ignoring incorrect nameservers in authority section

Torinthiel torinthiel at data.pl
Thu Dec 30 12:13:06 UTC 2010

On 2010-12-30 11:45 Torinthiel wrote:

>On 2010-12-30 18:03 pyh at mail.nsbeta.info wrote:
>>Sunil Shetye writes: 
>>> Case 2: Lame Server Reply 
>>> ===================================================================
>>> $ dig +norecurse @a.iana-servers.net. example.org.
>>> ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 
>>> ;example.org.		IN  A 
>>> example.org.	    172800  IN	A 
>>> example.org.	    172800  IN	NS  ns1.example.org.
>>> example.org.	    172800  IN	NS  ns2.example.org.
>>> =================================================================== 
>>> This is a lame server reply. bind ignores this reply. bind will give a
>>> server fail reply to the client. 
>>Would you please tell me why this is a lame server reply? why bind will 
>>give a server fail reply to the client? Thanks again a lot. 
>Because it's contrary to itself.
>You've specified norecurse, which means that if nameserver believes it has 
>authoritative data it should return it, if it doesn't it should return a 
>referral (and no answer beside it).
>But the server returns answer (which means it believes it has authoritative 
>data), but in authority section is not listed in nameservers, which states 
>it does not have authoritative data.
>To sum up:
>Question: Does the server have authoritative data?
>Answer 1: Server returns data when asked without recursion -> YES
>Answer 2: Server is not listed in authority section -> NO
>Real answer: Lame server.

And I was wrong about that one.

There are two issues with that one. First, I get a different response from 
that command. different flags (no ra but aa instead), different authority 

It's much simpler to tell if it's a 'lame nameserver response' although it 
can't be judged by a single query.
Let's say that nameservers for .org domain (there are a lot of them), when 
asked for example.org give a.iana-servers.net and b.iana-servers.net (which 
is true, and by itself nothing special). 
Then let's assume (which is not true, but a good example) that 
a.iana-servers.net when asked for www.example.org gives something (doesn't 
matter if a true answer, or missing record, or anything), but with 'aa' flag 
not set. This, by itself, is still nothing special, no server is required to 
know everything.
But from those two answers you have a contradiction, and this contradiction 
is a real lame nameserver issue. .org servers delegate answers to 
a.iana-servers.net, and a.iana-servers.net fails to deliver authoritative 
response. So the delegation is in fact incorrect.
Fortunately, a.iana-servers.net does not behave the way I've described here 
and does set 'aa' flag in its response.

Hope this clears up the issue a bit, and reduces misinformation caused by my 
previous answer.
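
The two-query check described in this message, as an added example that is not part of the original post and not code from BIND: it decodes the header flags of each delegated server's reply and reports a server as lame when the parent delegates to it but its non-recursive reply lacks 'aa'. The function names and the reply bytes are constructed for illustration (the lame reply mirrors the post's hypothetical, not real behaviour of a.iana-servers.net), and the query name is assumed to lie in the delegated zone itself rather than in a further-delegated child zone.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, 4.1.1).
QR, AA, RA = 0x8000, 0x0400, 0x0080

def parse_header(message: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a raw message."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", message[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & 0xF,
            "ancount": an, "nscount": ns}

def check_delegation(delegated_ns, replies):
    """Compare the parent's NS set with each server's own reply.

    delegated_ns: names the parent zone handed out for the child zone.
    replies: name -> raw reply to a non-recursive query, or None.
    Returns name -> "authoritative", "lame" or "unknown".
    """
    verdicts = {}
    for name in delegated_ns:
        raw = replies.get(name)
        if raw is None:
            verdicts[name] = "unknown"      # no reply: cannot be judged
            continue
        hdr = parse_header(raw)
        if not hdr["qr"]:
            verdicts[name] = "unknown"      # not a response at all
        elif hdr["aa"]:
            verdicts[name] = "authoritative"
        else:
            verdicts[name] = "lame"         # delegated to, but no aa
    return verdicts

def make_header(flags, ancount=0, nscount=0):
    """Build a constructed 12-byte header (id 0x1234, one question)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, nscount, 0)

# Constructed replies mirroring the post's hypothetical, not captured traffic.
SAMPLE_NS = ["a.iana-servers.net.", "b.iana-servers.net."]
SAMPLE_REPLIES = {
    "a.iana-servers.net.": make_header(QR | RA, ancount=1),   # qr ra, no aa
    "b.iana-servers.net.": make_header(QR | AA, ancount=1),   # qr aa
}

if __name__ == "__main__":
    for name, verdict in check_delegation(SAMPLE_NS, SAMPLE_REPLIES).items():
        print(f"{name:24} {verdict}")
```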

