Intermittent NXDOMAIN, (possibly) Bind or PowerDNS problem?

Mark Andrews marka at isc.org
Fri Feb 5 06:47:33 UTC 2010


In message <260066.10841.qm at web63105.mail.re1.yahoo.com>, Ian B writes:
> Hi All,
> 
> I found a post on this list from July 2009 with the subject:
> "Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS problem?"
> 
> https://lists.isc.org/pipermail/bind-users/2009-July/077045.html
> 
> I'm having exactly the same issue but with hostname dreamteam.afl.com.au
> 
> A sample dig is as follows:
> 
> $ dig dreamteam.afl.com.au 
> 
> ; <<>> DiG 9.3.4-P1 <<>> dreamteam.afl.com.au
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22236
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;dreamteam.afl.com.au.		IN	A
> 
> ;; ANSWER SECTION:
> dreamteam.afl.com.au.	30	IN	CNAME	afl.virtualsports.com.au.
> 
> ;; AUTHORITY SECTION:
> com.au.			60	IN	SOA	stl-bpc-gslb1500-1.bigpond.com. hostmaster.stl-bpc-gslb1500-1.bigpond.com. 4 10800 3600 604800 60
> 
> ;; Query time: 53 msec
> ;; SERVER: 203.161.127.1#53(203.161.127.1)
> ;; WHEN: Fri Feb  5 11:29:24 2010
> ;; MSG SIZE  rcvd: 147
> 
> 
> My understanding of the issue is that the authoritative nameserver for
> dreamteam.afl.com.au is returning the incorrect data in the 'AUTHORITY SECTION'
> causing PowerDNS to act unpredictably. Other DNS recursors may not have an issue
> with this, as they overlook the error. Is that a correct understanding?

It looks like the two bigpond servers have been configured to serve
an unofficial version of COM.AU.  Normal query processing then causes
the servers to find the unofficial version of COM.AU and return
NXDOMAIN rather than a referral as they should.  This is hard to
avoid unless the normal query process rules are changed to not
re-start the query after following a CNAME for a non-recursive query
or only follow a CNAME if the target is in the same zone as the
owner of the CNAME.

The incorrect answer is then accepted and the cache is poisoned.

One would think however that Telstra would have locked COM.AU out
in the automatic provisioning systems for these servers as adding
it can only be for nefarious purposes.  Similarly any other
infrastructure zones.

Mark

> Thanks,
> Ian.
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
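
Added example, not part of the original message or of BIND or PowerDNS code: one way a resolver or a monitoring script can apply a bailiwick check so that an NXDOMAIN carried alongside an out-of-zone CNAME target is not cached. The function names, the dict layout and the assumption that the queried servers were delegated `afl.com.au` are hypothetical; the sample records are constructed from the dig output quoted above.

```python
# Added illustration; sample data is constructed from the dig output above.

def norm(name):
    return name.rstrip(".").lower()

def in_zone(name, zone):
    """True if name is at or below zone."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def vet_response(qname, bailiwick, resp):
    """Return (verdict, requery_name, dropped_authority_records)."""
    cnames = {norm(r["name"]): norm(r["data"])
              for r in resp["answer"] if r["type"] == "CNAME"}
    owner, seen = norm(qname), set()
    # Accept a CNAME only while its owner is inside the server's bailiwick.
    while owner in cnames and in_zone(owner, bailiwick) and owner not in seen:
        seen.add(owner)
        owner = cnames[owner]
    dropped, soa_covers = [], False
    for r in resp["authority"]:
        if not in_zone(r["name"], bailiwick):
            dropped.append(r)  # e.g. an SOA claiming a parent zone
        elif r["type"] == "SOA" and in_zone(owner, r["name"]):
            soa_covers = True
    if not in_zone(owner, bailiwick):
        # The rcode describes a name this server was never delegated:
        # ignore it and resolve the CNAME target from the root instead.
        return "REQUERY", owner, dropped
    if resp["rcode"] == "NXDOMAIN" and not soa_covers:
        return "UNVERIFIED", None, dropped
    return resp["rcode"], None, dropped

# Constructed from the quoted response; delegation point is an assumption.
SAMPLE = {
    "rcode": "NXDOMAIN",
    "answer": [{"name": "dreamteam.afl.com.au.", "type": "CNAME",
                "data": "afl.virtualsports.com.au."}],
    "authority": [{"name": "com.au.", "type": "SOA",
                   "data": "stl-bpc-gslb1500-1.bigpond.com. "
                           "hostmaster.stl-bpc-gslb1500-1.bigpond.com. "
                           "4 10800 3600 604800 60"}],
}

if __name__ == "__main__":
    print(vet_response("dreamteam.afl.com.au", "afl.com.au", SAMPLE))
```
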


