bad answers from BIND9 ?

Kevin Darcy kcd at daimlerchrysler.com
Thu Dec 12 20:36:36 UTC 2002


Miroslaw Luc wrote:

> On Thu, 12 Dec 2002, Kevin Darcy wrote:
>
> > > is it ok? shouldn't BIND9 do an answer in ANSWER section, not in
> > > AUTHORITY ?
>
> > What ns.ripe.net returned to you was a *referral*, not an answer. See
> > section 4.3.1 of the same RFC, bearing in mind that ns.ripe.net does
> > not support recursion. This has nothing to do with the version of BIND
> You are right, but...
> I hope the examples below can clarify what we mean. Is bind8's answer
> a referral? It is not. Here are two questions (hm, answers) about ns
> records (with recursion disabled):
>
> bind9
> <------------------------------------------------------------------------->
> ; <<>> DiG 8.1 <<>> @ns.ripe.net a.pl. ns +norecurse
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>                                 ^             ^
> ;; QUERY SECTION:
> ;;      a.pl, type = NS, class = IN
> ;; AUTHORITY SECTION:
>    ^^^^^^^^^^^^^^^^^
> a.pl.                   1D IN NS        ns1.nss.pl.
> a.pl.                   1D IN NS        ns2.nss.pl.
> <------------------------------------------------------------------------->
>
> bind8
> <------------------------------------------------------------------------->
> ; <<>> DiG 8.1 <<>> @dns.nask.pl a.pl. ns +norecurse
> ; (2 servers found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
> ;; flags: qr; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>                                 ^             ^
> ;; QUERY SECTION:
> ;;      a.pl, type = NS, class = IN
> ;; ANSWER SECTION:
>    ^^^^^^^^^^^^^^
> a.pl.                   1D IN NS        ns2.nss.pl.
> a.pl.                   1D IN NS        ns1.nss.pl.
> <------------------------------------------------------------------------->

To a non-recursive query, a BIND nameserver will give either a) an answer, if
it is authoritative for the zone or happens to have the answer cached, b) a
referral, if it is not authoritative for the zone, c) some sort of error
message, if something has gone wrong.

The difference between the servers is that the BIND 8 nameserver happens to
have the answer cached. So it gives an answer. The BIND 9 nameserver
apparently doesn't. So it gives a referral. The respective versions of
BIND that these nameservers are running have no apparent bearing on the
contents of their responses.


- Kevin
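
Added example, not part of the original message: a Python classifier that sorts DiG 8.1 output into the answer / referral / error cases discussed in this thread. The function names, the use of the `aa` flag to tell an authoritative answer from a cached one, the "other" fallback, and the SERVFAIL sample are assumptions of the example; the first two samples are the headers quoted above with the quote markers removed.

```python
import re

# Header and record lines from the thread (quote markers removed).
REFERRAL = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
a.pl.                   1D IN NS        ns1.nss.pl.
a.pl.                   1D IN NS        ns2.nss.pl.
"""
CACHED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; ANSWER SECTION:
a.pl.                   1D IN NS        ns2.nss.pl.
a.pl.                   1D IN NS        ns1.nss.pl.
"""
# Constructed sample: an error response in the same layout.
ERROR = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

def authority_types(text):
    """Return the record types listed under ';; AUTHORITY SECTION:'."""
    types, inside = [], False
    for line in text.splitlines():
        if line.startswith(";;"):
            inside = "AUTHORITY SECTION" in line
        elif inside and line.strip():
            m = re.search(r"\sIN\s+(\w+)\s", line)
            if m:
                types.append(m.group(1))
    return types

def classify(text):
    """Classify one DiG response to a +norecurse query."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]+);", text)
    answer = re.search(r"ANSWER: (\d+)", text)
    if not (status and flags and answer):
        raise ValueError("no DiG header found")
    if status.group(1) != "NOERROR":
        return "error"
    if int(answer.group(1)) > 0:
        # 'aa' set: served from the server's own zone data; unset: from cache.
        return "authoritative answer" if "aa" in flags.group(1).split() else "cached answer"
    if "NS" in authority_types(text):
        return "referral"  # empty ANSWER, NS records in AUTHORITY
    return "other"  # outside the three cases the thread describes
```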



