possible interoperability issue with Win2K3 name-server

Danny Thomas d.thomas at its.uq.edu.au
Sun Sep 17 00:17:24 UTC 2006 

While this message describes an apparently bogus response from the
Microsoft Windows 2003 DNS server, there are two points relevant
to bind
  1) bind9's dig refuses to print the response (more a curiosity)
  2) while I've only seen such responses from cached records, without
     knowing the full scope of the problem there exists the potential for
     interoperability issues with bind

I'd be grateful if anyone else can shed light on this behaviour or
knows an effective way to raise the issue with Microsoft, e.g. to
identify
  1) that it is a problem
  2) whether the scope of the problem might extend beyond cached
     records, i.e. possible interoperability issues if bind
     ignores records with more than 16-odd copies of the SOA record
     in the authority section
  3) the likelihood of a patch




BACKGROUND
=========================================================================
I've written a script to survey name-servers running on our network,
which include many from a default install of ActiveDirectory.
Unfortunately these often have their own separate version of zones,
though I was pleasantly surprised to find nearly all forwarding
through our central name-servers (mainly by checking whether rfc1918
reverse zones come from the IANA blackholes).
NB one motivation from the survey was to identify MS name-servers
   so they can be shutdown. But it's not that simple as disabling the
   name-server as that can result in domain logins taking 10 minutes.
   We'll need to get our MS sysadmins to resolve the slow logins
   before we can start shutting them down en mass.

Part of the survey uses fpdns (http://www.rfc.se/fpdns/) to fingerprint
the name-server software, but fpdns fails for all name-servers
exhibiting the following problem NB fingerprinting fails for quite
a few non-Microsoft name-servers too. While a few Microsoft systems
seem to be successfully fingerprinted, only NT and Win2K versions
are reported. The apparent problem fingerprinting Win2K3's name-server
is something I'll take up on the fpdns list, but nmap OS fingerprinting
indicates the following problem happens on Win2K3 systems.


THE PROBLEM
=========================================================================
An SOA query is done for the zones in the master named.conf, and many
of the MS servers return a truncated response for most of the 1,400
odd zones. Curiously, doing an ANY query works fine. While bind-8.3
has no problem printing the response, the bind9 dig reports:
  ;; Truncated, retrying in TCP mode.
  ;; Got bad packet: too many hops
  1884 bytes
followed by a hex dump of the response. Using bind-9.4.0b1's dig
after increasing DNS_POINTER_MAXHOPS in lib/dns/include/dns/name.h
from 16 -> 64 prints out similarly to bind8's dig:

bin/dig/dig @130.102.198.22 awmc.uq.edu.au soa
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.4.0b1 <<>> @130.102.198.22 awmc.uq.edu.au soa
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 50, ADDITIONAL: 0

;; QUESTION SECTION:
;awmc.uq.edu.au.                        IN      SOA

;; ANSWER SECTION:
awmc.uq.edu.au.         2282    IN      SOA
  noddns.cc.uq.edu.au. hostmaster.uq.edu.au. 2006091502 10800 1800 3600000 3600

;; AUTHORITY SECTION:
cc.uq.edu.au.           2256    IN      SOA
  noddns.cc.uq.edu.au. hostmaster.uq.edu.au. 2006091501 10800 1800 3600000 3600
cc.uq.edu.au.           2256    IN      SOA 
  noddns.cc.uq.edu.au. hostmaster.uq.edu.au. 2006091501 10800 1800 3600000 3600
<48 more copies of this SOA record>

;; Query time: 4 msec
;; SERVER: 130.102.198.22#53(130.102.198.22)
;; WHEN: Sun Sep 17 08:30:20 2006
;; MSG SIZE  rcvd: 1892

I'm not suggesting DNS_POINTER_MAXHOPS should be increased as I expect
there were reasons/experience to suggest 16 was adequate.

NB the SOA query seems to behave properly when un-cached (reponse
has aa and full TTL), and (sometimes?) another SOA query works
properly with the result coming from the cache (no aa and reduced
TTL) before subsequent responses have this 50 SOA records in the
authority section)

Danny

-- 
   d.thomas at its.uq.edu.au    Danny Thomas,                                    
          +61-7-3365-8221    Software Infrastructure,
 http://www.its.uq.edu.au    ITS, The University of Queensland

More information about the bind-users mailing list