dig +trace = Bad Referral or Bad Horizontal referral

Matthew Pounsett matt at conundrum.com
Tue Sep 20 13:58:57 UTC 2016


On 16 September 2016 at 11:12, project722 <project722 at gmail.com> wrote:

> I have an interesting problem. I started noticing that when I do a dig
> +trace against one of the domains we are authoritative for, we get errors
> from our nameservers for "Bad Referral" and you can see where it forwarded
> the request back up the namespace tree instead of giving the answer.
> Unfortunately I am unable to reproduce this problem at the moment. However
> I can reproduce the Bad (HORIZONTAL) referral. Basically once the query is
> referred to our name server I see this:
>
> ;; BAD (HORIZONTAL) REFERRAL
> ;; Received 187 bytes from x.x.x.x#53(ns.example.com in 2 ms
>

A horizontal referral is when one authoritative zone (the parent) delegates
a subdomain to a server that responds out of the same parent zone, rather
than a subzone.  The DNS is an inverted tree structure, and delegations are
always supposed to be "down" the tree toward the leaves.  If a delegation
ends up being across, then you get a horizontal referral error.

Since you obfuscated your configuration nobody is going to be able to
provide you with specific advice on where the problem is.  If you can find
the error in your authoritative data (or share which zone is giving you
problems so that someone here can point it out) that should clear up your
issue.
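
The distinction described in the message above, as an added example that is not part of the original message and not dig's own code: it compares the zone a resolver was referred to with the owner name of the NS records in the next response, and labels the referral downward, horizontal, or bad. The function names and the sample trace are constructed for illustration.

```python
# Added example: names and sample data are constructed, not taken from the thread.

def labels(name):
    """Return a name's labels root-first, lowercased.
    'www.example.com.' -> ['com', 'example', 'www']; the root '.' -> []."""
    stripped = name.rstrip(".").lower()
    return stripped.split(".")[::-1] if stripped else []

def is_subdomain(child, parent):
    """True if child sits strictly below parent in the DNS tree."""
    return len(child) > len(parent) and child[:len(parent)] == parent

def classify_referral(current_zone, ns_owner):
    """Compare the zone we were referred to (current_zone) with the owner
    name of the NS records in the authority section of the next response."""
    cur, ref = labels(current_zone), labels(ns_owner)
    if is_subdomain(ref, cur):
        return "downward"    # normal delegation, toward the leaves
    if ref == cur:
        return "horizontal"  # referred to the zone we were already sent to
    return "bad"             # referral to an ancestor or an unrelated name

def check_trace(referrals):
    """Walk referrals in order, starting at the root. Returns one
    (current_zone, ns_owner, verdict) tuple per referral. Only a downward
    referral advances the current zone."""
    current, results = ".", []
    for ns_owner in referrals:
        verdict = classify_referral(current, ns_owner)
        results.append((current, ns_owner, verdict))
        if verdict == "downward":
            current = ns_owner
    return results

# Constructed trace: two healthy delegations, then a server for example.com.
# that refers to example.com. again, then one that refers back to the root.
SAMPLE = ["com.", "example.com.", "example.com.", "."]

if __name__ == "__main__":
    for zone, owner, verdict in check_trace(SAMPLE):
        print(f"at {zone:<14} referral to {owner:<14} -> {verdict}")
```
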


More information about the bind-users mailing list