[dns-operations] Cname errors?

Robert Edmonds edmonds at mycre.ws
Wed Sep 30 17:22:55 UTC 2015


Paul Vixie wrote:
> since every one of these log messages corresponds to an outbound
> SERVFAIL, i'd like non-expert users to be able to correlate the failures
> they see in their web browsers to log file messages on their server.

Are you sure about that?  Given these records:

    156.38.89.in-addr.arpa. 172800  IN      NS      ns.alsys.ro.
    156.38.89.in-addr.arpa. 172800  IN      NS      router-civile.utcb.ro.
    156.38.89.in-addr.arpa. 172800  IN      NS      router-adm.utcb.ro.

    ns.alsys.ro.            86400   IN      AAAA    2a00:ff0::1
    ns.alsys.ro.            86400   IN      RP      gabi.alsys.ro. Net_Engineer.
    ns.alsys.ro.            86400   IN      HINFO   "Intel_Pentium" "Linux"
    ns.alsys.ro.            86400   IN      A       195.234.188.1
    ns.alsys.ro.            86400   IN      A       93.190.144.1

    router-civile.utcb.ro.  7200    IN      CNAME   ns2.utcb.ro.

    router-adm.utcb.ro.     7200    IN      CNAME   ns1.utcb.ro.

BIND generates an outbound SERVFAIL, because:

    30-Sep-2015 12:39:53.528 REFUSED unexpected RCODE resolving '169.156.38.89.in-addr.arpa/PTR/IN': 195.234.188.1#53
    30-Sep-2015 12:39:53.815 REFUSED unexpected RCODE resolving '169.156.38.89.in-addr.arpa/PTR/IN': 2a00:ff0::1#53
    30-Sep-2015 12:39:54.119 REFUSED unexpected RCODE resolving '169.156.38.89.in-addr.arpa/PTR/IN': 93.190.144.1#53
    30-Sep-2015 12:39:54.119 skipping nameserver 'router-adm.utcb.ro' because it is a CNAME, while resolving '169.156.38.89.in-addr.arpa/PTR'
    30-Sep-2015 12:39:54.119 skipping nameserver 'router-civile.utcb.ro' because it is a CNAME, while resolving '169.156.38.89.in-addr.arpa/PTR'

1) The three addresses for one of the nameservers, ns.alsys.ro, REFUSE'd
the query, and,

2) The other two nameservers, router-civile.utcb.ro and
router-adm.utcb.ro, are CNAMEs, which BIND refuses to follow.

If I understand correctly, the "skipping nameserver ... because it is a
CNAME" log message can be generated even if no SERVFAIL is eventually
generated.  That is, BIND appears to skip an NS *RR* if it points to a
CNAME, it doesn't skip the entire NS RRset.

-- 
Robert Edmonds
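
Added example, not part of the original message: a Python log-correlation sketch that groups the two BIND message types quoted above by query name and reports a delegation as exhausted only when every NS was skipped as a CNAME or had all of its addresses return an error. The `example.test` names, the 192.0.2.53 address and the last log line are constructed, and treating "exhausted" as the condition for an outbound SERVFAIL is an assumption drawn from the discussion above, not from BIND's source.

```python
import re
from collections import defaultdict

RCODE_RE = re.compile(r"(\w+) unexpected RCODE resolving '([^/']+)/\w+/\w+': (\S+)#\d+$")
CNAME_RE = re.compile(r"skipping nameserver '([^']+)' because it is a CNAME, "
                      r"while resolving '([^/']+)/\w+'$")

# The first five lines are the ones quoted in the message; the last is constructed.
LOG = """\
30-Sep-2015 12:39:53.528 REFUSED unexpected RCODE resolving '169.156.38.89.in-addr.arpa/PTR/IN': 195.234.188.1#53
30-Sep-2015 12:39:53.815 REFUSED unexpected RCODE resolving '169.156.38.89.in-addr.arpa/PTR/IN': 2a00:ff0::1#53
30-Sep-2015 12:39:54.119 REFUSED unexpected RCODE resolving '169.156.38.89.in-addr.arpa/PTR/IN': 93.190.144.1#53
30-Sep-2015 12:39:54.119 skipping nameserver 'router-adm.utcb.ro' because it is a CNAME, while resolving '169.156.38.89.in-addr.arpa/PTR'
30-Sep-2015 12:39:54.119 skipping nameserver 'router-civile.utcb.ro' because it is a CNAME, while resolving '169.156.38.89.in-addr.arpa/PTR'
30-Sep-2015 12:40:01.000 skipping nameserver 'ns-alias.example.test' because it is a CNAME, while resolving 'www.example.test/A'
""".splitlines()

# NS name -> known addresses (empty list for NS names that are CNAMEs).
PAGE_NS = {"ns.alsys.ro": ["195.234.188.1", "93.190.144.1", "2a00:ff0::1"],
           "router-civile.utcb.ro": [], "router-adm.utcb.ro": []}
CONSTRUCTED_NS = {"ns-alias.example.test": [], "ns1.example.test": ["192.0.2.53"]}

def summarize(lines):
    """Group resolver log messages by the query name they relate to."""
    out = defaultdict(lambda: {"cname_ns": set(), "failed_addrs": {}})
    for line in lines:
        line = line.strip()
        if m := RCODE_RE.search(line):
            rcode, qname, addr = m.groups()
            out[qname]["failed_addrs"][addr] = rcode
        elif m := CNAME_RE.search(line):
            ns, qname = m.groups()
            out[qname]["cname_ns"].add(ns)
    return dict(out)

def delegation_exhausted(ns_addrs, entry):
    """True only if every NS was skipped as a CNAME or had all addresses fail."""
    for ns, addrs in ns_addrs.items():
        if ns in entry["cname_ns"]:
            continue  # this one NS RR is unusable; the others may still answer
        if not addrs or any(a not in entry["failed_addrs"] for a in addrs):
            return False  # at least one server was not seen failing
    return True

if __name__ == "__main__":
    s = summarize(LOG)
    print(delegation_exhausted(PAGE_NS, s["169.156.38.89.in-addr.arpa"]))
    print(delegation_exhausted(CONSTRUCTED_NS, s["www.example.test"]))
```

The constructed `www.example.test` entry shows the case raised at the end of the message: a "skipping nameserver" line is logged, yet another NS in the RRset has no logged failure.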


