To:
Mats Dufberg <dufberg@nic-se.se>
CC:
namedroppers@local.reachin.com, dnsop@cafax.se, registry@OBOL-NET.NET
From:
"Eric A. Hall" <ehall@ehsco.com>
Date:
Tue, 03 Apr 2001 12:47:32 -0700
Sender:
owner-dnsop@cafax.se
Subject:
Re: Strange behavior from resolvers?
> > As Eric has just pointed out (as I was writing this), this tells
> > BIND (and DJBDNS) "I do not have this answer, but the answer can
> > be found at my nameserver".
>
> I tested a server which I think is an NT (non-bind) server, which
> permits recursion. It accepts the response from the Novell server
> without SERVFAIL:

Yeah I have an NT4 server here and it passed my tests as well. It doesn't cache the data either, which would also seem to be a valid position in this scenario. *BUT* it doesn't treat the answer like a referral (it doesn't query the other server), and that's the wrong behavior.

My guess (without having the code, and turning up no hits on "2308" in MS KB) would be that NT4's DNS server doesn't know about 2308 NODATA and that it's just returning the referral for the stub to deal with.

Win2k's DNS server returns NO ERROR -- and even caches it -- after it asks both auth servers. It appears to understand 2308 but just hands off the referral data rather than falling into SERVFAIL.

NetWare 5.1 DNS server returns SERVFAIL after trying both auth servers. It doesn't cache the data. This is all expected since NW5 DNS server is based on BIND 8.

There may be an argument to be made that BIND shouldn't fall into SERVFAIL if it gets into referral mode through authoritative NO ERROR responses. Perhaps it should return the referral to the client for additional processing or local failure (depending on the client's resolver). I will leave that to the BIND people.

--
Eric A. Hall                                      http://www.ehsco.com/
Internet Core Protocols        http://www.oreilly.com/catalog/coreprot/
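Added example (not part of the original message, and not BIND's or any vendor's code): a small Python model of the RFC 2308 section 2.2 rule for telling NODATA from a referral, and of a resolver that ends in SERVFAIL after asking both authoritative servers. The `Response` class, the `ns1.example.`/`ns2.example.` names and the NS-only authority section are assumptions constructed for illustration; the message does not show the actual packet.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    rcode: str                                      # "NOERROR", "NXDOMAIN", ...
    aa: bool = False                                # authoritative-answer bit
    answer: list = field(default_factory=list)      # RR types in the answer section
    authority: list = field(default_factory=list)   # (rrtype, rdata) pairs

def classify(resp):
    """Classify a response using the RFC 2308 section 2.2 rule."""
    if resp.rcode == "NXDOMAIN":
        return "NXDOMAIN"
    if resp.rcode != "NOERROR":
        return "ERROR"
    if resp.answer:
        return "ANSWER"
    types = {rrtype for rrtype, _ in resp.authority}
    # NODATA: SOA present, or no NS at all. NS without SOA reads as a
    # referral, and the AA bit does not change that.
    if "SOA" in types or "NS" not in types:
        return "NODATA"
    return "REFERRAL"

def resolve(servers, start):
    """Follow referrals; SERVFAIL once they only name servers already asked."""
    asked, queue = [], list(start)
    while queue:
        name = queue.pop(0)
        if name in asked or name not in servers:
            continue
        asked.append(name)
        resp = servers[name]
        kind = classify(resp)
        if kind != "REFERRAL":
            return kind, asked
        queue.extend(rd for t, rd in resp.authority if t == "NS" and rd not in asked)
    return "SERVFAIL", asked

# Constructed sample: both authoritative servers send AA + NOERROR + empty
# answer with only NS records (naming themselves) in the authority section.
NS_ONLY = [("NS", "ns1.example."), ("NS", "ns2.example.")]
ns_only = {n: Response("NOERROR", aa=True, authority=NS_ONLY) for _, n in NS_ONLY}
# The same servers with the zone SOA included in the authority section.
with_soa = {n: Response("NOERROR", aa=True, authority=[("SOA", "example.")] + NS_ONLY)
            for _, n in NS_ONLY}

if __name__ == "__main__":
    print(resolve(ns_only, ["ns1.example."]))
    print(resolve(with_soa, ["ns1.example."]))
```

With the SOA present the first server's reply is classified as NODATA and the second server is never queried, which is the negative answer a cache can store under RFC 2308.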