Re: Understanding cause of DNS format error (FORMERR)
Hello Sam,

There's some kind of delegation bug as well. If I query dns1[0-3].one.microsoft.com for SOA and NS for partners.extranet.microsoft.com you get sensible answers though the origin host is different for each server queried and those origins are privately addressed.

Which kind of misconfiguration could lead to SOA records for hosts on the internet to be privately addressed? Misconfigured split horizon server?

[...]

The authority for zero-answer responses such as vlasext.partners.extranet.microsoft.com/IN/ is the SOA for partners.extranet.microsoft.com

What do you mean with authority for zero-answer responses? What is the normal authority response I should get when querying for non-existent records? I'm trying a few third level domains (e.g. fabric.readthedocs.org) and I most of the time get as authority section the SOA for the second level domain (readthedocs.org).

Thanks!

It's all rather horrible.

I concur!

Gabriele

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
Hello Carsten,

Thanks for your reply!

about the FORMERR. This might be caused by a Firewall or other middlebox that truncates the large answer containing the NS record set for this domain. I see the same if I try to fetch the delegation NS records from the parent domain (microsoft.com) for partners.extranet.microsoft.com:

That doesn't explain why I get a correct reply to my query if I use a Windows DNS or one of the Google DNS (what software do they run?) or my home ISP DNS (UPC, Netherlands).

stanislao:~ gpaggi$ dig A @62.179.104.196 vlasext.partners.extranet.microsoft.com +short
70.42.230.20
stanislao:~ gpaggi$ dig A @8.8.8.8 vlasext.partners.extranet.microsoft.com +short
70.42.230.20

I'm trying to understand if this behavior is specific to the BIND release that I'm running (should be the latest available on CentOS 5) and what's triggering it. Increasing debug logging to 90 doesn't tell me what's wrong with the reply BIND gets from the Microsoft DNS.

# dig @ns1.msft.net. partners.extranet.microsoft.com ns
[...]

If some other members of this mailing list also see the same FORMERR (I'm seeing it over IPv4+IPv6), that is very likely a firewall or middlebox on the Microsoft side.

I do get indeed a reply from my home connection:

stanislao:~ gpaggi$ dig @ns1.msft.net. partners.extranet.microsoft.com ns

; DiG 9.6-ESV-R4-P3 @ns1.msft.net. partners.extranet.microsoft.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 37303
;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; ANSWER SECTION:
partners.extranet.microsoft.com. 3600 IN NS dns13.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns11.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns12.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns10.one.microsoft.com.

;; ADDITIONAL SECTION:
dns13.one.microsoft.com. 3600 IN A 65.55.31.17
dns11.one.microsoft.com. 3600 IN A 94.245.124.49
dns12.one.microsoft.com. 3600 IN A 207.46.55.10
dns10.one.microsoft.com. 3600 IN A 131.107.125.65

;; Query time: 201 msec
;; SERVER: 65.55.37.62#53(65.55.37.62)
;; WHEN: Sun Jun 24 05:51:37 2012
;; MSG SIZE rcvd: 197

Gabriele

PS. Carsten, apologies for the double message.
Re: Understanding cause of DNS format error (FORMERR)
Hello Carsten,

At Men & Mice I've investigated this issue a few weeks ago for one of our customers. At that point of time, we've seen NS records with private addresses:

That's interesting but it still doesn't explain why BIND reports a format error in the reply it receives. The reply is nonsense but it's legit and BIND should just return it. Am I wrong? Besides that, I've been constantly getting a FORMERR reply for a week now.

The issue seems to differ from the point in the network you are sending the query, and if the resolving DNS server has only IPv4 or is dual-stack (IPv4 + IPv6). It seems that the resolution is sometimes broken, but we have not found the root cause of the issue.

I'm running with only IPv4. May I ask you which version of BIND are you running? Jeffry is not able to reproduce the issue using BIND 9.9.1-P1 and I might consider an upgrade.

We've also informed Microsoft about the issue.

I know what the answer is but I'll ask anyway: did you ever get a reply / acknowledgement from them?

Thanks!

Gabriele
Re: Understanding cause of DNS format error (FORMERR)
Hello Jeffry,

FWIW I'm not able to reproduce this using a BIND 9.9.1-P1 recursive resolver. On this system dig @localhost vlasext.partners.extranet.microsoft.com a returns the answer 70.42.230.20 and identifies dns11.one.microsoft.com (94.245.124.49) as one of four authoritative servers. dig @94.245.124.49 vlasext.partners.extranet.microsoft.com a also returns the answer 70.42.230.20, but no authority or additional records (except EDNS UDP 4000), and with no AA flag set. On the contrary querying one of my own authoritative servers, also running BIND 9.9.1-P1, for a record for which it is authoritative (dig @ns2.countryday.net countryday.net a) does return the answer along with authority and additional records for the name servers and does have the AA flag set. Finally querying one of my internal Microsoft DNS servers (Windows Server 2008 R2 SP1) for a record for which it is authoritative gives me a correct answer, no authority or additional records (except EDNS UDP 4000), but does have the AA flag set.

Thanks. At least I know an upgrade would fix the issue although I still don't know what and where the problem is (Microsoft DNS reply? BIND?).

From what I observed I would conclude that dns11.one.microsoft.com is a Windows DNS server since it behaves like mine except for the AA flag not being set in theirs. The missing AA flag and lack of authority and additional records in their response seems like improper behavior to me, but I don't know whether or not the DNS protocol actually requires this. Apparently BIND 9.9.1-P1 is able to handle this situation.

I kind of assumed Microsoft would have been running a Windows DNS for their domains ;-)

Gabriele
Understanding cause of DNS format error (FORMERR)
Hello,

I'm a BIND novice and I'm trying to understand what causes my BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried for the A record of vlasext.partners.extranet.microsoft.com:

Jun 22 11:14:47 res1 named[32210]: DNS format error from 94.245.124.49#53 resolving vlasext.partners.extranet.microsoft.com/A for client 10.16.32.4#50421: invalid response
Jun 22 11:14:47 res1 named[32210]: error (FORMERR) resolving 'vlasext.partners.extranet.microsoft.com/A/IN': 94.245.124.49#53
Jun 22 11:14:47 res1 named[32210]: DNS format error from 131.107.125.65#53 resolving vlasext.partners.extranet.microsoft.com/A for client 10.16.32.4#50421: invalid response
Jun 22 11:14:47 res1 named[32210]: error (FORMERR) resolving 'vlasext.partners.extranet.microsoft.com/A/IN': 131.107.125.65#53
Jun 22 11:14:47 res1 named[32210]: DNS format error from 207.46.55.10#53 resolving vlasext.partners.extranet.microsoft.com/A for client 10.16.32.4#50421: invalid response
Jun 22 11:14:47 res1 named[32210]: error (FORMERR) resolving 'vlasext.partners.extranet.microsoft.com/A/IN': 207.46.55.10#53

If I submit the same query to a Windows DNS, or one of the Google DNS, I do get a reply:

[gpaggi@res1 ~]# dig A @8.8.8.8 vlasext.partners.extranet.microsoft.com +short
70.42.230.20
[gpaggi@res1 ~]#

Is it related to the AA bit strictness[1]? 94.245.124.49 is dns11.one.microsoft.com and does indeed reply without setting the AA bit. As far as I know the 'strictness' was removed in P2, correct me if I'm wrong.

Thanks!

Gabriele

[1] http://www.isc.org/community/blog/201007/compatibility-issues-bind-970-and-971
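
Added example (not part of the original posts and not BIND's own validation logic): a small decoder for the two things the thread keeps coming back to, whether a reply has the AA bit set and whether the record counts in the header still fit the bytes that arrived, as they would not if a middlebox cut the packet without setting TC. The message bytes are constructed for illustration, not captured traffic, and the function names are hypothetical.

```python
import struct

def encode_name(name):
    """Encode a dotted name as length-prefixed labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if (length & 0xC0) == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:               # root label ends the name
            return off + 1
        off += 1 + length

def inspect_response(msg):
    """Decode header flags and check that the advertised records fit the bytes."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {"qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "counts": (qd, an, ns, ar), "consistent": True, "problem": None}
    off = 12
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("record header cut short")
            off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
        if off > len(msg):
            raise ValueError("record data runs past end of message")
    except ValueError as exc:
        info["consistent"], info["problem"] = False, str(exc)
    return info

# Constructed sample (not captured traffic): QR+RD set, AA clear, one A record.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8100, 1, 1, 0, 0)
          + encode_name("vlasext.partners.extranet.microsoft.com")
          + struct.pack("!2H", 1, 1)               # QTYPE=A, QCLASS=IN
          + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 3600, 4)
          + bytes([70, 42, 230, 20]))

if __name__ == "__main__":
    print(inspect_response(SAMPLE))        # intact message
    print(inspect_response(SAMPLE[:-3]))   # same bytes cut short, TC still clear
```

To run it against a real reply, feed it the DNS payload bytes from a packet capture of the resolver's upstream traffic.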