Dnia 2010-12-30 11:45 Torinthiel napisał(a): >Dnia 2010-12-30 18:03 p...@mail.nsbeta.info napisał(a): > >>Sunil Shetye writes: >> >>> >>> Case 2: Lame Server Reply >>> >>> =================================================================== >>> $ dig +norecurse @a.iana-servers.net. example.org. >>> ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 >>> >>> ;; QUESTION SECTION: >>> ;example.org. IN A >>> >>> ;; ANSWER SECTION: >>> example.org. 172800 IN A 192.0.32.10 >>> >>> ;; AUTHORITY SECTION: >>> example.org. 172800 IN NS ns1.example.org. >>> example.org. 172800 IN NS ns2.example.org. >>> =================================================================== >>> >>> This is a lame server reply. bind ignores this reply. bind will give a >>> server fail reply to the client. >>> >> >> >>Would you please tell me why this is a lame server reply? why bind will >>give a server fail reply to the client? Thanks again a lot. > >Because it's contrary to itself. >You've specified norecurse, which means that if nameserver believes it has >authorative data it should return it, if it doesn't it should return a >referral (and no answer beside it). > >But the server returns answer (which means it believes it has authorative >data), but in authority section is not listed in nameservers, which states >it does not have authorative data. > >To sum up: >Question: Does the server have authorative data? >Answer 1: Server returns data when asked without recursion ->; YES >Answer 2: Server is not listed in authority section ->; NO >Real answer: Lame server.
And I was wrong about that one. There are two issues with that one. First, I get a different response from that command. different flags (no ra but aa instead), differend authority section. It's much simplier to tell if it's a 'lame nameserver response' although it can't be judged by a single query. Let's say that nameservers for .org domain (there are a lot of them), when asked for example.org give a.iana-servers.net and b.iana-servers.net (which is true, and by itself nothing special). Then lets assume (which is not true, but a good example) that a.iana-servers.net when asked for www.example.org gives something (doesn't matter if a true answer, or missing record, or anything), but with 'aa' flag not set. This, by itself, is still nothing special, no server is required to know everything. But from those two answers you have a contradiction, and this contradiction is a real lane nameserver issue. .org servers delegate answers to a.iana-servers.net, and a.iana-servers.net fails to deliver authorative response. So the delegation is in fact incorrect. Fortunately, a.iana-servers.net does not behave the way I've described here and does set 'aa' flag in it's response. Hope this clears up the issue a bit, and reduces misinformation caused by my previous answer. Regards, Torinthiel _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
