[dns-operations] Command Line BIND Query to Delegating Name Servers Gives FORMERR - Is this Bad for Normal DNS Operations by Public Resolvers?

Petr Špaček pspacek at isc.org
Mon Sep 20 14:15:26 UTC 2021


Hi Jason,

I think you already answered yourself in your blog post:
https://kevinlocke.name/bits/2017/01/20/formerr-from-microsoft-dns-server-for-dig/

> This behavior appears to violate “Any OPTION-CODE values not
> understood by a responder or requestor MUST be ignored.” from Section
> 6.1.2 of RFC 6891, but that is of small consolation for a non-working
> system.

So yes, the authoritative server most likely has a bug.

How to approach the operation in question - that's a hard problem. You 
can either try various contacts you find, or you can send the name of the 
domain here and ask them to contact you off-list. For TLDs this method 
can work surprisingly well :-)

Good luck.
Petr Špaček

On 20. 09. 21 15:37, Jason Hynds wrote:
> Hi,
> 
> I hope that the following conforms to the content expected of this list.
> 
> 
> I stumbled on some /name servers/ (a branch of a ccTLD, performing a 
> public good service, as far as I know) which are giving a FORMat ERRor 
> (FORMERR) to default /dig/ queries from the command line as described in 
> the referenced webpage, see [1] below. The workaround of +nocookie 
> described in the blog allows for a successful query response. /Nslookup/ 
> queries work fine.
> 
> 
> I should mention that I have no administrative authority of the name 
> servers showing this condition. I just noticed the behaviour whilst 
> checking on a DNS hosting migration for a client of the name servers 
> exhibiting the behaviour.
> 
> 
> Would someone be able to advise me on:
> 
>  1. How bad it may be for an authoritative or delegating name server to
>     be exhibiting this behaviour?
>  2. Does this potentially cause a resolution outage, or would a BIND
>     server adjust and re-query in order to obtain a usable result?
>  3. Is the BIND server non-compliant, or the likely Microsoft DNS
>     non-compliant, to an RFC?
>  4. How would I explain such an issue to a name server operator who I do
>     not know?
> 
> 
> I appreciate any guidance provided. I apologise in advance if I violated 
> any list policy. Thanks for any assistance.
> 
> 
> *REFERENCE*
> 
>     [1] FORMERR from Microsoft DNS Server for DIG. Posted January 20,
>     2017 at 11:18 PM MST by Kevin Locke
>     <https://kevinlocke.name/bits/2017/01/20/formerr-from-microsoft-dns-server-for-dig>.
> 
> 
> Regards,
> 
> 
> Jason Hynds.
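
An added example, not part of the original thread and not BIND or Microsoft DNS code: how a responder can walk the EDNS OPT options under the RFC 6891 Section 6.1.2 rule quoted above, ignoring an option it does not understand (here COOKIE, option code 10, the option that dig's +nocookie leaves out) and returning FORMERR only when the OPT record is actually malformed. The function names, the query name and the cookie bytes are constructed for illustration.

```python
import struct

OPT, COOKIE = 41, 10      # OPT RR type (RFC 6891); COOKIE option code (RFC 7873)
NOERROR, FORMERR = 0, 1

def build_query(name, options):
    """Build an A query whose OPT record carries the given (code, data) options."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    # OPT: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 1, 1) + opt

def handle_edns(msg, known=frozenset()):
    """Return (rcode, understood, ignored) for a one-question query with an OPT record."""
    try:
        pos = 12
        while msg[pos]:               # skip the uncompressed QNAME labels
            pos += 1 + msg[pos]
        pos += 5                      # root label + QTYPE + QCLASS
        if msg[pos] != 0:             # OPT owner name must be the root
            return FORMERR, [], []
        rtype, _size, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    except (IndexError, struct.error):
        return FORMERR, [], []
    rdata = msg[pos + 11:pos + 11 + rdlen]
    if rtype != OPT or len(rdata) != rdlen:
        return FORMERR, [], []        # truncated or wrong record: a real format error
    understood, ignored, i = [], [], 0
    while i < len(rdata):
        if i + 4 > len(rdata):
            return FORMERR, [], []
        code, length = struct.unpack("!HH", rdata[i:i + 4])
        if i + 4 + length > len(rdata):
            return FORMERR, [], []    # option overruns RDATA
        # RFC 6891 6.1.2: an option code that is not understood is ignored, not rejected
        (understood if code in known else ignored).append(code)
        i += 4 + length
    return NOERROR, understood, ignored

# Constructed sample: query for a placeholder name with an 8-byte client cookie
query = build_query("example.test", [(COOKIE, bytes(8))])
if __name__ == "__main__":
    print(handle_edns(query))             # server that knows no options
    print(handle_edns(query[:-1]))        # one byte cut off the OPT RDATA
```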


