Bind's handling of lame nameservers
jw354 at cornell.edu
Tue Dec 16 19:43:45 UTC 2014
How do BIND caching servers handle received responses with
no aa flag? We're running BIND 9.9.6-P1 and I received a
report of a query that our server sometimes answered as
expected and sometimes didn't.
The offending name is not one we are authoritative for.
I checked the offending name and found that just one of
its nameservers answered badly: with an empty answer section,
a "NOERROR" status and no "aa" flag set.
I know to contact the other site and report this, but
I'm wondering what BIND tries to do. Assuming the above was
the situation when the reported symptoms occurred, I would
have guessed BIND would act on the lack of an "aa" flag
and either answer the original query with SERVFAIL or
immediately retry with a different server,
and issues to the end user would be pretty rare.
FYI, the query was for MX records for convergepay.com
and their nameserver atl-embr-mdf1-lbtrans-7000-dl.elavon.net
was listed among the authoritative NS records but
answered an MX query as described. I tested both with
and without requesting recursion. In fact, every name
and record type I asked it got a response of
"NOERROR", no answer section, and no "aa" flag.
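
A check for the response shape described in this message (NOERROR, empty answer section, no "aa" flag), as an added example that is not part of the original post and is not BIND's own logic. It reads only the 12-byte DNS header; the category names, the sample messages and the server name ns-ok.example are constructed for illustration.

```python
import struct

QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F  # header flag bits, RFC 1035 4.1.1

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA),
            "rcode": flags & RCODE_MASK, "ancount": an, "nscount": ns}

def classify(msg):
    """Label a response received from a server listed in the zone's NS set."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] != 0:
        return "error-rcode-%d" % h["rcode"]
    if h["aa"]:
        return "authoritative-answer" if h["ancount"] else "authoritative-nodata"
    if h["ancount"]:
        return "non-authoritative-answer"
    if h["nscount"]:
        return "possible-referral"  # authority section must be inspected
    return "lame-empty"  # NOERROR, no aa, nothing in answer or authority

def lame_servers(responses):
    """Return the servers whose response matches the lame-empty shape."""
    return sorted(s for s, m in responses.items() if classify(m) == "lame-empty")

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def sample(flags):
    """Constructed message: header with empty sections plus one MX question."""
    question = encode_name("convergepay.com") + struct.pack("!2H", 15, 1)
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + question

# Constructed samples; ns-ok.example is a placeholder server name.
RESPONSES = {
    "atl-embr-mdf1-lbtrans-7000-dl.elavon.net": sample(0x8000),  # QR only
    "ns-ok.example": sample(0x8400),                              # QR + AA
}

if __name__ == "__main__":
    for server, msg in RESPONSES.items():
        print(server, classify(msg))
    print("lame:", lame_servers(RESPONSES))
```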