In message <17894D6D30484DDFBBE95BEF987FF5D1@se179>, "Shaoquan Lin" writes:
> Ryan,
>
> Have you solved your problem? I have similar problems. I run BIND
> 9.6..1-P3 on my Solaris 10 and cannot resolve anything in domain
> nyc.gov. One thing I noticed is: BIND 9.3 sent a query to
> b.gov-servers.net with no Additional records and got a response with A
> records for the nyc.gov NS servers in the Additional records; but BIND
> 9.6 sent a query with type OPT Additional records and got a response with
> also a type OPT but no A in the Additional records. So BIND 9.6
> cannot find the IP addresses of the nyc.gov NS servers and therefore
> cannot resolve anything in that domain. Using options "max-udp-size 512"
> and "edns-udp-size 512" does not solve the problem.
>
> The following is what I captured. Does anyone have any suggestions to
> solve the problem?
>
> Shaoquan Lin

This is really a DNS protocol bug. Glue is not optional when returning a
referral and failure to add glue should result in "tc" being set.

Note: named should set "tc" in the case to work around this protocol bug.
It's useful to have a real life example rather than a contrived example.

2784. [bug] TC was not always being set when required glue was dropped. [RT #20655]

1804. [bug] Ensure that if we are queried for glue that it fits in the additional section or TC is set to tell the client to retry using TCP. [RT #10114]

> BIND 9.3 query:
> Domain Name System (query)
> Transaction ID: 0x94ca
> Flags: 0x0000 (Standard query)
> 0... .... .... .... = Response: Message is a query
> .000 0... .... .... = Opcode: Standard query (0)
> .... ..0. .... .... = Truncated: Message is not truncated
> .... ...0 .... .... = Recursion desired: Don't do query recursively
> .... .... .0.. .... = Z: reserved (0)
> .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
> Questions: 1
> Answer RRs: 0
> Authority RRs: 0
> Additional RRs: 0
> Queries
> vwall4a.nyc.gov: type A, class IN
> Name: vwall4a.nyc.gov
> Type: A (Host address)
> Class: IN (0x0001)
>
> BIND 9.3 response:
> Domain Name System (response)
> Transaction ID: 0x94ca
> Flags: 0x8000 (Standard query response, No error)
> 1... .... .... .... = Response: Message is a response
> .000 0... .... .... = Opcode: Standard query (0)
> .... .0.. .... .... = Authoritative: Server is not an authority for domain
> .... ..0. .... .... = Truncated: Message is not truncated
> .... ...0 .... .... = Recursion desired: Don't do query recursively
> .... .... 0... .... = Recursion available: Server can't do recursive queries
> .... .... .0.. .... = Z: reserved (0)
> .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
> .... .... .... 0000 = Reply code: No error (0)
> Questions: 1
> Answer RRs: 0
> Authority RRs: 4
> Additional RRs: 4
> Queries
> vwall4a.nyc.gov: type A, class IN
> Name: vwall4a.nyc.gov
> Type: A (Host address)
> Class: IN (0x0001)
> Authoritative nameservers
> nyc.gov: type NS, class IN, ns vwall1a.nyc.gov
> Name: nyc.gov
> Type: NS (Authoritative name server)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 10
> Name server: vwall1a.nyc.gov
> nyc.gov: type NS, class IN, ns vwall2a.nyc.gov
> Name: nyc.gov
> Type: NS (Authoritative name server)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 10
> Name server: vwall2a.nyc.gov
> nyc.gov: type NS, class IN, ns vwall3a.nyc.gov
> Name: nyc.gov
> Type: NS (Authoritative name server)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 10
> Name server: vwall3a.nyc.gov
> nyc.gov: type NS, class IN, ns vwall4a.nyc.gov
> Name: nyc.gov
> Type: NS (Authoritative name server)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 10
> Name server: vwall4a.nyc.gov
> Additional records
> vwall1a.nyc.gov: type A, class IN, addr 161.185.1.3
> Name: vwall1a.nyc.gov
> Type: A (Host address)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 4
> Addr: 161.185.1.3
> vwall2a.nyc.gov: type A, class IN, addr 161.185.1.12
> Name: vwall2a.nyc.gov
> Type: A (Host address)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 4
> Addr: 161.185.1.12
> vwall3a.nyc.gov: type A, class IN, addr 167.153.130.12
> Name: vwall3a.nyc.gov
> Type: A (Host address)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 4
> Addr: 167.153.130.12
> vwall4a.nyc.gov: type A, class IN, addr 167.153.130.13
> Name: vwall4a.nyc.gov
> Type: A (Host address)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 4
> Addr: 167.153.130.13
>
> BIND 9.6 query:
> Domain Name System (query)
> Transaction ID: 0x6427
> Flags: 0x0000 (Standard query)
> 0... .... .... .... = Response: Message is a query
> .000 0... .... .... = Opcode: Standard query (0)
> .... ..0. .... .... = Truncated: Message is not truncated
> .... ...0 .... .... = Recursion desired: Don't do query recursively
> .... .... .0.. .... = Z: reserved (0)
> .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
> Questions: 1
> Answer RRs: 0
> Authority RRs: 0
> Additional RRs: 1
> Queries
> vwall4a.nyc.gov: type A, class IN
> Name: vwall4a.nyc.gov
> Type: A (Host address)
> Class: IN (0x0001)
> Additional records
> <Root>: type OPT
> Name: <Root>
> Type: OPT (EDNS0 option)
> UDP payload size: 512
> Higher bits in extended RCODE: 0x0
> EDNS0 version: 0
> Z: 0x8000
> Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
> Bits 1-15: 0x0 (reserved)
> Data length: 0
>
> BIND 9.6 response:
> Domain Name System (response)
> Transaction ID: 0x6427
> Flags: 0x8000 (Standard query response, No error)
> 1... .... .... .... = Response: Message is a response
> .000 0... .... .... = Opcode: Standard query (0)
> .... .0.. .... .... = Authoritative: Server is not an authority for domain
> .... ..0. .... .... = Truncated: Message is not truncated
> .... ...0 .... .... = Recursion desired: Don't do query recursively
> .... .... 0... .... = Recursion available: Server can't do recursive queries
> .... .... .0.. .... = Z: reserved (0)
> .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
> .... .... .... 0000 = Reply code: No error (0)
> Questions: 1
> Answer RRs: 0
> Authority RRs: 6
> Additional RRs: 1
> Queries
> vwall4a.nyc.gov: type A, class IN
> Name: vwall4a.nyc.gov
> Type: A (Host address)
> Class: IN (0x0001)
> Authoritative nameservers
> nyc.gov: type NS, class IN, ns vwall1a.nyc.gov
> Name: nyc.gov
> Type: NS (Authoritative name server)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 10
> Name server: vwall1a.nyc.gov
> nyc.gov: type NS, class IN, ns vwall2a.nyc.gov
> Name: nyc.gov
> Type: NS (Authoritative name server)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 10
> Name server: vwall2a.nyc.gov
> nyc.gov: type NS, class IN, ns vwall3a.nyc.gov
> Name: nyc.gov
> Type: NS (Authoritative name server)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 10
> Name server: vwall3a.nyc.gov
> nyc.gov: type NS, class IN, ns vwall4a.nyc.gov
> Name: nyc.gov
> Type: NS (Authoritative name server)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 10
> Name server: vwall4a.nyc.gov
> rq2651faaj4nen6tfis8ju5005qccn8j.gov: type Unknown (50), class IN
> Name: rq2651faaj4nen6tfis8ju5005qccn8j.gov
> Type: Unknown (50)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 35
> Data
> rq2651faaj4nen6tfis8ju5005qccn8j.gov: type RRSIG, class IN
> Name: rq2651faaj4nen6tfis8ju5005qccn8j.gov
> Type: RRSIG (RR signature)
> Class: IN (0x0001)
> Time to live: 1 day
> Data length: 279
> Type covered: Unknown (50)
> Algorithm: Unknown (0x07)
> Labels: 2
> Original TTL: 1 day
> Signature expiration: Feb 22, 2011 05:00:22.000000000
> Time signed: Feb 17, 2011 05:00:22.000000000
> Id of signing key(footprint): 47602
> Signer's name: gov
> Signature
> Additional records
> <Root>: type OPT
> Name: <Root>
> Type: OPT (EDNS0 option)
> UDP payload size: 1472
> Higher bits in extended RCODE: 0x0
> EDNS0 version: 0
> Z: 0x0
> Data length: 0

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
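
The condition discussed in this thread (a referral whose in-zone name servers have no address records in the additional section, sent without TC), as an added example that is not part of the original messages and is not BIND code. The function names and the sample message are constructed for illustration; the sample follows the capture above but leaves out the type 50 and RRSIG records.

```python
import struct

TC, AA = 0x0200, 0x0400              # header flag bits
NS, A, AAAA, OPT = 2, 1, 28, 41      # RR type codes

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\0"

def read_name(msg, off):             # -> (name, offset just past the name in the RR)
    labels, end = [], None
    for _ in range(len(msg)):                    # bounded, so a pointer loop cannot spin
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("compression pointer loop")

def parse(msg):
    """Return (flags, [answer, authority, additional]); each RR is (owner, type, rdata offset)."""
    _, flags, qd, *counts = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4         # skip QTYPE and QCLASS
    sections = []
    for count in counts:
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rrs.append((owner, rtype, off + 10))
            off += 10 + rdlen
        sections.append(rrs)
    return flags, sections

def missing_glue(msg):
    """In-zone NS targets with no address record, for a referral sent without TC."""
    flags, (answer, authority, additional) = parse(msg)
    if flags & (TC | AA) or answer:              # truncated, or not a referral
        return []
    glue = {owner for owner, rtype, _ in additional if rtype in (A, AAAA)}
    ns = [(zone, read_name(msg, off)[0]) for zone, rtype, off in authority if rtype == NS]
    return sorted(t for zone, t in ns if t.endswith("." + zone) and t not in glue)

# Constructed sample modelled on the capture above; the two DNSSEC records are left out.
HOSTS = {"vwall1a.nyc.gov": "161.185.1.3", "vwall2a.nyc.gov": "161.185.1.12",
         "vwall3a.nyc.gov": "167.153.130.12", "vwall4a.nyc.gov": "167.153.130.13"}

def rr(owner, rtype, rdata, rclass=1, ttl=86400):
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_referral(glue, flags=0x8000):
    auth = [rr("nyc.gov", NS, encode_name(h)) for h in HOSTS]
    add = ([rr(h, A, bytes(map(int, ip.split(".")))) for h, ip in HOSTS.items()] if glue
           else [rr("", OPT, b"", rclass=1472, ttl=0)])  # OPT: CLASS carries the UDP size
    question = encode_name("vwall4a.nyc.gov") + struct.pack("!HH", A, 1)
    header = struct.pack("!6H", 0x6427, flags, 1, 0, len(auth), len(add))
    return header + question + b"".join(auth + add)
```

`missing_glue(build_referral(glue=False))` reports all four vwall name servers, which is the state the BIND 9.6 resolver was left in; the same message with TC set returns an empty list because the client is expected to retry over TCP.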