Responses erroneously marked "invalid response"?

Havard Eidnes he at uninett.no
Thu Oct 4 13:37:19 UTC 2012


Hi,

I've semi-recently updated a public resolver to run a bit newer
version of BIND, currently at 9.8.4-P3.

I've noticed that quite a number of query responses it receives
are logged with "DNS format error" ... "invalid response".  Some
semi-random examples picked from the log:

apis.markets.ft.com/AAAA 209.234.224.42
apis.markets.ft.com/AAAA 209.234.234.42
apis.markets.ft.com/AAAA 66.150.28.2
eu-sonar.sociomantic.com/AAAA 204.69.234.1
eu-sonar.sociomantic.com/AAAA 204.74.101.1
sn2.storage.msn.com/AAAA 207.46.0.139
sn2.storage.msn.com/AAAA 207.46.0.140
sn2.storage.msn.com/AAAA 65.55.195.203
sn2.storage.msn.com/AAAA 65.55.195.204
sb3-alt.map.media6degrees.com/AAAA 2001:500:90:1::27
sb3-alt.map.media6degrees.com/AAAA 2001:500:94:1::27
sb3-alt.map.media6degrees.com/AAAA 204.13.250.27
sb3-alt.map.media6degrees.com/AAAA 204.13.251.27
sb3-alt.map.media6degrees.com/AAAA 208.78.70.27
sb3-alt.map.media6degrees.com/AAAA 208.78.71.27
ws.mcafee.com/AAAA 161.69.13.53
ws.mcafee.com/AAAA 205.227.136.200
ws.mcafee.com/AAAA 67.97.80.200
www.euskadi.net/AAAA 195.77.108.238
www.euskadi.net/AAAA 212.55.29.238

These are the "queried-for name + type" and "IP address of name
server response came from".

Common for all of these is that the clients have queried for AAAA
records (I've also seen a query for SRV which ended up in this
category).  Inspecting the output from "dig" when querying these
name servers directly with e.g. +norec +dnssec, it doesn't look (to
the naked eye, interpreting "dig" output) like there is anything
wrong with the responses from these name servers.  Common among them
is that they have an empty answer section, and one SOA record in the
authority section.

The client after a while gets SERVFAIL for most of these, though for
www.euskadi.net I get no response before the client times out, and
BIND moans about FORMERR and "invalid response" in the log, many,
many times per original client query.

Now, I've on a test machine tried to instrument the
noanswer_response() function in lib/dns/resolver.c with some code to
log if it finds the SOA record in the authority section, but
apparently that's not happening for these particular answers (but it
hits for others).  So we end up in the "no SOA, no NS, no CNAME, no
answer => formerr" part of the code where log_formerr() is called
with "invalid response" as argument.

Unbound returns empty responses to the client with status=NOERROR
when queried for these names + types, which I think is the correct
behaviour.

So I'm sitting here scratching my head even more confused than
usual.  Anyone have any insights?

Regards,

- Håvard
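
The decision the post describes for a response with an empty answer section, as an added example that is not part of the original message and is not BIND's code: it parses a raw DNS message, lists the record types in the answer and authority sections, and applies a simplified version of the "no SOA, no NS, no CNAME, no answer => formerr" rule. The function names and the sample response for www.example.test are constructed for illustration, and the parser assumes a well-formed message.

```python
import struct

TYPE_NS, TYPE_SOA = 2, 6                # RR type codes

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while (msg[off] & 0xC0) != 0xC0:    # top two bits set marks a compression pointer
        if msg[off] == 0:               # root label terminates the name
            return off + 1
        off += 1 + msg[off]             # skip the length byte plus the label
    return off + 2                      # a pointer is two bytes and ends the name

def section_types(msg):
    """Return (rcode, answer_types, authority_types) of a raw DNS message."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE and QCLASS follow the name
    sections = []
    for count in (an, ns):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    return flags & 0x000F, sections[0], sections[1]

def classify(msg):
    """Simplified model of the decision in the post; looks at record types only."""
    rcode, answer, authority = section_types(msg)
    if answer:
        return "answer"                 # includes CNAME answers
    if TYPE_SOA in authority:
        return "nxdomain" if rcode == 3 else "nodata"
    if TYPE_NS in authority:
        return "referral"
    return "formerr"                    # no SOA, no NS, no CNAME, no answer

def sample(with_soa):
    """Constructed AAAA response for www.example.test, empty answer section."""
    msg = struct.pack("!6H", 0x1234, 0x8400, 1, 0, int(with_soa), 0)
    msg += b"\x03www\x07example\x04test\x00" + struct.pack("!HH", 28, 1)
    if with_soa:
        # 0xC010 is a compression pointer to "example.test" at offset 16
        rdata = b"\xc0\x10" * 2 + struct.pack("!5I", 1, 3600, 600, 86400, 300)
        msg += b"\xc0\x10" + struct.pack("!HHIH", TYPE_SOA, 1, 300, len(rdata)) + rdata
    return msg
```

If `classify` reports `nodata` for a captured response that the resolver still logs as "invalid response", the record types present do not by themselves explain the rejection.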


