BIND 8.2.1 not handling NXDOMAIN as per auth-nxdomain?

Greg A. Woods woods at most.weird.com
Mon Aug 30 06:20:10 UTC 1999


I was just trying out the "new" version (990701) of 'host' with
BIND-8.2.1.  The client system is NetBSD-1.3I (-current as of
approximately Dec. 21, 1998) and I used BIND-8.2.1's -lbind (and the
correct headers too, of course!) to build 'host'.  It turns out though
that 'host' is not the problem -- named is.

What I'm seeing is that with a freshly started named only the very
first query (or sometimes the second query, oddly enough) for a
non-existent RR has the authority flag set in the reply.  Subsequent
replies do not have the authority flag set.

This also happens even if the local server has a "stub" zone declared
for the zone in question.  Luckily they do not happen if the server is
indeed authoritative (either master or slave) for the zone!

So far as I can tell (at least without actually going to the trouble of
running named under a debugger) I have *not* turned off the
"auth-nxdomain" option either.  I certainly don't have it mentioned in
my named.conf, nor have I made any changes to the source code.

So far I don't see any mention of any changes related to this in
the 8.2.2-t2b, nor does any quick attempt to look at the code reveal any
obvious problem to my eye.

Here's an example where the local server times out during the first
query (it did say it was ready to answer, but the remote auth server is
quite some distance away), then answers as expected on the second
attempt, and finally fails to set the 'aa' flag on any subsequent
replies.


01:13 [234] $ ./host -d -t ptr 4.204.167.207.in-addr.arpa            
;; res_nmkquery(QUERY, 4.204.167.207.in-addr.arpa, IN, PTR)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4235
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; Querying server (# 1) address = 204.92.254.15
;; timeout
;; Querying server (# 2) address = 204.92.254.2
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;;      4.204.167.207.in-addr.arpa, type = PTR, class = IN
204.167.207.in-addr.arpa.  59m51s IN SOA  ns.tvo.org. online.tvo.org. (
                                        1999080401      ; serial
                                        1H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        2H )            ; minimum

;; Query failed, 0 answers, status: non-existent domain
4.204.167.207.in-addr.arpa does not exist, try again

01:14 [235] $ ./host -d -t ptr 4.204.167.207.in-addr.arpa 
;; res_nmkquery(QUERY, 4.204.167.207.in-addr.arpa, IN, PTR)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4236
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; Querying server (# 1) address = 204.92.254.15
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4236
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;;      4.204.167.207.in-addr.arpa, type = PTR, class = IN
204.167.207.in-addr.arpa.  2H IN SOA  ns.tvo.org. online.tvo.org. (
                                        1999080401      ; serial
                                        1H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        2H )            ; minimum

;; Query failed, 0 answers, authoritative status: non-existent domain
4.204.167.207.in-addr.arpa does not exist (Authoritative answer)

01:14 [236] $ ./host -d -t ptr 4.204.167.207.in-addr.arpa 
;; res_nmkquery(QUERY, 4.204.167.207.in-addr.arpa, IN, PTR)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4237
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; Querying server (# 1) address = 204.92.254.15
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4237
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;;      4.204.167.207.in-addr.arpa, type = PTR, class = IN
204.167.207.in-addr.arpa.  1h59m49s IN SOA  ns.tvo.org. online.tvo.org. (
                                        1999080401      ; serial
                                        1H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        2H )            ; minimum

;; Query failed, 0 answers, status: non-existent domain
4.204.167.207.in-addr.arpa does not exist, try again

01:14 [237] $ ./host -d -t ptr 4.204.167.207.in-addr.arpa 
;; res_nmkquery(QUERY, 4.204.167.207.in-addr.arpa, IN, PTR)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4238
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; Querying server (# 1) address = 204.92.254.15
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4238
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;;      4.204.167.207.in-addr.arpa, type = PTR, class = IN
204.167.207.in-addr.arpa.  1h59m47s IN SOA  ns.tvo.org. online.tvo.org. (
                                        1999080401      ; serial
                                        1H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        2H )            ; minimum

;; Query failed, 0 answers, status: non-existent domain
4.204.167.207.in-addr.arpa does not exist, try again


At this point any further queries, even after waiting 15 minutes,
continue to return a non-auth NXDOMAIN.

After doing a short "scan" of the zone a named_dump.db contains:

$ORIGIN 204.167.207.in-addr.arpa.
;6      7182    IN      SOA     ns.tvo.org. online.tvo.org. (
;               1999080401 3600 900 604800 7200 );204.167.207.in-addr.arpa.;NXDOMAIN    ;-$     ;Cr=auth [206.235.86.11]
;7      7186    IN      SOA     ns.tvo.org. online.tvo.org. (
;               1999080401 3600 900 604800 7200 );204.167.207.IN-ADDR.ARPA.;NXDOMAIN    ;-$     ;Cr=auth [207.167.204.59]
;8      7192    IN      SOA     ns.tvo.org. online.tvo.org. (
;               1999080401 3600 900 604800 7200 );204.167.207.in-addr.arpa.;NXDOMAIN    ;-$     ;Cr=auth [206.235.86.11]
;9      7198    IN      SOA     ns.tvo.org. online.tvo.org. (
;               1999080401 3600 900 604800 7200 );204.167.207.IN-ADDR.ARPA.;NXDOMAIN    ;-$     ;Cr=auth [207.167.204.59]
1       7150    IN      PTR     onyx.tvo.org.   ;Cr=auth [206.235.86.12]
;2      7159    IN      SOA     ns.tvo.org. online.tvo.org. (
;               1999080401 3600 900 604800 7200 );204.167.207.in-addr.arpa.;NXDOMAIN    ;-$     ;Cr=auth [206.235.86.11]
;3      7169    IN      SOA     ns.tvo.org. online.tvo.org. (
;               1999080401 3600 900 604800 7200 );204.167.207.IN-ADDR.ARPA.;NXDOMAIN    ;-$     ;Cr=auth [207.167.204.59]
;4      5619    IN      SOA     ns.tvo.org. online.tvo.org. (
;               1999080401 3600 900 604800 7200 );204.167.207.in-addr.arpa.;NXDOMAIN    ;-$     ;Cr=auth [206.235.86.11]
5       7177    IN      PTR     tube.tvontario.org.     ;Cr=auth [207.167.204.59]


These examples happen to be of PTR records in a reverse zone, but
there's nothing really unique about them -- the same error seems to
happen with forward zones too (in this case the server being queried has
a stub zone declared for "weird.com" and the resolver code is the old
original NetBSD 1.3.3 one thus the less informative debug output):

02:06 [40] $ host -d -a furby.weird.com
;; Query failed, 0 answers, authoritative status: non-existent domain
furby.weird.com does not exist (Authoritative answer)

02:07 [41] $ host -d -a furby.weird.com 
;; Query failed, 0 answers, status: non-existent domain
furby.weird.com does not exist, try again

02:07 [42] $ host -d -a furby.weird.com 
;; Query failed, 0 answers, status: non-existent domain
furby.weird.com does not exist, try again



-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>      <robohack!woods>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>
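
Added example (not part of the original message, and not BIND or 'host' code): the 'aa' flag that the transcript shows appearing and disappearing is bit 10 of the 16-bit flags word in the DNS header (RFC 1035, section 4.1.1). The sketch below decodes that header and reports where consecutive NXDOMAIN replies disagree on 'aa'; the helper names and the sample packets are constructed here to mirror message ids 4235-4238 above.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_header(msg_id, *, qr=0, aa=0, rd=0, ra=0, rcode=0, qd=1, an=0, ns=0, ar=0):
    """Pack a 12-byte DNS header; only used to construct the sample replies."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | rcode
    return struct.pack("!6H", msg_id, flags, qd, an, ns, ar)

def parse_header(packet):
    """Decode id, flag bits, rcode and section counts from a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    rcode = flags & 0x000F
    return {
        "id": msg_id,
        "qr": bool(flags & 0x8000),   # response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(rcode, str(rcode)),
        "counts": (qd, an, ns, ar),
    }

def aa_flips(packets):
    """List (id, previous_aa, current_aa) wherever successive NXDOMAIN replies differ."""
    flips, prev = [], None
    for pkt in packets:
        h = parse_header(pkt)
        if not h["qr"] or h["rcode"] != "NXDOMAIN":
            continue  # ignore queries and non-NXDOMAIN responses
        if prev is not None and h["aa"] != prev:
            flips.append((h["id"], prev, h["aa"]))
        prev = h["aa"]
    return flips

# Constructed headers matching the flags shown for the four replies above.
SAMPLES = [
    build_header(4235, qr=1, rd=1, ra=1, rcode=3, ns=1),
    build_header(4236, qr=1, aa=1, rd=1, ra=1, rcode=3, ns=1),
    build_header(4237, qr=1, rd=1, ra=1, rcode=3, ns=1),
    build_header(4238, qr=1, rd=1, ra=1, rcode=3, ns=1),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        h = parse_header(pkt)
        print(h["id"], h["rcode"], "aa" if h["aa"] else "non-auth")
    print(aa_flips(SAMPLES))
```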

