To deal with inproper nodata notification

Mark Andrews marka at isc.org
Sat May 11 11:45:23 UTC 2013


In message <2013051114140947567014 at gmail.com>, "Liu Mingxing" writes:
> 
> I found that bind9.9.2 recursor returns servfail to  soa requests when 
> receiving inproper nodata notification that there is just a root SOA RR 
> in the authority section in response from authoritative namservers.
> Just like this as following.   Why does it forward the inproper response 
> to clients?

No version of BIND 9 accepts those responses.  The operators of
vipbiz.cn took short cut and failed to properly set up the zone.
As a result the servers generate incorrect answers.  named detects
the incorrect answer, marks the server as bad, tries the other
server, marks it as bad and having exhausted the list of nameservers
for the zone returns SERVFAIL to the client.

>  root at localhost secman# dig soft.vipbiz.cn ns @localhost
> 
> ; <<>> DiG 9.9.2-P2 <<>> soft.vipbiz.cn ns @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21576
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;soft.vipbiz.cn.                        IN      NS
> 
> ;; Query time: 91 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 10 23:08:56 2013
> ;; MSG SIZE  rcvd: 43
> 
> 
> 
> 
> 
> Liu Mingxing


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


More information about the bind-users mailing list