BIND 8.2.2 can return referral for recursive query

Barry Margolin barmar at genuity.net
Tue May 23 14:23:39 UTC 2000


In article <8RE*fzNso at news.davenant.greenend.org.uk>,
Ian Jackson <ian at davenant.greenend.org.uk> wrote:
>In article <Z_fW4.30$sR4.2069 at burlma1-snr2>,
>Barry Margolin  <barmar at genuity.net> wrote:
>>In article <Uir*XrKso at news.chiark.greenend.org.uk>,
>>Ian Jackson  <ijackson at chiark.greenend.org.uk> wrote:
>>>I've discovered that BIND 8 (and perhaps other versions of BIND) can
>>>sometimes return a referral (ie, a reply with no answers, no error,
>>>and some NS records and no SOA record in the authority section) even
>>>if recursion is desired and available.
>>
>>It's simply forwarding the answer it got from the authoritative server when
>>it recursed.  Notice:
>
>Well, quite, but (i) the AA bit isn't set, meaning BIND must have
>cached this gibberish or transferred it from some other part of some

No.  The PSI.CA server is not setting the AA flag.  I believe that
delegation NS records from the parent zone are never authoritative, to
distinguish them from NS records in the child zone itself, which are
presumed to be more accurate.

>other response, and in any case (ii) surely BIND should protect its
>client resolvers from such nonsense ?

I believe that the purpose of a recursive server is to save the resolver
the trouble of having to perform iterative queries.  But its job isn't to
protect the resolver from bad data on the delegated servers themselves.

>If it's reasonable for a recursive nameserver to forward nonsense
>answers to its client stub resolvers then obviously I have to deal
>with it without producing alarming diagnostics (after all, the DNS is
>full of sh*t and having applications doing general-purpose lookups
>produce warnings on stderr about remote configuration errors is
>generally unhelpful).

Note that this isn't really a "nonsense answer".  The Answer section of the
response is empty, which is a normal condition (it means the name exists,
but it doesn't have the type of record you're looking for -- in this case
the wildcard would manufacture an NS record if you asked for one).  The
resolver generally doesn't need to look in the Authority section, so you
should just treat this like any other response with RCODE=0, Answers=0.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
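
Added example, not part of the original message: a minimal Python classifier for the reply shapes discussed above, showing that a stub can treat RCODE=0 with an empty Answer section as "no data" whether the Authority section holds NS records (referral-shaped) or an SOA. The function names, the example.test names and the sample packets are constructed for illustration.

```python
import struct
TYPE_A, TYPE_NS, TYPE_SOA = 1, 2, 6

def name(s):
    """Encode a domain name as uncompressed wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def response(flags, answers=(), authority=()):   # reply to 'www.example.test IN A'
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = name("www.example.test") + struct.pack("!HH", TYPE_A, 1)
    return hdr + question + b"".join(answers) + b"".join(authority)

def skip_name(msg, off):                         # offset just past a name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:              # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """Return (result for the stub resolver, whether the reply is referral-shaped)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    auth_types = set()
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an:                              # record is in the Authority section
            auth_types.add(rtype)
    if flags & 0x000F:                           # non-zero RCODE
        return "error", False
    if an:
        return "answer", False
    # RCODE=0 with an empty Answer section is "no data", whatever Authority holds
    return "nodata", TYPE_NS in auth_types and TYPE_SOA not in auth_types

# Constructed samples; 0x8180 = QR+RD+RA with AA clear, as in the case discussed
NS_RR = rr("example.test", TYPE_NS, name("ns1.example.test"))
SOA_RR = rr("example.test", TYPE_SOA, name("ns1.example.test")
            + name("hostmaster.example.test") + struct.pack("!5I", 1, 3600, 600, 86400, 3600))
REFERRAL = response(0x8180, authority=[NS_RR])
NODATA = response(0x8180, authority=[SOA_RR])
ANSWER = response(0x8180, answers=[rr("www.example.test", TYPE_A, bytes([192, 0, 2, 1]))])
```

The second element of the result is only a diagnostic; the first is what the caller acts on.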


