[47059] in North American Network Operators' Group


incorrect NXDOMAIN response from DNS server

daemon@ATHENA.MIT.EDU (Jun-ichiro itojun Hagino)
Wed Apr 24 22:31:58 2002

To: nanog@nanog.org
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0"
Content-ID: <26624.1019701819.0@itojun.org>
Date: Thu, 25 Apr 2002 11:30:27 +0900
Message-ID: <26629.1019701827@itojun.org>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
Errors-To: owner-nanog-outgoing@merit.edu


------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <26624.1019701819.1@itojun.org>

	the issue was originally raised on 6bone@isi.edu.

	there are name server implementations (probably load balancing products)
	that respond with NXDOMAIN, when they should respond with NOERROR with
	an empty reply.  one example is news.bbc.co.uk.  this symptom not only
	confuses IPv6-ready client resolvers, but also has a bad effect on
	negative caching and email delivery (if MX is responded with NODOMAIN).

	do you know:
	- names of particular implementations which have/had this bug?
	- other examples of nameservers that behave like this?
	  (windowsupdate.microsoft.com behaved like this in Feb 2002, but
	  they are already fixed)
	- how can we get people to fix it?  (client side workaround should
	  not be populated, just to be sure)

itojun


% dig news.bbc.co.uk. aaaa

; <<>> DiG 9.1.2 <<>> news.bbc.co.uk. aaaa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60945
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;news.bbc.co.uk.			IN	AAAA

;; ANSWER SECTION:
news.bbc.co.uk.		1770	IN	CNAME	newswww.bbc.net.uk.

;; Query time: 2362 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Thu Apr 25 11:25:45 2002
;; MSG SIZE  rcvd: 62

% dig news.bbc.co.uk. a

; <<>> DiG 9.1.2 <<>> news.bbc.co.uk. a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11225
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;news.bbc.co.uk.			IN	A

;; ANSWER SECTION:
news.bbc.co.uk.		1761	IN	CNAME	newswww.bbc.net.uk.
newswww.bbc.net.uk.	300	IN	A	212.58.240.33

;; AUTHORITY SECTION:
bbc.net.uk.		14360	IN	NS	ns0.thny.bbc.co.uk.
bbc.net.uk.		14360	IN	NS	ns0.thdo.bbc.co.uk.

;; ADDITIONAL SECTION:
ns0.thdo.bbc.co.uk.	6362	IN	A	212.58.224.20
ns0.thny.bbc.co.uk.	6362	IN	A	38.160.150.20

;; Query time: 2341 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Thu Apr 25 11:25:53 2002
;; MSG SIZE  rcvd: 156


------- =_aaaaaaaaaa0
Content-Type: message/rfc822
Content-ID: <26624.1019701819.2@itojun.org>

Return-Path: <owner-users@ipv6.org>
Delivered-To: itojun@itojun.org
Received: from brev.stacken.kth.se (brev.stacken.kth.se [130.237.234.84])
	by coconut.itojun.org (Postfix) with ESMTP id 3E6604B22
	for <itojun@itojun.org>; Thu, 18 Apr 2002 00:27:47 +0900 (JST)
Received: (from majordom@localhost)
	by brev.stacken.kth.se (8.9.3/8.9.3) id RAA09150
	for users-list; Wed, 17 Apr 2002 17:02:45 +0200 (MET DST)
Received: from marduk.litech.org (IDENT:mail@marduk.cs.cornell.edu [128.84.154.54])
	by brev.stacken.kth.se (8.9.3/8.9.3) with ESMTP id RAA09146
	for <users@ipv6.org>; Wed, 17 Apr 2002 17:02:35 +0200 (MET DST)
Received: from lutchann by marduk.litech.org with local (Exim 3.22 #1)
	id 16xqwp-0006qg-00
	for users@ipv6.org; Wed, 17 Apr 2002 11:02:15 -0400
Date: Wed, 17 Apr 2002 11:02:15 -0400
From: Nathan Lutchansky <lutchann-ipv6users@litech.org>
To: users@ipv6.org
Subject: Broken DNS prevents IPv6 deployment
Message-ID: <20020417110215.C29302@litech.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="MnLPg7ZWsaic7Fhd"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
Sender: owner-users@ipv6.org
Precedence: bulk
X-Filter: mailagent [version 3.0 PL73] for itojun@itojun.org


--MnLPg7ZWsaic7Fhd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi all,

We've noticed that some sites like news.bbc.co.uk are running broken DNS
servers that return NXDOMAIN for AAAA queries rather than NOERROR with
zero answers.  The NXDOMAIN reply indicates that there are no records of
any type for the requested name, which is clearly not true since A records
exist and are returned with an A query.

Unfortunately, this means that applications that attempt AAAA queries are
unable to resolve addresses that reside within these broken servers.  And
that includes WinXP with the IPv6 stack enabled.  We would like to deploy
IPv6 on Windows XP machines here, but our users complain loudly when they
are not able to access BBC.

Has anybody found a workaround for this problem?  Judging by newsgroup
messages, BBC has known about this problem for months and has neglected to
fix it.  At the very least, does anybody have an idea of how widespread is
this problem?  -Nathan

-- 
+-------------------+---------------------+------------------------+
| Nathan Lutchansky | lutchann@litech.org |  Lithium Technologies  |
+------------------------------------------------------------------+
|  I dread success.  To have succeeded is to have finished one's   |
|  business on earth...  I like a state of continual becoming,     |
|  with a goal in front and not behind. - George Bernard Shaw      |
+------------------------------------------------------------------+

--MnLPg7ZWsaic7Fhd--

------- =_aaaaaaaaaa0--
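
A check for the behaviour discussed in this thread, as an added example that is not part of the original messages: it parses the header and question of DNS responses and reports names that receive NXDOMAIN for one query type although another type for the same name returned NOERROR. The function names and the `example.com` sample responses are constructed for illustration.

```python
import struct

NOERROR, NXDOMAIN = 0, 3
QTYPES = {1: "A", 28: "AAAA"}

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(name, qtype, rcode, rdata=None):
    """Constructed sample response: one question, at most one answer."""
    flags = 0x8180 | rcode  # QR, RD, RA set; RCODE is the low 4 bits
    msg = struct.pack("!6H", 0x1234, flags, 1, 1 if rdata else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!2H", qtype, 1)
    if rdata:  # owner name is a compression pointer to the question (offset 12)
        msg += b"\xc0\x0c" + struct.pack("!2HIH", qtype, 1, 300, len(rdata)) + rdata
    return msg

def parse_response(msg):
    """Return (qname, qtype, rcode, ancount) from a DNS response message."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    labels, pos = [], 12
    while msg[pos]:  # walk the length-prefixed labels of the question name
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    qtype, _qclass = struct.unpack("!2H", msg[pos + 1:pos + 5])
    return ".".join(labels) + ".", qtype, flags & 0x000F, ancount

def inconsistent_nxdomain(responses):
    """Names that get NXDOMAIN for one type although another type got NOERROR."""
    seen = {}
    for msg in responses:
        name, qtype, rcode, _ancount = parse_response(msg)
        seen.setdefault(name, {})[qtype] = rcode
    findings = []
    for name, rcodes in sorted(seen.items()):
        if NOERROR in rcodes.values():  # the name exists for some type
            findings += [(name, QTYPES.get(t, str(t)))
                         for t, rc in sorted(rcodes.items()) if rc == NXDOMAIN]
    return findings

SAMPLES = [  # constructed: www.example.com shows the bug, ok.example.com does not
    build_response("www.example.com.", 1, NOERROR, bytes([192, 0, 2, 1])),
    build_response("www.example.com.", 28, NXDOMAIN),
    build_response("ok.example.com.", 1, NOERROR, bytes([192, 0, 2, 2])),
    build_response("ok.example.com.", 28, NOERROR),  # correct: empty answer
]
print(inconsistent_nxdomain(SAMPLES))
```
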
