correct response for blocked queries?

Kevin Darcy kcd at daimlerchrysler.com
Mon Oct 31 21:49:33 UTC 2005


aklist_bind at enigmedia.com wrote:

>Hi All:
>
>Bit of a newbie question...I'm just testing my setup on my 9.2.3 server 
>running Fedora Core2. Recursion is not allowed from outside my "local" zone. 
>Everything is working well.
>
>When I dig the server (from outside my "local" network) for a 
>non-authoritative domain, the response is:
>
>10/31/05 10:23:29 dig lpgk.com @ ns.enigmedia.com
>Dig lpgk.com at ns.enigmedia.com (207.158.46.200) ...
>Non-authoritative answer
> Query for lpgk.com type=255 class=1
>Malformed name in RR
>
>
>Just checking that this is the correct non-authoritative response?
>
>FWIW, it's providing the correct response for domains for which it is 
>authoritative.
>
>Is the "malformed name" the RFC-appropriate response for a blocked recursive 
>query?
>
It's not clear exactly what syntax you're using for that "dig" command. 
Is it "space-at-space" before the target nameserver name, or no spaces 
at all? Neither syntax is correct for "dig"; it needs to be "space-at", 
then nameserver name (or address).

What you *should* be getting if you query a pure non-recursing BIND 
server for a zone which it does not host, is a referral to the 
closest enclosing zone that it does host (e.g. if it hosts example.com 
but not foo.bar.example.com, or bar.example.com, then you'll get a 
referral to example.com), or, if it does not host any zones in the 
entire delegation chain, a referral to the root zone, e.g.

% dig lpgk.com @ns.enigmedia.com

; <<>> DiG 9.2.2rc1 <<>> lpgk.com @ns.enigmedia.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26398
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;lpgk.com.                      IN      A

;; AUTHORITY SECTION:
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.

;; Query time: 72 msec
;; SERVER: 207.158.46.200#53(ns.enigmedia.com)
;; WHEN: Mon Oct 31 16:45:16 2005
;; MSG SIZE  rcvd: 237

                                                                         
                                                - Kevin
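
The check described in the reply above, as an added example that is not part of the original post: a small Python classifier for dig output that tells an upward referral apart from a response where recursion was offered. The sample outputs are constructed (the first is modelled on the dig output quoted above), and the function name and result labels are illustrative assumptions.

```python
import re

# Constructed sample, modelled on the dig output quoted in the post.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26398
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;lpgk.com.                      IN      A

;; AUTHORITY SECTION:
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
"""

# Constructed sample: the server recursed for the client (ra flag, answer present).
RECURSED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.test.           300     IN      A       192.0.2.10
"""

def classify(dig_output):
    """Classify dig output for a name in a zone the queried server does not host."""
    status = re.search(r"status: (\w+)", dig_output).group(1)
    flags = re.search(r"flags: ([a-z ]*);", dig_output).group(1).split()
    counts = {k: int(v) for k, v in
              re.findall(r"(ANSWER|AUTHORITY): (\d+)", dig_output)}
    # Owner names of NS records in the authority section: where the referral points.
    _, _, authority = dig_output.partition(";; AUTHORITY SECTION:")
    owners = set(re.findall(r"^(\S+)\s+\d+\s+IN\s+NS\s", authority, re.M))
    if status == "REFUSED":
        return "refused"
    if "ra" in flags:
        return "recursion-available"   # recursion is offered to this client
    if status == "NOERROR" and counts["ANSWER"] == 0 and owners:
        return "root-referral" if owners == {"."} else "referral"
    return "other"

if __name__ == "__main__":
    for name, text in (("REFERRAL", REFERRAL), ("RECURSED", RECURSED)):
        print(name, "->", classify(text))
```

Run from outside the "local" network, a result of "recursion-available" for a zone the server does not host means the recursion restriction is not being applied to that client.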




