non-improving referral

Barry Margolin barmar at alum.mit.edu
Thu Oct 28 02:09:08 UTC 2010 

In article <mailman.567.1288203288.555.bind-users at lists.isc.org>,
 Leo Baltus <Leo.Baltus at omroep.nl> wrote:

> Hi,
> 
> We are in the process of migrating from bind-9.4-ESV-R2 to bind-9.7.2-P2.
> 
> We have our authoritative servers migrated to bind-9.7.2-P2 and it all
> seems to work fine.
> 
> While testing our caching resolvers with bind-9.7.2-P2 however, we
> noticed some errors in our logfiles we have never seen before.
> 
> Oct 26 09:52:03 myhost named[21085]: DNS format error from 1.5.3.4#53 
> resolving 1.2.4.2.x.y.z.example.com/TXT for client 1.5.3.203#15637: 
> non-improving referral
> Oct 26 09:52:03 myhost named[21085]: DNS format error from 1.5.2.2#53 
> resolving 1.2.4.2.x.y.z.example.com/TXT for client 1.5.3.203#15637: 
> non-improving referral
> 
> Obviously I have obscured some data here :) As you may guess this is a
> query for a TXT record from a blocklist-daemon.
> 
> The nameservers on 1.5.3.4 and 1.5.2.2 are bind-9.7.2-P2.
> 
> The queried domains are hosted by us and the hopefully relevant part of
> the zone looks like this:
> 
> x.y.z.example.com.   IN NS   bl1a.example.com.
> x.y.z.example.com.   IN NS   bl1b.example.com.
> 
> A dump of the cache shows NS and A records are in the cache for bl1[ab]
> however, on each non-cached query from the client both errorlines
> are printed in the log suggesting the resolver is not using the cached
> NS records.

It *is* using these NS records.  It's complaining that there's a problem 
with the responses these machines are sending.

> The client receives a valid answer, so my only real problem seems to be
> the amount of spam I get in our logfiles.
> 
> The blocklist is served by rbldnsd, manually query-ing gives my a
> valid response.
> 
> Could anybody tell me what problem bind is complaining about?
> 
> Please CC me as I am not on this list.

I think what it's complaining about is that the response to the query is 
a referral to the same or a higher level in the DNS hierarchy.  It 
should be either an ordinary response, a referral to nameservers for a 
subzone, or an NXDOMAIN.

Can you post the result of "dig 1.2.4.2.x.y.z.example.com 
@bl1a.example.com +norec"?

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

More information about the bind-users mailing list