Query on ignoring additional section returned in replies
Mark Andrews
marka at isc.org
Wed Nov 18 11:34:54 UTC 2015
In message <5b818b25da9e40ebbff0e3d6dfec12ed at PVSVREXC06.AD.TMRES.MY>, Elias Ahm
ed Kamal writes:
> Even with a broken delegation its like always resolvable with Google DNS or=
> even Open DNS. Are there any BIND specific workarounds?
The other nameservers will also fail with the right query sequence.
Just because something resolves, it doesn't mean that there is not a
error. It is just good luck that Google's server resolve.
It's so broken that http://dnscheck.ripe.net can't even start checking
the delegation.
Delegation
Begin testing delegation for wip.fis.com.my.
Name servers listed at parent: wan1.fis.com.my,wan2.fis.com.my,wan3.fis.com.my,wan4.fis.com.my
Failed to find name servers of wip.fis.com.my/IN.
No name servers found at child.
Not enough nameserver information was found to test the zone wip.fis.com.my, but an IP address lookup succeeded in spite of that.
Done testing delegation for wip.fis.com.my.
This is a case of Garbage-In - Garbage Out (lookup failure).
RFC 1035 states that nameserver each side of the delegation need
to stay the same. This rule is there in part to stop issues like
this.
Fis.com.my need to fix their nameservers. The NS records need to be
made consistent. There needs to be address records for the nameservers.
Mark
> -----Original Message-----
> From: Mark Andrews [mailto:marka at isc.org]
> Sent: Wednesday, November 18, 2015 6:26 PM
> To: Elias Ahmed Kamal
> Cc: bind-users at lists.isc.org
> Subject: Re: Query on ignoring additional section returned in replies
>
>
> In message <659dec986e9347369634488991f6ea5f at PVSVREXC06.AD.TMRES.MY>, Elias=
> Ahm ed Kamal writes:
> > Hi guys,
> >
> > I'm having issues resolving www.fis.com.my. I'm trying to tell
> > fis.com.my tha t its an issue at their end, but when checking against
> > 8.8.8.8 it resolves fi ne....so it MUST be a problem with me.
> >
> > 1. Lookups fail, this is clear enough
> >
> > root at sputnik # dig @localhost www.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @localhost www.fis.com.my ; (1 server found)
> > ;; global options: +cmd ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51246 ;; flags:
> > qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.fis.com.my. IN A
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Wed Nov 18 17:40:58 MYT 2015
> > ;; MSG SIZE rcvd: 43
> >
> >
> > 2. All of fis.com.my's authoritative nameservers answer and are consisten=
> t
> > It tells me that www.wip.fis.com.my is a CNAME for www.fis.com.my
> > And that wan1-wan4.fis.com.my is the authoritative servers for
> > *.wip.fis.c om.my
> >
> > root at sputnik # dig @ns1.fis.com.my www.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @ns1.fis.com.my www.fis.com.my ; (1 server
> > found) ;; global options: +cmd ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33357 ;; flags: qr
> > aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5 ;; WARNING:
> > recursion requested but not available
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.fis.com.my. IN A
> >
> > ;; ANSWER SECTION:
> > www.fis.com.my. 38400 IN CNAME www.wip.fis.com.my.
> >
> > ;; AUTHORITY SECTION:
> > wip.fis.com.my. 38400 IN NS wan1.fis.com.my.
> > wip.fis.com.my. 38400 IN NS wan4.fis.com.my.
> > wip.fis.com.my. 38400 IN NS wan3.fis.com.my.
> > wip.fis.com.my. 38400 IN NS wan2.fis.com.my.
> >
> > ;; ADDITIONAL SECTION:
> > wan1.fis.com.my. 38400 IN A 202.188.242.130
> > wan2.fis.com.my. 38400 IN A 210.19.86.114
> > wan3.fis.com.my. 38400 IN A 175.143.6.162
> > wan4.fis.com.my. 38400 IN A 219.92.28.106
> >
> > ;; Query time: 8 msec
> > ;; SERVER: 202.188.242.135#53(202.188.242.135)
> > ;; WHEN: Wed Nov 18 17:41:09 MYT 2015
> > ;; MSG SIZE rcvd: 205
> >
> >
> > 3. I now do a 3rd lookup test against wan1.fis.com.my for
> > www.wip.fis.com.my and get the answers
> > BUT, the nameserver is also returning an authority section saying wip.=
> fis.
> > com.my is now served by ns1.wip.fis.com.my
> > [Previously I know wip.fis.com.my was served by
> > wan1-wan4.fis.com.my, but now somehow I'm caching ns1.wip.fis.com.my inst=
> ead]
> > [Question: Is it the expected behaviour that this new NS will
> > override the previous NS for wip.fis.com.my? And is there any way to
> > ignore authority/add itional answers that I get from replies?]
>
> Yes. The delegation is broken. Having a NS pointing at a nonexistant name=
> is a big no no. It's just a matter of time for a delegation like this to =
> break.
>
> > root at cbj-cdns21 # dig @wan1.fis.com.my www.wip.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my www.wip.fis.com.my ; (1
> > server found) ;; global options: +cmd ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43777 ;; flags: qr
> > aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING:
> > recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;www.wip.fis.com.my. IN A
> >
> > ;; ANSWER SECTION:
> > www.wip.fis.com.my. 5 IN A 175.143.6.165
> > www.wip.fis.com.my. 5 IN A 202.188.242.137
> > www.wip.fis.com.my. 5 IN A 210.19.86.117
> >
> > ;; AUTHORITY SECTION:
> > wip.fis.com.my. 3600 IN NS ns1.wip.fis.com.my.
> >
> > ;; Query time: 7 msec
> > ;; SERVER: 202.188.242.130#53(202.188.242.130)
> > ;; WHEN: Wed Nov 18 17:44:59 MYT 2015
> > ;; MSG SIZE rcvd: 102
> >
> >
> > 4. Lo and behold, ns1.wip.fis.com.my doesn't exist! And because of
> > this all m y queries for www.fis.com.my are failing. Am I correct?
> >
> > root at sputnik # dig @wan1.fis.com.my ns1.wip.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my ns1.wip.fis.com.my ; (1
> > server found) ;; global options: +cmd ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37457 ;; flags:
> > qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING:
> > recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;ns1.wip.fis.com.my. IN A
> >
> > ;; AUTHORITY SECTION:
> > wip.fis.com.my. 3600 IN SOA ns1.wip.fis.com.my. webma=
> ster
> > . 2015111825 16384 2048 1048576 2560
> >
> > ;; Query time: 6 msec
> > ;; SERVER: 202.188.242.130#53(202.188.242.130)
> > ;; WHEN: Wed Nov 18 17:47:45 MYT 2015
> > ;; MSG SIZE rcvd: 81
> >
> > We only send and receive email on the basis of the terms set out at
> > http://ww w.tm.com.my/email_disclaimer.
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> We only send and receive email on the basis of the terms set out at http://=
> www.tm.com.my/email_disclaimer.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list