incorrect NXDOMAIN response from DNS server
the issue was originally raised on 6bone@isi.edu.

there are name server implementations (probably load balancing product) that respond with NXDOMAIN, when they should respond with NOERROR with empty reply. one example is news.bbc.co.uk. this symptom not only confuses IPv6-ready client resolvers, but also has bad effect against negative caching and email delivery (if MX is responded with NODOMAIN).

do you know:
- name of particular implementation which has/had this bug?
- other examples of nameservers that behave like this? (windowsupdate.microsoft.com behaved like this in Feb 2002, but they are already fixed)
- how can we get people to fix it? (client side workaround should not be populated, just to be sure)

itojun

% dig news.bbc.co.uk. aaaa

; <<>> DiG 9.1.2 <<>> news.bbc.co.uk. aaaa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60945
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;news.bbc.co.uk. IN AAAA

;; ANSWER SECTION:
news.bbc.co.uk. 1770 IN CNAME newswww.bbc.net.uk.

;; Query time: 2362 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Thu Apr 25 11:25:45 2002
;; MSG SIZE rcvd: 62

% dig news.bbc.co.uk. a

; <<>> DiG 9.1.2 <<>> news.bbc.co.uk. a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11225
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;news.bbc.co.uk. IN A

;; ANSWER SECTION:
news.bbc.co.uk. 1761 IN CNAME newswww.bbc.net.uk.
newswww.bbc.net.uk. 300 IN A 212.58.240.33

;; AUTHORITY SECTION:
bbc.net.uk. 14360 IN NS ns0.thny.bbc.co.uk.
bbc.net.uk. 14360 IN NS ns0.thdo.bbc.co.uk.

;; ADDITIONAL SECTION:
ns0.thdo.bbc.co.uk. 6362 IN A 212.58.224.20
ns0.thny.bbc.co.uk. 6362 IN A 38.160.150.20

;; Query time: 2341 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Thu Apr 25 11:25:53 2002
;; MSG SIZE rcvd: 156
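An added example, not part of the original post: a check that flags the pattern in the two dig outputs above, where one name gets NXDOMAIN for one query type and NOERROR for another. The function names, the host/mail/gone.example names and the 192.0.2.1 address are constructed for illustration; the replies are built inline so the check runs offline.

```python
import struct

NOERROR, NXDOMAIN = 0, 3
QTYPE = {"A": 1, "MX": 15, "AAAA": 28}

def make_reply(name, qtype, rcode, rrs=()):  # builds the constructed samples below
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(rrs), 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\0" + struct.pack("!HH", QTYPE[qtype], 1) + b"".join(rrs)

def parse_reply(msg):
    """Return (qname, qtype, rcode) from the header and question of a reply."""
    if len(msg) < 17:  # 12-byte header + root label + QTYPE + QCLASS
        raise ValueError("too short for a DNS header plus question")
    _id, flags, qdcount = struct.unpack("!3H", msg[:6])
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question reply")
    labels, pos = [], 12
    while pos < len(msg) and msg[pos]:
        if msg[pos] & 0xC0:
            raise ValueError("compressed QNAME not supported")
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii").lower())
        pos += 1 + msg[pos]
    if len(msg) < pos + 5:
        raise ValueError("truncated question")
    (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    return ".".join(labels), qtype, flags & 0x000F

def inconsistent_nxdomain(replies):
    """Map each name that got NXDOMAIN for one type and NOERROR for another."""
    seen = {}
    for msg in replies:
        name, qtype, rcode = parse_reply(msg)
        seen.setdefault(name, {})[qtype] = rcode
    bad = {}
    for name, by_type in seen.items():
        nx = sorted(t for t, rc in by_type.items() if rc == NXDOMAIN)
        ok = sorted(t for t, rc in by_type.items() if rc == NOERROR)
        if nx and ok:  # NOERROR shows the name exists, so NXDOMAIN is wrong
            bad[name] = {"nxdomain": nx, "noerror": ok}
    return bad

# Constructed sample replies; the A record uses a compression pointer to the QNAME.
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLES = [
    make_reply("host.example", "AAAA", NXDOMAIN),  # the reply reported in this thread
    make_reply("host.example", "A", NOERROR, [A_RR]),
    *[make_reply("mail.example", t, NOERROR) for t in ("A", "AAAA")],   # correct empty replies
    *[make_reply("gone.example", t, NXDOMAIN) for t in ("A", "AAAA")],  # consistent NXDOMAIN
]
```

Calling `inconsistent_nxdomain(SAMPLES)` reports only host.example, with QTYPE 28 (AAAA) answered NXDOMAIN and QTYPE 1 (A) answered NOERROR.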
On Thu Apr 25, 2002 at 11:30:27AM +0900, Jun-ichiro itojun Hagino wrote:
> there are name server implementations (probably load balancing product) that respond with NXDOMAIN, when they should respond with NOERROR with empty reply. one example is news.bbc.co.uk.

Guilty as charged. Seems to only have been a problem since the deployment of IPv6

> do you know:
> - name of particular implementation which has/had this bug?

"BBC Intelligent Load Balancing DNS Server"

> - other examples of nameservers that behave like this? (windowsupdate.microsoft.com behaved like this in Feb 2002, but they are already fixed)

Oh, so it's not just us.

> - how can we get people to fix it? (client side workaround should not be populated, just to be sure)

Name and shame seems to work ;-)

I believe I have now fixed it. Please let me know if you think otherwise.

Simon
--
Simon Lockhart                      | Tel: +44 (0)1737 839676
Internet Engineering Manager        | Fax: +44 (0)1737 839516
BBC Internet Services               | Email: Simon.Lockhart@bbc.co.uk
Kingswood Warren,Tadworth,Surrey,UK | URL: http://support.bbc.co.uk/
>> do you know:
>> - name of particular implementation which has/had this bug?
>
> "BBC Intelligent Load Balancing DNS Server"

i heard that it was based on lbnamed 1.2. i have confirmed that lbnamed 1.2 distribution contains buggy sample config file (perl5/lbnamed.conf{,.example} in the distribution).

if any of you are running load balancing nameserver based on lbnamed 1.2, please fix it. thanks!

itojun
On Thu, 25 Apr 2002 11:30:27 +0900, Jun-ichiro itojun Hagino <itojun@itojun.org> said:
> there are name server implementations (probably load balancing product) that respond with NXDOMAIN, when they should respond with NOERROR with empty reply. one example is news.bbc.co.uk. this symptom not only confuses IPv6-ready client resolvers, but also has bad effect against negative caching and email delivery (if MX is responded with NODOMAIN).
>
> do you know:
> - name of particular implementation which has/had this bug?
> - other examples of nameservers that behave like this? (windowsupdate.microsoft.com behaved like this in Feb 2002, but they are already fixed)
> - how can we get people to fix it? (client side workaround should not be populated, just to be sure)

There are apparently several products that have this problem, some of which are sufficiently widely enough deployed that since Sendmail 8.11.3 or so, there has been a configure option 'WorkAroundBrokenAAAA' (available as a FFR in 8.11.3, and in the base code as of 8.12.0).

I am told by people who have tripped over this problem more often than I have that *early* releases of djbdns did this - but that it is fixed in anything resembling a current release so the "right" fix is getting the offender to upgrade his software (which is often futile...)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech