Query on ignoring additional section returned in replies

Mark Andrews marka at isc.org
Wed Nov 18 10:25:51 UTC 2015


In message <659dec986e9347369634488991f6ea5f at PVSVREXC06.AD.TMRES.MY>, Elias Ahm
ed Kamal writes:
> Hi guys,
> 
> I'm having issues resolving www.fis.com.my. I'm trying to tell fis.com.my tha
> t its an issue at their end, but when checking against 8.8.8.8 it resolves fi
> ne....so it MUST be a problem with me.
> 
> 1. Lookups fail, this is clear enough
> 
> root at sputnik # dig @localhost www.fis.com.my
> 
> ; <<>> DiG 9.9.5-P1 <<>> @localhost www.fis.com.my
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51246
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.fis.com.my.                        IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Nov 18 17:40:58 MYT 2015
> ;; MSG SIZE  rcvd: 43
> 
> 
> 2. All of fis.com.my's authoritative nameservers answer and are consistent
>    It tells me that www.wip.fis.com.my is a CNAME for www.fis.com.my
>    And that wan1-wan4.fis.com.my is the authoritative servers for *.wip.fis.c
> om.my
> 
> root at sputnik # dig @ns1.fis.com.my www.fis.com.my
> 
> ; <<>> DiG 9.9.5-P1 <<>> @ns1.fis.com.my www.fis.com.my
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33357
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.fis.com.my.                        IN      A
> 
> ;; ANSWER SECTION:
> www.fis.com.my.         38400   IN      CNAME   www.wip.fis.com.my.
> 
> ;; AUTHORITY SECTION:
> wip.fis.com.my.         38400   IN      NS      wan1.fis.com.my.
> wip.fis.com.my.         38400   IN      NS      wan4.fis.com.my.
> wip.fis.com.my.         38400   IN      NS      wan3.fis.com.my.
> wip.fis.com.my.         38400   IN      NS      wan2.fis.com.my.
> 
> ;; ADDITIONAL SECTION:
> wan1.fis.com.my.        38400   IN      A       202.188.242.130
> wan2.fis.com.my.        38400   IN      A       210.19.86.114
> wan3.fis.com.my.        38400   IN      A       175.143.6.162
> wan4.fis.com.my.        38400   IN      A       219.92.28.106
> 
> ;; Query time: 8 msec
> ;; SERVER: 202.188.242.135#53(202.188.242.135)
> ;; WHEN: Wed Nov 18 17:41:09 MYT 2015
> ;; MSG SIZE  rcvd: 205
> 
> 
> 3. I now do a 3rd lookup test against wan1.fis.com.my for www.wip.fis.com.my 
> and get the answers
>    BUT, the nameserver is also returning an authority section saying wip.fis.
> com.my is now served by ns1.wip.fis.com.my
>    [Previously I know wip.fis.com.my was served by wan1-wan4.fis.com.my, but 
> now somehow I'm caching ns1.wip.fis.com.my instead]
>    [Question: Is it the expected behaviour that this new NS will override the
>  previous NS for wip.fis.com.my? And is there any way to ignore authority/add
> itional answers that I get from replies?]

Yes.  The delegation is broken.  Having a NS pointing at a nonexistant
name is a big no no.  It's just a matter of time for a delegation like
this to break.
 
> root at cbj-cdns21 # dig @wan1.fis.com.my www.wip.fis.com.my
> 
> ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my www.wip.fis.com.my
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43777
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;www.wip.fis.com.my.            IN      A
> 
> ;; ANSWER SECTION:
> www.wip.fis.com.my.     5       IN      A       175.143.6.165
> www.wip.fis.com.my.     5       IN      A       202.188.242.137
> www.wip.fis.com.my.     5       IN      A       210.19.86.117
> 
> ;; AUTHORITY SECTION:
> wip.fis.com.my.         3600    IN      NS      ns1.wip.fis.com.my.
> 
> ;; Query time: 7 msec
> ;; SERVER: 202.188.242.130#53(202.188.242.130)
> ;; WHEN: Wed Nov 18 17:44:59 MYT 2015
> ;; MSG SIZE  rcvd: 102
> 
> 
> 4. Lo and behold, ns1.wip.fis.com.my doesn't exist! And because of this all m
> y queries for www.fis.com.my are failing. Am I correct?
> 
> root at sputnik # dig @wan1.fis.com.my ns1.wip.fis.com.my
> 
> ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my ns1.wip.fis.com.my
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37457
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;ns1.wip.fis.com.my.            IN      A
> 
> ;; AUTHORITY SECTION:
> wip.fis.com.my.         3600    IN      SOA     ns1.wip.fis.com.my. webmaster
> . 2015111825 16384 2048 1048576 2560
> 
> ;; Query time: 6 msec
> ;; SERVER: 202.188.242.130#53(202.188.242.130)
> ;; WHEN: Wed Nov 18 17:47:45 MYT 2015
> ;; MSG SIZE  rcvd: 81
> 
> We only send and receive email on the basis of the terms set out at http://ww
> w.tm.com.my/email_disclaimer.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


More information about the bind-users mailing list