Volker Janzen <vol...@janzen.onl> wrote:
>
> when my Bind resolver tries to get the A record for info.nominet.uk the
> syslog gets lots of messages like this:
>
> Jan 25 21:15:52 box named[25097]: DNS format error from 173.245.58.93#53
> resolving info.nominet.uk/DS: invalid response
OK, this is interesting. The domain is hosted by Cloudflare who have their
own DNS implementation, and they try to make their responses as small as
possible. In this case the response from the Cloudflare servers is quoted
below.

There is a fun feature in the NSEC record - they are using minimal covering
NSEC records, hence the info\000.nominet.uk which is the DNS name lexically
following info.nominet.uk - yes, that is a null byte! But this isn't
relevant to the problem.

The actual problem is to do with how BIND classifies negative responses
according to RFC 2308 - see https://tools.ietf.org/html/rfc2308#page-6

Cloudflare are trying to generate a Type 3 response (the smallest, with no
SOA or NS records in the authority section) - this isn't great because it
means the negative answer cannot be cached :-(

BIND detects a Type 3 response by looking for empty answer and authority
sections - but in this case there is a DNSSEC proof of nonexistence in the
authority section! So BIND's response classification fails.

I'm inclined to blame Cloudflare for omitting the SOA record from the
response, which breaks negative caching, as well as making BIND think
Cloudflare's DNS server is insane. In fact Cloudflare do return SOA records
with other kinds of negative response, so I guess it is just a
bug/omission in their DS negative response handling.
For those who like code, the Type 3 classification happens here
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=lib/dns/resolver.c;hb=HEAD#l6444
and eventually BIND ends up generating the SERVFAIL error here
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=lib/dns/resolver.c;hb=HEAD#l6696

; <<>> DiG 9.12.0-dev <<>> +multiline +dnssec +norec @173.245.58.93 info.nominet.uk DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59655
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;info.nominet.uk.	IN DS

;; AUTHORITY SECTION:
info.nominet.uk.	3600 IN NSEC info\000.nominet.uk. NS RRSIG NSEC
info.nominet.uk.	3600 IN RRSIG NSEC 13 3 3600 (
				20170127110035 20170125090035 35273 nominet.uk.
				oRPIbo4LJvBa+JKROY9ZRuKP8EzFCHbhLBD84rQRUriu
				he0MBbZdzkYWLdkHgP7v1aENGYNSASsTwMUgztFoXw== )

;; Query time: 3 msec
;; SERVER: 173.245.58.93#53(173.245.58.93)
;; WHEN: Thu Jan 26 10:00:47 GMT 2017
;; MSG SIZE  rcvd: 188

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Shannon, Rockall, Malin, Hebrides, Bailey: Southerly or southeasterly,
becoming cyclonic, 7 to severe gale 9, occasionally storm 10 at first in
Rockall and Bailey, becoming variable 4 for a time in west Shannon, west
Rockall and west Bailey. Very rough or high, occasionally rough except in
Bailey. Rain or squally showers. Good, occasionally poor.
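Added illustration (not code from the post, nor BIND's own resolver.c): a small model of the RFC 2308 negative-response classification the message describes, run over the authority section of the dig output quoted above. The `ignore_dnssec` switch, the `UNCLASSIFIED` outcome standing in for the SERVFAIL path, and the SOA record in the second sample are assumptions made for the example; the SOA values are constructed.

```python
from collections import Counter

# Authority section as quoted from the post's dig output (RRSIG data truncated),
# plus a constructed variant that adds the SOA record the real response lacks.
CLOUDFLARE_DS_AUTHORITY = [
    "info.nominet.uk. 3600 IN NSEC info\\000.nominet.uk. NS RRSIG NSEC",
    "info.nominet.uk. 3600 IN RRSIG NSEC 13 3 3600 20170127110035 20170125090035 35273 nominet.uk. oRPIbo4L...",
]
CONSTRUCTED_SOA = ("nominet.uk. 3600 IN SOA ns.placeholder.invalid. "
                   "hostmaster.placeholder.invalid. 1 7200 900 1209600 600")
WITH_SOA_AUTHORITY = CLOUDFLARE_DS_AUTHORITY + [CONSTRUCTED_SOA]

# These carry a DNSSEC proof of nonexistence, not delegation/authority data.
DNSSEC_PROOF_TYPES = {"NSEC", "NSEC3", "RRSIG"}

def rr_types(section):
    """RR type is the fourth field of a dig-style presentation line."""
    return [line.split()[3] for line in section]

def classify_negative(rcode, answer, authority, ignore_dnssec):
    """Classify per RFC 2308 sections 2.1/2.2 (NXDOMAIN and NODATA share the shapes).

    answer/authority are lists of RR type names. With ignore_dnssec=False the
    NSEC/RRSIG records make the authority section look non-empty, which is the
    pitfall the post describes; with True they are set aside before deciding.
    """
    if rcode not in ("NOERROR", "NXDOMAIN") or (rcode == "NOERROR" and answer):
        return "NOT NEGATIVE"
    auth = Counter(t for t in authority
                   if not (ignore_dnssec and t in DNSSEC_PROOF_TYPES))
    if auth["SOA"] and auth["NS"]:
        return "TYPE 1"
    if auth["SOA"]:
        return "TYPE 2"
    if auth["NS"]:
        return "REFERRAL"      # NS without SOA: a referral, not a negative answer
    if not auth:
        return "TYPE 3"        # no SOA, so the resolver cannot negatively cache it
    return "UNCLASSIFIED"      # unexpected authority contents: the SERVFAIL path

def negative_ttl(authority):
    """RFC 2308 section 5: negative cache TTL is min(SOA TTL, SOA MINIMUM)."""
    for line in authority:
        f = line.split()
        if f[3] == "SOA":
            return min(int(f[1]), int(f[-1]))
    return None  # no SOA in the authority section: nothing to cache
```

Running the quoted response through both modes shows the same data classified as `UNCLASSIFIED` when DNSSEC records count as authority content and as an uncacheable `TYPE 3` when they are set aside; only the variant carrying an SOA yields a negative TTL.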