Question on Bind validating resolver
dot at dotat.at
Thu Jan 26 10:48:55 UTC 2017
Volker Janzen <volker at janzen.onl> wrote:
> when my Bind resolver tries to get the A record for info.nominet.uk the
> syslog gets lots of messages like this:
> Jan 25 21:15:52 box named: DNS format error from 220.127.116.11#53
> resolving info.nominet.uk/DS: invalid response
OK, this is interesting.
The domain is hosted by Cloudflare who have their own DNS implementation,
and they try to make their responses as small as possible.
In this case the response from the Cloudflare servers is quoted below.
There is a fun feature in the NSEC record - they are using minimal
covering NSEC records, hence the info\000.nominet.uk which is the DNS name
lexically following info.nominet.uk - yes, that is a null byte! But this
isn't relevant to the problem.
The actual problem is to do with how BIND classifies negative responses
according to RFC 2308 - see https://tools.ietf.org/html/rfc2308#page-6
Cloudflare are trying to generate a Type 3 response (the smallest, with no
SOA or NS records in the authority section) - this isn't great because it
means the negative answer cannot be cached :-(
BIND detects a Type 3 response by looking for empty answer and authority
sections - but in this case there is a DNSSEC proof of nonexistence in the
authority section! So BIND's response classification fails.
I'm inclined to blame Cloudflare for omitting the SOA record from the
response, which breaks negative caching, as well as making BIND think
Cloudflare's DNS server is insane.
In fact Cloudflare do return SOA records with other kinds of negative
response, so I guess it is just a bug/omission in their DS negative
For those who like code, the Type 3 classification happens here
and eventually BIND ends up generating the SERVFAIL error here
; <<>> DiG 9.12.0-dev <<>> +multiline +dnssec +norec @18.104.22.168 info.nominet.uk DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59655
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;info.nominet.uk. IN DS
;; AUTHORITY SECTION:
info.nominet.uk. 3600 IN NSEC info\000.nominet.uk. NS RRSIG NSEC
info.nominet.uk. 3600 IN RRSIG NSEC 13 3 3600 (
20170127110035 20170125090035 35273 nominet.uk.
;; Query time: 3 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Thu Jan 26 10:00:47 GMT 2017
;; MSG SIZE rcvd: 188
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Shannon, Rockall, Malin, Hebrides, Bailey: Southerly or southeasterly,
becoming cyclonic, 7 to severe gale 9, occasionally storm 10 at first in
Rockall and Bailey, becoming variable 4 for a time in west Shannon, west
Rockall and west Bailey. Very rough or high, occasionally rough except in
Bailey. Rain or squally showers. Good, occasionally poor.
More information about the bind-users