[dns-operations] Very strange DNS bug at Hurricane Electric

Mark Andrews marka at isc.org
Mon Mar 21 21:41:59 UTC 2016


In message <87vb4f92kg.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Stephane Bortzmeyer:
>
> > The authoritative name servers do reply, but only empty responses:
> >
> > % dig @216.218.130.2             NS he.net
> >
> > ; <<>> DiG 9.10.2-P2 <<>> @216.218.130.2 NS he.net
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42388
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 1680
> > ;; QUESTION SECTION:
> > ;he.net.                        IN NS
> >
> > ;; Query time: 162 msec
> > ;; SERVER: 216.218.130.2#53(216.218.130.2)
> > ;; WHEN: Mon Mar 21 17:23:29 CET 2016
> > ;; MSG SIZE  rcvd: 35
>
> This test is not valid for an authoritative server because you sent an
> RD=1 query.  The server appears to be subject to anycast, so maybe try
> again with +norecurse +nsid?

Absolute garbage.  If you don't offer recursion then all answers
should be generated as if the query had RD=0. Which is the case here
as RA is zero.  See RFC 1034.

If you do offer recursion then answers from authoritative zones
should still be returned independent of the RD state.

What gets difficult is if you offer recursion and you ask for
answers at or below the delegation point.  Named returns
answers from the cache if RD=1 and delegations if RD=0.

> The cause for such a response could be that the server tries to
> construct a response from existing cache contents, without performing
> recursion because the server configuration does not allow recursion
> for this particular client.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
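
An added example, not part of the original message or thread: a Python check that decodes a DNS response header and labels a NOERROR response with empty ANSWER and AUTHORITY sections according to the RA bit, following the reasoning in the reply above. The function names, labels and sample messages are assumptions constructed for illustration; the first sample reuses the header values from the quoted dig output.

```python
import struct

# Header flag bits, RFC 1035 section 4.1.1
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    h = {name: bool(flags & bit) for name, bit in
         (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA))}
    h.update(id=ident, rcode=flags & 0x000F, qd=qd, an=an, ns=ns, ar=ar)
    return h

def classify(msg: bytes) -> str:
    """Label a response to a query sent to an authoritative server."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["tc"]:
        return "truncated"
    if h["rcode"] != 0:
        return "rcode-%d" % h["rcode"]
    if h["an"]:
        return "answer"
    if h["ns"]:
        return "referral-or-nodata"
    # NOERROR with nothing in ANSWER or AUTHORITY.
    if not h["ra"]:
        # Recursion is not offered, so RD in the query does not explain it.
        return "empty-recursion-not-offered"
    return "empty-recursion-offered"

def sample(flags: int, an: int = 0, ns: int = 0) -> bytes:
    """Constructed message: header, question he.net/IN/NS, EDNS OPT record.
    Answer and authority records are omitted; only the header is inspected."""
    header = struct.pack("!6H", 42388, flags, 1, an, ns, 1)
    question = b"\x02he\x03net\x00" + struct.pack("!2H", 2, 1)  # NS, IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1680, 0x8000, 0)   # DO set
    return header + question + opt

# Same header values as the dig output quoted in the thread (qr rd, 0/0/1).
REPORTED = sample(QR | RD)
# Hypothetical well-formed case: authoritative answer with three records.
EXPECTED = sample(QR | AA | RD, an=3)

if __name__ == "__main__":
    for name, msg in (("reported", REPORTED), ("expected", EXPECTED)):
        print(name, len(msg), classify(msg))
```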
