Understanding cause of DNS format error (FORMERR)

Sam Wilson Sam.Wilson at ed.ac.uk
Wed Jun 27 09:23:03 UTC 2012

In article <mailman.1145.1340719800.63724.bind-users at lists.isc.org>,
 Barry Margolin <barmar at alum.mit.edu> wrote:

> In article <mailman.1144.1340718471.63724.bind-users at lists.isc.org>,
>  Sam Wilson <Sam.Wilson at ed.ac.uk> wrote:
> > For a NXDOMAIN response, or NOERROR with an empty answer section, the 
> > server should provide the SOA record in the authority section.  That SOA 
> > is the apex of the zone which doesn't contain the answer record you 
> > asked for, if you see what I mean.  The server is proving that it has 
> > authority to tell you that the information doesn't exist.
> More important, the SOA record contains the TTL that should be used for 
> the negative cache entry.

More important for the operation of the DNS, but I'd think less 
important from the point of view of manual debugging, like we're doing 

> > The fact that looking for nonexistent data for 
> > vlasext.partners.extranet.microsoft.com returns the 
> > partners.extranet.microsoft.com SOA record shows that the vlasext 
> > subdomain has not been delegated.  The servers should therefore be able 
> > to offer an authoritative answer for data that does exist for 
> > vlasext.etc... but they don't.
> This type of inconsistency often suggests a DNS-based load balancer is 
> involved.

I wondered that but it's not consistent with earlier results in the 
thread which suggested Windows DNS server for at least one of them.  An 
old version of fpdns (someone might like to try a newer one) concurs:

$ for i in 0 1 2 3 ; do fpdns dns1$i.one.microsoft.com  ; done
fingerprint (dns10.one.microsoft.com, Microsoft \
Windows 2003 
fingerprint (dns11.one.microsoft.com, Microsoft \
Windows 2003 
fingerprint (dns12.one.microsoft.com, Microsoft \
Windows 2003 
fingerprint (dns13.one.microsoft.com, Microsoft \
Windows 2003 
$ fpdns -v
fpdns.pl version 0.9.1


The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

More information about the bind-users mailing list