Minor "query (cache) denied" Logging Bug?

bsfinkel at anl.gov bsfinkel at anl.gov
Wed Apr 1 15:27:10 UTC 2009


I have a name server that is authoritative for the zone

     tlh.fl.us.

In that zone is a record

     freenet.tlh.fl.us.  IN  CNAME   tfn.net.

My server is not authoritative for tfn.net.

Some external client sends a request:

     What is the MX for freenet.tlh.fl.us.?

My server responds (this is from a snoop trace):

     DNS:  Response ID = 61546
     DNS:  AA (Authoritative Answer)
     DNS:  Response Code: 0 (OK)
     DNS:  Reply to 1 question(s)
     DNS:      Domain Name: freenet.tlh.fl.us.
     DNS:      Class: 1 (Internet)
     DNS:      Type:  15 (Mail Exchange)
     DNS:
     DNS:  1 answer(s)
     DNS:      Domain Name: freenet.tlh.fl.us.
     DNS:      Class: 1 (Internet)
     DNS:      Type:  5 (Canonical Name)
     DNS:      TTL (Time To Live): 86400
     DNS:      Canonical Name: tfn.net.
     DNS:
     DNS:  0 name server resource(s)
     DNS:  0 additional record(s)

This is a correct answer.  Note that there are neither authority nor
additional sections.  But I also see in /var/adm/messages:

     Apr  1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
       client 217.232.216.120#10000:
       query (cache) 'tfn.net/MX/IN' denied

I assume that in the process of getting more information about

     tfn.net

to give the authority section and the additional section (this is from
a query I made to an internal BIND server, where queries are not
denied):

     ;; AUTHORITY SECTION:
     tfn.net.                1d23h59m59s IN NS  ns92.worldnic.com.
     tfn.net.                1d23h59m59s IN NS  ns91.worldnic.com.

     ;; ADDITIONAL SECTION:
     freenet.tfn.net.        2H IN A         199.44.235.10
     ns91.worldnic.com.      1d6h26m5s IN A  205.178.190.46
     ns92.worldnic.com.      1d6h26m5s IN A  205.178.144.46

BIND 9.6.0-P1 determines that although it may have this information
about tfn.net in its cache, it cannot give the information to the
requester because I have not configured BIND to allow external users
to query the cache.  If BIND did not have the information about tfn.net
in its cache, would it go and retrieve the information and then
decide that it was unable to give the cached information to the
requester?

Should the "query (cache) denied" message be produced?  We were
confused because we did not see any queries for tfn.net in the
named.querylog file, where we log all DNS queries.  I had to run a
snoop trace to see what was happening.

In this case, should BIND give the information about tfn.net in its
cache back to the requester?
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
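
A triage sketch for the situation described in this message, added here as an example and not part of the original post or of BIND: it pairs each "query (cache) ... denied" entry with the querylog entries from the same client address and port, and labels the denial as derived when that client never asked for the denied name itself. The querylog line layout, the function names and the second client (192.0.2.55) are assumptions, and the sample lines are constructed.

```python
import re

# The "denied" line shape is taken from the message; the querylog shape is an assumption.
CLIENT = r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+):\s+"
DENIED_RE = re.compile(CLIENT + r"query \(cache\) '(?P<name>[^/']+)/(?P<type>\w+)/\w+' denied")
QUERY_RE = re.compile(CLIENT + r"query: (?P<name>\S+) \w+ (?P<type>\w+)")

def _norm(name):
    return name.rstrip(".").lower()

def parse_queries(lines):
    """Map (ip, port) -> list of (name, type) that the client itself asked for."""
    asked = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            asked.setdefault((m["ip"], m["port"]), []).append((_norm(m["name"]), m["type"]))
    return asked

def classify_denials(syslog_lines, querylog_lines):
    """Label each cache denial as direct, derived or unmatched."""
    asked = parse_queries(querylog_lines)
    results = []
    for line in syslog_lines:
        m = DENIED_RE.search(line)
        if not m:
            continue
        denied = (_norm(m["name"]), m["type"])
        seen = asked.get((m["ip"], m["port"]), [])
        if denied in seen:
            verdict, question = "direct", denied      # client asked for this name itself
        elif seen:
            verdict, question = "derived", seen[-1]   # e.g. the target of a CNAME it asked about
        else:
            verdict, question = "unmatched", None     # no querylog entry for this client/port
        results.append({"client": m["ip"], "denied": denied,
                        "verdict": verdict, "question": question})
    return results

# Constructed sample input: the first denial reuses the entry quoted in the message.
SYSLOG = [
    "Apr  1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info] "
    "client 217.232.216.120#10000: query (cache) 'tfn.net/MX/IN' denied",
    "Apr  1 09:10:02 thor.it.anl.gov named[171]: [ID 873579 daemon.info] "
    "client 192.0.2.55#40123: query (cache) 'example.org/A/IN' denied",
]
QUERYLOG = [
    "01-Apr-2009 09:09:14.101 client 217.232.216.120#10000: query: freenet.tlh.fl.us IN MX -",
    "01-Apr-2009 09:10:02.412 client 192.0.2.55#40123: query: example.org IN A +",
]
```

A "derived" verdict separates denials like the one in this message from clients that query the server directly for names it is not authoritative for.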


