FORMERR Messages in BIND 9.3.2

Mark Andrews Mark_Andrews at isc.org
Thu Jul 20 14:25:07 UTC 2006


>  I wrote on July 5, in part:
> 
> >>I recently upgraded BIND from 9.2.4 to 9.3.2.  I am now seeing in the
> >>syslog of two of my DNS servers messages like this:
> >>
> >>     Jun 29 13:26:35 titania.ctd.anl.gov named[18180]:
> >>       [ID 866145 daemon.info] FORMERR resolving
> >>       'nicholas.8dstar.com/AAAA/IN': 64.250.235.139#53
> >>
> >>I did not see anything in the 9.3.2 CHANGES file about this message.
> >>Is this something new that 9.3.2 catches but that 9.2.4 did not?
> >>Or is it something that was caught in 9.2.4 but not logged?
> >>
> >>I am seeing a large number of these (342,644 since Friday at 03:10),
> >>and I am trying to see how to eliminate logging of the message and to
> >>discover what is causing the message.
> 
> Mark Andrews replied to one of my postings (based on a similar, but
> different DNS query/response):
> 
> >	64.20.33.3 is delegated nastyhos.com but is configured with
> >	a single root zone.  FORMERR is internally generated saying
> >	we don't like the format of the negative answer we got.
> >	In this case it was "wrong owner name" but was handled as
> >	a default error condition.
> >
> >nastyhos.com.           172800  IN      NS      ns1.zt-444.com.
> >nastyhos.com.           172800  IN      NS      ns2.zt-444.com.
> >nastyhos.com.           172800  IN      NS      ns3.zt-444.com.
> >
> >;; ADDITIONAL SECTION:
> >ns1.zt-444.com.         172800  IN      A       64.20.33.130
> >ns2.zt-444.com.         172800  IN      A       64.20.33.3
> >ns3.zt-444.com.         172800  IN      A       64.20.33.114
> >
> >
> >; <<>> DiG 9.3.2 <<>> any nastyhos.com @64.20.33.3
> >; (1 server found)
> >;; global options:  printcmd
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52650
> >;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> >
> >;; QUESTION SECTION:
> >;nastyhos.com.			IN	ANY
> >
> >;; ANSWER SECTION:
> >nastyhos.com.		7200	IN	A	64.20.33.4
> >
> >;; AUTHORITY SECTION:
> >.			259200	IN	NS	ns.
> >
> >;; Query time: 46 msec
> >;; SERVER: 64.20.33.3#53(64.20.33.3)
> >;; WHEN: Tue Jul 11 04:46:40 2006
> >;; MSG SIZE  rcvd: 61
> >
> >
> >; <<>> DiG 9.3.2 <<>> nastyhos.com mx +norec @64.20.33.3
> >; (1 server found)
> >;; global options:  printcmd
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26463
> >;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >
> >;; QUESTION SECTION:
> >;nastyhos.com.			IN	MX
> >
> >;; AUTHORITY SECTION:
> >.			2560	IN	SOA	ns. hostmaster. 1152476337 16384 2048 1048576 2560
> >
> >;; Query time: 32 msec
> >;; SERVER: 64.20.33.3#53(64.20.33.3)
> >;; WHEN: Tue Jul 11 04:41:46 2006
> >;; MSG SIZE  rcvd: 77
> 
> I have done more research, and I have changed the logging of these
> FORMERR messages (they are in the lame-server category).  I have two
> further questions:
> 
> 1) In the MX query above, the answer is OK - no answer section, so
>    no MX record exists.  How does one misconfigure a BIND server so
>    that the authority section has
> 
>         .  2560  IN  SOA  ns. hostmaster. 1152476337 ...
> 
>    I thought that the zone file had to have the domain name in the SOA
>    record.

	It does.  The domain name is ".".

	zone "." {
		file "i-will-stuff-all-my-records-here";
		type master;
	};

i-will-stuff-all-my-records-here:
.                       2560    IN      SOA     ns. hostmaster. 1153403511 16384 2048 1048576 2560
.                       259200  IN      NS      ns
nastyhos.com.           7200    IN      A       64.20.33.131
*.nastyhos.com.         7200    IN      A       64.20.33.131
8dstar.com.             7200    IN      A       64.20.33.131
*.8dstar.com.           7200    IN      A       64.20.33.131

	Repeat for each domain delegated to the servers.  Basically
	they are trying to be lazy.

> 2) Why does this bad authority record cause BIND to not cache the
>    answer section, which seems to me to be a valid response to the
>    query?  Is this to avoid cache poisoning?

	Because the answer is *not* just the answer section.  It is
	the answer + authority sections and the authority section
	is bogus.

	Mark

> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
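
The "wrong owner name" condition discussed in this message can be checked from saved dig output. The script below is an added example, not part of the original message and not BIND's code. Its rule (an SOA or NS owner in the authority section must be at or below the zone the server was delegated and at or above the query name) is a simplifying assumption, and all function names are hypothetical.

```python
# Added example (not from the thread): flag SOA/NS records in a dig
# AUTHORITY SECTION whose owner name does not fit the delegated zone.

def labels(name):
    """Split a DNS name into lowercase labels; the root '.' gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_subdomain(name, zone):
    """True if name is at or below zone (every name is below the root)."""
    n, z = labels(name), labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z

def parse_authority(dig_text):
    """Return (owner, rtype) pairs from the AUTHORITY SECTION of dig output."""
    records, in_auth = [], False
    for line in dig_text.splitlines():
        line = line.strip()
        if line.startswith(";;"):
            in_auth = line.startswith(";; AUTHORITY SECTION")
        elif in_auth and line and not line.startswith(";"):
            fields = line.split()          # owner ttl class type rdata...
            if len(fields) >= 4:
                records.append((fields[0], fields[3]))
    return records

def wrong_owner_records(qname, delegated_zone, dig_text):
    """Assumed rule: owner is at/below the delegated zone and at/above qname."""
    return [(owner, rtype) for owner, rtype in parse_authority(dig_text)
            if rtype in ("SOA", "NS")
            and not (is_subdomain(owner, delegated_zone)
                     and is_subdomain(qname, owner))]

# MX response quoted in the thread (server 64.20.33.3, delegated nastyhos.com).
THREAD_MX_RESPONSE = """\
;; QUESTION SECTION:
;nastyhos.com.   IN MX

;; AUTHORITY SECTION:
.   2560 IN SOA ns. hostmaster. 1152476337 16384 2048 1048576 2560

;; Query time: 32 msec
"""
# Constructed: the same negative answer as a correctly scoped zone would give.
CONSTRUCTED_GOOD_RESPONSE = THREAD_MX_RESPONSE.replace(
    ".   2560 IN SOA", "nastyhos.com.   2560 IN SOA")

if __name__ == "__main__":
    for tag, text in (("thread", THREAD_MX_RESPONSE),
                      ("constructed", CONSTRUCTED_GOOD_RESPONSE)):
        print(tag, wrong_owner_records("nastyhos.com.", "nastyhos.com.", text))
```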


