<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Veronique.</p>
<p>I'm not an expert, but to me the 9.16 behaviour is what I would
expect to happen, based on:</p>
<ul>
<li>When you issue the non-recursive query for "spectrum.cern.ch",
it is answered from the "cern.ch" zone, which only knows the
CNAME (returned in the ANSWER section) and the NS records for
the zone that the CNAME points to (presumably returned in the
ADDITIONAL section?).</li>
<li>A [hypothetical] subsequent non-recursive query for "spectrum-lb.cern.ch"
would be answered from the "spectrum-lb.cern.ch" zone which
contains the A records (which should be returned in the ANSWER
section of that query).<br>
</li>
</ul>
<p>(A recursive resolver would be expected to make both of the
queries above to give a complete answer to the query for
"spectrum.cern.ch".)</p>
<p>But aside from the observation that the responses from 9.11 and
9.16 aren't the same, what is the actual problem you are trying to
solve? i.e. Why does it matter if the A record is or isn't
returned in a <i>non-recursive</i> query for "spectrum.cern.ch"?<br>
</p>
Nick.
<p><br>
</p>
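<p>The resolver-side rule described above (follow the CNAME in the ANSWER section and, when the chain stops there, query the target name yourself) as an added example; it is not code from this thread or from BIND. Records are modelled as (owner, type, rdata) tuples, and the two sample answers are constructed to match the shapes reported for the 9.16 and 9.11 servers, keeping the xxx.xxx.xx.140 placeholder from the thread.</p>

```python
TYPE_A, TYPE_CNAME = "A", "CNAME"

def chase_cnames(qname, qtype, answer):
    """Walk the CNAME chain in one ANSWER section, starting at qname.

    Returns (final_rdata, next_name): final_rdata holds the qtype records
    found at the end of the chain; next_name is the name the client still
    has to query itself when the answer stops at a CNAME. Records whose
    owner is never reached from qname are ignored, so unrelated data in
    the same message cannot be mistaken for an answer.
    """
    by_owner = {}
    for owner, rtype, rdata in answer:
        by_owner.setdefault(owner.lower().rstrip("."), []).append((rtype, rdata))
    current, seen = qname.lower().rstrip("."), []
    while current not in seen:
        seen.append(current)
        rrs = by_owner.get(current, [])
        final = [rd for t, rd in rrs if t == qtype]
        if final:
            return final, None
        cnames = [rd for t, rd in rrs if t == TYPE_CNAME]
        if len(cnames) != 1:
            # Either no CNAME here (the chain stops) or an illegal CNAME RRset
            # with several records; in both cases the client must query this name.
            return [], current
        current = cnames[0].lower().rstrip(".")
    raise ValueError("CNAME loop in answer: " + " -> ".join(seen + [current]))

def needs_followup(qname, qtype, answer):
    """True when a second (non-recursive) query is needed to finish resolving qname."""
    _final, pending = chase_cnames(qname, qtype, answer)
    return pending is not None

# Constructed answers mirroring the two dig +norecurse outputs quoted in the thread.
ANSWER_916 = [("spectrum.cern.ch.", TYPE_CNAME, "spectrum-lb.cern.ch.")]
ANSWER_911 = [("spectrum.cern.ch.", TYPE_CNAME, "spectrum-lb.cern.ch."),
              ("spectrum-lb.cern.ch.", TYPE_A, "xxx.xxx.xx.140")]

if __name__ == "__main__":
    for label, ans in (("9.16-style", ANSWER_916), ("9.11-style", ANSWER_911)):
        final, pending = chase_cnames("spectrum.cern.ch", TYPE_A, ans)
        print(label, "->", final or f"query {pending} next")
```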
<div class="moz-cite-prefix">On 28/10/22 01:28, Veronique Lefebure
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:65922700.81707.1666873690602@cernmail.cern.ch">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="UTF-8">
<div> Well, </div>
<div class="default-style"> <br>
</div>
<div class="default-style"> So here are a bit more details. </div>
<div class="default-style"> Sorry, I cannot take an example with a
DNS server accessible to you (*) because they have all been
upgraded to 9.16. </div>
<div class="default-style"> <br>
</div>
<div class="default-style"> The .cern.ch contains: </div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <span style="font-family:
"courier new", courier;">spectrum-lb IN NS
ip-dns-1.cern.ch.</span> <br>
<span style="font-family: "courier new", courier;">spectrum-lb
IN NS ip-dns-2.cern.ch.</span> <br>
<span style="font-family: "courier new", courier;">spectrum
IN CNAME spectrum-lb.cern.ch.</span> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> and </div>
<div class="default-style"> <br>
</div>
<div class="default-style"> spectrum-lb.cern.ch contains: </div>
<div class="default-style"> <br>
<span style="font-family: "courier new", courier;">$ORIGIN
.</span> <br>
<span style="font-family: "courier new", courier;">$TTL
60 ; 1 minute</span> <br>
<span style="font-family: "courier new", courier;">spectrum-lb.cern.ch
IN SOA ip-dns-1.cern.ch. internal-dns.cern.ch. (</span> <br>
<span style="font-family: "courier new", courier;">273
; serial</span> <br>
<span style="font-family: "courier new", courier;">3600
; refresh (1 hour)</span> <br>
<span style="font-family: "courier new", courier;">300
; retry (5 minutes)</span> <br>
<span style="font-family: "courier new", courier;">3600000
; expire (5 weeks 6 days 16 hours)</span> <br>
<span style="font-family: "courier new", courier;">60
; minimum (1 minute)</span> <br>
<span style="font-family: "courier new", courier;">)</span>
<br>
<span style="font-family: "courier new", courier;">NS
ip-dns-1.cern.ch.</span> <br>
<span style="font-family: "courier new", courier;">NS
ip-dns-2.cern.ch.</span> <br>
<span style="font-family: "courier new", courier;">A
xxx.xxx.xx.140</span> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> named configuration file is identical
between 9.11 and 9.16 except for the following options that we
have added for 9.16: </div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <span style="font-family:
"courier new", courier;"> #BIND916 options</span> <br>
<span style="font-family: "courier new", courier;">qname-minimization
disabled;</span> <br>
<span style="font-family: "courier new", courier;">stale-answer-enable
no;</span> <br>
<span style="font-family: "courier new", courier;">stale-refresh-time
0; #default is 30</span> <br>
<span style="font-family: "courier new", courier;">max-stale-ttl
1w;</span> <br>
<span style="font-family: "courier new", courier;">dnssec-policy
none;</span> <br>
<span style="font-family: "courier new", courier;">synth-from-dnssec
no;</span> <br>
<span style="font-family: "courier new", courier;">min-cache-ttl
0;</span> <br>
<span style="font-family: "courier new", courier;">min-ncache-ttl
0;</span> <br>
<span style="font-family: "courier new", courier;">minimal-responses
no;</span> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style">
<div class="default-style"> (*) On an external DNS server you
can try with the following similar case: </div>
<div class="default-style"> <br>
</div>
<div class="default-style"> Running DiG 9.11.21 on a linux
client </div>
<div class="default-style"> </div>
<div class="default-style"> ext-dns-1 (<span style="font-family:
'courier new', courier;">192.65.187.5) </span>runs
BIND9.16: </div>
<div class="default-style"> </div>
<div class="default-style"> <span style="font-family:
"courier new", courier;">dig @ext-dns-1
foundservices.cern.ch | grep flags | grep ANSWER</span> <br>
<span style="font-family: "courier new", courier;">;;
flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0,
ADDITIONAL: 1</span> <br>
</div>
<div class="default-style"> </div>
<div class="default-style"> <span style="font-family:
"courier new", courier;">dig @ext-dns-1
foundservices.cern.ch <strong>+norecurse</strong> | grep
flags | grep ANSWER</span> <br>
<span style="font-family: "courier new", courier;">;;
flags: qr aa ra; QUERY: 1, ANSWER: <span style="color:
rgb(255, 0, 0);"><strong>1</strong></span>, AUTHORITY: 0,
ADDITIONAL: 1</span> <br>
</div>
<div class="default-style"> </div>
<div class="default-style"> </div>
<div class="default-style"> <span style="font-family: arial,
helvetica, sans-serif;">Full output:</span> </div>
<div class="default-style"> </div>
<div class="default-style">
<div class="default-style"> <span style="font-family:
"courier new", courier;">dig @192.65.187.5
foundservices.cern.ch +norecurse</span> </div>
<div class="default-style"> <span style="font-family:
"courier new", courier;">; <<>> DiG
9.11.21 <<>> @192.65.187.5
foundservices.cern.ch +norecurse</span> <br>
<span style="font-family: "courier new", courier;">;
(1 server found)</span> <br>
<span style="font-family: "courier new", courier;">;;
global options: +cmd</span> <br>
<span style="font-family: "courier new", courier;">;;
Got answer:</span> <br>
<span style="font-family: "courier new", courier;">;;
->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 9899</span> <br>
<span style="font-family: "courier new", courier;">;;
flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 1</span> </div>
<div class="default-style"> <span style="font-family:
"courier new", courier;">;; OPT PSEUDOSECTION:</span>
<br>
<span style="font-family: "courier new", courier;">;
EDNS: version: 0, flags:; udp: 1232</span> <br>
<span style="font-family: "courier new", courier;">;
COOKIE: 8786b980a1a80a7901000000635a7898a512a21aa6138faf
(good)</span> <br>
<span style="font-family: "courier new", courier;">;;
QUESTION SECTION:</span> <br>
<span style="font-family: "courier new", courier;">;foundservices.cern.ch.
IN A</span> </div>
<div class="default-style"> <span style="font-family:
"courier new", courier;">;; ANSWER SECTION:</span>
<br>
<span style="font-family: "courier new", courier;">foundservices.cern.ch.
900 IN CNAME db-lb-1234.cern.ch.</span> </div>
<div class="default-style"> <span style="font-family:
"courier new", courier;">;; Query time: 2 msec</span>
<br>
<span style="font-family: "courier new", courier;">;;
SERVER: 192.65.187.5#53(192.65.187.5)</span> <br>
<span style="font-family: "courier new", courier;">;;
WHEN: Thu Oct 27 14:24:56 CEST 2022</span> <br>
<span style="font-family: "courier new", courier;">;;
MSG SIZE rcvd: 103</span> <br>
</div>
</div>
<div class="default-style"> </div>
<div class="default-style"> </div>
<div class="default-style"> ip-dns-0 runs BIND9.11: </div>
<div class="default-style"> </div>
<div class="default-style"> <span style="font-family:
"courier new", courier;">dig @ip-dns-0
foundservices.cern.ch | grep flags | grep ANSWER</span> <br>
<span style="font-family: "courier new", courier;">;;
flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2,
ADDITIONAL: 4</span> <br>
</div>
<div class="default-style"> </div>
<div class="default-style"> <span style="font-family:
"courier new", courier;">dig @ip-dns-0
foundservices.cern.ch <strong>+norecurse</strong> | grep
flags | grep ANSWER</span> <br>
<span style="font-family: "courier new", courier;">;;
flags: qr aa; QUERY: 1, ANSWER:<span style="color: rgb(255,
0, 0);"> <strong>2</strong></span>, AUTHORITY: 2,
ADDITIONAL: 4</span> <br>
</div>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> Does that help? </div>
<div class="default-style"> <br>
</div>
<div class="default-style"> Greg, can I send you a pcap file in a
private email? </div>
<div class="default-style"> <br>
</div>
<div class="default-style"> <br>
</div>
<div class="default-style"> Thanks, </div>
<div class="default-style"> Veronique </div>
<blockquote type="cite">
<div> On 27/10/2022 10:09 Greg Choules
<a class="moz-txt-link-rfc2396E" href="mailto:gregchoules+bindusers@googlemail.com"><gregchoules+bindusers@googlemail.com></a> wrote: </div>
<div> <br>
</div>
<div> <br>
</div>
<div dir="ltr"> Hi Veronique.
<div> No, we cannot easily reproduce this behaviour because we
have no knowledge of the configs of either of those servers,
the details of the zones you have configured, the contents
of those zones or of the system on which you are running the
dig command. <br>
<div> <br>
</div>
<div> As I said, we need to see everything please: </div>
<div> - Full digs, not +short </div>
<div> - you have specified @ip-dns0 and @ip-dns1 - the full
configs of both of those servers please, including zone
definitions and contents for where "<a target="_blank"
href="http://spectrum.cern.ch/" rel="noopener"
moz-do-not-send="true">spectrum.cern.ch</a>" lives as it
is not a name that can be resolved from the public
Internet </div>
<div> - a binary pcap file, using the -w option of tcpdump,
capturing all port 53 traffic (UDP and TCP) between this
machine and both DNS servers. </div>
<div> <br>
</div>
<div> By the way, when using the @<server> option of
dig please use explicit IP addresses, not names. If you
use a name, then dig first has to resolve that name and
the place it will go to do that is resolv.conf. So it is
now dependent on your system DNS setup to get an IP
address to send the dig to. </div>
<div> Also, you have specified @<simple_host_name>
not @<FQDN>. This suggests to me that in resolv.conf
you have a 'search' list. Personally I don't like search
lists because they potentially increase the workload of
the DNS system generally, lengthen query times and mean
that you can't be sure exactly where an answer came from.
</div>
<div> <br>
</div>
<div> Thanks, Greg <br>
<a class="gmail_plusreply" moz-do-not-send="true"><br>
</a> </div>
</div>
</div>
<br>
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr"> On Thu, 27 Oct 2022 at
08:08, Veronique Lefebure <<a target="_blank"
href="mailto:veronique.lefebure@cern.ch" rel="noopener"
moz-do-not-send="true" class="moz-txt-link-freetext">veronique.lefebure@cern.ch</a>>
wrote: <br>
</div>
<blockquote>
<div>
<div> Hi all, </div>
<div> <br>
</div>
<div> yes, here is a concrete example: </div>
<div> <br>
</div>
<div> # ip-dns-1 runs BIND 9.16.33: </div>
<div> <br>
</div>
<div> dig @ip-dns-1 <a target="_blank"
href="http://spectrum.cern.ch" rel="noopener"
moz-do-not-send="true">spectrum.cern.ch</a> +short
+norecurse <br>
<a target="_blank" href="http://spectrum-lb.cern.ch"
rel="noopener" moz-do-not-send="true">spectrum-lb.cern.ch</a>.
<------------- Here we get only the CNAME <br>
</div>
<div> <br>
</div>
<div> # ip-dns-0 runs BIND 9.11: </div>
<div> <br>
</div>
<div> dig @ip-dns-0 <a target="_blank"
href="http://spectrum.cern.ch" rel="noopener"
moz-do-not-send="true">spectrum.cern.ch</a> +short
+norecurse <br>
<a target="_blank" href="http://spectrum-lb.cern.ch"
rel="noopener" moz-do-not-send="true">spectrum-lb.cern.ch</a>.
<br>
xxx.xxx.xx.140 <-------- Here we get in
addition the IP of <a target="_blank"
href="http://spectrum-lb.cern.ch" rel="noopener"
moz-do-not-send="true">spectrum-lb.cern.ch</a>. <br>
</div>
<div> <br>
</div>
<div> <br>
</div>
<div> And yes, a capture indeed confirms that dig
returns less information when the BIND 9.16.33 DNS
server is used. </div>
<div> <br>
</div>
<div> I guess you can easily reproduce that behaviour,
unless it is due to a mis-configuration bit on our DNS
server? </div>
<div> <br>
</div>
<div> Thanks, </div>
<div> Véronique </div>
<div> <br>
</div>
<blockquote type="cite">
<div> On 26/10/2022 21:04 Greg Choules <<a
target="_blank"
href="mailto:gregchoules%2Bbindusers@googlemail.com"
rel="noopener" moz-do-not-send="true">gregchoules+bindusers@googlemail.com</a>>
wrote: </div>
<div> <br>
</div>
<div> <br>
</div>
<div dir="ltr"> Hi Veronique.
<div> As other people have said, more details please.
</div>
<div> <br>
</div>
<div> To have a complete picture of what is going on,
not only would we need to know what your dig tests
look like, but also where dig is sending its queries
and how that DNS server is configured. </div>
<div> <br>
</div>
<div> You can tell dig to send queries anywhere,
using @<server>. However, if you don't use
that it will default to using the nameservers in
/etc/resolv.conf. So it may be useful to see the
contents of that. </div>
<div> <br>
</div>
<div> Wherever dig is sending its queries, we would
need to know what that server will do with them. So
its configuration would also be useful. </div>
<div> <br>
</div>
<div> Lastly, the best way to see queries and
responses, right down to the nuts and bolts, is with
a packet capture. <br>
</div>
<div> <br>
</div>
<div>
<div> You thought this was an easy question, huh ;)
</div>
<div> <br>
</div>
Can you provide at least some of these things, to
get started? </div>
<div> <br>
</div>
<div> Cheers, Greg </div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr"> On Wed, 26 Oct 2022
at 16:41, Veronique Lefebure <<a target="_blank"
href="mailto:veronique.lefebure@cern.ch"
rel="noopener" moz-do-not-send="true"
class="moz-txt-link-freetext">veronique.lefebure@cern.ch</a>>
wrote: <br>
</div>
<blockquote>
<div>
<div> Hi, </div>
<div> <br>
</div>
<div> dig answer is different between BIND 9.11
and BIND 9.16(.33) when +norecurse option is
used. </div>
<div> Is this documented somewhere? </div>
<div> <br>
</div>
<div> Is there an option that needs to be set so
that the behaviour of 9.16 is the same as the
one in 9.11? </div>
<div> <br>
</div>
<div> The change is that with 9.16, if the
requested name is a CNAME, only the CNAME value
is returned by dig, while with 9.11 dig would
return both the CNAME value and the IP of the
CNAME. </div>
<div> <br>
</div>
<div> Thanks, </div>
<div> Veronique </div>
</div>
-- <br>
Visit <a target="_blank"
href="https://lists.isc.org/mailman/listinfo/bind-users"
rel="noopener" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list <br>
<br>
ISC funds the development of this software with paid
support subscriptions. Contact us at <a
target="_blank"
href="https://www.isc.org/contact/" rel="noopener"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://www.isc.org/contact/</a>
for more information. <br>
<br>
<br>
bind-users mailing list <br>
<a target="_blank"
href="mailto:bind-users@lists.isc.org"
rel="noopener" moz-do-not-send="true"
class="moz-txt-link-freetext">bind-users@lists.isc.org</a>
<br>
<a target="_blank"
href="https://lists.isc.org/mailman/listinfo/bind-users"
rel="noopener" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.isc.org/mailman/listinfo/bind-users</a>
<br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
</blockquote>
</body>
</html>