lame-servers: error (FORMERR) resolving [something]

Daniele d.imbrogino at
Wed Jan 9 13:53:58 UTC 2013

This is the scenario.

I installed BIND9 via `apt-get` on a newly installed UBUNTU 12.04,
virtualized on VirtualBox.
The network works properly because if I indicate a different server from my
own BIND9 (the first line of '/etc/resolv.conf' is, for example,
`nameserver`) the lookups and any action on the Internet succeed.

BIND9 configuration is the default one.
I deleted all local zones that I added (even if internal lookups worked
correctly). Now there are only default zones (root, localhost,,,
Options are the default ones
options {
    directory "/var/cache/bind";

    dnssec-validation auto;

    auth-nxdomain no;

    listen-on-v6 {any;}

In this situation, if I dig anything the lookup fails, and the log is full
of "lame server" and "FORMERR".

Perhaps the problem is due to the presence of “dnssec-validaton“ line?

2013/1/8 Matus UHLAR - fantomas <uhlar at>

> > Sometimes I can't resolve some addresses and, in the logs, I can find
>>> > the message in the title:
>>> >    lame-servers: error (FORMERR) resolving [something]
>>> > (where `something` is the address I'm trying to resolve).
>>> >
>>> > What does it means?
>  2013/1/8 Shane Kerr <shane at>
>>> When acting as a recursive resolver, BIND 9 follows the chain of
>>> delegation from the root, contacting name servers identified for each
>>> domain on the way.
>>> In this case, one of those name servers returned a packet that BIND 9
>>> did not like for some reason - a FORMat ERRor. The offending server is
>>> marked as "lame" since it cannot answer queries for the domain in
>>> question.
>>> The message should also include the IP address of the server that it is
>>> going to at the end of the line.
> On 08.01.13 13:05, Daniele wrote:
>> So it's not my responsibility to resolve the problem, right?
>> The point is that, sometimes, I can't resolve an address because of this
>> lame servers, and dig (for example) fails.
>> Is it possible?
> possible, yes. but I would not be sure, since there are many different
> reasons for the lookups to fail.
> and there are few web services that check proper DNS functionality. I
> advise
> check with more of them, since there's none I would completely trust.
> --
> Matus UHLAR - fantomas, uhlar at ;
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
> ______________________________**_________________
> Please visit**listinfo/bind-users<>to unsubscribe from this list
> bind-users mailing list
> bind-users at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list