BIND 8.2.1 not handling NXDOMAIN as per auth-nxdomain?
Greg A. Woods
woods at most.weird.com
Mon Aug 30 06:20:10 UTC 1999
I was just trying out the "new" (990701) version of 'host' with
BIND-8.2.1. The client system is NetBSD-1.3I (-current as of
approximately Dec. 21, 1998) and I used BIND-8.2.1's -lbind (and the
correct headers too, of course!) to build 'host'. It turns out though
that 'host' is not the problem -- named is.
What I'm seeing is that with a freshly started named only the very
first query (or sometimes the second query, oddly enough) for a
non-existent RR has the authority flag set in the reply. Subsequent
replies do not have the authority flag set.
This also happens even if the local server has a "stub" zone declared
for the zone in question. Luckily it does not happen if the server is
indeed authoritative (either master or slave) for the zone!
So far as I can tell (at least without actually going to the trouble of
running named under a debugger) I have *not* turned off the
"auth-nxdomain" option either. I certainly don't have it mentioned in
my named.conf, nor have I made any changes to the source code.
So far I don't see any mention of any changes related to this in
the 8.2.2-t2b, nor does any quick attempt to look at the code reveal any
obvious problem to my eye.
Here's an example where the local server times out during the first
query (it did say it was ready to answer, but the remote auth server is
quite some distance away), then answers as expected on the second
attempt, and finally fails to set the 'aa' flag on any subsequent
replies.
01:13 [234] $ ./host -d -t ptr 4.204.167.207.in-addr.arpa
;; res_nmkquery(QUERY, 4.204.167.207.in-addr.arpa, IN, PTR)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4235
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; Querying server (# 1) address = 204.92.254.15
;; timeout
;; Querying server (# 2) address = 204.92.254.2
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
204.167.207.in-addr.arpa. 59m51s IN SOA ns.tvo.org. online.tvo.org. (
1999080401 ; serial
1H ; refresh
15M ; retry
1W ; expiry
2H ) ; minimum
;; Query failed, 0 answers, status: non-existent domain
4.204.167.207.in-addr.arpa does not exist, try again
01:14 [235] $ ./host -d -t ptr 4.204.167.207.in-addr.arpa
;; res_nmkquery(QUERY, 4.204.167.207.in-addr.arpa, IN, PTR)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4236
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; Querying server (# 1) address = 204.92.254.15
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4236
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
204.167.207.in-addr.arpa. 2H IN SOA ns.tvo.org. online.tvo.org. (
1999080401 ; serial
1H ; refresh
15M ; retry
1W ; expiry
2H ) ; minimum
;; Query failed, 0 answers, authoritative status: non-existent domain
4.204.167.207.in-addr.arpa does not exist (Authoritative answer)
01:14 [236] $ ./host -d -t ptr 4.204.167.207.in-addr.arpa
;; res_nmkquery(QUERY, 4.204.167.207.in-addr.arpa, IN, PTR)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4237
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; Querying server (# 1) address = 204.92.254.15
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4237
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
204.167.207.in-addr.arpa. 1h59m49s IN SOA ns.tvo.org. online.tvo.org. (
1999080401 ; serial
1H ; refresh
15M ; retry
1W ; expiry
2H ) ; minimum
;; Query failed, 0 answers, status: non-existent domain
4.204.167.207.in-addr.arpa does not exist, try again
01:14 [237] $ ./host -d -t ptr 4.204.167.207.in-addr.arpa
;; res_nmkquery(QUERY, 4.204.167.207.in-addr.arpa, IN, PTR)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4238
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; Querying server (# 1) address = 204.92.254.15
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4238
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
204.167.207.in-addr.arpa. 1h59m47s IN SOA ns.tvo.org. online.tvo.org. (
1999080401 ; serial
1H ; refresh
15M ; retry
1W ; expiry
2H ) ; minimum
;; Query failed, 0 answers, status: non-existent domain
4.204.167.207.in-addr.arpa does not exist, try again
At this point any further queries, even after waiting 15 minutes,
continue to return a non-auth NXDOMAIN.
After doing a short "scan" of the zone a named_dump.db contains:
$ORIGIN 204.167.207.in-addr.arpa.
;6 7182 IN SOA ns.tvo.org. online.tvo.org. (
; 1999080401 3600 900 604800 7200 );204.167.207.in-addr.arpa.;NXDOMAIN ;-$ ;Cr=auth [206.235.86.11]
;7 7186 IN SOA ns.tvo.org. online.tvo.org. (
; 1999080401 3600 900 604800 7200 );204.167.207.IN-ADDR.ARPA.;NXDOMAIN ;-$ ;Cr=auth [207.167.204.59]
;8 7192 IN SOA ns.tvo.org. online.tvo.org. (
; 1999080401 3600 900 604800 7200 );204.167.207.in-addr.arpa.;NXDOMAIN ;-$ ;Cr=auth [206.235.86.11]
;9 7198 IN SOA ns.tvo.org. online.tvo.org. (
; 1999080401 3600 900 604800 7200 );204.167.207.IN-ADDR.ARPA.;NXDOMAIN ;-$ ;Cr=auth [207.167.204.59]
1 7150 IN PTR onyx.tvo.org. ;Cr=auth [206.235.86.12]
;2 7159 IN SOA ns.tvo.org. online.tvo.org. (
; 1999080401 3600 900 604800 7200 );204.167.207.in-addr.arpa.;NXDOMAIN ;-$ ;Cr=auth [206.235.86.11]
;3 7169 IN SOA ns.tvo.org. online.tvo.org. (
; 1999080401 3600 900 604800 7200 );204.167.207.IN-ADDR.ARPA.;NXDOMAIN ;-$ ;Cr=auth [207.167.204.59]
;4 5619 IN SOA ns.tvo.org. online.tvo.org. (
; 1999080401 3600 900 604800 7200 );204.167.207.in-addr.arpa.;NXDOMAIN ;-$ ;Cr=auth [206.235.86.11]
5 7177 IN PTR tube.tvontario.org. ;Cr=auth [207.167.204.59]
These examples happen to be of PTR records in a reverse zone, but
there's nothing really unique about them -- the same error seems to
happen with forward zones too (in this case the server being queried has
a stub zone declared for "weird.com" and the resolver code is the old
original NetBSD 1.3.3 one thus the less informative debug output):
02:06 [40] $ host -d -a furby.weird.com
;; Query failed, 0 answers, authoritative status: non-existent domain
furby.weird.com does not exist (Authoritative answer)
02:07 [41] $ host -d -a furby.weird.com
;; Query failed, 0 answers, status: non-existent domain
furby.weird.com does not exist, try again
02:07 [42] $ host -d -a furby.weird.com
;; Query failed, 0 answers, status: non-existent domain
furby.weird.com does not exist, try again
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods at acm.org> <robohack!woods>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>
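A mechanical check for the symptom reported in this message, added here as an example (it is not part of the original post nor of BIND): it parses the ";;" debug lines that 'host -d' prints, using a constructed excerpt of the transcript above as input, and lists the names for which the same server answered NXDOMAIN both with and without the 'aa' flag.

```python
import re
from collections import defaultdict

# Constructed excerpt of the 'host -d' transcript quoted above: the outgoing query
# (flags 'rd', no 'qr') plus three NXDOMAIN replies, only one of which carries 'aa'.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4235
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4236
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4237
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; 4.204.167.207.in-addr.arpa, type = PTR, class = IN
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)$")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*); QUERY: \d+, ANSWER: \d+, AUTHORITY: (\d+), ADDITIONAL: \d+$")
QUESTION_RE = re.compile(r"^;; (\S+), type = (\w+), class = (\w+)$")

def parse_host_debug(text):
    """One dict per DNS message (outgoing query or reply) found in the debug output."""
    msgs = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            msgs.append({"opcode": m[1], "status": m[2], "id": int(m[3]), "flags": set()})
        elif (m := FLAGS_RE.match(line)) and msgs:
            msgs[-1]["flags"] = set(m[1].split())
            msgs[-1]["authority"] = int(m[2])
        elif (m := QUESTION_RE.match(line)) and msgs:
            msgs[-1]["qname"], msgs[-1]["qtype"] = m[1], m[2]
    return msgs

def nxdomain_aa_summary(msgs):
    """Per (qname, qtype): (replies with 'aa', replies without) among NXDOMAIN replies."""
    counts = defaultdict(lambda: [0, 0])
    for msg in msgs:
        if "qr" not in msg["flags"] or msg["status"] != "NXDOMAIN":
            continue  # outgoing queries and positive answers are irrelevant here
        counts[(msg["qname"], msg["qtype"])][0 if "aa" in msg["flags"] else 1] += 1
    return {key: tuple(pair) for key, pair in counts.items()}

def inconsistent_nxdomain(msgs):
    """Names for which the same resolver returned NXDOMAIN both with and without 'aa'."""
    return sorted(k for k, (with_aa, no_aa) in nxdomain_aa_summary(msgs).items() if with_aa and no_aa)
```

Feeding it the complete transcript of a session (rather than this excerpt) gives the count of authoritative versus non-authoritative negative replies per name, which is the figure to compare against the auth-nxdomain setting in named.conf.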