

To: Mats Dufberg <dufberg@nic-se.se>
CC: dnsop@cafax.se
From: "Eric A. Hall" <ehall@ehsco.com>
Date: Tue, 03 Apr 2001 11:54:17 -0700
Sender: owner-dnsop@cafax.se
Subject: Re: Strange behavior from resolvers?


Sorry, responded to the wrong message before.

> If I recursively through a resolver (bind 8.2.2, 8.2.3. or 9.1.0) send
> the request
> 
> ns1.obol-net.net. MX ?
> 
> the response is SERVFAIL. When I direct the request directly to the
> servers I see no problem with the response.

The stub resolver is just displaying the answer that it gets back from
whatever server it queried.

When the resolver queries a BIND (8.1->?) server, it displays the answer
that BIND returns. BIND sees this particular response as a malformed
NODATA response, which it treats as a referral. When the referrals fail
the proper response is to return SERVFAIL, since none of the auth servers
were able to answer the query.

RFC 2308, 2.2 - No Data

  NODATA is indicated by an answer with the RCODE set to NOERROR and no
  relevant answers in the answer section.  The authority section will
  contain an SOA record, or there will be no NS records there.

Your auth servers are returning NS RRs in the auth section. BIND sees this
response format as a referral and tries to query the listed servers. 

When your resolver queries the original auth servers, they are just
returning NODATA/NOERROR, but the resolver doesn't have the smarts from
RFC-2308 to parse the response and restart the query (iteratively). It's
just a dumb stub so it just prints the answer it got.

You will have to fix your auth servers so that they return a properly
formatted NODATA response if you want them to interoperate with
2308-compliant DNS servers in the query path.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
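
An added example, not part of the original message: a minimal parser that classifies a raw DNS response by the RFC 2308 section 2.2 wording quoted above, showing why NS records without an SOA in the authority section read as a referral. The names under example.net, the helper functions and both sample messages are constructed for illustration.

```python
import struct

NOERROR, NS, SOA, MX = 0, 2, 6, 15

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def classify(msg):
    """Classify a raw DNS response using the RFC 2308 2.2 wording quoted above."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    sections = []
    for count in (an, ns):              # answer section, then authority section
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    answer, authority = sections
    if flags & 0x000F != NOERROR:
        return "error"
    if answer:                          # simplification: any answer RR counts as relevant
        return "answer"
    if SOA in authority or NS not in authority:
        return "nodata"
    return "referral"                   # NS without SOA: followed as a delegation

def name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"

def response(authority):
    """Constructed sample: NOERROR reply to 'ns1.example.net MX' with an empty answer."""
    msg = struct.pack("!6H", 0x1234, 0x8400, 1, 0, len(authority), 0)
    msg += name("ns1.example.net") + struct.pack("!HH", MX, 1)
    for rtype, rdata in authority:      # owner = pointer to 'example.net' at offset 16
        msg += b"\xc0\x10" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

SOA_RDATA = name("ns1.example.net") + name("hostmaster.example.net") + struct.pack("!5I", 1, 2, 3, 4, 5)
AS_SERVED = response([(NS, name("ns1.example.net")), (NS, name("ns2.example.net"))])
FIXED = response([(SOA, SOA_RDATA)])
```

`classify(AS_SERVED)` yields `"referral"` and `classify(FIXED)` yields `"nodata"`; an empty authority section also classifies as `"nodata"`.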
