[RndTbl] help! dns zone delegation wonky for AAAA

Adam Thompson athompso at athompso.net
Mon Nov 21 07:32:01 CST 2016


Sounds like a bug in host(1), which has been deprecated for several years now.  Recommended solution: switch to "dig +short" instead.
-Adam

On November 21, 2016 3:57:42 AM CST, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>I'm seeing some weird behaviour related to AAAA and delegation I'd like
>to 
>correct with a BIND DNS setup.  I have no AAAA records anywhere.  Some 
>lookup tools/libraries insist on looking up AAAA, I want them to fail 
>immediately.  All servers/clients involved are run with the -4 option
>to 
>run all traffic over IPv4.
>
>The problem is that I'm seeing occassional lookup delays for AAAA
>records 
>on some boxes (the ones that delegate), but not other ones (every other
>
>box).
>
>On my box (BOX1) I'm authoritative for foo.com (only for my internal 
>networks).
>On the same box, I delegate sub.foo.com to ns.com (BOX2).
>
>BOX2 is authoritative for foo.com and sub.foo.com.  I do this so BOX1
>can 
>have local dynamic DNS for local Windows boxes, etc, on foo.com. 
>Whereas 
>the BOX2 view is for the whole world, to which I don't want to share
>the 
>existence of windows.foo.com, etc.  A bit messy, but this has worked
>for 
>me for 15 years.
>
>The problem symptoms:
>
>I run "host bar.sub.foo.com " on the boxes:
>
>BOX1:
>bar.sub.foo.com has address 1.2.3.4
>Host bar.sub.foo.com not found: 2(SERVFAIL)
>bar.sub.foo.com mail is handled by 5 bar.sub.foo.com.
><often delays 5-10sec before giving the SERVFAIL
>
>BOX2 (and every other box in the world except BOX1!!):
>bar.sub.foo.com has address 1.2.3.4
>bar.sub.foo.com mail is handled by 5 bar.sub.foo.com.
>
>I don't want the delay or the SERVFAIL on BOX1.
>
>The host command by default does a lookup of AA, AAAA and MX in that 
>order.  That's fine.  But I want them all to run without delay, and the
>
>AAAA to be ignored like it is on BOX2.  Again, there are no AAAA
>records 
>in any of these zone files.
>
>I think I'm seeing the precise bug discussed here:
>
>https://tools.ietf.org/html/draft-ietf-dnsop-misbehavior-against-aaaa-00
>search to:  4.4 Make Lame Delegation
>
>That document doesn't seem to provide any solutions.
>
>I think the issue is when BOX2 (or any box but BOX1) does a lookup, it 
>checks only with BOX2, sees there's no AAAA and happily ignores AAAA. 
>I 
>think in essence it's like "I'm BOX2, I'm authoritative and I have no 
>AAAA".  host is happy with this.
>
>With BOX1, it does a lookup with BOX1's named which recurses out to the
>
>delegation on BOX2.  BOX2 says the same as it did above, but this time 
>it's talking to BOX1 named, not the host command.  BOX1 named must be 
>saying "I thought BOX2 was authoritative, but I find no AAAA so it's
>not 
>authoritative after all, and I don't know anyone who is so I'm spewing 
>this error SERVFAIL".  I'm just guessing here.
>
>I want the host command on BOX1 to behave the same as BOX2.  Can it be 
>done?  I actually was seeing the exact same problem with the 
>nonexistent bar.sub.foo.com MX record and I solved it by adding an MX 
>record for it on BOX2.  However, I don't want any AAAA record on any
>box, 
>as none of them have IPv6 addresses!  Surely there must be a solution
>to 
>this weird problem.
>
>Possibly relevant is how dig behaves with different usage:
>
>
>BOX1#dig -tAAAA @localhost bar.sub.foo.com
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2619
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>;; QUESTION SECTION:
>;bar.sub.foo.com.	IN	AAAA
>
>
>BOX1#dig -tAAAA @ns.com bar.sub.foo.com
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5477
>;; flags: qr aa 
>rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>;; WARNING: recursion requested but not available
>
>;; QUESTION SECTION:
>;bar.sub.foo.com.	IN	AAAA
>
>;; AUTHORITY SECTION:
>foo.com.		86400	IN	SOA	ns.com. 17 1800 300 604800 86400
>
>
>BOX2#dig -tAAAA @localhost bar.sub.foo.com
>**pretty much the same output as above 2nd example, NOERROR**
>BOX2#dig -tAAAA @ns.com bar.sub.foo.com
>**pretty much the same output as above 2nd example, NOERROR**
>
>
>It's that SERVFAIL in example dig #1 above that I want to eliminate,
>and 
>thus also the SERVFAIL with host.
>
>Thanks!
>_______________________________________________
>Roundtable mailing list
>Roundtable at muug.ca
>https://muug.ca/mailman/listinfo/roundtable

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://muug.ca/pipermail/roundtable/attachments/20161121/c4e9e8a1/attachment.html>


More information about the Roundtable mailing list