lb.msnbc.com and BIND oddities (ipv6 interaction?)

Mark_Andrews at isc.org Mark_Andrews at isc.org
Tue Oct 8 05:17:54 UTC 2002 

> >From a box running 8.3.3-REL-NOESW (as bundled with netbsd nearly-1.6), 
> I am having frequent problems resolving www.msnbc.com.
> 
> www is a cname to lb, lb has its own nameserver that returns a single 
> IP with a short TTL.
> 
> >From a dump I see:
> 
> $ORIGIN msnbc.com.
> lb      890     IN      NS      cpns01.msnbc.com.       ;Cr=addtnl LAME=590 [
> 65.54.248.222]
> cpns01  890     IN      A       207.46.150.10   ;NT=39 Cr=addtnl [65.54.248.2
> 22]
> www     890     IN      CNAME   lb.msnbc.com.   ;Cr=auth [213.199.144.151]
> 
> So BIND is thinking cpns01 is lame for the lb.msnbc.com 
> zone, and refusing to use it:
> 
> Oct  7 21:19:40 rhombus named[4646]: ns_forw: query(lb.msnbc.com) All possibl
> e A RR's lame
> 
> It is lame in that if you ask it for ns records for lb.msnbc.com
> it returns a non-authoritative answer:
> 
> ; <<>> DiG 8.3 <<>> lb.msnbc.com ns @cpns01.msnbc.com 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUERY SECTION:
> ;;      lb.msnbc.com, type = NS, class = IN
> 
> ;; ANSWER SECTION:
> lb.msnbc.com.           13m2s IN NS     cpns01.msnbc.com.
> 
> ;; ADDITIONAL SECTION:
> cpns01.msnbc.com.       10m41s IN A     207.46.150.10
> 
> ;; Total query time: 96 msec
> ;; FROM: rhombus.znep.com to SERVER: cpns01.msnbc.com  207.46.150.10
> ;; WHEN: Mon Oct  7 21:15:30 2002
> ;; MSG SIZE  sent: 30  rcvd: 67
> 
> 
> ...but it does return an authoritative answer when you ask for an A record
> for lb.msnbc.com.
> 
> And, umh... the client making the query seems to be getting some odd 
> responses:
> 
> 21:24:53.272641 10.66.66.11.2280 > 10.66.66.5.53:  47021+ AAAA? www.msnbc.com
> . (31)
> 21:24:53.276682 10.66.66.5.53 > 10.66.66.11.2280:  47021 ServFail 1/0/0 CNAME
>  lb.msnbc.com. (48)
> 21:24:53.332388 10.66.66.11.2282 > 10.66.66.5.53:  47023+ A? www.msnbc.com. (
> 31)
> 21:24:53.336470 10.66.66.5.53 > 10.66.66.11.2282:  47023 ServFail 1/0/0 CNAME
>  lb.msnbc.com. (48)
> 
> Umh, why is bind sending a servfail, and with a cname?  The client then
> doesn't make any further queries for lb.msnbc.com since it got a servfail.
> 10.66.66.5 is the server with BIND, .11 is a 4.7 freebsd box.

	Because it is lb.msnbc.com that it is SERVFAILing on.
 
> The BIND server to lb.msnbc.com:
> 
> 21:32:46.914959 216.39.145.194.63607 > 207.46.150.10.53:  31378 [1au] AAAA? l
> b.msnbc.com. (41)
> 21:32:46.963821 207.46.150.10.53 > 216.39.145.194.63607:  31378 FormErr [0q] 
> 0/0/0 (12)
> 21:32:46.965601 216.39.145.194.63607 > 207.46.150.10.53:  31378 AAAA? lb.msnb
> c.com. (30)
> 21:32:47.014083 207.46.150.10.53 > 216.39.145.194.63607:  31378 0/1/1 (67)
> 
> 
> And it works if I change the client so it isn't making any AAAA queries:
> 
> 21:31:21.816632 216.39.145.194.63617 > 207.46.150.10.53:  7045 [1au] A? lb.ms
> nbc.com. (41)
> 21:31:21.867362 207.46.150.10.53 > 216.39.145.194.63617:  7045 FormErr [0q] 0
> /0/0 (12)
> 21:31:21.868743 216.39.145.194.63617 > 207.46.150.10.53:  7045 A? lb.msnbc.co
> m. (30)
> 21:31:21.917880 207.46.150.10.53 > 216.39.145.194.63617:  7045*- 1/0/0 A 207.
> 46.245.60 (58)
> 
> 
> Hrm.  Suggestions?  Seems like a bunch of wacky things interacting here.

	Yes.  Complain to Microsoft that the server is broken.  AAAA
	queries are *common* these days and the server should handle
	them and not return a referal.

; <<>> DiG 8.3 <<>> AAAA lb.msnbc.com @207.46.150.10 +norec 
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3273
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUERY SECTION:
;;	lb.msnbc.com, type = AAAA, class = IN

;; AUTHORITY SECTION:
lb.msnbc.com.		14m31s IN NS	cpns01.msnbc.com.

;; ADDITIONAL SECTION:
cpns01.msnbc.com.	9m29s IN A	207.46.150.10

;; Total query time: 257 msec
;; FROM: drugs.dv.isc.org to SERVER: 207.46.150.10  207.46.150.10
;; WHEN: Tue Oct  8 15:17:04 2002
;; MSG SIZE  sent: 30  rcvd: 67

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

More information about the bind-users mailing list