There’s no AA flag in the response and there are RD and RA flags. Hence back to what I wrote earlier - there’s a transparent DNS proxy on your network and your DNS traffic is being intercepted and rewritten.

--
Ondřej Surý (He/Him)
[email protected]
ADHD brain at work: I sometimes lose track of my inbox. Please feel free to send a gentle nudge if you're waiting on a reply!
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 6. 5. 2026, at 2:41, Mark Strohm <[email protected]> wrote:
>
> Hello Greg-
>
> Thanks for the reply. I switched named.conf to the Homebrew default,
> set the log severity to debug 11, and monitored with Wireshark.
>
> Two things:
> 1) bind is querying the root servers for something, and getting back
> the list of root servers. Hence some of the "non-improving referral"
> errors.
> 2) For isc.org ns, it receives a very reasonable looking response,
> then declares a "format error". See below.
>
>
> -----
>
> named.conf:
>
> logging {
>     category default {
>         _default_log;
>     };
>     channel _default_log {
>         file "/usr/local/var/log/named/named.log" versions 10 size 1m;
>         severity debug 11;
>         print-time yes;
>     };
> };
>
> options {
>     directory "/usr/local/var/named";
> };
>
> -----
>
> dig @127.0.0.1 isc.org ns:
>
> ; <<>> DiG 9.20.22 <<>> @127.0.0.1 isc.org ns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15506
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 12bf134d8ab82a1f0100000069fa702b7af885273613e7a0 (good)
> ;; QUESTION SECTION:
> ;isc.org.                       IN      NS
>
> ;; Query time: 270 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Tue May 05 15:33:15 PDT 2026
> ;; MSG SIZE rcvd: 64
>
> -----
>
> From the log file:
>
> 05-May-2026 15:33:14.946 sending packet to 51.75.79.143#53
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18818
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ; COOKIE: 37203429eaaac686
> ;; QUESTION SECTION:
> ;isc.org.                       IN      NS
>
>
> 05-May-2026 15:33:15.000 received packet from 51.75.79.143#53
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18818
> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 13
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;isc.org.                       IN      NS
>
> ;; ANSWER SECTION:
> ;isc.org.               253     IN      NS      nsp.dnsnode.net.
> ;isc.org.               253     IN      NS      ns.isc.afilias-nst.info.
> ;isc.org.               253     IN      NS      ns3.isc.org.
> ;isc.org.               253     IN      NS      ns1.isc.org.
> ;isc.org.               253     IN      NS      ns2.isc.org.
> ;isc.org.               253     IN      RRSIG   NS 13 2 7200 (
> ;                                       20260517224622 20260503222353 27566 isc.org.
> ;                                       TaBtsBPDE7jaRThZXwtEr6AOmhlQ
> ;                                       LVC7OixA12UQGaySbobHaEMAzBWM
> ;                                       s09WxV3Lx/ID0RcXbLQ7Rln2kNT9
> ;                                       iw== )
>
> ;; ADDITIONAL SECTION:
> ;ns1.isc.org.           253     IN      A       149.20.2.26
> ;ns1.isc.org.           253     IN      AAAA    2001:500:6b:2::26
> ;ns1.isc.org.           253     IN      RRSIG   A 13 3 7200 (
> ;                                       20260518111515 20260504104234 27566 isc.org.
> ;                                       rvGvhZFmzoCp+o0sXy48v1z2fAUo
> ;                                       JeNJdvCk9akPpkq/MYcrkP3Zwdwi
> ;                                       Og+rRtnaVdsmVSRZtos9a5zAIM0x
> ;                                       wg== )
> ;ns1.isc.org.           253     IN      RRSIG   AAAA 13 3 7200 (
> ;                                       20260518111515 20260504104234 27566 isc.org.
> ;                                       X60RcyIUKZQwOsb5YRHYBJHKMvOF
> ;                                       6kN1yzW7qjMcu7p+fWV+/DjTG5Sc
> ;                                       ERZeEgz127O7Y8Cf/Cjz4NNgJnQQ
> ;                                       Bg== )
> ;ns2.isc.org.           253     IN      A       199.6.1.52
> ;ns2.isc.org.           253     IN      AAAA    2001:500:60:d::52
> ;ns2.isc.org.           253     IN      RRSIG   A 13 3 7200 (
> ;                                       20260518111759 20260504105029 27566 isc.org.
> ;                                       9RqgaC0qRsNhr+wnD1NU4pccHyPh
> ;                                       JjSHjjgO2/CalXQzT+KCWc/v4Hic
> ;                                       gcC0eln4YTRQ91N///eXLnTUsD1z
> ;                                       lA== )
> ;ns2.isc.org.           253     IN      RRSIG   AAAA 13 3 7200 (
> ;                                       20260518111515 20260504104234 27566 isc.org.
> ;                                       wFxIauHbPMI1ccRccaO0VEzumAhp
> ;                                       xw/T5L3HUKKH2UASaXjc1hU6Kw42
> ;                                       hEYhg2g7uKJ+b3YaH8FD6Babuxwg
> ;                                       iQ== )
> ;ns3.isc.org.           253     IN      A       51.75.79.143
> ;ns3.isc.org.           253     IN      AAAA    2001:41d0:701:1100::2c92
> ;ns3.isc.org.           253     IN      RRSIG   A 13 3 7200 (
> ;                                       20260518111515 20260504104234 27566 isc.org.
> ;                                       QSq3Op3j2mJCrc12Meiz6jYy2B/K
> ;                                       lEHEcWXV3YRuN06uuxpGamhVw0IG
> ;                                       fbru0ZwpNjDMC1FofIITk1zo7hyS
> ;                                       DQ== )
> ;ns3.isc.org.           253     IN      RRSIG   AAAA 13 3 7200 (
> ;                                       20260518111515 20260504104234 27566 isc.org.
> ;                                       /9Spkv/tFLBQS+us5Heo4tP9yvkd
> ;                                       tTxbCFfE0kJUPVpQNKA0edC9wTNB
> ;                                       U8NW3nCaOokXCNEC/pxqoRv32I3f
> ;                                       9g== )
>
>
> 05-May-2026 15:33:15.000 log_ns_ttl: fctx 0x2cfd35000:
> rctx_answer_none: isc.org (in 'isc.org'?): 1 254
> 05-May-2026 15:33:15.000 DNS format error from 51.75.79.143#53
> resolving isc.org/NS for 127.0.0.1#51070: non-improving referral
> 05-May-2026 15:33:15.000 FORMERR resolving 'isc.org/NS/IN': 51.75.79.143#53
>
>
>> Greg Choules <[email protected]>
>>
>> 9:25 AM (8 hours ago)
>> to me, bind-users
>> Hello Mark.
>> I have the current MacOS on Apple Silicon and 9.20.22, installed via
>> Homebrew, and it works for me.
>> Perhaps you could share your config, dig test and results and maybe a pcap.
>>
>> Cheers, Greg
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
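
The header check described in the reply at the top of this thread, written out as an added example (not part of the original messages and not BIND code). The function names and result labels are hypothetical; QUERY and LOGGED_REPLY use the id, flags and section counts from the log quoted above, while DIRECT_REPLY and REFERRAL are constructed for comparison.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # header flag bits, RFC 1035 4.1.1


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "ancount": an}


def interception_signs(query: bytes, response: bytes) -> list:
    """Header anomalies in a reply that claims to come from a server
    authoritative for the queried name (heuristic, header only)."""
    q, r = parse_header(query), parse_header(response)
    if not r["flags"] & QR or r["id"] != q["id"]:
        raise ValueError("not a response to this query")
    signs = []
    # An authoritative server answering from its own zone sets AA.
    # A referral (no answer records) legitimately leaves AA clear.
    if r["ancount"] > 0 and not r["flags"] & AA:
        signs.append("answer-without-aa")
    # RD is copied from the query, so it should not appear if the query lacked it.
    if (r["flags"] & RD) != (q["flags"] & RD):
        signs.append("rd-mismatch")
    # RA advertises recursion, which an authoritative-only server does not offer.
    if r["flags"] & RA:
        signs.append("ra-set")
    return signs


# Headers only, no question or record sections (constructed for this example).
# QUERY / LOGGED_REPLY: id 18818 with the flags and counts shown in the named log.
QUERY = struct.pack("!6H", 18818, 0x0000, 1, 0, 0, 1)
LOGGED_REPLY = struct.pack("!6H", 18818, QR | RD | RA, 1, 6, 0, 13)
# What a direct authoritative answer and a plain referral would look like
# (flag combinations and referral counts are constructed, not from the thread).
DIRECT_REPLY = struct.pack("!6H", 18818, QR | AA, 1, 6, 0, 13)
REFERRAL = struct.pack("!6H", 18818, QR, 1, 0, 4, 9)

if __name__ == "__main__":
    for name, reply in [("logged", LOGGED_REPLY), ("direct", DIRECT_REPLY),
                        ("referral", REFERRAL)]:
        print(name, interception_signs(QUERY, reply))
```
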

