workaround for broken nameserver

Mark Andrews Mark_Andrews at isc.org
Sun Aug 6 23:25:05 UTC 2006 

> I recently encountered a couple of nameservers which exhibit seriously 
> broken behavior with respect to IPv6.  As I understand it, a nameserver 
> which recieves an AAAA query for a domain which exists but which has no 
> AAAA record is supposed to return NOERROR and an empty result set.  These 
> particular servers return NXDOMAIN; from the research I did on Google, it 
> sounds like there are also some that return SERVFAIL.
> So the result of this problem is that I can't send email to this domain. 
> Sendmail tries an AAAA lookup; it fails, returning NXDOMAIN, and sendmail 
> - following every RFC that I can find - decides that an A query will be 
> fruitless and gives up.  After some research, I discovered that sendmail 
> has an option to ignore NXDOMAIN and SERVFAIL responses to AAAA queries 
> and try an A query anyway; this option was added to help work around 
> exactly this kind of broken nameserver.  So I tried enabling that option, 
> but it didn't fix the problem.
> 
> Why not?  Well, the resolver library on that machine is pointed at a 
> caching nameserver (bind 9.3.1) on the local machine.  Bind goes out, 
> tries the AAAA query, gets back NXDOMAIN, and returns NXDOMAIN to 
> sendmail.  Sendmail then tries an A query (because of the workaround 
> option), but bind says, ah ha, I don't need to recurse, I already know the 
> answer, because I got NXDOMAIN from my AAAA query.  This host doesn't 
> exist.  So it sends that answer back in response to the A query as well.
> 
> This behavior on the part of bind is eminently sensible, but I still can't 
> send mail to that domain, whereas if either my MTA or my nameserver were 
> slightly stupider (and I'm guessing that most people's are, or the people 
> responsible for the domain would have fixed it) I would be able to do so. 
> So I'm looking for a workaround.  Any ideas?  I see that there is a 
> "bogus" option in the "server {}" stanza, but doesn't help me in this case 
> because ALL of the nameservers for that domain exhibit this problem 
> (otherwise I could declare the broken ones bogus and rely on the 
> remainder).  It seems like it might be helpful to have a "bogus-ipv6" or 
> "dont-cache-ipv6-failure" option that flags a nameserver as having this 
> problem, unless there is some other clean solution that I have missed.
> 
> Thanks in advance for any suggestions,
> 
> ...Robert

	The usual offendors are load balancers.

	Look up the offending site with whois and phone the operator.

	Tell them that they are not running a RFC 1034/1034 compliant
	nameserver (load balancer).  You can also refer them to:

		http://www.kb.cert.org/vuls/id/714121

	Their nameserver (load balancer) vendor should have a patch.
	Or in the case where the load balancer falls through to a
	standard nameserver, for non A queries, add the A records
	to the backing nameserver.

	While they are waiting for a fix from their vendor that
	should install a regular nameserver with multiple address
	records.  It will make them compliant again.  Keep them
	operational and may even show them that they don't need
	the load balancer.

	As for bogus-ipv6 etc.  There are / were load balancers that
	did this for ever type other than A.  Working around broken
	nameservers doesn't fix the problem.  It just perpetuates it.

	Note: this issue is nowhere near as prevalent as it once
	was.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list