Reply Code 0x8083 vs 0x8080
Jiann-Ming Su
su_js1 at yahoo.com
Fri May 30 04:27:33 UTC 2014
Looking through the traces of the NXDomain vs NoError responses. The NoError response includes the list of the Internet root servers. This would definitely be a valid response for a "." query. I wonder if I've run into a bug with this particular version of BIND where it ignores or changes the actual query with a "." lookup. Hence the NoError response with the full list of root servers.
> On Thursday, May 29, 2014 6:53 PM, Jiann-Ming Su <su_js1 at yahoo.com> wrote:
> >
>
>
>
>
>
>> On Thursday, May 29, 2014 6:32 PM, Mark Andrews <marka at isc.org>
> wrote:
>> >
>> In message <53879683.2080500 at chrysler.com>, Kevin Darcy writes:
>>> Why the different RCODES? See RFC 2308. Short version: the
>> "NODATA"
>>> response occurs when the QNAME exists, but no records match QTYPE. It
>>> will also occur if the QNAME is merely a "branch" to
> something
>> further
>>> down in the hierarchy (a so-called "empty non-terminal"),
> and
>> owns no
>>> records of its own.
>>>
>>> I'm not sure why NODATA would inhibit search-suffixing, but I just
>
>>> confirmed on a Linux platform that it does. Weird.
>>>
>>> - Kevin
>>
>> Actually is it perfectly logical and fixes a long standing security
>> bug. A name should refer to a single node in the DNS not multiple
>> nodes depending upon the query type. A search should always end
>> on the same node independent of query type.
>>
>> What is broken is putting a bare SRV prefix into res_search.
>> res_search was not designed for that type of searching and doing
>> so introduces the sort of security errors talked about in RFC 1535.
>>
>
> Mark,
>
> Thanks again for your insights. The troublesome app is the same one you
> responded to me about back in February when I was asking about recursion and
> auth responses. While it does appear the app may not be following best
> practices in its DNS queries, do you have insights as to why BIND would respond
> NoError on one query and NXDomain on another?
>
> I'm reading through RFC 1535 now and will forward that along to the
> application owners.
>
More information about the bind-users
mailing list