Query on ignoring additional section returned in replies

Elias Ahmed Kamal eliasak at tm.com.my
Wed Nov 18 10:36:20 UTC 2015


Even with a broken delegation, it's like always resolvable with Google DNS or even OpenDNS. Are there any BIND-specific workarounds?


-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org]
Sent: Wednesday, November 18, 2015 6:26 PM
To: Elias Ahmed Kamal
Cc: bind-users at lists.isc.org
Subject: Re: Query on ignoring additional section returned in replies


In message <659dec986e9347369634488991f6ea5f at PVSVREXC06.AD.TMRES.MY>, Elias Ahmed Kamal writes:
> Hi guys,
>
> I'm having issues resolving www.fis.com.my. I'm trying to tell
> fis.com.my that it's an issue at their end, but when checking against
> 8.8.8.8 it resolves fine....so it MUST be a problem with me.
>
> 1. Lookups fail, this is clear enough
>
> root at sputnik # dig @localhost www.fis.com.my
>
> ; <<>> DiG 9.9.5-P1 <<>> @localhost www.fis.com.my
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51246
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.fis.com.my.                        IN      A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Nov 18 17:40:58 MYT 2015
> ;; MSG SIZE  rcvd: 43
>
>
> 2. All of fis.com.my's authoritative nameservers answer and are consistent
>    It tells me that www.wip.fis.com.my is a CNAME for www.fis.com.my
>    And that wan1-wan4.fis.com.my are the authoritative servers for *.wip.fis.com.my
>
> root at sputnik # dig @ns1.fis.com.my www.fis.com.my
>
> ; <<>> DiG 9.9.5-P1 <<>> @ns1.fis.com.my www.fis.com.my
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33357
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.fis.com.my.                        IN      A
>
> ;; ANSWER SECTION:
> www.fis.com.my.         38400   IN      CNAME   www.wip.fis.com.my.
>
> ;; AUTHORITY SECTION:
> wip.fis.com.my.         38400   IN      NS      wan1.fis.com.my.
> wip.fis.com.my.         38400   IN      NS      wan4.fis.com.my.
> wip.fis.com.my.         38400   IN      NS      wan3.fis.com.my.
> wip.fis.com.my.         38400   IN      NS      wan2.fis.com.my.
>
> ;; ADDITIONAL SECTION:
> wan1.fis.com.my.        38400   IN      A       202.188.242.130
> wan2.fis.com.my.        38400   IN      A       210.19.86.114
> wan3.fis.com.my.        38400   IN      A       175.143.6.162
> wan4.fis.com.my.        38400   IN      A       219.92.28.106
>
> ;; Query time: 8 msec
> ;; SERVER: 202.188.242.135#53(202.188.242.135)
> ;; WHEN: Wed Nov 18 17:41:09 MYT 2015
> ;; MSG SIZE  rcvd: 205
>
>
> 3. I now do a 3rd lookup test against wan1.fis.com.my for www.wip.fis.com.my and get the answers
>    BUT, the nameserver is also returning an authority section saying wip.fis.com.my is now served by ns1.wip.fis.com.my
>    [Previously I know wip.fis.com.my was served by wan1-wan4.fis.com.my, but now somehow I'm caching ns1.wip.fis.com.my instead]
>    [Question: Is it the expected behaviour that this new NS will override the previous NS for wip.fis.com.my? And is there any way to ignore authority/additional answers that I get from replies?]

Yes.  The delegation is broken.  Having an NS pointing at a nonexistent name is a big no-no.  It's just a matter of time for a delegation like this to break.

> root at cbj-cdns21 # dig @wan1.fis.com.my www.wip.fis.com.my
>
> ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my www.wip.fis.com.my
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43777
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;www.wip.fis.com.my.            IN      A
>
> ;; ANSWER SECTION:
> www.wip.fis.com.my.     5       IN      A       175.143.6.165
> www.wip.fis.com.my.     5       IN      A       202.188.242.137
> www.wip.fis.com.my.     5       IN      A       210.19.86.117
>
> ;; AUTHORITY SECTION:
> wip.fis.com.my.         3600    IN      NS      ns1.wip.fis.com.my.
>
> ;; Query time: 7 msec
> ;; SERVER: 202.188.242.130#53(202.188.242.130)
> ;; WHEN: Wed Nov 18 17:44:59 MYT 2015
> ;; MSG SIZE  rcvd: 102
>
>
> 4. Lo and behold, ns1.wip.fis.com.my doesn't exist! And because of
> this all my queries for www.fis.com.my are failing. Am I correct?
>
> root at sputnik # dig @wan1.fis.com.my ns1.wip.fis.com.my
>
> ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my ns1.wip.fis.com.my
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37457
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ns1.wip.fis.com.my.            IN      A
>
> ;; AUTHORITY SECTION:
> wip.fis.com.my.         3600    IN      SOA     ns1.wip.fis.com.my. webmaster. 2015111825 16384 2048 1048576 2560
>
> ;; Query time: 6 msec
> ;; SERVER: 202.188.242.130#53(202.188.242.130)
> ;; WHEN: Wed Nov 18 17:47:45 MYT 2015
> ;; MSG SIZE  rcvd: 81
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
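
The check the thread walks through by hand (compare the NS set the parent zone hands out with the NS set the child zone's own servers return, then confirm each listed nameserver name has an address), as an added example that is not part of the original messages. The dig text is abridged from the output quoted above; `records`, `audit_delegation` and the finding labels are names assumed for this example.

```python
import re

# Abridged from the dig output quoted in the thread; nothing is queried live.
PARENT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33357
;; AUTHORITY SECTION:
wip.fis.com.my. 38400 IN NS wan1.fis.com.my.
wip.fis.com.my. 38400 IN NS wan2.fis.com.my.
wip.fis.com.my. 38400 IN NS wan3.fis.com.my.
wip.fis.com.my. 38400 IN NS wan4.fis.com.my.
;; ADDITIONAL SECTION:
wan1.fis.com.my. 38400 IN A 202.188.242.130
wan2.fis.com.my. 38400 IN A 210.19.86.114
wan3.fis.com.my. 38400 IN A 175.143.6.162
wan4.fis.com.my. 38400 IN A 219.92.28.106
"""
CHILD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43777
;; AUTHORITY SECTION:
wip.fis.com.my. 3600 IN NS ns1.wip.fis.com.my.
"""
NS1_LOOKUP = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37457
;; AUTHORITY SECTION:
wip.fis.com.my. 3600 IN SOA ns1.wip.fis.com.my. webmaster. 2015111825 16384 2048 1048576 2560
"""

# owner, TTL, class IN, type, rdata; comment lines (";;") never match.
RR = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(\S+)[ \t]+(.+)$", re.M)

def records(dig_text, rtype, owner=None):
    """Return the rdata of every rtype record, optionally for one owner name."""
    return {m[3].strip().lower() for m in RR.finditer(dig_text)
            if m[2] == rtype and (owner is None or m[1].lower() == owner)}

def audit_delegation(zone, parent, child, ns_lookups):
    """Flag child-side NS names the parent does not list or that do not resolve."""
    parent_ns = records(parent, "NS", zone)
    child_ns = records(child, "NS", zone)
    findings = []
    if parent_ns != child_ns:
        findings.append(("ns-mismatch", sorted(child_ns - parent_ns)))
    for ns in sorted(child_ns):
        glue = records(parent, "A", ns) | records(child, "A", ns)
        reply = ns_lookups.get(ns, "")
        resolved = "status: NOERROR" in reply and records(reply, "A", ns)
        if not glue and not resolved:
            findings.append(("ns-unresolvable", ns))
    return findings

if __name__ == "__main__":
    print(audit_delegation("wip.fis.com.my.", PARENT, CHILD,
                           {"ns1.wip.fis.com.my.": NS1_LOOKUP}))
```
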