SERVFAIL

Chris Buxton cbuxton at menandmice.com
Wed Sep 10 22:38:07 UTC 2008


A name server may be authoritative for both a zone and its subzone.  
Your traversal tool is wrong - the server is giving an authoritative  
answer, not a downward referral. Your tool should consider an  
authoritative answer as trumping the authority section, if there is  
any conflict.

It is common for an authoritative answer to contain the NS records of  
the zone containing the answer, along with any known addresses for  
those servers.

Chris Buxton
Professional Services
Men & Mice

On Sep 10, 2008, at 10:04 AM, Paul Vixie wrote:

> i believe that the hard part of the traversal for www.flickr.com is:
>
> 	; <<>> DiG 9.4.1-P1 <<>> @ns3.yahoo.com www.flickr.vip.mud.yahoo.com
> 	; (1 server found)
> 	;; global options:  printcmd
> 	;; Got answer:
> 	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41226
> 	;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
> 	;; WARNING: recursion requested but not available
> 	
> 	;; QUESTION SECTION:
> 	;www.flickr.vip.mud.yahoo.com.  IN      A
> 	
> 	;; ANSWER SECTION:
> 	www.flickr.vip.mud.yahoo.com. 900 IN    A       68.142.214.24
> 	
> 	;; AUTHORITY SECTION:
> 	mud.yahoo.com.          172800  IN      NS      ns1.yahoo.com.
> 	mud.yahoo.com.          172800  IN      NS      ns2.yahoo.com.
> 	mud.yahoo.com.          172800  IN      NS      ns3.yahoo.com.
> 	mud.yahoo.com.          172800  IN      NS      ns4.yahoo.com.
> 	mud.yahoo.com.          172800  IN      NS      ns5.yahoo.com.
> 	
> 	;; ADDITIONAL SECTION:
> 	ns1.yahoo.com.          172800  IN      A       66.218.71.63
> 	ns2.yahoo.com.          172800  IN      A       68.142.255.16
> 	ns3.yahoo.com.          172800  IN      A       217.12.4.104
> 	ns4.yahoo.com.          172800  IN      A       68.142.196.63
> 	ns5.yahoo.com.          1800    IN      A       119.160.247.124
> 	
> 	;; Query time: 153 msec
> 	;; SERVER: 217.12.4.104#53(217.12.4.104)
> 	;; WHEN: Wed Sep 10 16:58:43 2008
> 	;; MSG SIZE  rcvd: 232
>
> because this is a yahoo.com nameserver which is simultaneously answering
> and delegating.  this is a sensible thing for it to do since it's
> authoritative for both yahoo.com and mud.yahoo.com, but it's also an
> insensible thing for it to do since the downward referral trumps the
> non-empty answer section.  (it would also trump a non-empty answer
> section which would otherwise be seen as a NODATA response.)  i'm not
> throwing stones, since this is ambiguous in the spec, and for all i know
> it's what BIND9 would do.  but my own toy traversal tool spake thusly:
>
> 	response from 217.12.4.104 (ns3.yahoo.com) is NOERROR (1 1 5 5) (AA)
> 	down-referral
> 	downward referral trumps nonempty ANSWER
> 	cache modified by AUTHORITY
> 	cache unmodified by ADDITIONAL
> 	upstream transaction complete (tryagain)
> 	requires iteration (#3)
>
> and the complexity thus revealed may behoove yahoo to put the mud.yahoo.com
> zone on separate nameservers (or separate views) from the yahoo.com zone.
> -- 
> Paul Vixie
>


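The rule stated in the reply above (an authoritative answer trumps the authority section), applied to the quoted dig response. This is an added example, not part of the original thread and not code from BIND or from either poster's tool; `Response`, `classify`, `within` and the `queried_zone` parameter are hypothetical names, and the sample record set is re-typed from the quoted output.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """Constructed, minimal model of a parsed DNS response."""
    aa: bool                                       # AA header flag
    rcode: str
    answer: list = field(default_factory=list)     # (owner, type, rdata)
    authority: list = field(default_factory=list)  # (owner, type, rdata)

def norm(name):
    return name.rstrip(".").lower()

def within(name, zone):
    """True if name is at or below zone."""
    name, zone = norm(name), norm(zone)
    return zone == "" or name == zone or name.endswith("." + zone)

def classify(resp, qname, qtype, queried_zone):
    """Return 'error', 'answer', 'referral', 'nodata' or 'unusable'.

    queried_zone (hypothetical parameter) is the zone the resolver
    believed this server was serving when it sent the query.
    """
    if resp.rcode != "NOERROR":
        return "error"
    # Data for the question in ANSWER wins over anything in AUTHORITY.
    for owner, rtype, _ in resp.answer:
        if norm(owner) == norm(qname) and rtype in (qtype, "CNAME"):
            return "answer"
    # A downward referral has no answer, no AA, and NS records whose owner
    # is strictly below queried_zone and at or above qname.
    for owner, rtype, _ in resp.authority:
        if (rtype == "NS" and not resp.aa
                and within(owner, queried_zone)
                and norm(owner) != norm(queried_zone)
                and within(qname, owner)):
            return "referral"
    return "nodata" if resp.aa else "unusable"

# Re-typed from the dig output quoted in the message above.
QNAME = "www.flickr.vip.mud.yahoo.com."
SAMPLE = Response(
    aa=True, rcode="NOERROR",
    answer=[(QNAME, "A", "68.142.214.24")],
    authority=[("mud.yahoo.com.", "NS", f"ns{i}.yahoo.com.") for i in range(1, 6)],
)

if __name__ == "__main__":
    print(classify(SAMPLE, QNAME, "A", "yahoo.com."))
```

The `within` checks also keep NS records for names outside the queried zone from being treated as a referral, so an unrelated authority section cannot redirect the traversal.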

More information about the bind-users mailing list