FORMERR resolving AAAA/IN records

Michael Milligan milli at acmeps.com
Mon Mar 30 16:35:16 UTC 2009


Very curious...

That server (cpns01.secureserver.net) is claiming authority for the root
zone, so it's just plain a bad actor.  Into my blackhole list it goes,
along with its friends...

$ dig @216.69.185.38 +norec any .

; <<>> DiG 9.6.0-P1 <<>> @216.69.185.38 +norec any .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50807
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      ANY

;; ANSWER SECTION:
.                       86400   IN      SOA     cpns01.secureserver.net. dns.jomax.net. 20080922 28800 7200 604800 86400
.                       3600    IN      NS      cpns01.secureserver.net.
.                       3600    IN      NS      cpns02.secureserver.net.
.                       3600    IN      MX      0 smtp.secureserver.net.
.                       3600    IN      MX      10 mailstore1.secureserver.net.

;; Query time: 96 msec
;; SERVER: 216.69.185.38#53(216.69.185.38)
;; WHEN: Mon Mar 30 10:30:38 2009
;; MSG SIZE  rcvd: 187


Mark Andrews wrote:
> In message <20090326141903.19179175A0 at britaine.cis.anl.gov>, b19141 at anl.gov writes:
>> Oliver Henriot <Oliver.Henriot at imag.fr> wrote:
>>
>> dnsserver% !! AAAA
>> dig auniarael.com @216.69.185.38 AAAA
>>
>> ; <<>> DiG 8.3 <<>> auniarael.com @216.69.185.38 AAAA 
>> ; (1 server found)
>> ;; res options: init recurs defnam dnsrch
>> ;; got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
>> ;; QUERY SECTION:
>> ;;      auniarael.com, type = AAAA, class = IN
>>
>> ;; AUTHORITY SECTION:
>> .                       1D IN SOA       cpns01.secureserver.net. dns.jomax.net. (
>>                                         20080922        ; serial
>>                                         8H              ; refresh
>>                                         2H              ; retry
>>                                         1W              ; expiry
>>                                         1D )            ; minimum
>>
>> auniarael.com.          1H IN NS        cpns01.secureserver.net.
>> auniarael.com.          1H IN NS        cpns02.secureserver.net.
>>
>> ;; Total query time: 62 msec
>> ;; FROM: dnsserver.anl.gov to SERVER: 216.69.185.38  216.69.185.38
>> ;; WHEN: Thu Mar 26 09:06:02 2009
>> ;; MSG SIZE  sent: 31  rcvd: 157
> 
> 	Note this answer is internally self inconsistent.  AA=1
> 	which indicates the answer is authoritative yet the authority
> 	section contains SOA and NS RRsets with different owners
> 	with the SOA being higher in the namespace than the NS
> 	RRset.
> 
> 	Even if AA=0 it would still be self inconsistent and the
> 	relationship between the SOA and NS RRsets is impossible
> 	in a well formed response.
> 
> 	Mark
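
The consistency check described in the quoted reply above, as an added example that is not part of the original thread: it flags an AUTHORITY section whose SOA owner sits above the NS owner, and an authoritative answer carrying a root-zone SOA. The function names and the one-record-per-line input format are assumptions; the sample records are constructed from the dig output quoted above.

```python
"""Added example: check a DNS response's AUTHORITY section for the
inconsistency described in this thread (SOA owner above the NS owner)."""

def labels(name):
    # Absolute name -> list of lower-cased labels; the root "." -> [].
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_strict_ancestor(parent, child):
    # True when `parent` is higher in the namespace than `child`.
    p, c = labels(parent), labels(child)
    return len(p) < len(c) and c[len(c) - len(p):] == p

def parse_rrs(text):
    # "owner ttl class type rdata..." per line -> [(owner, type)]; skips comments.
    rrs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith(";"):
            rrs.append((fields[0].lower(), fields[3].upper()))
    return rrs

def authority_problems(authority_text, aa_flag, server_is_root=False):
    rrs = parse_rrs(authority_text)
    soa_owners = sorted({o for o, t in rrs if t == "SOA"})
    ns_owners = sorted({o for o, t in rrs if t == "NS"})
    problems = []
    for soa in soa_owners:
        # A non-root server answering with AA=1 and a root SOA claims the root zone.
        if aa_flag and soa == "." and not server_is_root:
            problems.append("AA=1 with SOA owned by the root zone")
        # SOA and NS RRsets with different owners, SOA higher in the namespace.
        for ns in ns_owners:
            if is_strict_ancestor(soa, ns):
                problems.append(f"SOA owner {soa} is above NS owner {ns}")
    return problems

# Constructed sample: the AUTHORITY section quoted above, one record per line.
SAMPLE = """\
.              1D IN SOA cpns01.secureserver.net. dns.jomax.net. 20080922 8H 2H 1W 1D
auniarael.com. 1H IN NS  cpns01.secureserver.net.
auniarael.com. 1H IN NS  cpns02.secureserver.net.
"""
# Constructed well-formed negative answer for comparison (hypothetical zone).
GOOD = "example.com. 1H IN SOA ns1.example.com. hostmaster.example.com. 1 8H 2H 1W 1D\n"

if __name__ == "__main__":
    for problem in authority_problems(SAMPLE, aa_flag=True):
        print("malformed:", problem)
```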




