lame servers: due to redundant Authority answers?

Kevin Darcy kcd at daimlerchrysler.com
Thu Jun 14 18:11:06 UTC 2001 

My post was in response to the question "why am I seeing these NS records
twice?".

As for the larger question of "why is named complaining about basf-arg.com.ar"
being lame?", that's because it *is* lame. Both of the delegated nameservers
for the domain --  basfegw.basf-corp.com and basfegw.basf-ag.de -- are
answering non-authoritatively for it. The duplicated RRs have nothing to do
with it.


- Kevin

John Hilgart wrote:

> Kevin Darcy addressed at least part of the problem in another message:
> -------------
> Well, this is partly a BIND bug and partly just nslookup's suckiness. When
> receiving an authoritative response to a query, nslookup
> normally reports the contents of the Authority Section with "nameserver ="
> lines. However, it uses *exactly*the*same* output format when
> reporting NS records in the Answer Section of the response, and it gives no
> indication of what section the information comes from. So when
> a nameserver reports NS records in the Answer Section, as is common for ANY
> queries, and the same NS records in the Authority Section, you
> get two identically-appearing sets of lines. When the response is
> non-authoritative, at least nslookup prefaces the Authority Section
> output with "Authoritative answers can be found from:", so at least there's
> a chance of figuring out what it's doing.
>
> The BIND bug consists of the fact that it should not be reporting the same
> RR more than once in the response, as per RFC 2181, Section 5.5.
> ------------
> I looked up the RFC and agree with Kevin's interpretation.
>
> This was in response to a BIND v 9 server.  Have others seen such beahviour
> cause BIND v 8.2.x to label the broken server's zone as lame like we are
> seeing?
>
> John Hilgart wrote:
>
> > Hi,
> >
> > We have a complicated Intranet DNS with mixtures of BIND and Novell
> > Netware servers.  Now one of our BIND 8.2.3 servers cannot get an MX
> > record from one of the domains for which a Netware server is
> > authoritative.  It produces a serverfail message though the query works
> > fine when directed at the Netware server.
> >
> > I noticed that the Netware server answers twice for NS queries thusly:
> >
> > > set q=ns
> > > basf-arg.com.ar.
> > Server:  [139.31.0.2]
> > Address:  139.31.0.2
> >
> > basf-arg.com.ar nameserver = goethe1-ar.basf-arg.com.ar
> > basf-arg.com.ar nameserver = tortuguitas1-ar.basf-arg.com.ar
> > basf-arg.com.ar nameserver = tortuguitas1-ar.basf-arg.com.ar
> > basf-arg.com.ar nameserver = goethe1-ar.basf-arg.com.ar
> > goethe1-ar.basf-arg.com.ar      internet address = 139.31.0.2
> > tortuguitas1-ar.basf-arg.com.ar internet address = 139.33.0.2
> > tortuguitas1-ar.basf-arg.com.ar internet address = 139.33.0.2
> > goethe1-ar.basf-arg.com.ar      internet address = 139.31.0.2
> >
> > In more detail:
> >
> > dig @139.31.0.2 basf-arg.com.ar ns +norecurse
> >
> > ; <<>> DiG 8.2 <<>> @139.31.0.2 basf-arg.com.ar ns +norecurse
> > ; (1 server found)
> > ;; res options: init defnam dnsrch
> > ;; got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14568
> > ;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
> > ;; QUERY SECTION:
> > ;;      basf-arg.com.ar, type = NS, class = IN
> >
> > ;; ANSWER SECTION:
> > basf-arg.com.ar.        1D IN NS        goethe1-ar.basf-arg.com.ar.
> > basf-arg.com.ar.        1D IN NS        tortuguitas1-ar.basf-arg.com.ar.
> >
> > ;; AUTHORITY SECTION:
> > basf-arg.com.ar.        1D IN NS        tortuguitas1-ar.basf-arg.com.ar.
> >
> > basf-arg.com.ar.        1D IN NS        goethe1-ar.basf-arg.com.ar.
> >
> > ;; ADDITIONAL SECTION:
> > goethe1-ar.basf-arg.com.ar.  1D IN A  139.31.0.2
> > tortuguitas1-ar.basf-arg.com.ar.  1D IN A  139.33.0.2
> > tortuguitas1-ar.basf-arg.com.ar.  1D IN A  139.33.0.2
> > goethe1-ar.basf-arg.com.ar.  1D IN A  139.31.0.2
> >
> > ;; Total query time: 217 msec
> > ;; FROM: johnhilg to SERVER: 139.31.0.2
> > ;; WHEN: Mon Jun 11 21:55:10 2001
> > ;; MSG SIZE  sent: 33  rcvd: 180
> >
> > Is this server violating an RFC or other conventon by including both an
> > Answer section and an Authority section for this type of NS query?
> > Should BIND v 8 be so judgemental about it?  (Bind v 4.9 doesn't seem to
> > care).
> >
> > The BIND v 8.2.3 logs say things like:
> >
> > 11-Jun-2001 21:21:05.957 ns_forw: query(basf-arg.com.ar) All possible A
> > RR's lame
> > 11-Jun-2001 21:52:10.079 Lame server on 'basf-arg.com.ar' (in
> > 'basf-arg.com.ar'?
> > ): [139.33.0.2].53 'tortuguitas1-ar.basf-arg.com.ar'
> > 11-Jun-2001 21:52:10.294 Lame server on 'basf-arg.com.ar' (in
> > 'basf-arg.com.ar'?
> > ): [139.31.0.2].53 'goethe1-ar.basf-arg.com.ar'
> >
> > Any ideas appreciated.
> >
> > Thanks,
> > -john

More information about the bind-users mailing list