Servfail When Resolving certain domains
Mark_Andrews at isc.org
Tue Dec 11 21:05:58 UTC 2001
> > > That is why if I understand why a zone forward works and a standard config.
> > > does not then I can with confidence tell them why there is a problem.
> >
> > Because the standard config is expecting to be talking to servers
> > that are authoritative.
>
> If it does not will it just return a SERVFAIL message?

If *all* the servers for the zone are broken.

> > When you are using a forward zone the
> > server is *not* expecting to be talking to an authoritative server
> > but rather a caching server and caching servers don't set 'aa'
> > whereas authoritative servers do.
>
> This does seem to be the case, but I was not sure that the name server HAD
> to receive an authoritative answer all the time, in order to be able to
> resolve a name. I see non authoritative answers a lot, are you telling me
> that there are that many DNS servers out there not configured correctly?

Yes. People don't look at the logs or ignore the error messages.
Answers from a cache don't have 'aa' set. Answers from an
authoritative server should have 'aa' set. The lack of 'aa'
means that an error was detected when the zone was loaded.
As a client we only know that there was an error and as such
the answers we are getting back from this server may be incomplete
therefore we should not accept them.

> > The servers in question are
> > not setting 'aa' in the answers (indicating that they detected
> > an error on load) and named is rejecting their answers as bad.
>
> Is there a way for the name server to accept a non authoritative answer with
> a standard configuration that uses the db.cache file?

No. Why would you accept known *bad* answers?

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
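
The 'aa' check discussed in this message, as an added example that is not part of the original post and is not BIND's code: it decodes the DNS header flags and models the rule that an upstream expected to be authoritative must set 'aa', while a forwarder need not. The `upstream` labels, function names and header-only sample messages are constructed for illustration, and only NOERROR responses carrying answers are considered.

```python
import struct

# Bit masks in the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
QR = 0x8000          # message is a response
AA = 0x0400          # authoritative answer
RCODE_MASK = 0x000F  # response code, 0 = NOERROR


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rcode": flags & RCODE_MASK, "ancount": an}


def usable(msg: bytes, upstream: str) -> bool:
    """Simplified acceptance rule (assumption, not named's real logic).

    upstream is 'authoritative' for a server reached through the zone's
    delegation, or 'forwarder' for a caching server in a forward zone.
    """
    h = parse_header(msg)
    if not h["qr"] or h["rcode"] != 0 or h["ancount"] == 0:
        return False
    if upstream == "authoritative":
        return h["aa"]   # no 'aa' from a delegated server: reject the answer
    return True          # caches never set 'aa', so it is not required here


def resolve(responses: list, upstream: str) -> str:
    """SERVFAIL only if every server's answer was rejected."""
    return "NOERROR" if any(usable(r, upstream) for r in responses) else "SERVFAIL"


# Constructed header-only samples: id, flags, qdcount, ancount, nscount, arcount.
NO_AA = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)    # QR, RD, RA; 'aa' clear
WITH_AA = struct.pack("!6H", 0x1234, 0x8500, 1, 1, 0, 0)  # QR, AA, RD

if __name__ == "__main__":
    print(resolve([NO_AA, NO_AA], "authoritative"))    # every server lacks 'aa'
    print(resolve([NO_AA, WITH_AA], "authoritative"))  # one server is healthy
    print(resolve([NO_AA], "forwarder"))               # forward zone
```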