarious purposes. Similarly any
> other
> infrastucture zones.
>
> Mark
>
> > Thanks,
> > Ian.
> >
> >
> >
> _______________________________________________________________________
> > ___________
> > Yahoo!7: Catch-up on your favourite Channel 7 TV shows
> easily, legally, and f
> > or free at PLUS7. www.tv.yahoo.com.au/plus7
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742
> INTERNET: marka at isc.org
>
__________________________________________________________________________________
Yahoo!7: Catch-up on your favourite Channel 7 TV shows easily, legally, and for free at PLUS7. www.tv.yahoo.com.au/plus7
More information about the bind-users
mailing list