Understanding cause of DNS format error (FORMERR)

Gabriele Paggi gabriele.pgi at gmail.com
Sun Jun 24 04:14:58 UTC 2012

Hello Jeffry,

> FWIW I'm not able to reproduce this using a BIND 9.9.1-P1 recursive resolver. On this system "dig @localhost vlasext.partners.extranet.microsoft.com a" returns the answer and identifies dns11.one.microsoft.com ( as one of four authoritative servers. "dig @ vlasext.partners.extranet.microsoft.com a" also returns the answer, but no authority or additional records (except EDNS UDP 4000), and with no AA flag set. On the contrary querying one of my own authoritative servers, also running BIND 9.9.1-P1, for a record for which it is authoritative ("dig @ns2.countryday.net countryday.net a") does return the answer along with authority and additional records for the name servers and does have the AA flag set. Finally querying one of my internal Microsoft DNS servers (Windows Server 2008 R2 SP1) for a record for which it is authoritative gives me a correct answer, no authority or additional records (except EDNS UDP 4000), but does have the AA flag set.
Thanks. At least I know an upgrade would fix the issue although I still
don't know what and where the problem is (Microsoft DNS reply? BIND?).

> From what I observed I would conclude that dns11.one.microsoft.com is a Windows DNS server since it behaves like mine except for the AA flag not being set in theirs. The missing AA flag and lack of authority and additional records in their response seem like improper behavior to me, but I don't know whether or not the DNS protocol actually requires this. Apparently BIND 9.9.1-P1 is able to handle this situation.

I kind of assumed Microsoft would have been running a Windows DNS for
their domains ;-)
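
The response properties compared in this thread (AA flag, RCODE, authority and additional record counts, EDNS UDP size) can be read directly from the wire format of a reply. The following is an added example, not part of the original post and not BIND code; the function names and the `example.test` responses are constructed for illustration.

```python
import struct
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def summarize(msg):
    """Decode flags, section counts and the EDNS UDP size of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):             # question entry: name, QTYPE, QCLASS
        off = skip_name(msg, off) + 4
    edns_udp = None
    for _ in range(an + ns + ar):   # RR: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:             # OPT record: CLASS carries the UDP payload size
            edns_udp = rclass
        off += 10 + rdlen
    if off > len(msg):
        raise ValueError("record data runs past end of message")
    return {"aa": bool(flags & 0x0400), "rcode": RCODES.get(flags & 15, str(flags & 15)),
            "answer": an, "authority": ns, "additional": ar, "edns_udp": edns_udp}

def build_sample(aa, with_ns):
    """Constructed response for example.test (not a capture from the thread)."""
    flags = 0x8100 | (0x0400 if aa else 0)                      # QR + RD, optionally AA
    rr = lambda t, c, ttl, rd: struct.pack("!HHIH", t, c, ttl, len(rd)) + rd
    msg = struct.pack("!6H", 0x1234, flags, 1, 1, int(with_ns), 1)
    msg += b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    msg += b"\xc0\x0c" + rr(1, 1, 300, bytes([192, 0, 2, 1]))   # A record
    if with_ns:
        msg += b"\xc0\x0c" + rr(2, 1, 300, b"\x03ns1\xc0\x0c")  # NS record
    return msg + b"\x00" + rr(41, 4000, 0, b"")                 # OPT, UDP size 4000

if __name__ == "__main__":
    print(summarize(build_sample(False, False)), summarize(build_sample(True, True)))
```

The first constructed reply mirrors the shape described for the remote server (answer present, AA clear, no authority records, one OPT record); the second mirrors the authoritative reply with AA set and an NS record in the authority section.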

