BIND 9.10.0-P2 prefetch problem

Mark Andrews marka at isc.org
Tue Jul 15 22:18:44 UTC 2014


The nameservers for securityplusfcuhb.flb.intuit.com are broken.

dig securityplusfcuhb.flb.intuit.com @flbflb-gtm-qydc.intuit.com ns -> NXDOMAIN
dig securityplusfcuhb.flb.intuit.com @flbflb-gtm-qydc.intuit.com a -> CNAME
dig securityplusfcuhb.flb.intuit.com @flbflb-gtm-qydc.intuit.com aaaa -> NODATA
dig securityplusfcuhb.flb.intuit.com @flbflb-gtm-qydc.intuit.com cname -> NXDOMAIN

A properly functioning, RFC 1034 [1] compliant, nameserver will
return CNAME to all these queries as there is a CNAME record in the
zone at that name.  intuit.com need to complain to their nameserver
vendor to get it fixed.  They also need to complain that the EDNS
handling [2] is broken as the servers fail to correctly handle
EDNS versions other than 0 and they fail to correctly handle unknown
EDNS options.

dig securityplusfcuhb.flb.intuit.com @flbflb-gtm-qydc.intuit.com a +edns=1
	-> fails to respond. The correct answer is BADVERS.
dig securityplusfcuhb.flb.intuit.com @flbflb-gtm-qydc.intuit.com a +ednsopt=200
	-> incorrectly returns unknown EDNS options.

Mark

[1] http://tools.ietf.org/html/rfc1034
[2] http://tools.ietf.org/html/rfc6891

In message <F80B214C2304C641B917B47051D743C4201B6CCDE4 at HQ-MB-08.ba.ad.ssa.gov>,
 "Tracy, Tedd C. Contractor" writes:
> 
> I'm having problems querying one particular domain with BIND 9.10.0-P2 if
> prefetch is enabled. I have been able to duplicate the problem from multiple
> servers running 9.10.0-P2 with different operating systems but I have not
> been able to duplicate the problem with any other domains (yet, I'm still
> trying).
> 
> The domain that shows the problem is www.securityplusfcuhb.org. It is a
> CNAME that points to a CNAME that points to an A record:
> ;; QUESTION SECTION:
> ;www.securityplusfcuhb.org.     IN      A
> 
> ;; ANSWER SECTION:
> www.securityplusfcuhb.org. 86399 IN     CNAME   securityplusfcuhb.flb.intuit.com.
> securityplusfcuhb.flb.intuit.com. 30 IN CNAME   03845.olb.prd1.flb.digitalinsight.com.
> 03845.olb.prd1.flb.digitalinsight.com. 30 IN A  199.102.151.76
> 
> As long as no queries are performed at a time that would trigger a
> prefetch, everything is fine. If a query is performed at a time that does
> trigger a prefetch, all subsequent queries return NXDOMAIN.
> dig @localhost a www.securityplusfcuhb.org
> 
> ; <<>> DiG 9.10.0-P2 <<>> @localhost a www.securityplusfcuhb.org
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49996
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.securityplusfcuhb.org.     IN      A
> 
> ;; ANSWER SECTION:
> www.securityplusfcuhb.org. 86187 IN     CNAME   securityplusfcuhb.flb.intuit.com.
> 
> ;; AUTHORITY SECTION:
> flb.intuit.com.         597     IN      SOA     flbflb-gtm-qydc.intuit.com. hostmaster.flb.intuit.com. 2014022110 10800 3600 604800 86400
> 
> Flushing the cache fixes the problem. Disabling prefetch prevents the
> problem from happening.
> 
> 
> Tedd
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
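
The two EDNS probes in the reply above (`+edns=1` and `+ednsopt=200`), expressed as checks over raw DNS replies. This is an added Python example, not part of the original post or of BIND; the function names, the `example.test` name and the two sample replies are constructed for illustration, and EDNS version 0 is assumed to be the highest version the server supports.

```python
import struct

BADVERS, OPT = 16, 41  # RFC 6891: extended RCODE BADVERS, RR type OPT

def build_message(name, flags=0x0100, ext_rcode=0, version=0, options=()):
    """One A question plus an OPT RR (its TTL holds ext-rcode, version, flags)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    opt = b"\0" + struct.pack("!HHBBHH", OPT, 4096, ext_rcode, version, 0, len(rdata))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    return header + qname + struct.pack("!HH", 1, 1) + opt + rdata

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_edns(msg):
    """Return (full 12-bit rcode, EDNS version or None, option codes present)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    rcode, version, codes = flags & 0xF, None, []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ext, ver, _, rdlen = struct.unpack("!HHBBHH", msg[off:off + 10])
        off += 10
        if rtype == OPT:
            rcode, version, p = rcode | (ext << 4), ver, off
            while p + 4 <= off + rdlen:
                code, olen = struct.unpack("!HH", msg[p:p + 4])
                codes.append(code)
                p += 4 + olen
        off += rdlen
    return rcode, version, codes

def edns_version_ok(reply):
    """+edns=1 probe: a reply must arrive and carry BADVERS with version 0."""
    return reply is not None and parse_edns(reply)[:2] == (BADVERS, 0)

def unknown_option_ok(reply, code=200):
    """+ednsopt=200 probe: the unknown option must not be echoed back."""
    return reply is not None and code not in parse_edns(reply)[2]

COMPLIANT = build_message("example.test", 0x8180, ext_rcode=1)  # constructed reply, 1 << 4 = BADVERS
ECHOING = build_message("example.test", 0x8180, options=[(200, b"")])  # constructed reply echoing option 200
```

Passing `None` for a probe that timed out makes both checks fail, which matches the "fails to respond" case reported for `+edns=1`.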

