Query on ignoring additional section returned in replies

Mark Andrews marka at isc.org
Wed Nov 18 11:34:54 UTC 2015 

In message <5b818b25da9e40ebbff0e3d6dfec12ed at PVSVREXC06.AD.TMRES.MY>, Elias Ahm
ed Kamal writes:
> Even with a broken delegation its like always resolvable with Google DNS or=
>  even Open DNS. Are there any BIND specific workarounds?

The other nameservers will also fail with the right query sequence.

Just because something resolves, it doesn't mean that there is not a
error.  It is just good luck that Google's server resolve.

It's so broken that http://dnscheck.ripe.net can't even start checking
the delegation.

   Delegation
   Begin testing delegation for wip.fis.com.my.
   Name servers listed at parent: wan1.fis.com.my,wan2.fis.com.my,wan3.fis.com.my,wan4.fis.com.my
   Failed to find name servers of wip.fis.com.my/IN.
   No name servers found at child.
   Not enough nameserver information was found to test the zone wip.fis.com.my, but an IP address lookup succeeded in spite of that.
   Done testing delegation for wip.fis.com.my.

This is a case of Garbage-In - Garbage Out (lookup failure).

RFC 1035 states that nameserver each side of the delegation need
to stay the same.  This rule is there in part to stop issues like
this.

Fis.com.my need to fix their nameservers.  The NS records need to be
made consistent.  There needs to be address records for the nameservers.

Mark

> -----Original Message-----
> From: Mark Andrews [mailto:marka at isc.org]
> Sent: Wednesday, November 18, 2015 6:26 PM
> To: Elias Ahmed Kamal
> Cc: bind-users at lists.isc.org
> Subject: Re: Query on ignoring additional section returned in replies
> 
> 
> In message <659dec986e9347369634488991f6ea5f at PVSVREXC06.AD.TMRES.MY>, Elias=
>  Ahm ed Kamal writes:
> > Hi guys,
> >
> > I'm having issues resolving www.fis.com.my. I'm trying to tell
> > fis.com.my tha t its an issue at their end, but when checking against
> > 8.8.8.8 it resolves fi ne....so it MUST be a problem with me.
> >
> > 1. Lookups fail, this is clear enough
> >
> > root at sputnik # dig @localhost www.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @localhost www.fis.com.my ; (1 server found)
> > ;; global options: +cmd ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51246 ;; flags:
> > qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.fis.com.my.                        IN      A
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Wed Nov 18 17:40:58 MYT 2015
> > ;; MSG SIZE  rcvd: 43
> >
> >
> > 2. All of fis.com.my's authoritative nameservers answer and are consisten=
> t
> >    It tells me that www.wip.fis.com.my is a CNAME for www.fis.com.my
> >    And that wan1-wan4.fis.com.my is the authoritative servers for
> > *.wip.fis.c om.my
> >
> > root at sputnik # dig @ns1.fis.com.my www.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @ns1.fis.com.my www.fis.com.my ; (1 server
> > found) ;; global options: +cmd ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33357 ;; flags: qr
> > aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5 ;; WARNING:
> > recursion requested but not available
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.fis.com.my.                        IN      A
> >
> > ;; ANSWER SECTION:
> > www.fis.com.my.         38400   IN      CNAME   www.wip.fis.com.my.
> >
> > ;; AUTHORITY SECTION:
> > wip.fis.com.my.         38400   IN      NS      wan1.fis.com.my.
> > wip.fis.com.my.         38400   IN      NS      wan4.fis.com.my.
> > wip.fis.com.my.         38400   IN      NS      wan3.fis.com.my.
> > wip.fis.com.my.         38400   IN      NS      wan2.fis.com.my.
> >
> > ;; ADDITIONAL SECTION:
> > wan1.fis.com.my.        38400   IN      A       202.188.242.130
> > wan2.fis.com.my.        38400   IN      A       210.19.86.114
> > wan3.fis.com.my.        38400   IN      A       175.143.6.162
> > wan4.fis.com.my.        38400   IN      A       219.92.28.106
> >
> > ;; Query time: 8 msec
> > ;; SERVER: 202.188.242.135#53(202.188.242.135)
> > ;; WHEN: Wed Nov 18 17:41:09 MYT 2015
> > ;; MSG SIZE  rcvd: 205
> >
> >
> > 3. I now do a 3rd lookup test against wan1.fis.com.my for
> > www.wip.fis.com.my and get the answers
> >    BUT, the nameserver is also returning an authority section saying wip.=
> fis.
> > com.my is now served by ns1.wip.fis.com.my
> >    [Previously I know wip.fis.com.my was served by
> > wan1-wan4.fis.com.my, but now somehow I'm caching ns1.wip.fis.com.my inst=
> ead]
> >    [Question: Is it the expected behaviour that this new NS will
> > override the  previous NS for wip.fis.com.my? And is there any way to
> > ignore authority/add itional answers that I get from replies?]
> 
> Yes.  The delegation is broken.  Having a NS pointing at a nonexistant name=
>  is a big no no.  It's just a matter of time for a delegation like this to =
> break.
> 
> > root at cbj-cdns21 # dig @wan1.fis.com.my www.wip.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my www.wip.fis.com.my ; (1
> > server found) ;; global options: +cmd ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43777 ;; flags: qr
> > aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING:
> > recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;www.wip.fis.com.my.            IN      A
> >
> > ;; ANSWER SECTION:
> > www.wip.fis.com.my.     5       IN      A       175.143.6.165
> > www.wip.fis.com.my.     5       IN      A       202.188.242.137
> > www.wip.fis.com.my.     5       IN      A       210.19.86.117
> >
> > ;; AUTHORITY SECTION:
> > wip.fis.com.my.         3600    IN      NS      ns1.wip.fis.com.my.
> >
> > ;; Query time: 7 msec
> > ;; SERVER: 202.188.242.130#53(202.188.242.130)
> > ;; WHEN: Wed Nov 18 17:44:59 MYT 2015
> > ;; MSG SIZE  rcvd: 102
> >
> >
> > 4. Lo and behold, ns1.wip.fis.com.my doesn't exist! And because of
> > this all m y queries for www.fis.com.my are failing. Am I correct?
> >
> > root at sputnik # dig @wan1.fis.com.my ns1.wip.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my ns1.wip.fis.com.my ; (1
> > server found) ;; global options: +cmd ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37457 ;; flags:
> > qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING:
> > recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;ns1.wip.fis.com.my.            IN      A
> >
> > ;; AUTHORITY SECTION:
> > wip.fis.com.my.         3600    IN      SOA     ns1.wip.fis.com.my. webma=
> ster
> > . 2015111825 16384 2048 1048576 2560
> >
> > ;; Query time: 6 msec
> > ;; SERVER: 202.188.242.130#53(202.188.242.130)
> > ;; WHEN: Wed Nov 18 17:47:45 MYT 2015
> > ;; MSG SIZE  rcvd: 81
> >
> > We only send and receive email on the basis of the terms set out at
> > http://ww w.tm.com.my/email_disclaimer.
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe  from this list
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> We only send and receive email on the basis of the terms set out at http://=
> www.tm.com.my/email_disclaimer.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list