Understanding cause of DNS format error (FORMERR)

Spain, Dr. Jeffry A. spainj at countryday.net
Fri Jun 22 11:25:09 UTC 2012


> I'm a BIND novice and I'm trying to understand what causes my BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried for the A record of vlasext.partners.extranet.microsoft.com:

FWIW I'm not able to reproduce this using a BIND 9.9.1-P1 recursive resolver. On this system "dig @localhost vlasext.partners.extranet.microsoft.com a" returns the answer 70.42.230.20 and identifies dns11.one.microsoft.com (94.245.124.49) as one of four authoritative servers. "dig @94.245.124.49 vlasext.partners.extranet.microsoft.com a" also returns the answer 70.42.230.20, but no authority or additional records (except EDNS UDP 4000), and with no AA flag set. On the contrary, querying one of my own authoritative servers, also running BIND 9.9.1-P1, for a record for which it is authoritative ("dig @ns2.countryday.net countryday.net a") does return the answer along with authority and additional records for the name servers and does have the AA flag set. Finally, querying one of my internal Microsoft DNS servers (Windows Server 2008 R2 SP1) for a record for which it is authoritative gives me a correct answer, no authority or additional records (except EDNS UDP 4000), but does have the AA flag set.

> Is it related to the "AA bit strictness"[1] ? 94.245.124.49 is dns11.one.microsoft.com and does indeed reply without setting the AA bit.
> As far as I know the 'strictness' was removed in P2, correct me if I'm wrong.

I don't know enough about the history of BIND functionality to answer this. I'm sure others will comment.

From what I observed I would conclude that dns11.one.microsoft.com is a Windows DNS server since it behaves like mine except for the AA flag not being set in theirs. The missing AA flag and lack of authority and additional records in their response seem like improper behavior to me, but I don't know whether or not the DNS protocol actually requires this. Apparently BIND 9.9.1-P1 is able to handle this situation.

Hope this is at least somewhat helpful. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
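
Added example, not part of the original post: the properties compared above (AA flag, authority and additional record counts, EDNS UDP size) can be read straight from the response bytes instead of from dig's rendering. The Python below parses two constructed responses; the name host.example.test, the address 192.0.2.20 and the helper names are assumptions made for illustration.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def summarize(msg):
    """Extract the header bits and section counts compared in the post."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    edns_udp, additional = None, 0
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                         # OPT pseudo-RR: CLASS holds the UDP size
            edns_udp = rclass
        elif i >= an + ns:
            additional += 1                     # additional records other than OPT
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "answer": an,
            "authority": ns, "additional": additional, "edns_udp": edns_udp}

def build(flags, with_ns):
    """Constructed sample response for host.example.test A (not captured traffic)."""
    question = b"\x04host\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 20])
    ns_rr = b""
    if with_ns:
        rdata = b"\x02ns\xc0\x11"               # ns.example.test, pointer to offset 17
        ns_rr = b"\xc0\x11" + struct.pack("!HHIH", 2, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 4000, 0, 0)    # EDNS, UDP size 4000
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 1 if with_ns else 0, 1)
    return header + question + answer + ns_rr + opt

NO_AA = build(0x8100, with_ns=False)    # QR+RD only: answer without the AA bit
WITH_AA = build(0x8500, with_ns=True)   # QR+AA+RD, with an NS record in authority

if __name__ == "__main__":
    for label, msg in (("no AA", NO_AA), ("AA", WITH_AA)):
        print(label, summarize(msg))
```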



