Hi,

Some authoritative nameservers add incorrect nameservers in the authority section of their replies. Due to caching of the incorrect reply, further queries for that domain go to those incorrect nameservers. Is there a way to ignore / not cache such replies?

For example, if ns1.realserver.com gives this authoritative reply:

=======================================================
$ dig a1.example.com.

;; QUESTION SECTION:
;a1.example.com. IN A

;; ANSWER SECTION:
a1.example.com. 3600 IN A 10.10.10.10

;; AUTHORITY SECTION:
example.com. 3600 IN NS ns1.fakeserver.com.
example.com. 3600 IN NS ns2.fakeserver.com.
=======================================================

Further queries for example.com go to ns[12].fakeserver.com.

=======================================================
$ dig a2.example.com.

;; QUESTION SECTION:
;a2.example.com. IN A

unexpected RCODE (REFUSED) resolving 'a2.example.com/A/IN': ns1.fakeserver.com#53
=======================================================

ns[12].fakeserver.com. are not authoritative for example.com here.

The symptoms are:

1. dig +trace a1.example.com. always works correctly.
2. dig a1.example.com. works correctly the first time.
3. dig a2.example.com. gives an error till the fake NS record expires.

This is obviously a misconfiguration on ns1.realserver.com. The correct nameservers are listed in the domain registration of example.com along with the correct glue records.

Is there any solution to this problem without contacting the DNS administrator of that domain? I have seen this problem for many domains on the internet.

--
Sunil Shetye.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
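
The mismatch described in the post can be confirmed from saved dig output by comparing the NS set in the parent's referral with the NS set in the authority section of the zone's own reply. The following is an added example, not part of the original post and not BIND code; the referral text and the name ns2.realserver.com. are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: referral from the parent zone (the delegation).
# ns2.realserver.com. is an assumed name; the post only names ns1.
PARENT_REFERRAL = """\
;; QUESTION SECTION:
;a1.example.com. IN A

;; AUTHORITY SECTION:
example.com. 172800 IN NS ns1.realserver.com.
example.com. 172800 IN NS ns2.realserver.com.
"""

# The authoritative reply quoted in the post.
CHILD_REPLY = """\
;; QUESTION SECTION:
;a1.example.com. IN A

;; ANSWER SECTION:
a1.example.com. 3600 IN A 10.10.10.10

;; AUTHORITY SECTION:
example.com. 3600 IN NS ns1.fakeserver.com.
example.com. 3600 IN NS ns2.fakeserver.com.
"""

def ns_records(dig_text, section="AUTHORITY"):
    """Return {zone: set(nameservers)} from one section of dig output."""
    zones, current = {}, None
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            continue
        fields = line.split()
        if current == section and len(fields) == 5 and fields[2:4] == ["IN", "NS"]:
            zones.setdefault(fields[0].lower(), set()).add(fields[4].lower())
    return zones

def compare_ns(parent_text, child_text):
    """Per zone, list NS names only the child reply or only the parent gives."""
    parent, child = ns_records(parent_text), ns_records(child_text)
    report = {}
    for zone in parent.keys() & child.keys():
        only_child = sorted(child[zone] - parent[zone])
        only_parent = sorted(parent[zone] - child[zone])
        if only_child or only_parent:
            report[zone] = {"only_in_reply": only_child, "only_in_delegation": only_parent}
    return report
```

A non-empty result for a zone means the reply advertises nameservers the delegation does not, which is the condition that leads to the REFUSED errors once the reply's NS records are cached.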