Understanding cause of DNS format error (FORMERR)
Carsten Strotmann (private)
cas at strotmann.de
Sun Jun 24 08:07:00 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
On 6/22/12 1:25 PM, Spain, Dr. Jeffry A. wrote:
> From what I observed I would conclude that dns11.one.microsoft.com
> is a Windows DNS server since it behaves like mine except for the
> AA flag not being set in theirs.
It might even be a new Windows 2012 DNS server, and it might be an
issue with this new version. This is just speculation, but if it is an
issue with Windows 2012 DNS, it might be good to be able to isolate
that issue soon (so that it can be fixed before Windows 2012 is released).
> The missing AA flag and lack of authority and additional records in
> their response seems like improper behavior to me, but I don't know
> whether or not the DNS protocol actually requires this. Apparently
> BIND 9.9.1-P1 is able to handle this situation.
my BIND 9.9.1-P1 showed FORMERR yesterday, but shows the same good
answers that you report today.
What is see today when I send a direct query to
dns10.one.microsoft.com. (or dns11/12/13) is that both AA
(Authoritative Answer) and AD (Authenticated Data) flags are set, but
the zone does not seem to be DNSSEC signed (no RRSIGs, no DNSKEY):
bash-3.2# dig partners.extranet.microsoft.com. IN NS
; <<>> DiG 9.9.1-P1 <<>> partners.extranet.microsoft.com. IN NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40230
;; flags: qr aa ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS
;; ANSWER SECTION:
partners.extranet.microsoft.com. 10 IN NS dns11.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns10.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns13.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns12.one.microsoft.com.
dns11.one.microsoft.com. 10 IN A 18.104.22.168
dns10.one.microsoft.com. 10 IN A 22.214.171.124
dns13.one.microsoft.com. 10 IN A 126.96.36.199
dns12.one.microsoft.com. 10 IN A 188.8.131.52
;; Query time: 37 msec
;; SERVER: 184.108.40.206#53(220.127.116.11)
;; WHEN: Sun Jun 24 10:00:54 2012
;; MSG SIZE rcvd: 228
Having AD-Flag set on an non-DNSSEC zone might be a protocol
violation, and that might be the cause of FORMERR.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the bind-users