-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dear Barry and list users,
Thanks for the info.
- From what you tell me, there's not much more to do than reduce logging
of this type of error on my side, so the logging info you gave in 2006
solves my problem just fine.
Thank you very much for your help.
Cheers,
Dans sa grande sagesse, b19...@anl.gov a écrit, le 26.03.2009 15:19 :
Oliver Henriot oliver.henr...@imag.fr wrote:
Dear list users,
I have a bind 9.3 server on a centos 5.2 machine which logs huge (about
12 errors every second) quantities of FORMERR messages while trying to
resolve /IN records which look like this :
Mar 25 08:44:24 myserver named[1124]: FORMERR resolving
'auniarael.com//IN': 216.69.185.38#53
I'm a bit of a bind noob so I scoured the bind 9.3 ARM and the web
looking for info which could help me understand what is going wrong. I
found nothing of much use to me, appart from a thread on this list from
2006 in which Barry Finkel has a similar question. I followed the
logging instructions he gives and solved the overfull /var/log problem
but I presume I still have these FORMERR problems occuring.
Just for info, if it of any use, in a log file from before modifying
logging, I had 1826550 lines of FORMERR but of these, only 275
unique adresses, so it's always the same requests and always the same
errors...
I don't think it's a recursion problem, I have restricted that to my
networks.
I only get these logs on this server, not on any of the others.
I'd greatly appreciate if someone could point me in the right direction
to try and work out what is going wrong and fix it.
Look at the output of these queries:
dnsserver% dig auniarael.com @216.69.185.38
; DiG 8.3 auniarael.com @216.69.185.38
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUERY SECTION:
;; auniarael.com, type = A, class = IN
;; ANSWER SECTION:
auniarael.com. 1H IN A 68.178.232.143
;; AUTHORITY SECTION:
auniarael.com. 1H IN NScpns01.secureserver.net.
auniarael.com. 1H IN NScpns02.secureserver.net.
;; Total query time: 62 msec
;; FROM: dnsserver.anl.gov to SERVER: 216.69.185.38 216.69.185.38
;; WHEN: Thu Mar 26 09:05:56 2009
;; MSG SIZE sent: 31 rcvd: 105
dnsserver% !!
dig auniarael.com @216.69.185.38
; DiG 8.3 auniarael.com @216.69.185.38
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; QUERY SECTION:
;; auniarael.com, type = , class = IN
;; AUTHORITY SECTION:
. 1D IN SOA cpns01.secureserver.net.
dns.jomax.net. (
20080922; serial
8H ; refresh
2H ; retry
1W ; expiry
1D ); minimum
auniarael.com. 1H IN NScpns01.secureserver.net.
auniarael.com. 1H IN NScpns02.secureserver.net.
;; Total query time: 62 msec
;; FROM: dnsserver.anl.gov to SERVER: 216.69.185.38 216.69.185.38
;; WHEN: Thu Mar 26 09:06:02 2009
;; MSG SIZE sent: 31 rcvd: 157
dnsserver%
Note that the first query defaults to an A record search, and the
authority section gives the names of the two name servers. This is
fine. The second query is specifically for an record.
Note the authority section -
;; AUTHORITY SECTION:
. 1D IN SOA...
The authority is the root. BIND (correctly) does not believe this
and returns FORMERR (format error). This occurs, as Mark Andrews
pointed out to me a numbe of months ago, because the DNS administrator
has placed all of the records for various zones into one zone, and thus
cannot configure an SOA record that is correct. A search for an A
record that exists will return correct values, but a search for a
record that does not exist forces DNS to return the faulty SOA record.
I just ran my FORMERR script against our current /var/adm/messsages,
and I see a handful of DNS servers producing most of the FORMERR
messages:
cnt DNS Server IP
--- --
37 60.191.254.243
37 219.152.120.12
24 203.93.208.86
24 124.207.117.60
12 75.126.8.248
12 75.126.57.130
12 65.55.238.126
12 65.54.240.126
12 213.199.161.77
12 207.68.160.190
12 207.46.66.126
6 66.211.162.250
6 66.135.220.69
6 66.135.220.68
4 159.215.217.197
4 159.215.16.197
4 159.215.117.197
3 209.235.30.142
3 204.77.28.20
1 68.156.138.136
1