Minor "query (cache) denied" Logging Bug?
bsfinkel at anl.gov
bsfinkel at anl.gov
Wed Apr 1 15:27:10 UTC 2009
I have a name server that is authoritative for the zone
tlh.fl.us.
In that zone is a record
freenet.tlh.fl.us. IN CNAME tfn.net.
My server is not authoritative for tfn.net.
Some external client sends a request:
What is the MX for freenet.tlh.fl.us.?
My server responds (this is from a snoop trace):
DNS: Response ID = 61546
DNS: AA (Authoritative Answer)
DNS: Response Code: 0 (OK)
DNS: Reply to 1 question(s)
DNS: Domain Name: freenet.tlh.fl.us.
DNS: Class: 1 (Internet)
DNS: Type: 15 (Mail Exchange)
DNS:
DNS: 1 answer(s)
DNS: Domain Name: freenet.tlh.fl.us.
DNS: Class: 1 (Internet)
DNS: Type: 5 (Canonical Name)
DNS: TTL (Time To Live): 86400
DNS: Canonical Name: tfn.net.
DNS:
DNS: 0 name server resource(s)
DNS: 0 additional record(s)
This is a correct answer. Note that there are no authority nor
additional sections. But I also see in /var/adm/messages:
Apr 1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
client 217.232.216.120#10000:
query (cache) 'tfn.net/MX/IN' denied
I assume that in the process of getting more information about
tfn.net
to give the authority section and the additional section (this is from
an query I made to an internal BIND server, where queries are not
denied):
;; AUTHORITY SECTION:
tfn.net. 1d23h59m59s IN NS ns92.worldnic.com.
tfn.net. 1d23h59m59s IN NS ns91.worldnic.com.
;; ADDITIONAL SECTION:
freenet.tfn.net. 2H IN A 199.44.235.10
ns91.worldnic.com. 1d6h26m5s IN A 205.178.190.46
ns92.worldnic.com. 1d6h26m5s IN A 205.178.144.46
BIND 9.6.0-P1 determines that although it may have this information
about tfn.net in its cache, it cannot give the information to the
requester because I have not configured BIND to allow external users
to query the cache. If BIND did not have the information about tfn.net
in its cache, would it go and retrieve the information and then
decide that it was unable to give the cached information to the
requester?
Should the "query (cache) denied" message be produced? We were
confused because we did not see any queries for tfn.net in the
named.querylog file, where we log all DNS queries. I had to run a
snoop trace to see what was happening.
In this case, should BIND give the information about tfn.net in its
cache back to the requester?
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
More information about the bind-users
mailing list