ignoring incorrect nameservers in authority section

Sunil Shetye shetye at bombay.retortsoft.com
Wed Dec 22 08:31:48 UTC 2010


Hi,

Some authoritative nameservers add incorrect nameservers in the
authority section of their replies. Due to caching of the incorrect
reply, further queries for that domain go to those incorrect
nameservers. Is there a way to ignore / not cache such replies?

For example, if ns1.realserver.com gives this authoritative reply:

=======================================================
$ dig a1.example.com.
;; QUESTION SECTION:
;a1.example.com.      IN   A

;; ANSWER SECTION:
a1.example.com. 3600  IN   A  10.10.10.10

;; AUTHORITY SECTION:
example.com.    3600  IN  NS  ns1.fakeserver.com.
example.com.    3600  IN  NS  ns2.fakeserver.com.
=======================================================

Further queries for example.com go to ns[12].fakeserver.com.

=======================================================
$ dig a2.example.com.
;; QUESTION SECTION:
;a2.example.com.      IN   A

unexpected RCODE (REFUSED) resolving 'a2.example.com/A/IN': ns1.fakeserver.com#53
=======================================================

ns[12].fakeserver.com. are not authoritative for example.com here.

The symptoms are:

1. dig +trace a1.example.com. always works correctly.

2. dig a1.example.com. works correctly the first time.

3. dig a2.example.com. gives an error till the fake NS record expires.

This is obviously a misconfiguration on ns1.realserver.com. The
correct nameservers are listed in the domain registration of example.com
along with the correct glue records.

Is there any solution to this problem without contacting the DNS
administrator of that domain? I have seen this problem for many
domains on the internet.

-- 
Sunil Shetye.
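
The following is an added example, not part of the original post: a check that compares the NS set a server puts in its authority section against the parent-side delegation (the set `dig +trace` follows) and reports names that only the child advertises. The parent delegation shown, including ns2.realserver.com, and the function names are constructed for illustration.

```python
import re

# Constructed sample: the reply quoted in the post, plus a hypothetical
# parent-side delegation (the post does not list the registered NS names).
CHILD_REPLY = """\
;; QUESTION SECTION:
;a1.example.com.      IN   A

;; ANSWER SECTION:
a1.example.com. 3600  IN   A  10.10.10.10

;; AUTHORITY SECTION:
example.com.    3600  IN  NS  ns1.fakeserver.com.
example.com.    3600  IN  NS  ns2.fakeserver.com.
"""
PARENT_DELEGATION = """\
;; AUTHORITY SECTION:
example.com.    172800  IN  NS  ns1.realserver.com.
example.com.    172800  IN  NS  ns2.realserver.com.
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$", re.I)

def authority_ns(dig_text):
    """Return {zone: {nameserver: ttl}} from the AUTHORITY section of dig output."""
    zones, in_auth = {}, False
    for line in dig_text.splitlines():
        if line.startswith(";;"):          # section header: track where we are
            in_auth = "AUTHORITY SECTION" in line
            continue
        m = RR.match(line) if in_auth else None
        if m:                              # normalise case and the trailing dot
            owner, target = (m.group(i).lower().rstrip(".") + "." for i in (1, 3))
            zones.setdefault(owner, {})[target] = int(m.group(2))
    return zones

def ns_mismatch(child_text, parent_text):
    """List (zone, ns, ttl) for NS names the child advertises but the parent does not delegate to."""
    child, parent = authority_ns(child_text), authority_ns(parent_text)
    findings = []
    for zone, servers in child.items():
        delegated = set(parent.get(zone, {}))
        findings += [(zone, ns, ttl) for ns, ttl in sorted(servers.items())
                     if ns not in delegated]
    return findings

if __name__ == "__main__":
    for zone, ns, ttl in ns_mismatch(CHILD_REPLY, PARENT_DELEGATION):
        print(f"{zone}: {ns} not in parent delegation; cached for up to {ttl}s")
```

The TTL in each finding is how long a caching resolver could keep sending queries for the zone to the undelegated name.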


