bind 9.3.2 FORMERR CNAME Problem

Chris Buxton cbuxton at menandmice.com
Fri Aug 25 17:04:33 UTC 2006


We'll probably have to wait for confirmation from Mark Andrews, but  
this sounds to me like a bug in the credibility check - it maybe  
can't handle an untrustworthy record in the answer section of an  
authoritative answer. There's probably some factor related to having  
the result come from two different subzones of the same zone that is  
delegated to the authoritative name server.

I'm able to reproduce the results you report (works with BIND 9.2,  
doesn't work with BIND 9.3), so it's not some transitory error on the  
part of the authoritative name servers.

I don't have time to test, but if you want, you can check my  
hypothesis above as follows:

- Create two subzones on your authoritative name server - subzones of  
a zone delegated to your name server.
- Create a CNAME record in one of these zones pointing to a name in  
the other.
- Query your BIND 9.3 resolving name server for an A record of the  
same name as the alias - the authoritative name server should return  
an auth answer containing the alias from subzone 1, the address from  
subzone 2, and the authority records from subzone 2.

Chris Buxton
Men & Mice

On Aug 24, 2006, at 12:45 PM, Gunnar S. wrote:

> Hi,
>
> I have a CNAME Problem with bind 9.3.2 (and higher) which does not exist
> with bind 9.2.4.
>
> dig @127.0.0.1 teltest2.thinkcrime.de
>
> ; <<>> DiG 9.2.4 <<>> @127.0.0.1 teltest2.thinkcrime.de
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61894
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;teltest2.thinkcrime.de.                IN      A
>
> ;; Query time: 3223 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Aug 24 21:17:14 2006
> ;; MSG SIZE  rcvd: 40
>
> debug output:
> [...]
> 24-Aug-2006 20:56:59.590 fctx 0x8235a20(teltest2.thinkcrime.de/A'): try
> 24-Aug-2006 20:56:59.590 fctx 0x8235a20(teltest2.thinkcrime.de/A'): query
> 24-Aug-2006 20:56:59.591 resquery 0x82443e0 (fctx 0x8235a20(teltest2.thinkcrime.de/A)): send
> 24-Aug-2006 20:56:59.591 dispatch 0x8212f00 response 0x8237788 81.3.43.97#53: attached to task 0x8213b98
> 24-Aug-2006 20:56:59.591 resquery 0x82443e0 (fctx 0x8235a20(teltest2.thinkcrime.de/A)): sent
> 24-Aug-2006 20:56:59.591 resquery 0x82443e0 (fctx 0x8235a20(teltest2.thinkcrime.de/A)): senddone
> 24-Aug-2006 20:56:59.640 socket 0x8200f78: dispatch_recv:  event 0x8202900 -> task 0x82013c0
> 24-Aug-2006 20:56:59.640 socket 0x8200f78: internal_recv: task 0x82013c0 got event 0x8200fb8
> 24-Aug-2006 20:56:59.640 socket 0x8200f78 81.3.43.97#53: packet received correctly
> 24-Aug-2006 20:56:59.640 socket 0x8200f78: processing cmsg 0x8201058
> 24-Aug-2006 20:56:59.640 client 81.3.43.97#53: UDP request
> 24-Aug-2006 20:56:59.641 client 81.3.43.97#53: next
> 24-Aug-2006 20:56:59.641 client 81.3.43.97#53: endrequest
> 24-Aug-2006 20:56:59.641 client @0x8201158: udprecv
> 24-Aug-2006 20:56:59.641 socket 0x8200f78: socket_recv: event 0x8202900 -> task 0x82013c0
> 24-Aug-2006 20:56:59.641 dispatch 0x8200dc0: got packet: requests 0, buffers 2, recvs 0
> 24-Aug-2006 20:56:59.641 dispatch 0x8200dc0: got valid DNS message header, /QR 1, id 42269
> 24-Aug-2006 20:56:59.641 dispatch 0x8200dc0: search for response in bucket 3844: found
> 24-Aug-2006 20:56:59.641 dispatch 0x8200dc0 response 0x8237788 81.3.43.97#53: [a] Sent event 0x8237568 buffer 0x823bb58 len 4096 to task 0x8213b98
> 24-Aug-2006 20:56:59.641 resquery 0x82443e0 (fctx 0x8235a20(teltest2.thinkcrime.de/A)): response
> 24-Aug-2006 20:56:59.641 received packet:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  42269
> ;; flags: qr aa ; QUESTION: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;teltest2.thinkcrime.de.                IN      A
>
> ;; ANSWER SECTION:
> teltest2.thinkcrime.de. 28800   IN      CNAME   teltest.thinkcrime.de.
> teltest.thinkcrime.de.  28800   IN      A       213.133.110.149
>
> ;; AUTHORITY SECTION:
> teltest2.thinkcrime.de. 28800   IN      NS      ns1.domaindiscount24.net.
> teltest2.thinkcrime.de. 28800   IN      NS      ns2.domaindiscount24.net.
> teltest2.thinkcrime.de. 28800   IN      NS      ns3.domaindiscount24.net.
>
>
> 24-Aug-2006 20:56:59.641 fctx 0x8235a20(teltest2.thinkcrime.de/A'): answer_response
> 24-Aug-2006 20:56:59.641 fctx 0x8235a20(teltest2.thinkcrime.de/A'): noanswer_response
> 24-Aug-2006 20:56:59.641 fctx 0x8235a20(teltest2.thinkcrime.de/A'): cancelquery
> 24-Aug-2006 20:56:59.641 dispatch 0x8212f00 response 0x8237788 81.3.43.97#53: detaching from task 0x8213b98
> 24-Aug-2006 20:56:59.641 dispatch 0x8212f00: detach: refcount 4
> 24-Aug-2006 20:56:59.641 fctx 0x8235a20(teltest2.thinkcrime.de/A'): add_bad
> 24-Aug-2006 20:56:59.641 FORMERR resolving 'teltest2.thinkcrime.de/A/IN': 81.3.43.97#53
> 24-Aug-2006 20:56:59.642 fctx 0x8235a20(teltest2.thinkcrime.de/A'): try
> 24-Aug-2006 20:56:59.642 fctx 0x8235a20(teltest2.thinkcrime.de/A'): cancelqueries
> [...]
>
> (AUTHORITY SECTION seems to be a little bit strange for me)
>
> Any idea what's going wrong?
>
> Thanks,
>
> Gunnar
>
>
>
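
A section-aware reading of the response captured in the debug log above, as an added example that is not part of either poster's message: it lists the CNAME owner, the owner of the final A record, and the names that own the authority NS set, then reports which answer names sit inside the zone those NS records name. The function names (`parse_sections`, `in_zone`, `analyse`) are illustrative, and the packet text is copied from the log with the wrapped NS lines rejoined.

```python
# Added example (not from the thread): read a dig-style packet dump by section.
PACKET = """\
;; QUESTION SECTION:
;teltest2.thinkcrime.de.                IN      A

;; ANSWER SECTION:
teltest2.thinkcrime.de. 28800   IN      CNAME   teltest.thinkcrime.de.
teltest.thinkcrime.de.  28800   IN      A       213.133.110.149

;; AUTHORITY SECTION:
teltest2.thinkcrime.de. 28800   IN      NS      ns1.domaindiscount24.net.
teltest2.thinkcrime.de. 28800   IN      NS      ns2.domaindiscount24.net.
teltest2.thinkcrime.de. 28800   IN      NS      ns3.domaindiscount24.net.
"""  # copied from the debug log in the quoted message, wrapped lines rejoined


def parse_sections(text):
    """Return {section: [(owner, rrtype, rdata), ...]} with names lowercased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:].split()[0]
            sections[current] = []
        elif current and line and not line.startswith(";"):
            owner, _ttl, _cls, rrtype, rdata = line.split(None, 4)
            sections[current].append((owner.lower(), rrtype, rdata.lower()))
    return sections


def in_zone(name, apex):
    """True if name equals apex or is a subdomain of it, compared label by label."""
    n, a = name.rstrip(".").split("."), apex.rstrip(".").split(".")
    return len(n) >= len(a) and n[len(n) - len(a):] == a


def analyse(text):
    """Summarise alias owners, final answer owners and what the NS set covers."""
    s = parse_sections(text)
    answer = s.get("ANSWER", [])
    aliases = [o for o, t, _ in answer if t == "CNAME"]
    final = [o for o, t, _ in answer if t != "CNAME"]
    apexes = sorted({o for o, t, _ in s.get("AUTHORITY", []) if t == "NS"})
    covered = {a: [n for n in aliases + final if in_zone(n, a)] for a in apexes}
    return {"aliases": aliases, "final_owners": final,
            "ns_apexes": apexes, "covered": covered}
```

On the captured packet, `analyse(PACKET)["covered"]` shows that the NS set is owned by the alias name `teltest2.thinkcrime.de.` and does not cover the owner of the A record.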


