Re: Understanding cause of DNS format error (FORMERR)
In article mailman.1145.1340719800.63724.bind-us...@lists.isc.org, Barry Margolin bar...@alum.mit.edu wrote: In article mailman.1144.1340718471.63724.bind-us...@lists.isc.org, Sam Wilson sam.wil...@ed.ac.uk wrote: For a NXDOMAIN response, or NOERROR with an empty answer section, the server should provide the SOA record in the authority section. That SOA is the apex of the zone which doesn't contain the answer record you asked for, if you see what I mean. The server is proving that it has authority to tell you that the information doesn't exist. More important, the SOA record contains the TTL that should be used for the negative cache entry. More important for the operation of the DNS, but I'd think less important from the point of view of manual debugging, like we're doing here. The fact that looking for nonexistent data for vlasext.partners.extranet.microsoft.com returns the partners.extranet.microsoft.com SOA record shows that the vlasext subdomain has not been delegated. The servers should therefore be able to offer an authoritative answer for data that does exist for vlasext.etc... but they don't. This type of inconsistency often suggests a DNS-based load balancer is involved. I wondered that but it's not consistent with earlier results in the thread which suggested Windows DNS server for at least one of them. An old version of fpdns (someone might like to try a newer one) concurs: $ for i in 0 1 2 3 ; do fpdns dns1$i.one.microsoft.com ; done fingerprint (dns10.one.microsoft.com, 131.107.125.65): Microsoft \ Windows 2003 fingerprint (dns11.one.microsoft.com, 94.245.124.49): Microsoft \ Windows 2003 fingerprint (dns12.one.microsoft.com, 207.46.55.10): Microsoft \ Windows 2003 fingerprint (dns13.one.microsoft.com, 65.55.31.17): Microsoft \ Windows 2003 $ fpdns -v fpdns.pl version 0.9.1 Sam -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
Hello Sam, There's some kind of delegation bug as well. If I query dns1[0-3].one.microsoft.com for SOA and NS for partners.extranet.microsoft.com you get sensible answers though the origin host is different for each server queried and those origins are privately addressed. Which kind of misconfiguration could lead to SOA records for hosts on the internet to be privately addressed? Misconfigured split horizon server? [...] The authority for zero-answer responses such as vlasext.partners.extranet.microsoft.com/IN/ is the SOA for partners.extranet.microsoft.com What do you mean with authority for zero-answer responses? What is the normal authority response I should get when querying for non-existent records? I'm trying a few third level domains (e.g. fabric.readthedocs.org) and I most of the time get as authority section the SOA for the second level domain (readthedocs.org). Thanks! It's all rather horrible. I concur! Gabriele ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
In article mailman.1143.1340715359.63724.bind-us...@lists.isc.org, Gabriele Paggi gabriele@gmail.com wrote: Hello Sam, There's some kind of delegation bug as well. If I query dns1[0-3].one.microsoft.com for SOA and NS for partners.extranet.microsoft.com you get sensible answers though the origin host is different for each server queried and those origins are privately addressed. Which kind of misconfiguration could lead to SOA records for hosts on the internet to be privately addressed? Misconfigured split horizon server? It's not difficult for private addresses to escape. It need not actually be a problem. It's not necessarily a problem here but it does make it difficult to work out what's going on. [...] The authority for zero-answer responses such as vlasext.partners.extranet.microsoft.com/IN/ is the SOA for partners.extranet.microsoft.com What do you mean with authority for zero-answer responses? What is the normal authority response I should get when querying for non-existent records? For a NXDOMAIN response, or NOERROR with an empty answer section, the server should provide the SOA record in the authority section. That SOA is the apex of the zone which doesn't contain the answer record you asked for, if you see what I mean. The server is proving that it has authority to tell you that the information doesn't exist. The fact that looking for nonexistent data for vlasext.partners.extranet.microsoft.com returns the partners.extranet.microsoft.com SOA record shows that the vlasext subdomain has not been delegated. The servers should therefore be able to offer an authoritative answer for data that does exist for vlasext.etc... but they don't. I'm trying a few third level domains (e.g. fabric.readthedocs.org) and I most of the time get as authority section the SOA for the second level domain (readthedocs.org). Thanks! dig domain +trace will also (normally) show you how the tree is delegated, though it doesn't print out the SOA records. Try www.automation.ucs.ed.ac.uk. It's all rather horrible. I concur! Sam -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
In article mailman.1144.1340718471.63724.bind-us...@lists.isc.org, Sam Wilson sam.wil...@ed.ac.uk wrote: For a NXDOMAIN response, or NOERROR with an empty answer section, the server should provide the SOA record in the authority section. That SOA is the apex of the zone which doesn't contain the answer record you asked for, if you see what I mean. The server is proving that it has authority to tell you that the information doesn't exist. More important, the SOA record contains the TTL that should be used for the negative cache entry. The fact that looking for nonexistent data for vlasext.partners.extranet.microsoft.com returns the partners.extranet.microsoft.com SOA record shows that the vlasext subdomain has not been delegated. The servers should therefore be able to offer an authoritative answer for data that does exist for vlasext.etc... but they don't. This type of inconsistency often suggests a DNS-based load balancer is involved. -- Barry Margolin Arlington, MA ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
It looks to me like this is an EDNS bug. I am querying the authoritative server directly, with no firewalls in the way. The FORMERR is coming from the authoritative server not from BIND. I get the same result over IPv4 and IPv6. They also have a bug in their NXDOMAIN logic: extranet.microsoft.com does not exist therefore partners.extranet.microsoft.com cannot exist. ; DiG 9.9.1-P1 +noedns @ns1.msft.net. partners.extranet.microsoft.com ns ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 9931 ;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; ANSWER SECTION: partners.extranet.microsoft.com. 3600 IN NS dns12.one.microsoft.com. partners.extranet.microsoft.com. 3600 IN NS dns10.one.microsoft.com. partners.extranet.microsoft.com. 3600 IN NS dns13.one.microsoft.com. partners.extranet.microsoft.com. 3600 IN NS dns11.one.microsoft.com. ;; ADDITIONAL SECTION: dns12.one.microsoft.com. 3600 IN A 207.46.55.10 dns10.one.microsoft.com. 3600 IN A 131.107.125.65 dns13.one.microsoft.com. 3600 IN A 65.55.31.17 dns11.one.microsoft.com. 3600 IN A 94.245.124.49 ;; Query time: 159 msec ;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1) ;; WHEN: Mon Jun 25 12:38:51 2012 ;; MSG SIZE rcvd: 197 ; DiG 9.9.1-P1 +edns=0 @ns1.msft.net. partners.extranet.microsoft.com ns ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: FORMERR, id: 20875 ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; Query time: 142 msec ;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1) ;; WHEN: Mon Jun 25 12:38:57 2012 ;; MSG SIZE rcvd: 60 ; DiG 9.9.1-P1 +noedns @ns1.msft.net extranet.microsoft.com ns ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 141 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;extranet.microsoft.com.IN NS ;; AUTHORITY SECTION: microsoft.com. 3600IN SOA ns1.msft.net. msnhst.microsoft.com. 2012062205 300 600 2419200 3600 ;; Query time: 142 msec ;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1) ;; WHEN: Mon Jun 25 12:44:44 2012 ;; MSG SIZE rcvd: 95 Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Sole, Lundy, Fastnet: Southeast at first in Lundy and Fastnet, otherwise southwest, 4 or 5. Slight or moderate, occasionally rough in west Sole. Occasional rain or drizzle, fog patches. Moderate, occasionally very poor. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
Carsten Strotmann (private) c...@strotmann.de wrote: The FORMERR I'm seeing is also quite odd, as it has the AD flag set, which should normally not appear in an error type of response, but might be caused by a mangled DNS packet: I think it is echoing the AD bit in the query. ; DiG 9.9.1-P1 +noad +qr @ns1.msft.net. partners.extranet.microsoft.com ns ; (2 servers found) ;; global options: +cmd ;; Sending: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 3331 ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; Got answer: ;; -HEADER- opcode: QUERY, status: FORMERR, id: 3331 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; Query time: 142 msec ;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1) ;; WHEN: Mon Jun 25 12:57:06 2012 ;; MSG SIZE rcvd: 60 ; DiG 9.9.1-P1 +qr @ns1.msft.net. partners.extranet.microsoft.com ns ; (2 servers found) ;; global options: +cmd ;; Sending: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 21060 ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; Got answer: ;; -HEADER- opcode: QUERY, status: FORMERR, id: 21060 ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; Query time: 142 msec ;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1) ;; WHEN: Mon Jun 25 12:56:22 2012 ;; MSG SIZE rcvd: 60 Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Dogger: Northwest 5 or 6 becoming variable 3 or 4. Moderate, becoming slight in west. Showers. Moderate or good. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
In article mailman.1121.1340625284.63724.bind-us...@lists.isc.org, Tony Finch d...@dotat.at wrote: It looks to me like this is an EDNS bug. ... There's some kind of delegation bug as well. If I query dns1[0-3].one.microsoft.com for SOA and NS for partners.extranet.microsoft.com you get sensible answers though the origin host is different for each server queried and those origins are privately addressed. If I query dns1[0-3].one.microsoft.com for vlasext.partners.extranet.microsoft.com/IN/A I get answers with no AA bit set and a decreasing TTL as if the data were cached. It does not appear that vlasext.partners.extranet.microsoft.com is delegated itself so it's not cached answers from a child zone. The authority for zero-answer responses such as vlasext.partners.extranet.microsoft.com/IN/ is the SOA for partners.extranet.microsoft.com It's all rather horrible. Sam -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Gabriele, On 6/24/12 5:57 AM, Gabriele Paggi wrote: Hello Carsten, Thanks for your reply! about the FORMERR. This might be caused by a Firewall or other middlebox that truncates the large answer containing the NS record set for this domain. I see the same if I try to fetch the delegation NS records from the parent domain (microsoft.com) for partners.extranet.microsoft.com: That doesn't explain why I get a correct reply to my query if I use a Windows DNS or one of the Google DNS (what software do they run?) or my home ISP DNS (UPC, Netherlands). what we see is that we get different responses for the NS record set for partners.extranet.microsoft.com: 1) a list of 4 NS records (dns10/11/12/13.one.microsoft.com) with public route-able IPv4 addresses, answer size is around 200 byte 2) a list of 18 NS records (-ptnr-dc-02.partners.extranet.microsoft.com.) with private RFC 1918 addresses and an answer size of above 800 byte. These are internal domain controllers. The answer size of 800 bytes can create the FORMERR issue. I'm using BIND 9.9.1(-P1) and Unbound 1.4.17 here. Today I'm getting answer type 1) from my home and also from a machine in the datacenter, yesterday I'm seen answer type 2) and the FORMERR. The FORMERR I'm seeing is also quite odd, as it has the AD flag set, which should normally not appear in an error type of response, but might be caused by a mangled DNS packet: ;; -HEADER- opcode: QUERY, status: FORMERR, id: 30679 ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 I have no explanation of this issue at the moment. To my knowledge Google is using a homegrown DNS resolver, not BIND. Best regards Carsten Strotmann -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/mxZ4ACgkQsUJ3c+pomYHc6QCfeONcluurcPOX4dMqMWDm4pnf SlgAnAxlJ1UQRSdE+WgN28RYVBmo/N03 =DT/n -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Jeffry, On 6/22/12 1:25 PM, Spain, Dr. Jeffry A. wrote: From what I observed I would conclude that dns11.one.microsoft.com is a Windows DNS server since it behaves like mine except for the AA flag not being set in theirs. It might even be a new Windows 2012 DNS server, and it might be an issue with this new version. This is just speculation, but if it is an issue with Windows 2012 DNS, it might be good to be able to isolate that issue soon (so that it can be fixed before Windows 2012 is released). The missing AA flag and lack of authority and additional records in their response seems like improper behavior to me, but I don't know whether or not the DNS protocol actually requires this. Apparently BIND 9.9.1-P1 is able to handle this situation. my BIND 9.9.1-P1 showed FORMERR yesterday, but shows the same good answers that you report today. What is see today when I send a direct query to dns10.one.microsoft.com. (or dns11/12/13) is that both AA (Authoritative Answer) and AD (Authenticated Data) flags are set, but the zone does not seem to be DNSSEC signed (no RRSIGs, no DNSKEY): bash-3.2# dig partners.extranet.microsoft.com. INNS @dns11.one.microsoft.com. +dnssec ; DiG 9.9.1-P1 partners.extranet.microsoft.com. IN NS @dns11.one.microsoft.com. +dnssec ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 40230 ;; flags: qr aa ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; ANSWER SECTION: partners.extranet.microsoft.com. 10 IN NS dns11.one.microsoft.com. partners.extranet.microsoft.com. 10 IN NS dns10.one.microsoft.com. partners.extranet.microsoft.com. 10 IN NS dns13.one.microsoft.com. partners.extranet.microsoft.com. 10 IN NS dns12.one.microsoft.com. dns11.one.microsoft.com. 10 IN A 94.245.124.49 dns10.one.microsoft.com. 10 IN A 131.107.125.65 dns13.one.microsoft.com. 10 IN A 65.55.31.17 dns12.one.microsoft.com. 10 IN A 207.46.55.10 ;; Query time: 37 msec ;; SERVER: 94.245.124.49#53(94.245.124.49) ;; WHEN: Sun Jun 24 10:00:54 2012 ;; MSG SIZE rcvd: 228 Having AD-Flag set on an non-DNSSEC zone might be a protocol violation, and that might be the cause of FORMERR. Best regards Carsten Strotmann -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/myqQACgkQsUJ3c+pomYGzyQCdF6q+TeWUmA4TWYgiOn6pA0ha HHgAn2Amo54kuiNEIJ4hU1kXOwjnY7Pb =7x6l -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello, On 6/24/12 10:07 AM, Carsten Strotmann (private) wrote: It might even be a new Windows 2012 DNS server, and it might be an issue with this new version. This is just speculation, but if it is an issue with Windows 2012 DNS, it might be good to be able to isolate that issue soon (so that it can be fixed before Windows 2012 is released). I did some tests with the release candidate version of Windows 2012, and I could not reproduce the error. Windows 2012 internal version number is 6.2 (6.2.8400) and it does not implement the version.bind request (returns a NOTIMPL error). However the dns11.one.microsoft.com DNS server returns bash-3.2# dig @94.245.124.49 txt ch version.bind ;; Warning: query response not set ;; Warning: Message parser reports malformed message packet. ; DiG 9.9.1-P1 @94.245.124.49 txt ch version.bind ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 11512 ;; flags: aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;version.bind. CH TXT ;; ANSWER SECTION: version.bind. 1476526080 IN TXT Microsoft DNS 6.1.7601 (1DB14556) ;; Query time: 36 msec ;; SERVER: 94.245.124.49#53(94.245.124.49) ;; WHEN: Sun Jun 24 10:26:11 2012 ;; MSG SIZE rcvd: 76 which is Version Product Milestone Service branch 6.1.7600.16xxx Windows Server 2008 R2 RTM GDR I'm now setting up a Windows 2008R2 DNS Server with the latest patches in the test lab to see if I can recreate the issue. Best regards Carsten Strotmann -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/m1ioACgkQsUJ3c+pomYEXWQCfYge8Sjqa4YIhztZLZt5Z9PRp WuYAnjxfbhVJPRm9y31CKPiO/7wCp/fv =oS8C -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Gabriele, On 6/22/12 11:22 AM, Gabriele Paggi wrote: I'm a BIND novice and I'm trying to understand what causes my BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried for the A record of vlasext.partners.extranet.microsoft.com: At Men Mice I've investigated this issue a few weeks ago for one of our customers. At that point of time, we've seen NS records with private addresses: dig ns partners.extranet.microsoft.com. ; DiG 9.9.1 ns partners.extranet.microsoft.com. ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 53053 ;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 19 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; ANSWER SECTION: partners.extranet.microsoft.com. 2311 IN NS db3-ptnr-dc-01.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS tk5-ptnr-dc-02.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS by1-ptnr-dc-03.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS co2-ptnr-dc-02.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS co2-ptnr-dc-01.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS sinxtdnsz01.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS kaw-ptnr-dc-02.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS ph1-ptnr-dc-01.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS tk5-ptnr-dc-01.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS tk5-ptnr-dc-05.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS rno-ptnr-dc-01.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS tk5-ptnr-dc-03.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS sin-ptnr-dc-03.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS sin-ptnr-dc-02.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS by1-ptnr-dc-04.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS kaw-ptnr-dc-03.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS db3-ptnr-dc-02.partners.extranet.microsoft.com. partners.extranet.microsoft.com. 2311 IN NS ph1-ptnr-dc-02.partners.extranet.microsoft.com. ;; ADDITIONAL SECTION: db3-ptnr-dc-01.partners.extranet.microsoft.com. 1406 IN A 10.251.138.15 tk5-ptnr-dc-02.partners.extranet.microsoft.com. 26 IN A 10.251.51.102 by1-ptnr-dc-03.partners.extranet.microsoft.com. 3505 IN A 10.251.94.15 co2-ptnr-dc-02.partners.extranet.microsoft.com. 2941 IN A 10.251.152.89 co2-ptnr-dc-01.partners.extranet.microsoft.com. 2679 IN A 10.251.152.173 sinxtdnsz01.partners.extranet.microsoft.com. 171 IN A 10.251.168.142 kaw-ptnr-dc-02.partners.extranet.microsoft.com. 1101 IN A 10.251.162.20 ph1-ptnr-dc-01.partners.extranet.microsoft.com. 1417 IN A 10.251.26.11 tk5-ptnr-dc-01.partners.extranet.microsoft.com. 2872 IN A 10.251.51.13 tk5-ptnr-dc-05.partners.extranet.microsoft.com. 137 IN A 10.251.52.143 rno-ptnr-dc-01.partners.extranet.microsoft.com. 1375 IN A 10.251.64.113 tk5-ptnr-dc-03.partners.extranet.microsoft.com. 1564 IN A 10.251.52.124 sin-ptnr-dc-03.partners.extranet.microsoft.com. 882 IN A 10.251.168.67 sin-ptnr-dc-02.partners.extranet.microsoft.com. 505 IN A 10.251.169.47 by1-ptnr-dc-04.partners.extranet.microsoft.com. 2270 IN A 10.251.94.16 kaw-ptnr-dc-03.partners.extranet.microsoft.com. 3461 IN A 10.251.162.193 db3-ptnr-dc-02.partners.extranet.microsoft.com. 1690 IN A 10.251.138.59 ph1-ptnr-dc-02.partners.extranet.microsoft.com. 3018 IN A 10.251.26.12 ;; Query time: 1314 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed May 30 18:57:27 2012 ;; MSG SIZE rcvd: 867 The issue seem to differ from the point in the network you are sending the query, and if the resolving DNS server has only IPv4 or is dual-stack (IPv4 + IPv6). It seems that the resolution is sometimes broken, but we have not found the root cause of the issue. This forward zone proved to be an (ugly, but working) workaround: zone partners.extranet.microsoft.com IN { type forward; forwarders { 131.107.125.65; 94.245.124.49; 207.46.55.10; 65.55.31.17; }; }; We've also informed Microsoft about the issue. Best regards Carsten Strotmann -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/le38ACgkQsUJ3c+pomYEwDACgit4MdoFl4rfSCcapx1NMr9cB 1bUAn1QNRM2Gw//EsLYnH1jw1g25IvFl =hB+P -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
Re: Understanding cause of DNS format error (FORMERR)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Gabriele, On 6/22/12 11:22 AM, Gabriele Paggi wrote: I'm a BIND novice and I'm trying to understand what causes my BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried for the A record of vlasext.partners.extranet.microsoft.com: about the FORMERR. This might be caused by a Firewall or other middlebox that truncates the large answer containing the NS record set for this domain. I see the same if I try to fetch the delegation NS records from the parent domain (microsoft.com) for partners.extranet.microsoft.com: # dig @ns1.msft.net. partners.extranet.microsoft.com ns ; DiG 9.9.1-P1 ns @ns1.msft.net. partners.extranet.microsoft.com ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: FORMERR, id: 30679 ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; Query time: 167 msec ;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1) ;; WHEN: Sat Jun 23 10:47:33 2012 ;; MSG SIZE rcvd: 60 If some other members of this mailing list also see the same FORMERR (I'm seeing it over IPv4+IPv6), that is is very likely a firewall or middlebox on the Microsoft side. Best regards Carsten Strotmann -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/lhEsACgkQsUJ3c+pomYE8RwCgldVhiIiwuavJGy0VEQAbek5M d7sAoKg1ny9dN6UMhuXyF1a6diylGyzz =+PcU -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
Hello Carsten, Thanks for your reply! about the FORMERR. This might be caused by a Firewall or other middlebox that truncates the large answer containing the NS record set for this domain. I see the same if I try to fetch the delegation NS records from the parent domain (microsoft.com) for partners.extranet.microsoft.com: That doesn't explain why I get a correct reply to my query if I use a Windows DNS or one of the Google DNS (what software do they run?) or my home ISP DNS (UPC, Netherlands). stanislao:~ gpaggi$ dig A @62.179.104.196 vlasext.partners.extranet.microsoft.com +short 70.42.230.20 stanislao:~ gpaggi$ dig A @8.8.8.8 vlasext.partners.extranet.microsoft.com +short 70.42.230.20 I'm trying to understand if this behavior is specific to the BIND release that I'm running (should be the latest available on CentOS 5) and what's triggering it. Increasing debug logging to 90 doesn't tell me what's wrong with the reply BIND gets from the Microsoft DNS. # dig @ns1.msft.net. partners.extranet.microsoft.com ns [...] If some other members of this mailing list also see the same FORMERR (I'm seeing it over IPv4+IPv6), that is is very likely a firewall or middlebox on the Microsoft side. I do get indeed a reply from my home connection: stanislao:~ gpaggi$ dig @ns1.msft.net. partners.extranet.microsoft.com ns ; DiG 9.6-ESV-R4-P3 @ns1.msft.net. partners.extranet.microsoft.com ns ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 37303 ;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;partners.extranet.microsoft.com. INNS ;; ANSWER SECTION: partners.extranet.microsoft.com. 3600 IN NSdns13.one.microsoft.com. partners.extranet.microsoft.com. 3600 IN NSdns11.one.microsoft.com. partners.extranet.microsoft.com. 3600 IN NSdns12.one.microsoft.com. partners.extranet.microsoft.com. 3600 IN NSdns10.one.microsoft.com. ;; ADDITIONAL SECTION: dns13.one.microsoft.com. 3600INA65.55.31.17 dns11.one.microsoft.com. 3600INA94.245.124.49 dns12.one.microsoft.com. 3600INA207.46.55.10 dns10.one.microsoft.com. 3600INA131.107.125.65 ;; Query time: 201 msec ;; SERVER: 65.55.37.62#53(65.55.37.62) ;; WHEN: Sun Jun 24 05:51:37 2012 ;; MSG SIZE rcvd: 197 Gabriele PS. Carsten, apologizes for the double message. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
Hello Carsten, At Men Mice I've investigated this issue a few weeks ago for one of our customers. At that point of time, we've seen NS records with private addresses: That's interesting but it still doesn't explain why BIND reports a format error in the reply it receives. The reply is nonsense but it's legit and BIND should just return it. Am I wrong? Beside that, I've been constantly getting a FORMERR reply for a week now. The issue seem to differ from the point in the network you are sending the query, and if the resolving DNS server has only IPv4 or is dual-stack (IPv4 + IPv6). It seems that the resolution is sometimes broken, but we have not found the root cause of the issue. I'm running with only IPv4. May I ask you which version of BIND are you running? Jeffry is not able to reproduce the issue using BIND 9.9.1-P1 and I might consider an upgrade. We've also informed Microsoft about the issue. I know what the answer is but I'll ask anyway: did you ever get a reply / acknowledgement from them? Thanks! Gabriele ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding cause of DNS format error (FORMERR)
Hello Jeffry, FWIW I'm not able to reproduce this using a BIND 9.9.1-P1 recursive resolver. On this system dig @localhost vlasext.partners.extranet.microsoft.com a returns the answer 70.42.230.20 and identifies dns11.one.microsoft.com (94.245.124.49) as one of four authoritative servers. dig @94.245.124.49 vlasext.partners.extranet.microsoft.com a also returns the answer 70.42.230.20, but no authority or additional records (except EDNS UDP 4000), and with no AA flag set. On the contrary querying one of my own authoritative servers, also running BIND 9.9.1-P1, for a record for which it is authoritative (dig @ns2.countryday.net countryday.net a) does return the answer along with authority and additional records for the name servers and does have the AA flag set. Finally querying one of my internal Microsoft DNS servers (Windows Server 2008 R2 SP1) for a record for which it is authoritative gives me a correct answer, no authority or additional records (except EDNS UDP 4000), but does have the AA flag set. Thanks. At least I know an upgrade would fix the issue although I still don't know what and where the problem is (Microsoft DNS reply? BIND?). From what I observed I would conclude that dns11.one.microsoft.com is a Windows DNS server since it behaves like mine except for the AA flag not being set in theirs. The missing AA flag and lack of authority and additional records in their response seems like improper behavior to me, but I don't know whether or not the DNS protocol actually requires this. Apparently BIND 9.9.1-P1 is able to handle this situation. I kind of assumed Microsoft would have been running a Windows DNS for their domains ;-) Gabriele ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users