Sorry, responded to the wrong message before.
> If I recursively through a resolver (bind 8.2.2, 8.2.3. or 9.1.0) send
> the request
>
> ns1.obol-net.net. MX ?
>
> the response is SERVFAIL. When I direct the request directly to the
> servers I see no problem with the response.
The stub resolver is just displaying the answer that it gets back from
whatever server it queried.
When the resolver queries a BIND (8.1->?) server, it displays the answer
that BIND returns. BIND sees this particular response as a malformed
NODATA response, which it treats as a referral. When the referrals fail
the proper response is to return SERVFAIL, since none of the auth servers
were able to answer the query.
RFC 2308, 2.2 - No Data
NODATA is indicated by an answer with the RCODE set to NOERROR and no
relevant answers in the answer section. The authority section will
contain an SOA record, or there will be no NS records there.
Your auth servers are returning NS RRs in the auth section. BIND sees this
response format as a referral and tries to query the listed servers.
When your resolver queries the original auth servers, they are just
returning NODATA/NOERROR, but the resover doesn't have the smarts from
RFC-2308 to parse the response and restart the query (iteratively). It's
just a dumb stub so it just prints the answer it got.
You will have to fix your auth servers so that they return properly
formatted NODATA response if you want them to interoperate with
2308-compliant DNS servers in the query path.
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
