"not subdomain of zone {XXXX} -- invalid response" errors found in named.run log

同屋 39223722 at qq.com
Wed Jan 6 10:01:54 UTC 2021

The version of bind is BIND 9.10.5-P3 id:7d5676f 

One day, I found that the size of named.run is increasing very quickly. And a lot of "invalid response" entries were spotted in the log. Details is as follows (I replace the sensitive info with  {xxxx},{AAA} etc.)
DNS format error from {IP}#53 resolving {XXXX}.bf.bf.node.epc.mnc{AAA}.mcc{BBB}.3gppnetwork.org/AAAA for client Name epc.mnc{AAA}.mcc{BBB}.3gppnetwork.org (SOA) not subdomain of zone node.epc.mnc{AAA}.mcc{BBB}.3gppnetwork.org -- invalid response
The response related to the above log is as follows:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  50664 ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;{XXXX}.bf.bf.node.epc.mnc{AAA}.mcc{BBB}.3gppnetwork.org. IN AAAA
;; AUTHORITY SECTION: ;epc.mnc{AAA}.mcc{BBB}.3gppnetwork.org. 86400 IN SOA	.mnc{AAA}.mcc{BBB}.gprs. dns-admin. ( ;						2020122704 ; serial ;						10800      ; refresh (3 hours) ;						3600       ; retry (1 hour) ;						604800     ; expire (1 week) ;						86400      ; minimum (1 day) ;						)

Normally, the FQDN should be cached as a NXRRSET record as follows: 

{XXXX}.bf.bf.node.epc.mnc{AAA}.mcc{BBB}.3gppnetwork.org. 8412 -AAAA ;-$NXRRSET
But when the issue happens, it cannot be cached, I guess it's related to the "invalid response" log.
From the error log, it mentions "zone node.epc.mnc{AAA}.mcc{BBB}.3gppnetwork.org", but I'm wondering where the zone "node.epc.mnc{AAA}.mcc{BBB}.3gppnetwork.org" comes from? I cannot found the related SOA record in the dump file.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210106/75302276/attachment.htm>

More information about the bind-users mailing list