In message <5b818b25da9e40ebbff0e3d6dfec1...@pvsvrexc06.ad.tmres.my>, Elias Ahmed Kamal writes:
> Even with a broken delegation it's like always resolvable with Google DNS or
> even Open DNS. Are there any BIND specific workarounds?

The other nameservers will also fail with the right query sequence.
Just because something resolves, it doesn't mean that there is not
an error. It is just good luck that Google's servers resolve.

It's so broken that http://dnscheck.ripe.net can't even start
checking the delegation.

    Delegation
    Begin testing delegation for wip.fis.com.my.
    Name servers listed at parent: wan1.fis.com.my,wan2.fis.com.my,wan3.fis.com.my,wan4.fis.com.my
    Failed to find name servers of wip.fis.com.my/IN.
    No name servers found at child.
    Not enough nameserver information was found to test the zone wip.fis.com.my, but an IP address lookup succeeded in spite of that.
    Done testing delegation for wip.fis.com.my.

This is a case of Garbage-In - Garbage Out (lookup failure).

RFC 1035 states that the nameservers on each side of the delegation need
to stay the same. This rule is there in part to stop issues like this.

Fis.com.my need to fix their nameservers. The NS records need to
be made consistent. There need to be address records for the
nameservers.

Mark

> -----Original Message-----
> From: Mark Andrews [mailto:ma...@isc.org]
> Sent: Wednesday, November 18, 2015 6:26 PM
> To: Elias Ahmed Kamal
> Cc: bind-users@lists.isc.org
> Subject: Re: Query on ignoring additional section returned in replies
>
>
> In message <659dec986e9347369634488991f6e...@pvsvrexc06.ad.tmres.my>, Elias Ahmed Kamal writes:
> > Hi guys,
> >
> > I'm having issues resolving www.fis.com.my. I'm trying to tell
> > fis.com.my that it's an issue at their end, but when checking against
> > 8.8.8.8 it resolves fine....so it MUST be a problem with me.
> >
> > 1. Lookups fail, this is clear enough
> >
> > root@sputnik # dig @localhost www.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @localhost www.fis.com.my
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51246
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.fis.com.my.                IN      A
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Wed Nov 18 17:40:58 MYT 2015
> > ;; MSG SIZE  rcvd: 43
> >
> >
> > 2. All of fis.com.my's authoritative nameservers answer and are consistent
> >    It tells me that www.wip.fis.com.my is a CNAME for www.fis.com.my
> >    And that wan1-wan4.fis.com.my are the authoritative servers for
> >    *.wip.fis.com.my
> >
> > root@sputnik # dig @ns1.fis.com.my www.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @ns1.fis.com.my www.fis.com.my
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33357
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
> > ;; WARNING: recursion requested but not available
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.fis.com.my.                IN      A
> >
> > ;; ANSWER SECTION:
> > www.fis.com.my.         38400   IN      CNAME   www.wip.fis.com.my.
> >
> > ;; AUTHORITY SECTION:
> > wip.fis.com.my.         38400   IN      NS      wan1.fis.com.my.
> > wip.fis.com.my.         38400   IN      NS      wan4.fis.com.my.
> > wip.fis.com.my.         38400   IN      NS      wan3.fis.com.my.
> > wip.fis.com.my.         38400   IN      NS      wan2.fis.com.my.
> >
> > ;; ADDITIONAL SECTION:
> > wan1.fis.com.my.        38400   IN      A       202.188.242.130
> > wan2.fis.com.my.        38400   IN      A       210.19.86.114
> > wan3.fis.com.my.        38400   IN      A       175.143.6.162
> > wan4.fis.com.my.        38400   IN      A       219.92.28.106
> >
> > ;; Query time: 8 msec
> > ;; SERVER: 202.188.242.135#53(202.188.242.135)
> > ;; WHEN: Wed Nov 18 17:41:09 MYT 2015
> > ;; MSG SIZE  rcvd: 205
> >
> >
> > 3. I now do a 3rd lookup test against wan1.fis.com.my for
> >    www.wip.fis.com.my and get the answers
> >    BUT, the nameserver is also returning an authority section saying
> >    wip.fis.com.my is now served by ns1.wip.fis.com.my
> >    [Previously I know wip.fis.com.my was served by
> >    wan1-wan4.fis.com.my, but now somehow I'm caching ns1.wip.fis.com.my instead]
> >    [Question: Is it the expected behaviour that this new NS will
> >    override the previous NS for wip.fis.com.my? And is there any way to
> >    ignore authority/additional answers that I get from replies?]
>
> Yes. The delegation is broken. Having a NS pointing at a nonexistent name
> is a big no no. It's just a matter of time for a delegation like this to
> break.
>
> > root@cbj-cdns21 # dig @wan1.fis.com.my www.wip.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my www.wip.fis.com.my
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43777
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
> > ;; WARNING: recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;www.wip.fis.com.my.            IN      A
> >
> > ;; ANSWER SECTION:
> > www.wip.fis.com.my.     5       IN      A       175.143.6.165
> > www.wip.fis.com.my.     5       IN      A       202.188.242.137
> > www.wip.fis.com.my.     5       IN      A       210.19.86.117
> >
> > ;; AUTHORITY SECTION:
> > wip.fis.com.my.         3600    IN      NS      ns1.wip.fis.com.my.
> >
> > ;; Query time: 7 msec
> > ;; SERVER: 202.188.242.130#53(202.188.242.130)
> > ;; WHEN: Wed Nov 18 17:44:59 MYT 2015
> > ;; MSG SIZE  rcvd: 102
> >
> >
> > 4. Lo and behold, ns1.wip.fis.com.my doesn't exist! And because of
> >    this all my queries for www.fis.com.my are failing. Am I correct?
> >
> > root@sputnik # dig @wan1.fis.com.my ns1.wip.fis.com.my
> >
> > ; <<>> DiG 9.9.5-P1 <<>> @wan1.fis.com.my ns1.wip.fis.com.my
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37457
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > ;; WARNING: recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;ns1.wip.fis.com.my.            IN      A
> >
> > ;; AUTHORITY SECTION:
> > wip.fis.com.my.         3600    IN      SOA     ns1.wip.fis.com.my. webmaster . 2015111825 16384 2048 1048576 2560
> >
> > ;; Query time: 6 msec
> > ;; SERVER: 202.188.242.130#53(202.188.242.130)
> > ;; WHEN: Wed Nov 18 17:47:45 MYT 2015
> > ;; MSG SIZE  rcvd: 81
> >
> > We only send and receive email on the basis of the terms set out at
> > http://www.tm.com.my/email_disclaimer.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
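
Added example, not part of the original thread or of BIND: a small Python check for the two conditions the reply names, NS records that differ between the parent and child side of a delegation, and NS targets with no address record. The record lines are copied from the dig output quoted above; the function names are illustrative.

```python
# Added example. Record lines are copied from the dig output quoted in the thread.
PARENT_SIDE = """\
wip.fis.com.my.  38400 IN NS wan1.fis.com.my.
wip.fis.com.my.  38400 IN NS wan2.fis.com.my.
wip.fis.com.my.  38400 IN NS wan3.fis.com.my.
wip.fis.com.my.  38400 IN NS wan4.fis.com.my.
wan1.fis.com.my. 38400 IN A 202.188.242.130
wan2.fis.com.my. 38400 IN A 210.19.86.114
wan3.fis.com.my. 38400 IN A 175.143.6.162
wan4.fis.com.my. 38400 IN A 219.92.28.106
"""
CHILD_SIDE = """\
www.wip.fis.com.my. 5    IN A  175.143.6.165
wip.fis.com.my.     3600 IN NS ns1.wip.fis.com.my.
"""

def parse_records(text):
    """Return (owner, type, rdata) tuples from dig-style record lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        fields = line.split(None, 4)           # owner ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN":
            records.append((fields[0].lower(), fields[3], fields[4].lower()))
    return records

def ns_set(records, zone):
    return {rdata for owner, rtype, rdata in records
            if owner == zone and rtype == "NS"}

def addressed(records):
    return {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}

def check_delegation(zone, parent_text, child_text):
    """Compare the NS set seen at the parent with the one the child serves."""
    parent, child = parse_records(parent_text), parse_records(child_text)
    p_ns, c_ns = ns_set(parent, zone), ns_set(child, zone)
    # No address in the supplied responses; confirm with a direct query.
    missing = (p_ns | c_ns) - (addressed(parent) | addressed(child))
    return {"only_at_parent": sorted(p_ns - c_ns),
            "only_at_child": sorted(c_ns - p_ns),
            "ns_without_address": sorted(missing),
            "consistent": p_ns == c_ns and not missing}

if __name__ == "__main__":
    result = check_delegation("wip.fis.com.my.", PARENT_SIDE, CHILD_SIDE)
    for key, value in result.items():
        print(f"{key}: {value}")
```
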