FORMERR Messages in BIND 9.3.2

Mark Andrews Mark_Andrews at isc.org
Mon Jul 10 18:56:50 UTC 2006 

> I wrote on July 5:
> 
> >I recently upgraded BIND from 9.2.4 to 9.3.2.  I am now seeing in the
> >syslog of two of my DNS servers messages like this:
> >
> >     Jun 29 13:26:35 titania.ctd.anl.gov named[18180]:
> >       [ID 866145 daemon.info] FORMERR resolving
> >       'nicholas.8dstar.com/AAAA/IN': 64.250.235.139#53
> >
> >I did not see anything in the 9.3.2 CHANGES file about this message.
> >Is this something new that 9.3.2 catches but that 9.2.4 did not?
> >Or is it something that was caught in 9.2.4 but not logged.
> >
> >I am seeing a large number of these (342,644 since Friday at 03:10),
> >and I am trying to see how to eliminate logging of the message and to
> >discover what is causing the message.
> >
> >I ran a snoop trace on one of my servers, and I traced one FORMERR.
> >I see in response to the query:
> >
> >     What are the NS records for liarignorance.info.?
> >
> >that the response packet contains
> >
> >     1 question
> >     0 answers
> >     4 authority (NS) records
> >     5 additional records (the addresses of the four nameservers plus
> >                           some garbage).
> >
>I assume that it is this garbage in the fifth additional record that
> >is causing the FORMERR message from BIND.  I checked the version of
> >the server that created this response packet - 
> >
> >     "UltraDNS Version 2.9.6.1 Build 5094"
> >
> >Is it correct to have the answer appear in the authority section instead
> >of the answer secion?  Would this cause a FORMERR?  I did a standard 
> >
> >     dig anl.gov ns
> >
> >using one of my BIND slaves, and I get four answer sections and no
> >authority sections:
> >
> >     flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
> 
> As there have been no replies, I decided to run some tests.  I can run
> the following query
> 
>      britaine%   dig nastyhos.com mx @dns2.anl.gov
> 
>      ; <<>> DiG 8.3 <<>> nastyhos.com mx @dns2.anl.gov 
>      ; (3 servers found)
>      ;; res options: init recurs defnam dnsrch
>      ;; got answer:
>      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6
>      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>      ;; QUERY SECTION:
>      ;;      nastyhos.com, type = MX, class = IN
> 
>      ;; Total query time: 106 msec
>      ;; FROM: britaine.ctd.anl.gov to SERVER: dns2.anl.gov  146.137.64.7
>      ;; WHEN: Mon Jul 10 09:57:35 2006
>      ;; MSG SIZE  sent: 30  rcvd: 30
> 
>      britaine%
> 
> and produce the message
> 
>      Jul 10 09:57:41 oberon.ctd.anl.gov named[24253]:
>        [ID 866145 daemon.info] FORMERR resolving 'nastyhos.com/MX/IN':
>        64.20.33.3#53
> 
> I run the same command on one of our external DNS servers:
> 
>      britaine% dig nastyhos.com mx @t1dns2.anl.gov
> 
>      ; <<>> DiG 8.3 <<>> nastyhos.com mx @t1dns2.anl.gov 
>      ; (1 server found)
>      ;; res options: init recurs defnam dnsrch
>      ;; got answer:
>      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6
>      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>      ;; QUERY SECTION:
>      ;;      nastyhos.com, type = MX, class = IN
> 
>      ;; Total query time: 138 msec
>      ;; FROM: britaine.ctd.anl.gov to SERVER: t1dns2.anl.gov  130.202.101.37
>      ;; WHEN: Mon Jul 10 09:59:21 2006
>      ;; MSG SIZE  sent: 30  rcvd: 30
> 
>      britaine%
> 
> and I do not see any FORMERR message.  Note that both queries return
> SERVFAIL.  All of my DNS servers are running BIND 9.3.2, SunOS
> Generic_118558-23 sun4u sparc SUNW,Sun-Fire-V240.  I built BIND 9.3.2
> on each of the five servers using the same parameters.  The executables
> have different lengths, but an "ldd" command run against all five
> executables shows the same output.
> 
> As a further test, I took the executable on dns2 and replaced it with
> the executable on t1dns2, thinking that there may be problems with the
> executable on the internal dns1 and dns2, but I still get a FORMERR
> message on dns2.
> 
> I have looked at the code, and I am not sure what causes a FORMERR.
> I have looked at some SNOOP traces, and in some cases I cannot see
> anything wrong with the packets.  I have to assume from the numerous
> messages that when a FORMERR is detected, nothing in the packet it
> cached, as subsequent queries again produce a FORMERR message instead of
> retrieving information from the cache.
> 
> Can anyone explain what I am seeing?  Thanks.

	64.20.33.3 is delegated nastyhos.com but is configured with
	a single root zone.  FORMERR is internally generated saying
	we don't like the format of the negative answer we got.
	In this case it was "wrong owner name" but was handled as
	a default error condition.

nastyhos.com.           172800  IN      NS      ns1.zt-444.com.
nastyhos.com.           172800  IN      NS      ns2.zt-444.com.
nastyhos.com.           172800  IN      NS      ns3.zt-444.com.

;; ADDITIONAL SECTION:
ns1.zt-444.com.         172800  IN      A       64.20.33.130
ns2.zt-444.com.         172800  IN      A       64.20.33.3
ns3.zt-444.com.         172800  IN      A       64.20.33.114


; <<>> DiG 9.3.2 <<>> any nastyhos.com @64.20.33.3
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52650
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nastyhos.com.			IN	ANY

;; ANSWER SECTION:
nastyhos.com.		7200	IN	A	64.20.33.4

;; AUTHORITY SECTION:
.			259200	IN	NS	ns.

;; Query time: 46 msec
;; SERVER: 64.20.33.3#53(64.20.33.3)
;; WHEN: Tue Jul 11 04:46:40 2006
;; MSG SIZE  rcvd: 61


; <<>> DiG 9.3.2 <<>> nastyhos.com mx +norec @64.20.33.3
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26463
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nastyhos.com.			IN	MX

;; AUTHORITY SECTION:
.			2560	IN	SOA	ns. hostmaster. 1152476337 16384 2048 1048576 2560

;; Query time: 32 msec
;; SERVER: 64.20.33.3#53(64.20.33.3)
;; WHEN: Tue Jul 11 04:41:46 2006
;; MSG SIZE  rcvd: 77

> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list