ignoring incorrect nameservers in authority section
Torinthiel
torinthiel at data.pl
Thu Dec 30 12:13:06 UTC 2010
On 2010-12-30 11:45 Torinthiel wrote:
>On 2010-12-30 18:03 pyh at mail.nsbeta.info wrote:
>
>>Sunil Shetye writes:
>>
>>>
>>> Case 2: Lame Server Reply
>>>
>>> ===================================================================
>>> $ dig +norecurse @a.iana-servers.net. example.org.
>>> ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;example.org. IN A
>>>
>>> ;; ANSWER SECTION:
>>> example.org. 172800 IN A 192.0.32.10
>>>
>>> ;; AUTHORITY SECTION:
>>> example.org. 172800 IN NS ns1.example.org.
>>> example.org. 172800 IN NS ns2.example.org.
>>> ===================================================================
>>>
>>> This is a lame server reply. bind ignores this reply. bind will give a
>>> server fail reply to the client.
>>>
>>
>>
>>Would you please tell me why this is a lame server reply? Why will bind
>>give a server fail reply to the client? Thanks again a lot.
>
>Because it's contrary to itself.
>You've specified norecurse, which means that if nameserver believes it has
>authoritative data it should return it, if it doesn't it should return a
>referral (and no answer beside it).
>
>But the server returns answer (which means it believes it has authoritative
>data), but in authority section is not listed in nameservers, which states
>it does not have authoritative data.
>
>To sum up:
>Question: Does the server have authoritative data?
>Answer 1: Server returns data when asked without recursion -> YES
>Answer 2: Server is not listed in authority section -> NO
>Real answer: Lame server.
And I was wrong about that one.
There are two issues with that one. First, I get a different response from
that command. Different flags (no ra but aa instead), different authority
section.
It's much simpler to tell if it's a 'lame nameserver response' although it
can't be judged by a single query.
Let's say that nameservers for .org domain (there are a lot of them), when
asked for example.org give a.iana-servers.net and b.iana-servers.net (which
is true, and by itself nothing special).
Then let's assume (which is not true, but a good example) that
a.iana-servers.net when asked for www.example.org gives something (doesn't
matter if a true answer, or missing record, or anything), but with 'aa' flag
not set. This, by itself, is still nothing special, no server is required to
know everything.
But from those two answers you have a contradiction, and this contradiction
is a real lame nameserver issue. .org servers delegate answers to
a.iana-servers.net, and a.iana-servers.net fails to deliver authoritative
response. So the delegation is in fact incorrect.
Fortunately, a.iana-servers.net does not behave the way I've described here
and does set 'aa' flag in its response.
Hope this clears up the issue a bit, and reduces misinformation caused by my
previous answer.
Regards,
Torinthiel
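
The two-answer check described in this message, as an added example that is not part of the original post: it takes the nameserver list handed out by the parent zone plus each listed server's raw reply to a non-recursive query, and flags any server whose reply lacks the 'aa' bit. The function names and the reply bytes are assumptions constructed for illustration; they mirror the hypothetical above, not the real servers' behaviour.

```python
import struct

QR, AA, RA = 0x8000, 0x0400, 0x0080  # DNS header flag bits (RFC 1035, 4.1.1)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": an, "authority": ns}

def check_delegation(delegated_ns, replies):
    """Classify every server the parent zone delegates to.

    replies maps server name -> raw reply to a non-recursive query for a name
    inside the delegated zone (None or missing if nothing came back).
    """
    report = {}
    for server in delegated_ns:
        raw = replies.get(server)
        try:
            hdr = parse_header(raw) if raw is not None else None
        except ValueError:
            hdr = None
        if hdr is None or not hdr["qr"]:
            report[server] = "no usable response"
        elif hdr["aa"]:
            report[server] = "authoritative"
        else:
            # Delegated by the parent, yet not authoritative: the contradiction.
            report[server] = "lame"
    return report

def make_reply(flags, qname="www.example.org"):
    """Build a constructed reply: header plus question section, no records."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\0"
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + q + struct.pack("!2H", 1, 1)

# Constructed data mirroring the post's hypothetical.
PARENT_NS = ["a.iana-servers.net", "b.iana-servers.net"]  # what .org hands out
REPLIES = {
    "a.iana-servers.net": make_reply(QR | RA),  # replies, but 'aa' not set
    "b.iana-servers.net": make_reply(QR | AA),  # 'aa' set
}

if __name__ == "__main__":
    for server, verdict in check_delegation(PARENT_NS, REPLIES).items():
        print(f"{server}: {verdict}")
```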