FORMERR Messages in BIND 9.3.2

Barry Finkel b19141 at achilles.ctd.anl.gov
Thu Jul 20 14:01:42 UTC 2006


I wrote on July 5, in part:

>>I recently upgraded BIND from 9.2.4 to 9.3.2.  I am now seeing in the
>>syslog of two of my DNS servers messages like this:
>>
>>     Jun 29 13:26:35 titania.ctd.anl.gov named[18180]:
>>       [ID 866145 daemon.info] FORMERR resolving
>>       'nicholas.8dstar.com/AAAA/IN': 64.250.235.139#53
>>
>>I did not see anything in the 9.3.2 CHANGES file about this message.
>>Is this something new that 9.3.2 catches but that 9.2.4 did not?
>>Or is it something that was caught in 9.2.4 but not logged?
>>
>>I am seeing a large number of these (342,644 since Friday at 03:10),
>>and I am trying to see how to eliminate logging of the message and to
>>discover what is causing the message.

Mark Andrews replied to one of my postings (based on a similar, but
different DNS query/response):

>	64.20.33.3 is delegated nastyhos.com but is configured with
>	a single root zone.  FORMERR is internally generated saying
>	we don't like the format of the negative answer we got.
>	In this case it was "wrong owner name" but was handled as
>	a default error condition.
>
>nastyhos.com.           172800  IN      NS      ns1.zt-444.com.
>nastyhos.com.           172800  IN      NS      ns2.zt-444.com.
>nastyhos.com.           172800  IN      NS      ns3.zt-444.com.
>
>;; ADDITIONAL SECTION:
>ns1.zt-444.com.         172800  IN      A       64.20.33.130
>ns2.zt-444.com.         172800  IN      A       64.20.33.3
>ns3.zt-444.com.         172800  IN      A       64.20.33.114
>
>
>; <<>> DiG 9.3.2 <<>> any nastyhos.com @64.20.33.3
>; (1 server found)
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52650
>;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;nastyhos.com.			IN	ANY
>
>;; ANSWER SECTION:
>nastyhos.com.		7200	IN	A	64.20.33.4
>
>;; AUTHORITY SECTION:
>.			259200	IN	NS	ns.
>
>;; Query time: 46 msec
>;; SERVER: 64.20.33.3#53(64.20.33.3)
>;; WHEN: Tue Jul 11 04:46:40 2006
>;; MSG SIZE  rcvd: 61
>
>
>; <<>> DiG 9.3.2 <<>> nastyhos.com mx +norec @64.20.33.3
>; (1 server found)
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26463
>;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;nastyhos.com.			IN	MX
>
>;; AUTHORITY SECTION:
>.			2560	IN	SOA	ns. hostmaster. 1152476337 16384 2048 1048576 2560
>
>;; Query time: 32 msec
>;; SERVER: 64.20.33.3#53(64.20.33.3)
>;; WHEN: Tue Jul 11 04:41:46 2006
>;; MSG SIZE  rcvd: 77

I have done more research, and I have changed the logging of these
FORMERR messages (they are in the lame-server category).  I have two
further questions:

1) In the MX query above, the answer is OK - no answer section, so
   no MX record exists.  How does one misconfigure a BIND server so
   that the authority section has

        .  2560  IN  SOA  ns. hostmaster. 1152476337 ...

   I thought that the zone file had to have the domain name in the SOA
   record.

2) Why does this bad authority record cause BIND to not cache the
   answer section, which seems to me to be a valid response to the
   query?  Is this to avoid cache poisoning?
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
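
The "wrong owner name" condition from Mark Andrews's reply, as an added Python illustration (not part of the original post and not BIND's resolver code). It assumes a simplified rule: in a negative answer, the SOA owner in the authority section must be at or below the zone the server was delegated and at or above the query name. The function names and the second sample response are constructed for this example; the first sample is trimmed from the dig output quoted in the message.

```python
# Added illustration; a simplified assumption about the check, not BIND's code.
def labels(name):
    """Split a domain name into lowercase labels; the root '.' becomes []."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def is_subdomain(name, ancestor):
    """True if name is equal to, or below, ancestor."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def parse_dig(text):
    """Return (question name, [(owner, type), ...] from the AUTHORITY section)."""
    section, qname, authority = None, None, []
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1]
        elif section == "QUESTION" and line.startswith(";"):
            qname = line[1:].split()[0]
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            owner, _ttl, _cls, rtype = line.split()[:4]
            authority.append((owner, rtype))
    return qname, authority

def check_negative(text, delegated_zone):
    """Classify a negative (empty-answer) response from a server for delegated_zone."""
    qname, authority = parse_dig(text)
    soa = [owner for owner, rtype in authority if rtype == "SOA"]
    if not soa:
        return "no SOA in authority section"
    if not is_subdomain(soa[0], delegated_zone):
        return f"wrong owner name: SOA '{soa[0]}' is above zone '{delegated_zone}'"
    if not is_subdomain(qname, soa[0]):
        return f"wrong owner name: '{qname}' is not under SOA '{soa[0]}'"
    return "ok"

# Trimmed from the MX response quoted in the message (server 64.20.33.3).
PAGE_MX = """;; QUESTION SECTION:
;nastyhos.com.   IN  MX
;; AUTHORITY SECTION:
.   2560  IN  SOA  ns. hostmaster. 1152476337 16384 2048 1048576 2560
"""
# Constructed well-formed negative answer, for contrast.
GOOD_MX = """;; QUESTION SECTION:
;www.example.com.   IN  MX
;; AUTHORITY SECTION:
example.com.  3600  IN  SOA  ns.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
"""
if __name__ == "__main__":
    print(check_negative(PAGE_MX, "nastyhos.com."))
    print(check_negative(GOOD_MX, "example.com."))
```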


