Understanding cause of DNS format error (FORMERR)

Carsten Strotmann (private) cas at strotmann.de
Sat Jun 23 08:17:03 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Gabriele,

On 6/22/12 11:22 AM, Gabriele Paggi wrote:
> I'm a BIND novice and I'm trying to understand what causes my
> BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried
> for the A record of vlasext.partners.extranet.microsoft.com:
> 

At Men & Mice I've investigated this issue a few weeks ago for one of
our customers. At that point of time, we've seen NS records with
private addresses:

dig ns partners.extranet.microsoft.com.

; <<>> DiG 9.9.1 <<>> ns partners.extranet.microsoft.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53053
;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 19

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN	NS

;; ANSWER SECTION:
partners.extranet.microsoft.com. 2311 IN NS
db3-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
tk5-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
by1-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
co2-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
co2-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
sinxtdnsz01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
kaw-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
ph1-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
tk5-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
tk5-ptnr-dc-05.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
rno-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
tk5-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
sin-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
sin-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
by1-ptnr-dc-04.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
kaw-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
db3-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 2311 IN NS
ph1-ptnr-dc-02.partners.extranet.microsoft.com.

;; ADDITIONAL SECTION:
db3-ptnr-dc-01.partners.extranet.microsoft.com.	1406 IN	A 10.251.138.15
tk5-ptnr-dc-02.partners.extranet.microsoft.com.	26 IN A	10.251.51.102
by1-ptnr-dc-03.partners.extranet.microsoft.com.	3505 IN	A 10.251.94.15
co2-ptnr-dc-02.partners.extranet.microsoft.com.	2941 IN	A 10.251.152.89
co2-ptnr-dc-01.partners.extranet.microsoft.com.	2679 IN	A 10.251.152.173
sinxtdnsz01.partners.extranet.microsoft.com. 171 IN A 10.251.168.142
kaw-ptnr-dc-02.partners.extranet.microsoft.com.	1101 IN	A 10.251.162.20
ph1-ptnr-dc-01.partners.extranet.microsoft.com.	1417 IN	A 10.251.26.11
tk5-ptnr-dc-01.partners.extranet.microsoft.com.	2872 IN	A 10.251.51.13
tk5-ptnr-dc-05.partners.extranet.microsoft.com.	137 IN A 10.251.52.143
rno-ptnr-dc-01.partners.extranet.microsoft.com.	1375 IN	A 10.251.64.113
tk5-ptnr-dc-03.partners.extranet.microsoft.com.	1564 IN	A 10.251.52.124
sin-ptnr-dc-03.partners.extranet.microsoft.com.	882 IN A 10.251.168.67
sin-ptnr-dc-02.partners.extranet.microsoft.com.	505 IN A 10.251.169.47
by1-ptnr-dc-04.partners.extranet.microsoft.com.	2270 IN	A 10.251.94.16
kaw-ptnr-dc-03.partners.extranet.microsoft.com.	3461 IN	A 10.251.162.193
db3-ptnr-dc-02.partners.extranet.microsoft.com.	1690 IN	A 10.251.138.59
ph1-ptnr-dc-02.partners.extranet.microsoft.com.	3018 IN	A 10.251.26.12

;; Query time: 1314 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 30 18:57:27 2012
;; MSG SIZE  rcvd: 867

The issue seem to differ from the point in the network you are sending
the query, and if the resolving DNS server has only IPv4 or is
dual-stack (IPv4 + IPv6). It seems that the resolution is sometimes
broken, but we have not found the root cause of the issue.

This forward zone proved to be an (ugly, but working) workaround:

zone "partners.extranet.microsoft.com" IN {
	type forward;
	forwarders { 131.107.125.65;
                     94.245.124.49;
                     207.46.55.10;
                     65.55.31.17; };
};

We've also informed Microsoft about the issue.

Best regards

Carsten Strotmann
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/le38ACgkQsUJ3c+pomYEwDACgit4MdoFl4rfSCcapx1NMr9cB
1bUAn1QNRM2Gw//EsLYnH1jw1g25IvFl
=hB+P
-----END PGP SIGNATURE-----



More information about the bind-users mailing list