A recursive resolver of mine running BIND 9.7.3 logs many messages like:
    resolver: DNS format error from 208.80.152.130#53 resolving \
        en.wikipedia.org/AAAA for client ::1#33887: invalid response
    lame-servers: error (FORMERR) resolving 'en.wikipedia.org/AAAA/IN': \
        208.80.152.130#53
I see this for a variety of domains, including wikipedia.org, yahoodns.net,
officedepot.com, & staples.com. I did some investigation, including sniffing
the DNS traffic. The problematic case seems to be names which have CNAMEs to
names in other zones for which the queried record type doesn't exist. For
example:
    en.wikipedia.org is a CNAME -> text.wikimedia.org
    text.wikimedia.org is a CNAME -> text.pmtpa.wikimedia.org
    text.pmtpa.wikimedia.org has an A record, but no AAAA, TXT...
A query for type=aaaa name=en.wikipedia.org returns:
    % dig -t aaaa en.wikipedia.org
    ; <<>> DiG 9.7.3 <<>> -t aaaa en.wikipedia.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45218
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;en.wikipedia.org. IN AAAA
    ;; Query time: 229 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Wed Mar 16 11:34:08 2011
    ;; MSG SIZE rcvd: 34
The response packet from the wikipedia/wikimedia DNS servers is:
    Internet Protocol, Src: 208.80.152.142 (208.80.152.142), \
        Dst: 128.255.204.16 (128.255.204.16)
    User Datagram Protocol, Src Port: 53 (53), Dst Port: 55497 (55497)
    Domain Name System (response)
        [Request In: 159]
        [Time: 0.061065000 seconds]
        Transaction ID: 0xd49c
        Flags: 0x8400 (Standard query response, No error)
        Questions: 1
        Answer RRs: 0
        Authority RRs: 1
        Additional RRs: 0
        Queries
            en.wikipedia.org: type AAAA, class IN
        Authoritative nameservers
            wikimedia.org: type SOA, class IN, mname ns0.wikimedia.org
so, basically:
    code NOERROR
    no answer
    authority citing wikimedia.org
NOERROR seems right, but it includes authority information for the zone of
the CNAME target without including the CNAME as an answer, amounting to a
mismatch between the original query & the cited authority.
Note that if I do an A query first, I get the CNAME via a correctly formed
response, after which the TXT & AAAA queries work, with the CNAME chain
filled in from local cache.
To me it looks like BIND is doing the right thing (as usual ;^), but the
wikipedia... servers are returning bogus responses. Is this interpretation
correct? If so, does anybody know what apparently screwy DNS server or
configuration causes this behavior? I saw something similar with an F5
installation here on campus briefly before I had the local folks fix it, but
I'd like some confirmation that's what's going on with wikipedia... before I
try to get them & others to fix it. Further, if it's a systemic F5...
problem, then a different approach is probably in order.
________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
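
Added example (not part of the original post, and not BIND's code): a small wire-format check for the response shape described above, i.e. NOERROR, no answer records, and an authority SOA whose owner name is not the query name or one of its ancestors. The function names, the sample builder, and the SOA rname and timer values are assumptions made for illustration; the ID, flags, question and SOA owner/mname follow the capture.

```python
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name -> (labels, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:                          # root label ends the name
            return labels, (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n

def soa_mismatch(msg):
    """True when a NOERROR response has no answers and cites an SOA whose
    owner is neither the query name nor one of its ancestors."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x000F or an or qd != 1:
        return False
    qname, off = read_name(msg, 12)
    off += 4                                  # skip QTYPE and QCLASS
    for _ in range(ns):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 6 and qname[max(0, len(qname) - len(owner)):] != owner:
            return True
    return False

def enc(name):
    """Encode a dotted name in uncompressed wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def sample(soa_owner):
    """Constructed response modelled on the capture in the post. The SOA
    rname and timer values are placeholders, not taken from the capture."""
    question = enc("en.wikipedia.org") + struct.pack("!HH", 28, 1)   # AAAA, IN
    rdata = (enc("ns0.wikimedia.org") + enc("hostmaster.example")
             + struct.pack("!5I", 1, 2, 3, 4, 5))
    rr = enc(soa_owner) + struct.pack("!HHIH", 6, 1, 600, len(rdata)) + rdata
    return struct.pack("!6H", 0xD49C, 0x8400, 1, 0, 1, 0) + question + rr

if __name__ == "__main__":
    print(soa_mismatch(sample("wikimedia.org")))   # SOA from the CNAME target's zone
    print(soa_mismatch(sample("wikipedia.org")))   # SOA from the queried zone
```

Feeding it UDP payloads from a capture of the resolver's upstream traffic shows which authoritative servers send this shape of response.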