SERVFAIL
Chris Buxton
cbuxton at menandmice.com
Wed Sep 10 22:38:07 UTC 2008
A name server may be authoritative for both a zone and its subzone.
Your traversal tool is wrong - the server is giving an authoritative
answer, not a downward referral. Your tool should consider an
authoritative answer as trumping the authority section, if there is
any conflict.

It is common for an authoritative answer to contain the NS records of
the zone containing the answer, along with any known addresses for
those servers.

Chris Buxton
Professional Services
Men & Mice

On Sep 10, 2008, at 10:04 AM, Paul Vixie wrote:
> i believe that the hard part of the traversal for www.flickr.com is:
>
> ; <<>> DiG 9.4.1-P1 <<>> @ns3.yahoo.com www.flickr.vip.mud.yahoo.com
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41226
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;www.flickr.vip.mud.yahoo.com. IN A
>
> ;; ANSWER SECTION:
> www.flickr.vip.mud.yahoo.com. 900 IN A 68.142.214.24
>
> ;; AUTHORITY SECTION:
> mud.yahoo.com. 172800 IN NS ns1.yahoo.com.
> mud.yahoo.com. 172800 IN NS ns2.yahoo.com.
> mud.yahoo.com. 172800 IN NS ns3.yahoo.com.
> mud.yahoo.com. 172800 IN NS ns4.yahoo.com.
> mud.yahoo.com. 172800 IN NS ns5.yahoo.com.
>
> ;; ADDITIONAL SECTION:
> ns1.yahoo.com. 172800 IN A 66.218.71.63
> ns2.yahoo.com. 172800 IN A 68.142.255.16
> ns3.yahoo.com. 172800 IN A 217.12.4.104
> ns4.yahoo.com. 172800 IN A 68.142.196.63
> ns5.yahoo.com. 1800 IN A 119.160.247.124
>
> ;; Query time: 153 msec
> ;; SERVER: 217.12.4.104#53(217.12.4.104)
> ;; WHEN: Wed Sep 10 16:58:43 2008
> ;; MSG SIZE rcvd: 232
>
> because this is a yahoo.com nameserver which is simultaneously answering
> and delegating. this is a sensible thing for it to do since it's
> authoritative for both yahoo.com and mud.yahoo.com, but it's also an
> insensible thing for it to do since the downward referral trumps the
> non-empty answer section. (it would also trump a non-empty answer
> section which would otherwise be seen as a NODATA response.) i'm not
> throwing stones, since this is ambiguous in the spec, and for all i know
> it's what BIND9 would do. but my own toy traversal tool spake thusly:
>
> response from 217.12.4.104 (ns3.yahoo.com) is NOERROR (1 1 5 5) (AA)
> down-referral
> downward referral trumps nonempty ANSWER
> cache modified by AUTHORITY
> cache unmodified by ADDITIONAL
> upstream transaction complete (tryagain)
> requires iteration (#3)
>
> and the complexity thus revealed may behoove yahoo to put the mud.yahoo.com
> zone on separate nameservers (or separate views) from the yahoo.com zone.
> --
> Paul Vixie
>
More information about the bind-users
mailing list
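
The two policies discussed in this message, applied to the quoted ns3.yahoo.com response, as an added example that is not code from either poster or from BIND. The `Response` type, `classify()` and its `referral_trumps` switch are hypothetical names, and the sample record set is constructed from the dig output above.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    qname: str
    qtype: str
    rcode: str
    aa: bool                                      # AA flag from the header
    answer: list = field(default_factory=list)    # (owner, type, rdata) tuples
    authority: list = field(default_factory=list)

def norm(name):
    return name.rstrip(".").lower()

def within(name, zone):
    """True if name equals zone or sits below it (label-aligned match)."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def classify(resp, queried_zone, referral_trumps=False):
    """queried_zone: the zone the resolver believed it was asking about."""
    if resp.rcode != "NOERROR":
        return "error"
    has_answer = any(norm(o) == norm(resp.qname) and t in (resp.qtype, "CNAME")
                     for o, t, _ in resp.answer)
    # NS owner names strictly below queried_zone that still enclose qname
    deeper = {norm(o) for o, t, _ in resp.authority
              if t == "NS" and norm(o) != norm(queried_zone)
              and within(o, queried_zone) and within(resp.qname, o)}
    if referral_trumps and deeper:
        return "referral"   # policy shown in the quoted tool output
    if resp.aa and has_answer:
        return "answer"     # policy from the reply: authoritative answer wins
    if deeper and not resp.aa and not has_answer:
        return "referral"   # ordinary delegation: no AA, no answer
    if resp.aa and any(t == "SOA" for _, t, _ in resp.authority):
        return "nodata"
    return "unusable"

# Constructed from the dig output quoted above
SAMPLE = Response(
    qname="www.flickr.vip.mud.yahoo.com.", qtype="A", rcode="NOERROR", aa=True,
    answer=[("www.flickr.vip.mud.yahoo.com.", "A", "68.142.214.24")],
    authority=[("mud.yahoo.com.", "NS", f"ns{i}.yahoo.com.") for i in range(1, 6)],
)

if __name__ == "__main__":
    print(classify(SAMPLE, "yahoo.com."))                        # answer
    print(classify(SAMPLE, "yahoo.com.", referral_trumps=True))  # referral
```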