Hi,

I've semi-recently updated a public resolver to run a slightly newer version of BIND, currently at 9.8.4-P3.
I've noticed that quite a number of query responses it receives are logged with "DNS format error" ... "invalid response". Some semi-random examples picked from the log:

  apis.markets.ft.com/AAAA 209.234.224.42
  apis.markets.ft.com/AAAA 209.234.234.42
  apis.markets.ft.com/AAAA 66.150.28.2
  eu-sonar.sociomantic.com/AAAA 204.69.234.1
  eu-sonar.sociomantic.com/AAAA 204.74.101.1
  sn2.storage.msn.com/AAAA 207.46.0.139
  sn2.storage.msn.com/AAAA 207.46.0.140
  sn2.storage.msn.com/AAAA 65.55.195.203
  sn2.storage.msn.com/AAAA 65.55.195.204
  sb3-alt.map.media6degrees.com/AAAA 2001:500:90:1::27
  sb3-alt.map.media6degrees.com/AAAA 2001:500:94:1::27
  sb3-alt.map.media6degrees.com/AAAA 204.13.250.27
  sb3-alt.map.media6degrees.com/AAAA 204.13.251.27
  sb3-alt.map.media6degrees.com/AAAA 208.78.70.27
  sb3-alt.map.media6degrees.com/AAAA 208.78.71.27
  ws.mcafee.com/AAAA 161.69.13.53
  ws.mcafee.com/AAAA 205.227.136.200
  ws.mcafee.com/AAAA 67.97.80.200
  www.euskadi.net/AAAA 195.77.108.238
  www.euskadi.net/AAAA 212.55.29.238

These are the "queried-for name + type" and "IP address of name server response came from".

Common for all of these is that the clients have queried for AAAA records (I've also seen a query for SRV which ended up in this category).

Inspecting the output from "dig" when querying these name servers directly with e.g. +norec +dnssec, it doesn't look (to the naked eye, interpreting "dig" output) like there is anything wrong with the responses from these name servers. Common among them is that they have an empty answer section, and one SOA record in the authority section.

The client after a while gets SERVFAIL for most of these, though for www.euskadi.net I get no response before the client times out, and BIND moans about FORMERR and "invalid response" in the log, many, many times per original client query.
Now, I've on a test machine tried to instrument the noanswer_response() function in lib/dns/resolver.c with some code to log if it finds the SOA record in the authority section, but apparently that's not happening for these particular answers (but it hits for others). So we end up in the "no SOA, no NS, no CNAME, no answer => formerr" part of the code where log_formerr() is called with "invalid response" as argument.

Unbound returns empty responses to the client with status=NOERROR when queried for these names + types, which I think is the correct behaviour.

So I'm sitting here scratching my head, even more confused than usual. Anyone have any insights?

Regards,

- Håvard
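
An added example, not part of the original post and not BIND's code: a small wire-format check that labels an answerless response by what its authority section actually carries, including the owner name of the SOA, which is easy to overlook in "dig" output. The names `read_name`, `classify` and `SAMPLE`, the result labels, and the "SOA owner at or above the query name" test are assumptions of this sketch, and the sample message is constructed.

```python
import struct

SOA, NS = 6, 2                                 # RR type codes

# Constructed sample (not a capture): NOERROR reply to www.example.net/AAAA,
# empty answer section, one SOA for example.net in the authority section.
SAMPLE = bytes.fromhex(
    "1234 8400 0001 0000 0001 0000"
    "03777777 076578616d706c65 036e6574 00 001c 0001"
    "c010 0006 0001 0000012c 0026 026e73c010 0a686f73746d6173746572c010"
    "00000001 00000e10 00000258 00015180 0000012c")

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while hops < 16:                           # bound pointer chains
        n = msg[off]
        if n & 0xC0 == 0xC0:                   # compression pointer
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
        elif n == 0:
            return ".".join(labels).lower() + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("compression pointer loop")

def classify(msg):
    """Label an answerless response by what its authority section carries."""
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)            # assumes exactly one question
    off += 4                                   # skip QTYPE and QCLASS
    owners = {}                                # authority rtype -> first owner
    for i in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen                      # rdata itself is not inspected
        if i >= an:
            owners.setdefault(rtype, owner)
    if an:
        return "answer"
    if flags & 0xF == 3:
        return "nxdomain"
    if SOA in owners:                          # this sketch's own check
        above = owners[SOA] == "." or ("." + qname).endswith("." + owners[SOA])
        return "nodata" if above else "soa-not-above-qname"
    return "referral" if NS in owners else "no-soa-no-ns"

if __name__ == "__main__":
    print(classify(SAMPLE))                    # prints: nodata
```

To run it against a real response, feed `classify` the raw UDP payload of the reply (for example, extracted from a packet capture) rather than the text that "dig" prints.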