[dns-operations] Command Line BIND Query to Delegating Name Servers Gives FORMERR - Is this Bad for Normal DNS Operations by Public Resolvers?
pspacek at isc.org
Mon Sep 20 14:15:26 UTC 2021
I think you already answered yourself in your blog post:
> This behavior appears to violate “Any OPTION-CODE values not
> understood by a responder or requestor MUST be ignored.” from Section
> 6.1.2 of RFC 6891, but that is of small consolation for a non-working
So yes, the authoritative server most likely has a bug.
How to approach the operation in question - that's a hard problem. You
can either try various contacts you find, or you can send the name of the
domain here and ask them to contact you off-list. For TLDs this method
can work surprisingly well :-)
On 20. 09. 21 15:37, Jason Hynds wrote:
> I hope that the following conforms to the content expected of this list.
> I stumbled on some /name servers/ (a branch of a ccTLD, performing a
> public good service, as far as I know) which are giving a FORMat ERRor
> (FORMERR) to default /dig/ queries from the command line as described in
> the referenced webpage, see below. The workaround of +nocookie
> described in the blog allows for a successful query response. /Nslookup/
> queries work fine.
> I should mention that I have no administrative authority of the name
> servers showing this condition. I just noticed the behaviour whilst
> checking on a DNS hosting migration for a client of the name servers
> exhibiting the behaviour.
> Would someone be able to advise me on:
> 1. How bad it may be for an authoritative or delegating name server to
> be exhibiting this behaviour?
> 2. Does this potentially cause a resolution outage, or would a BIND
> server adjust and re-query in order to obtain a usable result?
> 3. Is the BIND server non-compliant, or the likely Microsoft DNS
> non-compliant, to an RFC?
> 4. How would I explain such an issue to a name server operator who I do
> not know?
> I appreciate any guidance provided. I apologise in advance if I violated
> any list policy. Thanks for any assistance.
> FORMERR from Microsoft DNS Server for DIG. Posted January 20,
> 2017 at 11:18 PM MST by Kevin Locke
> Jason Hynds.
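
The rule quoted from RFC 6891 Section 6.1.2, as an added example that is not part of the original thread and is not any server's actual code: a responder-side parser for the OPT RR's options, run against a constructed query carrying a COOKIE option (what default dig sends) and one without it (+nocookie). The function names, the `ignore_unknown` switch and the sample cookie bytes are assumptions made for illustration.

```python
import struct

OPT, COOKIE = 41, 10            # OPT RR type (RFC 6891); COOKIE option code (RFC 7873)
NOERROR, FORMERR = 0, 1

def build_query(name, options=()):
    """A-record query for `name` with one OPT RR carrying (code, data) options."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\0" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 1, 1) + opt

def parse_options(msg):
    """Return [(code, data)] from the OPT RR of a single-question query."""
    pos = 12
    while msg[pos]:                      # skip uncompressed QNAME labels
        pos += msg[pos] + 1
    pos += 5                             # root label + QTYPE + QCLASS
    rtype, _size, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos + 1)
    if msg[pos] != 0 or rtype != OPT:
        raise ValueError("expected OPT RR with root owner name")
    pos, end = pos + 11, pos + 11 + rdlen
    if end > len(msg):
        raise ValueError("OPT RDATA truncated")
    options = []
    while pos < end:
        code, length = struct.unpack_from("!HH", msg, pos)
        if pos + 4 + length > end:
            raise ValueError("option overruns OPT RDATA")
        options.append((code, msg[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return options

def rcode_for(msg, understood, ignore_unknown=True):
    """RCODE a responder returns; ignore_unknown=False models the reported bug."""
    try:
        options = parse_options(msg)
    except (ValueError, IndexError, struct.error):
        return FORMERR                   # genuinely malformed message
    if not ignore_unknown and any(code not in understood for code, _ in options):
        return FORMERR                   # well-formed, but rejected: non-compliant
    return NOERROR                       # unknown options are skipped, query is served

CLIENT_COOKIE = bytes.fromhex("0011223344556677")            # constructed sample value
WITH_COOKIE = build_query("example.test", [(COOKIE, CLIENT_COOKIE)])
NO_COOKIE = build_query("example.test")                      # EDNS present, no options
```

FORMERR remains the correct answer for a message that really is malformed, such as one whose OPT RDATA is cut short; the non-compliant case is returning it for a well-formed option the responder merely does not implement.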