Hello Jeffry,

On 6/22/12 1:25 PM, Spain, Dr. Jeffry A. wrote:
> From what I observed I would conclude that dns11.one.microsoft.com
> is a Windows DNS server since it behaves like mine except for the
> AA flag not being set in theirs.

It might even be a new Windows 2012 DNS server, and it might be an issue with this new version. This is just speculation, but if it is an issue with Windows 2012 DNS, it might be good to be able to isolate that issue soon (so that it can be fixed before Windows 2012 is released).

> The missing AA flag and lack of authority and additional records in
> their response seem like improper behavior to me, but I don't know
> whether or not the DNS protocol actually requires this. Apparently
> BIND 9.9.1-P1 is able to handle this situation.

My BIND 9.9.1-P1 showed FORMERR yesterday, but shows the same good answers that you report today.

What I see today when I send a direct query to dns10.one.microsoft.com. (or dns11/12/13) is that both AA (Authoritative Answer) and AD (Authenticated Data) flags are set, but the zone does not seem to be DNSSEC signed (no RRSIGs, no DNSKEY):

bash-3.2# dig partners.extranet.microsoft.com. IN NS @dns11.one.microsoft.com. +dnssec

; <<>> DiG 9.9.1-P1 <<>> partners.extranet.microsoft.com. IN NS @dns11.one.microsoft.com. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40230
;; flags: qr aa ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; ANSWER SECTION:
partners.extranet.microsoft.com. 10 IN NS dns11.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns10.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns13.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns12.one.microsoft.com.
dns11.one.microsoft.com. 10 IN A 94.245.124.49
dns10.one.microsoft.com. 10 IN A 131.107.125.65
dns13.one.microsoft.com. 10 IN A 65.55.31.17
dns12.one.microsoft.com. 10 IN A 207.46.55.10

;; Query time: 37 msec
;; SERVER: 94.245.124.49#53(94.245.124.49)
;; WHEN: Sun Jun 24 10:00:54 2012
;; MSG SIZE rcvd: 228

Having AD-Flag set on a non-DNSSEC zone might be a protocol violation, and that might be the cause of FORMERR.

Best regards

Carsten Strotmann
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
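
The flag combination described in the message above can be checked mechanically. The following is an added example, not part of the original post: it parses dig's text output and reports a response that carries the AD flag without any RRSIG in the answer or authority section. The function names are hypothetical, the sample is the header and answer section of the dig output quoted in the message, and the check assumes the query was sent with +dnssec, since RRSIGs are otherwise not returned even for signed zones.

```python
import re

# Sample input: header and answer section of the dig output quoted in the
# message above (banner, question and timing lines omitted).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40230
;; flags: qr aa ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
partners.extranet.microsoft.com. 10 IN NS dns11.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns10.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns13.one.microsoft.com.
partners.extranet.microsoft.com. 10 IN NS dns12.one.microsoft.com.
dns11.one.microsoft.com. 10 IN A 94.245.124.49
dns10.one.microsoft.com. 10 IN A 131.107.125.65
dns13.one.microsoft.com. 10 IN A 65.55.31.17
dns12.one.microsoft.com. 10 IN A 207.46.55.10
"""

# owner, TTL, class IN, type, rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_dig(text):
    """Return (header flags, {section name: [record types]}) from dig output."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; flags:([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(";; ") and line.endswith(" SECTION:"):
            current = line[3:-len(" SECTION:")].lower()
            sections[current] = []
        elif current and not line.startswith(";"):
            rr = RR_LINE.match(line)
            if rr:
                sections[current].append(rr.group(3))
    return flags, sections

def check_ad_consistency(text):
    """List findings for a +dnssec response whose AD flag lacks signatures."""
    flags, sections = parse_dig(text)
    rrtypes = sections.get("answer", []) + sections.get("authority", [])
    findings = []
    if "ad" in flags and "RRSIG" not in rrtypes:
        findings.append("AD set but no RRSIG in answer/authority")
    return findings

if __name__ == "__main__":
    print(check_ad_consistency(SAMPLE))
```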