FORMERR Messages in BIND 9.3.2
Barry Finkel
b19141 at achilles.ctd.anl.gov
Thu Jul 20 14:01:42 UTC 2006
I wrote on July 5, in part:
>>I recently upgraded BIND from 9.2.4 to 9.3.2. I am now seeing in the
>>syslog of two of my DNS servers messages like this:
>>
>> Jun 29 13:26:35 titania.ctd.anl.gov named[18180]:
>> [ID 866145 daemon.info] FORMERR resolving
>> 'nicholas.8dstar.com/AAAA/IN': 64.250.235.139#53
>>
>>I did not see anything in the 9.3.2 CHANGES file about this message.
>>Is this something new that 9.3.2 catches but that 9.2.4 did not?
>>Or is it something that was caught in 9.2.4 but not logged?
>>
>>I am seeing a large number of these (342,644 since Friday at 03:10),
>>and I am trying to see how to eliminate logging of the message and to
>>discover what is causing the message.
Mark Andrews replied to one of my postings (based on a similar, but
different DNS query/response):
> 64.20.33.3 is delegated nastyhos.com but is configured with
> a single root zone. FORMERR is internally generated saying
> we don't like the format of the negative answer we got.
> In this case it was "wrong owner name" but was handled as
> a default error condition.
>
>nastyhos.com. 172800 IN NS ns1.zt-444.com.
>nastyhos.com. 172800 IN NS ns2.zt-444.com.
>nastyhos.com. 172800 IN NS ns3.zt-444.com.
>
>;; ADDITIONAL SECTION:
>ns1.zt-444.com. 172800 IN A 64.20.33.130
>ns2.zt-444.com. 172800 IN A 64.20.33.3
>ns3.zt-444.com. 172800 IN A 64.20.33.114
>
>
>; <<>> DiG 9.3.2 <<>> any nastyhos.com @64.20.33.3
>; (1 server found)
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52650
>;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;nastyhos.com. IN ANY
>
>;; ANSWER SECTION:
>nastyhos.com. 7200 IN A 64.20.33.4
>
>;; AUTHORITY SECTION:
>. 259200 IN NS ns.
>
>;; Query time: 46 msec
>;; SERVER: 64.20.33.3#53(64.20.33.3)
>;; WHEN: Tue Jul 11 04:46:40 2006
>;; MSG SIZE rcvd: 61
>
>
>; <<>> DiG 9.3.2 <<>> nastyhos.com mx +norec @64.20.33.3
>; (1 server found)
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26463
>;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;nastyhos.com. IN MX
>
>;; AUTHORITY SECTION:
>. 2560 IN SOA ns. hostmaster. 1152476337 16384 2048 1048576 2560
>
>;; Query time: 32 msec
>;; SERVER: 64.20.33.3#53(64.20.33.3)
>;; WHEN: Tue Jul 11 04:41:46 2006
>;; MSG SIZE rcvd: 77

I have done more research, and I have changed the logging of these
FORMERR messages (they are in the lame-server category). I have two
further questions:

1) In the MX query above, the answer is OK - no answer section, so
   no MX record exists. How does one misconfigure a BIND server so
   that the authority section has

      . 2560 IN SOA ns. hostmaster. 1152476337 ...

   I thought that the zone file had to have the domain name in the SOA
   record.

2) Why does this bad authority record cause BIND to not cache the
   answer section, which seems to me to be a valid response to the
   query? Is this to avoid cache poisoning?
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
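
Added example, not part of the original message and not BIND source code: a simplified Python model of the "wrong owner name" check Mark Andrews describes, run on the authority section of the MX response quoted above. The acceptance rule (the SOA owner must be at or below the delegated zone and at or above the query name) and all function names are assumptions made for illustration.

```python
# Simplified model of a resolver's owner-name check on a no-answer response.
# Assumption: this rule is illustrative, not taken from BIND's resolver.

def labels(name):
    """Split a domain name into lowercase labels; the root '.' has none."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_subdomain(name, parent):
    """True if `name` is equal to or below `parent`."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and (not p or n[-len(p):] == p)

def parse_authority(text):
    """Parse dig-style authority lines into (owner, rrtype) pairs."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()      # drop mail quoting
        if not line or line.startswith(";"):  # skip dig comments
            continue
        fields = line.split()                 # owner ttl class type rdata...
        if len(fields) >= 5 and fields[2].upper() == "IN":
            records.append((fields[0], fields[3].upper()))
    return records

def classify_negative(qname, zone_cut, authority_text):
    """Return 'negative' if an acceptable SOA is present, else 'FORMERR'."""
    for owner, rrtype in parse_authority(authority_text):
        if rrtype != "SOA":
            continue
        # The SOA must belong to the zone we were referred to and cover qname.
        if is_subdomain(owner, zone_cut) and is_subdomain(qname, owner):
            return "negative"
    return "FORMERR"

# Authority line from the MX response quoted in the message.
PAGE_AUTHORITY = ">. 2560 IN SOA ns. hostmaster. 1152476337 16384 2048 1048576 2560"
# Constructed sample: what a correctly configured server could return.
WELL_FORMED = "nastyhos.com. 2560 IN SOA ns1.zt-444.com. hostmaster.nastyhos.com. 1 16384 2048 1048576 2560"

if __name__ == "__main__":
    print(classify_negative("nastyhos.com.", "nastyhos.com.", PAGE_AUTHORITY))
    print(classify_negative("nastyhos.com.", "nastyhos.com.", WELL_FORMED))
```

Under this model the root-owned SOA is rejected because "." lies above the delegation for nastyhos.com, so the response cannot be treated as a usable negative answer.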