lame-servers: error (FORMERR) resolving [something]

Daniele d.imbrogino at gmail.com
Thu Jan 17 14:04:43 UTC 2013


I'm going crazy.

This is my named.conf

logging {

        channel default_logfile {
                file "/var/cache/bind/logs/default.log";
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        category default {
                default_logfile;
        };

        category lame-servers {null;};
};

options {
        directory "/var/cache/bind";

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

and the default zones (not shown here).

This is the output of `dig +trace +nodnssec www.isc.org`:
; <<>> DiG 9.8.1-P1 <<>> +trace +nodnssec www.isc.org
;; global options: +cmd
.            3600000    IN    NS    M.ROOT-SERVERS.NET.
.            3600000    IN    NS    K.ROOT-SERVERS.NET.
.            3600000    IN    NS    G.ROOT-SERVERS.NET.
.            3600000    IN    NS    L.ROOT-SERVERS.NET.
.            3600000    IN    NS    B.ROOT-SERVERS.NET.
.            3600000    IN    NS    E.ROOT-SERVERS.NET.
.            3600000    IN    NS    A.ROOT-SERVERS.NET.
.            3600000    IN    NS    F.ROOT-SERVERS.NET.
.            3600000    IN    NS    J.ROOT-SERVERS.NET.
.            3600000    IN    NS    H.ROOT-SERVERS.NET.
.            3600000    IN    NS    C.ROOT-SERVERS.NET.
.            3600000    IN    NS    I.ROOT-SERVERS.NET.
.            3600000    IN    NS    D.ROOT-SERVERS.NET.
dig: couldn't get address for 'M.ROOT-SERVERS.NET': not found


During `dig` operations, using Wireshark I can see outgoing packets to port
53 and incoming ones from port 53.

The default policy of my firewall, configured via `iptables`, is to accept
everything (I'm on VirtualBox); the only rule is to MASQUERADE outgoing
packets for NAT reasons (this box is the gateway of my private network).

What's wrong?

2013/1/15 Chris Thompson <cet1 at cam.ac.uk>

> On Jan 14 2013, Shane Kerr wrote:
>
> [...]
>
>> You may want to try:
>>
>> dig +trace www.isc.org
>>
>> [...]
>>
>> The next step may be to try:
>>
>> dig +trace +dnssec www.isc.org
>
> Beware that if you have a dig(1) from BIND 9.9.x, +dnssec has become the
> default with +trace. In that case replace the first attempt with
>
> dig +trace +nodnssec www.isc.org
>
> --
> Chris Thompson
> Email: cet1 at cam.ac.uk
>