win2k SOA Non-Authoritative Response
James A Griffin
agriffin at cpcug.org
Wed Oct 31 20:04:47 UTC 2001
Jay Remsen wrote:
> My colleague and I currently support several Bind DNS servers and recently
> inherited a win2k DNS active directory server. While trying to integrate the
> win2k server into our DNS structure we noticed that the win2k server was
> responding to queries with what appears to be non-authoritative answers for
> things that it is the authoritative server. Looking at the packets with a
> sniffer, we see that the AA bit is set in the replies but there is not any info
> in the Authority Section of the packet. However, there is info in the
> Additional Section. DIG, NSLOOKUP and Host commands all show the replies as
> being non-authoritative even when the AA bit is set. The following is an
> example of what we are seeing.
> $ dig @192.168.40.51 soa academy.com.
> ; <<>> DiG 8.3 <<>> @192.168.40.51 soa academy.com.
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUERY SECTION:
> ;; academy.com, type = SOA, class = IN
> ;; ANSWER SECTION:
> academy.com. 1H IN SOA plato.academy.com. admin. (
> 104 ; serial
> 15M ; refresh
> 10M ; retry
> 1D ; expiry
> 1H ) ; minimum
> ;; ADDITIONAL SECTION:
> plato.academy.com. 1H IN A 192.168.40.51
> ;; Total query time: 3 msec
> ;; FROM: kotpns01 to SERVER: 192.168.40.51
> ;; WHEN: Wed Oct 31 12:47:56 2001
> Has anyone seen this before, or thinks that this is going to be a problem in a
> bind environment?
Yes, I have seen this before while 'dig'ing at Microsoft Windows 2000
servers. I concluded that it as just Microsoft's way of tyring to
achieve acceptable performance by sending a minimum useful response to a
qurery. The reply answers the query and in this case include the A RR
for the MNAME server which make sense if a query for SOA is most often a
prelude to an update.
I found no evidence that this (missing AUTHORITY SECTION:) is a problem
in a bind environment, but check the archives for information an dynamic
some 'network access devices' (e.g. 3Com ISDN LAN Modem) which have DNS
service as one of their functions also give brief answers. 126.96.36.199
is the inside interface on my LAN Modem.
[artch at sparta artch]$ dig @192.168.1.1 palis.athena.inc.
; <<>> DiG 9.2.0rc7 <<>> @192.168.1.1 palis.athena.inc.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27247
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;palis.athena.inc. IN A
;; ANSWER SECTION:
palis.athena.inc. 0 IN A 192.168.1.2
;; Query time: 20 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Oct 31 15:00:23 2001
;; MSG SIZE rcvd: 50
> Jay Remsen
> jkremsen at netusa1.net
More information about the bind-users