Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-29 Thread Mark Andrews

In message , Paul Wouters writes:
> On Wed, 30 Sep 2009, Mark Andrews wrote:
> 
> >> http://www.afnic.fr/outils/zonecheck/_en
> >
> > The key word is "required".  I know some do, I just wish more did.
> 
> I for one, welcome our new named-checkzone overlords.
> 
> (especially if named-checkzone would fail to OK a zone with NSEC3RSASHA1 keys
> and re-used NSEC records :)

NSEC3RSASHA1 w/ NSEC is fine and is required if you want to transition
from RSASHA1 (w/ NSEC) to NSEC3RSASHA1 w/ NSEC3 w/o going insecure.

NSEC + NSEC3PARAM however could be rejected as could having multiple
NSEC3PARAM records.

> Paul

Not named-checkzone (yet) but the following are in BIND 9.6.2.

2686.   [bug]   dnssec-signzone should clean the old NSEC chain when
signing with NSEC3 and vice versa. [RT #20301]

2683.   [bug]   dnssec-signzone should clean out old NSEC3 chains when
the NSEC3 parameters used to sign the zone change.
[RT #20246]

dnssec-signzone works on the zone as a whole so it is in the position
to do this in a straight forward manner.  Named, however, needs to
support multiple NSEC3 chains (though not all may be complete) as
it does its work incrementally but perhaps it could be argued that
when you finish adding a new NSEC3 chain incrementally the old one
should be removed.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
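An added sanity check in the spirit of the rules Mark states above (example code, not named-checkzone or dnssec-signzone): NSEC alongside NSEC3RSASHA1 keys is accepted, NSEC alongside an NSEC3PARAM is flagged, more than one NSEC3PARAM is flagged, and NSEC3 records built with parameters other than the current NSEC3PARAM are reported as a leftover chain (the situation CHANGES 2683 has dnssec-signzone clean up). The zone text, key material and hashed owner names below are constructed for the example and are not real data.

```python
"""Sanity checks for a zone part-way through an NSEC <-> NSEC3 transition.
Added example, not named-checkzone or dnssec-signzone code.  The zone text,
DNSKEY material and NSEC3 hashed owner names are constructed."""

NSEC3RSASHA1 = 7   # DNSKEY algorithm number from RFC 5155


def parse_zone(text):
    """Minimal master-file reader: one RR per line, fully qualified owner,
    'owner TTL class TYPE rdata...'; ';' comments and blank lines are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        rrs.append((owner.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return rrs


def nsec3_params(rdata):
    """(hash algorithm, iterations, salt) from NSEC3 or NSEC3PARAM rdata.
    The flags octet is skipped: opt-out varies per record, not per chain."""
    alg, _flags, iterations, salt = rdata[:4]
    return int(alg), int(iterations), "" if salt == "-" else salt.upper()


def key_algorithms(apex, rrs):
    """Set of DNSKEY algorithm numbers present at the apex."""
    apex = apex.lower()
    return {int(r[4][2]) for r in rrs if r[0] == apex and r[3] == "DNSKEY"}


def check_chains(apex, rrs):
    """Return a list of problems; an empty list means the chain state is coherent."""
    apex = apex.lower()
    problems = []
    params = [r for r in rrs if r[0] == apex and r[3] == "NSEC3PARAM"]
    nsec = [r for r in rrs if r[3] == "NSEC"]
    nsec3 = [r for r in rrs if r[3] == "NSEC3"]
    if len(params) > 1:
        problems.append("%d NSEC3PARAM records at apex, at most 1 expected" % len(params))
    if nsec and params:
        problems.append("NSEC chain present alongside NSEC3PARAM")
    if params:
        current = nsec3_params(params[0][4])
        stale = sorted(r[0] for r in nsec3 if nsec3_params(r[4]) != current)
        if stale:
            problems.append("NSEC3 records from an old chain: " + ", ".join(stale))
    elif nsec3:
        problems.append("NSEC3 records present but no NSEC3PARAM at apex")
    # Deliberately not flagged: an NSEC chain signed with algorithm-7 keys.
    # That is the state you pass through when moving from RSASHA1/NSEC to
    # NSEC3RSASHA1/NSEC3 without going insecure.
    return problems


# Constructed zone: NSEC chain with algorithm-7 keys, the permitted state.
ZONE_NSEC_ALG7 = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009092901 3600 900 86400 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 7 AwEAAcExampleKskNotARealKey==
example.com. 3600 IN DNSKEY 256 3 7 AwEAAcExampleZskNotARealKey==
example.com. 3600 IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY
ns1.example.com. 3600 IN A 192.0.2.53
ns1.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
"""

# Constructed zone with all three faults: two NSEC3PARAMs, an NSEC chain still
# present, and one NSEC3 record built with parameters no longer in NSEC3PARAM.
ZONE_BROKEN = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009092902 3600 900 86400 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 7 AwEAAcExampleKskNotARealKey==
example.com. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
example.com. 3600 IN NSEC3PARAM 1 0 12 DEADBEEF
example.com. 3600 IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY NSEC3PARAM
ns1.example.com. 3600 IN A 192.0.2.53
b4um86eghhds6nea196smvmlo4ors995.example.com. 3600 IN NSEC3 1 0 10 AABBCCDD gjeqe526plbf1g8mklp59enfd789njgi NS SOA RRSIG DNSKEY NSEC3PARAM
gjeqe526plbf1g8mklp59enfd789njgi.example.com. 3600 IN NSEC3 1 0 5 - b4um86eghhds6nea196smvmlo4ors995 A RRSIG
"""


def demo():
    """Run both constructed zones through the checks."""
    return (check_chains("example.com.", parse_zone(ZONE_NSEC_ALG7)),
            key_algorithms("example.com.", parse_zone(ZONE_NSEC_ALG7)),
            check_chains("example.com.", parse_zone(ZONE_BROKEN)))


if __name__ == "__main__":
    clean, algs, broken = demo()
    print("NSEC zone: %s (key algorithms %s)" % (clean or "ok", sorted(algs)))
    for problem in broken:
        print("broken zone:", problem)
```

The checks work on the whole zone file, which is why dnssec-signzone can do this cleanly while a running named, adding an NSEC3 chain incrementally, must tolerate two chains for a while; a lint like this is meant for the signed file before it is loaded, not for the server's live database.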


Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-29 Thread Paul Wouters

On Wed, 30 Sep 2009, Mark Andrews wrote:

>> http://www.afnic.fr/outils/zonecheck/_en
>
> The key word is "required".  I know some do, I just wish more did.


I for one, welcome our new named-checkzone overlords.

(especially if named-checkzone would fail to OK a zone with NSEC3RSASHA1 keys
and re-used NSEC records :)

Paul


Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-29 Thread Mark Andrews

In message <20090929122845.ga13...@nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Sep 24, 2009 at 07:16:35AM +1000,
>  Mark Andrews  wrote 
>  a message of 77 lines which said:
> 
> > It's a pity registries are not required to verify correct operation
> > of the nameservers they are delegating to before accepting the
> > delegation.
> 
> Some do!
> 
> http://www.afnic.fr/outils/zonecheck/_en

The key word is "required".  I know some do, I just wish more did.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-29 Thread Stephane Bortzmeyer
On Thu, Sep 24, 2009 at 07:16:35AM +1000,
 Mark Andrews  wrote 
 a message of 77 lines which said:

> It's a pity registries are not required to verify correct operation
> of the nameservers they are delegating to before accepting the
> delegation.

Some do!

http://www.afnic.fr/outils/zonecheck/_en


Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-23 Thread Mark Andrews

In message , "Jeremy C. Reed" writes:
> > It looks like that the authoritative name server for youbei.cc
> > actually did return some answers, but somehow bind gave a FORMERR for
> > some unknown reasons, which I think caused a SERVFAIL to be
> > reported in turn. Interestingly, dig any youbei.cc +trace ran
> > successfully and did not report any error.
> >
> > Does anyone know what might have caused this problem?
> 
> My custom named logs:
> 
> 23-Sep-2009 15:00:29.749 resolver: notice: FORMERR: Type didn't match (ANY != A)
> 23-Sep-2009 15:00:29.770 resolver: notice: FORMERR: Reply has no answer.
> 
> named wants to know "Is the question the same as the one we asked?"
> 
> I think 72dns.com has a broken DNS server.
 
More modern versions of dig will also report the mismatch.  The
servers also answers  queries with A records.

It's a pity registries are not required to verify correct operation
of the nameservers they are delegating to before accepting the
delegation.  If they were then a lot of this garbage would cease.
It really isn't hard for a registry (or the registrar on behalf of
the registry) to check that servers answer queries correctly.  Just
the almighty dollar has got in front of having a working system.

Mark

% dig any youbei.cc @ns1.72dns.com
;; Question section mismatch: got youbei.cc/A/IN
;; Question section mismatch: got youbei.cc/A/IN
;; Question section mismatch: got youbei.cc/A/IN

; <<>> DiG 9.7.0a2 <<>> any youbei.cc @ns1.72dns.com
;; global options: +cmd
;; connection timed out; no servers could be reached
% 

% dig  youbei.cc @ns1.72dns.com

; <<>> DiG 9.3.6-P1 <<>>  youbei.cc @ns1.72dns.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5189
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;youbei.cc. IN  

;; ANSWER SECTION:
youbei.cc.  3600IN  A   211.155.230.241

;; Query time: 436 msec
;; SERVER: 121.12.173.174#53(121.12.173.174)
;; WHEN: Thu Sep 24 07:07:46 2009
;; MSG SIZE  rcvd: 52
%



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Dig ANY gives SERVFAIL / FORMERR

2009-09-23 Thread Jeremy C. Reed
> It looks like that the authoritative name server for youbei.cc
> actually did return some answers, but somehow bind gave a FORMERR for
> some unknown reasons, which I think caused a SERVFAIL to be
> reported in turn. Interestingly, dig any youbei.cc +trace ran
> successfully and did not report any error.
>
> Does anyone know what might have caused this problem?

My custom named logs:

23-Sep-2009 15:00:29.749 resolver: notice: FORMERR: Type didn't match (ANY != A)
23-Sep-2009 15:00:29.770 resolver: notice: FORMERR: Reply has no answer.

named wants to know "Is the question the same as the one we asked?"

I think 72dns.com has a broken DNS server.



Dig ANY gives SERVFAIL / FORMERR

2009-09-23 Thread Patrick Yu
Hi,

I operate a caching name server version 9.5.0-P1 for a small work
group that includes an email server. From the server log file, there
are occasional DNS error messages.

Upon closer examination using a packet sniffer, the email server sends
out queries of type ANY for all sender/recipient domain names. There
are just some domains which cause errors, for example, youbei.cc
(which is not under our control.)

I tried dig any youbei.cc and it returns the following error:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64259
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

With heavy tracing turned on and rndc flush before executing the
command, it gave the following log entries that I excerpted below:

24-Sep-2009 02:07:35.878 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  28529
;; flags: qr aa ; QUESTION: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3
;; QUESTION SECTION:
;youbei.cc. IN  A

;; ANSWER SECTION:
youbei.cc.  86400   IN  SOA ns1.72dns.com. admin.youbei.cc. 100 3600 900 86400 3600
youbei.cc.  3600IN  NS  ns1.72dns.com.
youbei.cc.  3600IN  NS  ns2.72dns.com.
youbei.cc.  3600IN  MX  10 mail.youbei.cc.
youbei.cc.  3600IN  A   211.155.230.241

;; ADDITIONAL SECTION:
ns1.72dns.com.  3600IN  A   121.12.173.174
ns2.72dns.com.  3600IN  A   211.155.230.241
mail.youbei.cc. 3600IN  A   58.61.157.116

24-Sep-2009 02:07:35.879 fctx d18160(youbei.cc/ANY'): cancelquery
24-Sep-2009 02:07:35.879 sockmgr dbea0: watcher got message -2 for socket -1
24-Sep-2009 02:07:35.880 dispatch 160dc88 response 160ce28 121.12.173.174#53: detaching from task ca310
24-Sep-2009 02:07:35.880 dispatch 160dc88: detach: refcount 0
24-Sep-2009 02:07:35.880 fctx d18160(youbei.cc/ANY'): add_bad
24-Sep-2009 02:07:35.881 dispatch 160dc88: got packet: requests 0, buffers 1, recvs 1
24-Sep-2009 02:07:35.881 FORMERR resolving 'youbei.cc/ANY/IN': 121.12.173.174#53
24-Sep-2009 02:07:35.881 fctx d18160(youbei.cc/ANY'): try
24-Sep-2009 02:07:35.882 fctx d18160(youbei.cc/ANY'): query

It looks like that the authoritative name server for youbei.cc
actually did return some answers, but somehow bind gave a FORMERR for
some unknown reasons, which I think caused a SERVFAIL to be
reported in turn. Interestingly, dig any youbei.cc +trace ran
successfully and did not report any error.

Does anyone know what might have caused this problem?

Best regards,
Patrick
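The check behind the FORMERR in Patrick's trace, Jeremy's explanation ("Is the question the same as the one we asked?") and Mark's remark that it is not hard to verify a server answers queries correctly, as an added example that is not part of the thread or of BIND: a minimal wire-format parser that compares a reply's question section against the query sent, with hand-built packets imitating the 72dns.com behaviour (ANY asked, A echoed). The packets, the query ID and the "no answer" rule are constructed for the example; named's actual criteria are more involved.

```python
"""Does a DNS reply echo the question we asked?  Added example, not BIND
source; the packets are built by hand to imitate the server in the thread."""
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AAAA": 28, "ANY": 255}
TYPE_NAME = {v: k for k, v in QTYPE.items()}
CLASS_IN = 1


def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, next offset)."""
    labels, after, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # compression pointer
            if after is None:
                after = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (after if after is not None else off)


def build_query(qid, qname, qtype):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], CLASS_IN)


def build_response(qid, qname, echoed_qtype, answers):
    """Authoritative NOERROR reply.  `echoed_qtype` is what the server writes
    into the question section, so a server rewriting ANY to A can be imitated."""
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, len(answers), 0, 0)  # QR=1, AA=1
    msg = header + encode_name(qname) + struct.pack("!HH", QTYPE[echoed_qtype], CLASS_IN)
    for rtype, ttl, rdata in answers:
        # owner name as a pointer to offset 12, the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[rtype], CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def check_reply(query, reply):
    """Return None if the reply is usable, else a reason string in the style
    of the resolver log lines quoted in the thread."""
    qid, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", reply[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        return "FORMERR: ID didn't match"
    if not flags & 0x8000:
        return "FORMERR: QR bit not set"
    if qdcount != 1:
        return "FORMERR: Question count != 1"
    want_name, off = decode_name(query, 12)
    want_type, want_class = struct.unpack("!HH", query[off:off + 4])
    got_name, off = decode_name(reply, 12)
    got_type, got_class = struct.unpack("!HH", reply[off:off + 4])
    if got_name != want_name:
        return "FORMERR: Name didn't match (%s != %s)" % (want_name, got_name)
    if got_type != want_type:
        return "FORMERR: Type didn't match (%s != %s)" % (
            TYPE_NAME.get(want_type, want_type), TYPE_NAME.get(got_type, got_type))
    if got_class != want_class:
        return "FORMERR: Class didn't match"
    # Simplified version of named's second complaint: NOERROR with nothing in
    # the answer or authority section is not an answer at all.
    if (flags & 0x000F) == 0 and ancount == 0 and nscount == 0:
        return "FORMERR: Reply has no answer."
    return None


def demo():
    """Ask youbei.cc/ANY as in the thread; the broken reply echoes type A."""
    a_rr = ("A", 3600, bytes([211, 155, 230, 241]))   # address from the trace
    query = build_query(0x6F71, "youbei.cc", "ANY")
    broken = build_response(0x6F71, "youbei.cc", "A", [a_rr])     # imitates 72dns.com
    fixed = build_response(0x6F71, "youbei.cc", "ANY", [a_rr])
    empty = build_response(0x6F71, "youbei.cc", "ANY", [])
    return check_reply(query, broken), check_reply(query, fixed), check_reply(query, empty)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict or "reply accepted")
```

A resolver that skipped this comparison would cache whatever came back under the name and type it asked for, so the mismatch is rejected outright rather than patched up; that is why a reply with five perfectly good records in it still ends as SERVFAIL at the client, while `dig +trace` (which does not apply named's check) shows the records without complaint.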