Getting a formerr 'invalid response' for winqual.microsoft.com. but dig +trace works.

Mark Andrews marka at isc.org
Thu Feb 9 23:29:07 UTC 2012


In message <CAGyBzcyQ_LN1=bSnaAy=TO4f6AeDhmOwL0-Hs4SKvouZmM9Bcg at mail.gmail.com>
, Matt Doughty writes:
> It seems like multiple things are wrong, but I'm still trying to
> understand what part of the breakage is causing Bind to throw out the
> response with the formerr 'invalid response'.  Is this broken for
> everyone using bind 9.7 or later?  I can just forward this zone to
> HonestDNS, which happily serves up the data, and lodge a complaint
> with Microsoft to fix their servers, but I want to make sure there
> isn't something wrong somewhere in my network that is causing this
> problem.
> 
> thanks,
> 
> --Matt

It's because a few load balancer vendors don't read freely available
specifications but instead appear to reverse engineer the protocol
and get it wrong.

BIND 9.7.0 fixed a long standing of accepting glue promoted to
answer by parent nameservers.  Once we did that there was no need
to accept none "aa" answers from servers that have been listed as
being authoritative for the zone.  This allowed the resolver to
ignore broken authoritative servers.

This got relaxed in later release of BIND 9.7.

> On Wed, Feb 8, 2012 at 8:05 PM, David Miller <dmiller at tiggee.com> wrote:
> > On 2/8/2012 10:32 PM, Matt Doughty wrote:
> >>
> >> I have spend the afternoon trying to figure this out. The response I
> >> get back from their nameserver looks fine to me, and dig +trace works
> >> fine, but a regular dig returns a servfail. I have looked at the code
> >> for invalid response, but I don't quite follow what is going on there,
> >> and the comment 'responder is insane' leaves something to be desired.
> >> Any help would be appreciated here. I have included the dig +trace
> >> output below:
> >>
> >> dig +trace winqual.partners.extranet.microsoft.com.
> >>
> >> ;<<>>  DiG 9.7.0-P1<<>>  +trace 
> winqual.partners.extranet.microsoft.com.
> >> ;; global options: +cmd
> >> .                       518004  IN      NS      j.root-servers.net.
> >> .                       518004  IN      NS      e.root-servers.net.
> >> .                       518004  IN      NS      l.root-servers.net.
> >> .                       518004  IN      NS      c.root-servers.net.
> >> .                       518004  IN      NS      m.root-servers.net.
> >> .                       518004  IN      NS      d.root-servers.net.
> >> .                       518004  IN      NS      b.root-servers.net.
> >> .                       518004  IN      NS      h.root-servers.net.
> >> .                       518004  IN      NS      k.root-servers.net.
> >> .                       518004  IN      NS      a.root-servers.net.
> >> .                       518004  IN      NS      g.root-servers.net.
> >> .                       518004  IN      NS      i.root-servers.net.
> >> .                       518004  IN      NS      f.root-servers.net.
> >> ;; Received 228 bytes from 172.16.255.1#53(172.16.255.1) in 1 ms
> >>
> >> com.                    172800  IN      NS      h.gtld-servers.net.
> >> com.                    172800  IN      NS      f.gtld-servers.net.
> >> com.                    172800  IN      NS      m.gtld-servers.net.
> >> com.                    172800  IN      NS      g.gtld-servers.net.
> >> com.                    172800  IN      NS      l.gtld-servers.net.
> >> com.                    172800  IN      NS      c.gtld-servers.net.
> >> com.                    172800  IN      NS      d.gtld-servers.net.
> >> com.                    172800  IN      NS      a.gtld-servers.net.
> >> com.                    172800  IN      NS      b.gtld-servers.net.
> >> com.                    172800  IN      NS      i.gtld-servers.net.
> >> com.                    172800  IN      NS      j.gtld-servers.net.
> >> com.                    172800  IN      NS      e.gtld-servers.net.
> >> com.                    172800  IN      NS      k.gtld-servers.net.
> >> ;; Received 497 bytes from 192.33.4.12#53(c.root-servers.net) in 18 ms
> >>
> >> microsoft.com.          172800  IN      NS      ns3.msft.net.
> >> microsoft.com.          172800  IN      NS      ns1.msft.net.
> >> microsoft.com.          172800  IN      NS      ns5.msft.net.
> >> microsoft.com.          172800  IN      NS      ns2.msft.net.
> >> microsoft.com.          172800  IN      NS      ns4.msft.net.
> >> ;; Received 235 bytes from 192.43.172.30#53(i.gtld-servers.net) in 67 
> ms
> >>
> >> partners.extranet.microsoft.com. 3600 IN NS     
> dns10.one.microsoft.com.
> >> partners.extranet.microsoft.com. 3600 IN NS     
> dns13.one.microsoft.com.
> >> partners.extranet.microsoft.com. 3600 IN NS     
> dns11.one.microsoft.com.
> >> partners.extranet.microsoft.com. 3600 IN NS     
> dns12.one.microsoft.com.
> >> ;; Received 236 bytes from 64.4.59.173#53(ns2.msft.net) in 3 ms
> >>
> >> winqual.partners.extranet.microsoft.com. 10 IN A 131.107.97.31
> >> ;; Received 112 bytes from 131.107.125.65#53(dns10.one.microsoft.com) 
> in
> >> 23 ms
> >>
> >
> > If I just dig at their servers for NS, I get a trunc and retry over TCP 
> that
> > times out.
> >
> > If I signal a bufsize, I get back a 777 byte response with NS that don't
> > match the parent and an additional full of private 10/8 addresses
> >
> > # dig +norecurse +bufsize=1024 ns partners.extranet.microsoft.com
> > @dns10.one.microsoft.com.
> >
> > ; <<>> DiG 9.8.1 <<>> +norecurse +bufsize=1024 ns
> > partners.extranet.microsoft.com @dns10.one.microsoft.com.
> >
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10678
> > ;; flags: qr ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 17
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4000
> > ;; QUESTION SECTION:
> > ;partners.extranet.microsoft.com. IN    NS
> >
> > ;; ANSWER SECTION:
> > partners.extranet.microsoft.com. 1076 IN NS
> > tk5-ptnr-dc-02.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > kaw-ptnr-dc-02.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > co2-ptnr-dc-02.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > co2-ptnr-dc-01.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > tk5-ptnr-dc-01.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > db3-ptnr-dc-02.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > db3-ptnr-dc-01.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > tk5-ptnr-dc-03.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > sin-ptnr-dc-03.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > rno-ptnr-dc-01.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > ph1-ptnr-dc-02.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > ph1-ptnr-dc-01.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > sin-ptnr-dc-02.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > sinxtdnsz01.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > tk5-ptnr-dc-05.partners.extranet.microsoft.com.
> > partners.extranet.microsoft.com. 1076 IN NS
> > kaw-ptnr-dc-03.partners.extranet.microsoft.com.
> >
> > ;; ADDITIONAL SECTION:
> > tk5-ptnr-dc-02.partners.extranet.microsoft.com. 65 IN A 10.251.51.102
> > kaw-ptnr-dc-02.partners.extranet.microsoft.com. 3564 IN A 10.251.162.20
> > co2-ptnr-dc-02.partners.extranet.microsoft.com. 3196 IN A 10.251.152.89
> > co2-ptnr-dc-01.partners.extranet.microsoft.com. 2092 IN A 10.251.152.173
> > tk5-ptnr-dc-01.partners.extranet.microsoft.com. 2307 IN A 10.251.51.13
> > db3-ptnr-dc-02.partners.extranet.microsoft.com. 2887 IN A 10.251.138.59
> > db3-ptnr-dc-01.partners.extranet.microsoft.com. 2518 IN A 10.251.138.15
> > tk5-ptnr-dc-03.partners.extranet.microsoft.com. 1925 IN A 10.251.52.124
> > sin-ptnr-dc-03.partners.extranet.microsoft.com. 3109 IN A 10.251.168.67
> > rno-ptnr-dc-01.partners.extranet.microsoft.com. 2498 IN A 10.251.64.113
> > ph1-ptnr-dc-02.partners.extranet.microsoft.com. 2552 IN A 10.251.26.12
> > ph1-ptnr-dc-01.partners.extranet.microsoft.com. 3357 IN A 10.251.26.11
> > sin-ptnr-dc-02.partners.extranet.microsoft.com. 2897 IN A 10.251.169.47
> > sinxtdnsz01.partners.extranet.microsoft.com. 897 IN A 10.251.168.142
> > tk5-ptnr-dc-05.partners.extranet.microsoft.com. 3234 IN A 10.251.52.143
> > kaw-ptnr-dc-03.partners.extranet.microsoft.com. 1140 IN A 10.251.162.193
> >
> > ;; Query time: 70 msec
> > ;; SERVER: 131.107.125.65#53(131.107.125.65)
> > ;; WHEN: Thu Feb  9 04:03:26 2012
> > ;; MSG SIZE  rcvd: 777
> >
> > -DMM
> >
> >
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
> -- 
> --Matt
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the bind-users mailing list