Tony, Thank you for your help. I was going *insane* trying to figure out where this was coming from, and I had literally just pulled down the source to look at the code. So now it looks like I need to find and kill any and all NXT records in my domain. Sigh... So it's part of the DNSSEC setup, and it's not clear how to do an 'fsck' like scan on a Windows DNS server to look for problems like this.
But trawling through my DNS tool on windows (which sucks... btw) I don't see any NXT records, though I see a ton of NSEC3 records. Does anyone have a clue how I can try to find these bad record(s)? I can do the following on my Linux secondary: dig AXFR foo.com @xxx.xxx.xxx.xxx > /tmp/foo.com And it does dump some errors too, which hopefully will give me an idea of where my crappy bad record is located, and no use hiding crap: www.cisco.toshiba.com. 3600 IN CNAME redirect.toshiba.com. www.cisco.toshiba.com. 3600 IN RRSIG CNAME 8 4 3600 20210517093721 20210507083721 38628 t oshiba.com. OEmGkGWSPtbjlCGVt5Ejkgncg2wRcbnfCMSm2By6Fl4gN8R1uXx/ucdN hVrdiiP8BHWTIte/fvoMrMXbMHxarPJ C6zJn9HHdC9o2dwBoGpknTwJM DYsy8wA5byhT9f8RVLi0WxLDmncWl2vJcZM6wsKfJ5HWAklGh9YxhOar nCM= ;; Got bad packet: bad bitmap 16358 bytes 46 98 80 00 00 01 00 97 00 00 00 00 07 74 6f 73 F............tos 68 69 62 61 03 63 6f 6d 00 00 fc 00 01 08 63 69 hiba.com......ci 74 69 62 61 6e 6b c0 0c 00 05 00 01 00 00 0e 10 tibank.......... 00 0b 08 72 65 64 69 72 65 63 74 c0 0c c0 1d 00 ...redirect..... 2e 00 01 00 00 0e 10 00 9f 00 05 08 03 00 00 0e ................ 10 60 a2 39 51 60 94 fc 41 96 e4 07 74 6f 73 68 .`.9Q`..A...tosh 69 62 61 03 63 6f 6d 00 83 b6 df 32 9f d9 2a 54 iba.com....2..*T 65 16 1b 28 09 ac aa b3 41 f0 85 60 e6 e2 18 ae e..(....A..`.... -----Original Message----- From: Tony Finch <fa...@hermes.cam.ac.uk> On Behalf Of Tony Finch Sent: Tuesday, May 11, 2021 5:24 PM To: Stoffel, John (TAI) <john.stof...@toshiba.com> Cc: bind-users@lists.isc.org Subject: Re: ISC Bind as secondary to Windows Server: bad bitmap error on named xfer. Stoffel, John (TAI) <john.stof...@toshiba.com> wrote: > failed while receiving responses: bad bitmap > > None of my googling has given me any hints on what this error could be. I had to look at the source, which told me it's to do with NXT records which are super obsolete, so I wonder what weird stuff is in the zone that might cause this. (The NXT record was a predecessor of NSEC; NXT was badly designed so it is unable to support all possible DNS RR types, which is why it needed replacing.) $ rg 'bad bitmap' lib/dns/result.c:137: "bad bitmap", /*%< 94 DNS_R_BADBITMAP */ $ rg BADBITMAP lib/dns/include/dns/result.h:132:#define DNS_R_BADBITMAP (ISC_RESULTCLASS_DNS + 94) lib/dns/rdata/generic/nxt_30.c:154: return (DNS_R_BADBITMAP); lib/dns/result.c:137: "bad bitmap", /*%< 94 DNS_R_BADBITMAP */ lib/dns/result.c:278: "DNS_R_BADBITMAP", Tony. -- f.anthony.n.finch <d...@dotat.at> https://urldefense.com/v3/__https://dotat.at/__;!!BiNunAf9XXY-!VH-JqRCMfVb-2Su9Du-D3OA4DlJi6q3lXIg4s9pjD9fwN1atleDmzsKASzloojK1C1WS$ Viking, North Utsire, South Utsire: Southerly or southeasterly 3 to 5 becoming variable 2 to 4, then northerly 5 to 7 later in Viking and northern North Utsire. Moderate or rough in Viking and northern North Utsire, slight or moderate elsewhere. Showers, fog patches. Moderate or good, occasionally very poor. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
