FORMERR resolving AAAA/IN records
Michael Milligan
milli at acmeps.com
Mon Mar 30 16:35:16 UTC 2009
Very curious...
That server (cpns01.secureserver.net) is claiming authority for the root
zone, so it's just plain a bad actor. Into my blackhole list it goes,
along with its friends...
$ dig @216.69.185.38 +norec any .
; <<>> DiG 9.6.0-P1 <<>> @216.69.185.38 +norec any .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50807
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN ANY
;; ANSWER SECTION:
. 86400 IN SOA cpns01.secureserver.net. dns.jomax.net. 20080922 28800 7200 604800 86400
. 3600 IN NS cpns01.secureserver.net.
. 3600 IN NS cpns02.secureserver.net.
. 3600 IN MX 0 smtp.secureserver.net.
. 3600 IN MX 10 mailstore1.secureserver.net.
;; Query time: 96 msec
;; SERVER: 216.69.185.38#53(216.69.185.38)
;; WHEN: Mon Mar 30 10:30:38 2009
;; MSG SIZE rcvd: 187
Mark Andrews wrote:
> In message <20090326141903.19179175A0 at britaine.cis.anl.gov>, b19141 at anl.gov writes:
>> Oliver Henriot <Oliver.Henriot at imag.fr> wrote:
>>
>> dnsserver% !! AAAA
>> dig auniarael.com @216.69.185.38 AAAA
>>
>> ; <<>> DiG 8.3 <<>> auniarael.com @216.69.185.38 AAAA
>> ; (1 server found)
>> ;; res options: init recurs defnam dnsrch
>> ;; got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
>> ;; QUERY SECTION:
>> ;; auniarael.com, type = AAAA, class = IN
>>
>> ;; AUTHORITY SECTION:
>> . 1D IN SOA cpns01.secureserver.net. dns.jomax.net. (
>> 20080922 ; serial
>> 8H ; refresh
>> 2H ; retry
>> 1W ; expiry
>> 1D ) ; minimum
>>
>> auniarael.com. 1H IN NS cpns01.secureserver.net.
>> auniarael.com. 1H IN NS cpns02.secureserver.net.
>>
>> ;; Total query time: 62 msec
>> ;; FROM: dnsserver.anl.gov to SERVER: 216.69.185.38 216.69.185.38
>> ;; WHEN: Thu Mar 26 09:06:02 2009
>> ;; MSG SIZE sent: 31 rcvd: 157
>
> Note this answer is internally self-inconsistent. AA=1
> which indicates the answer is authoritative yet the authority
> section contains SOA and NS RRsets with different owners
> with the SOA being higher in the namespace than the NS
> RRset.
>
> Even if AA=0 it would still be self-inconsistent and the
> relationship between the SOA and NS RRsets is impossible
> in a well formed response.
>
> Mark
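
The inconsistency described in the quoted reply (SOA and NS RRsets in one authority section with different owners, the SOA higher in the namespace) can be checked mechanically. The following is an added example, not code from this thread or from BIND; the function names are hypothetical and the sample input is constructed from the quoted dig output with the multi-line SOA flattened onto one line.

```python
import re

# Matches "owner TTL IN SOA|NS rdata" lines in dig presentation format.
RR = re.compile(r"^(\S+)\s+\S+\s+IN\s+(SOA|NS)\s", re.I)

# Constructed sample: authority section from the quoted response.
SAMPLE_AUTHORITY = """\
;; AUTHORITY SECTION:
. 1D IN SOA cpns01.secureserver.net. dns.jomax.net. 20080922 8H 2H 1W 1D
auniarael.com. 1H IN NS cpns01.secureserver.net.
auniarael.com. 1H IN NS cpns02.secureserver.net.
"""

def labels(name):
    """Split a domain name into lowercase labels; the root '.' is []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_above(a, b):
    """True when name a is a strict ancestor of name b in the DNS tree."""
    la, lb = labels(a), labels(b)
    return len(la) < len(lb) and lb[len(lb) - len(la):] == la

def authority_owners(section):
    """Collect the owner names of SOA and NS records in a section."""
    owners = {"SOA": set(), "NS": set()}
    for line in section.splitlines():
        m = RR.match(line.strip())
        if m:
            name = ".".join(labels(m.group(1))) + "."
            owners[m.group(2).upper()].add(name)
    return owners

def check_authority(section):
    """Return (kind, soa_owner, ns_owner) for every SOA/NS owner pair
    that differs; 'soa-above-ns' marks the case from the quoted reply."""
    owners = authority_owners(section)
    findings = []
    for soa in sorted(owners["SOA"]):
        for ns in sorted(owners["NS"]):
            if soa != ns:
                kind = ("soa-above-ns" if is_above(soa, ns)
                        else "soa-ns-owner-mismatch")
                findings.append((kind, soa, ns))
    return findings

if __name__ == "__main__":
    for finding in check_authority(SAMPLE_AUTHORITY):
        print(finding)
```
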