TLD resource records not usable



Dr Pizza

A bug.

http://groups-beta.google.com/group...61df7dbab87/96a2e79ebf3b5542#96a2e79ebf3b5542

And not a new one either.

Why does no-one care to fix it?

To summarize:

Queries made of a Windows 2000 (all SPs and versions) and 2003 DNS (all SPs
and versions) server for any record type other than NS will SERVFAIL if the
name being looked up is made of a single label.

For example:

[C:\]nslookup
Default Server: quiscalus.quiscalusmexicanus.local
Address: 10.0.0.1
set d2
set type=any
ai.
Server: quiscalus.quiscalusmexicanus.local
Address: 10.0.0.1

------------
SendRequest(), len 20
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
ai, type = ANY, class = IN

------------
------------
Got answer (20 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = SERVFAIL
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
ai, type = ANY, class = IN

------------
*** quiscalus.quiscalusmexicanus.local can't find ai.: Server failed
Server: quiscalus.quiscalusmexicanus.local
Address: 10.0.0.1

------------
SendRequest(), len 20
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
tm, type = ANY, class = IN

------------
------------
Got answer (20 bytes):
HEADER:
opcode = QUERY, id = 3, rcode = SERVFAIL
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
tm, type = ANY, class = IN

------------
*** quiscalus.quiscalusmexicanus.local can't find tm.: Server failed
Server: quiscalus.quiscalusmexicanus.local
Address: 10.0.0.1

------------
SendRequest(), len 20
HEADER:
opcode = QUERY, id = 4, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
cx, type = ANY, class = IN

------------
------------
Got answer (20 bytes):
HEADER:
opcode = QUERY, id = 4, rcode = SERVFAIL
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
cx, type = ANY, class = IN

10.0.0.1 is my Windows DNS server.

If I switch to NS lookups, all is well:
set type=ns
ai.
Server: quiscalus.quiscalusmexicanus.local
Address: 10.0.0.1

------------
SendRequest(), len 20
HEADER:
opcode = QUERY, id = 5, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
ai, type = NS, class = IN

------------
------------
Got answer (146 bytes):
HEADER:
opcode = QUERY, id = 5, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 3, authority records = 0, additional = 3

QUESTIONS:
ai, type = NS, class = IN
ANSWERS:
-> ai
type = NS, class = IN, dlen = 14
nameserver = ns1.pair.com
ttl = 84990 (23 hours 36 mins 30 secs)
-> ai
type = NS, class = IN, dlen = 13
nameserver = ns1.redhat.com
ttl = 84990 (23 hours 36 mins 30 secs)
-> ai
type = NS, class = IN, dlen = 15
nameserver = ns1.offshore.ai
ttl = 84990 (23 hours 36 mins 30 secs)
ADDITIONAL RECORDS:
-> ns1.pair.com
type = A, class = IN, dlen = 4
internet address = 209.68.1.11
ttl = 84990 (23 hours 36 mins 30 secs)
-> ns1.redhat.com
type = A, class = IN, dlen = 4
internet address = 66.187.233.210
ttl = 84990 (23 hours 36 mins 30 secs)
-> ns1.offshore.ai
type = A, class = IN, dlen = 4
internet address = 209.88.68.34
ttl = 84990 (23 hours 36 mins 30 secs)

------------
Non-authoritative answer:
ai
type = NS, class = IN, dlen = 14
nameserver = ns1.pair.com
ttl = 84990 (23 hours 36 mins 30 secs)
ai
type = NS, class = IN, dlen = 13
nameserver = ns1.redhat.com
ttl = 84990 (23 hours 36 mins 30 secs)
ai
type = NS, class = IN, dlen = 15
nameserver = ns1.offshore.ai
ttl = 84990 (23 hours 36 mins 30 secs)

ns1.pair.com
type = A, class = IN, dlen = 4
internet address = 209.68.1.11
ttl = 84990 (23 hours 36 mins 30 secs)
ns1.redhat.com
type = A, class = IN, dlen = 4
internet address = 66.187.233.210
ttl = 84990 (23 hours 36 mins 30 secs)
ns1.offshore.ai
type = A, class = IN, dlen = 4
internet address = 209.88.68.34
ttl = 84990 (23 hours 36 mins 30 secs)
Server: quiscalus.quiscalusmexicanus.local
Address: 10.0.0.1

------------
SendRequest(), len 20
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
tm, type = NS, class = IN

------------
------------
Got answer (294 bytes):
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 7, authority records = 0, additional = 7

QUESTIONS:
tm, type = NS, class = IN
ANSWERS:
-> tm
type = NS, class = IN, dlen = 16
nameserver = ns2.uucp.ne.jp
ttl = 85517 (23 hours 45 mins 17 secs)
-> tm
type = NS, class = IN, dlen = 15
nameserver = ns3.icb.co.uk
ttl = 85517 (23 hours 45 mins 17 secs)
-> tm
type = NS, class = IN, dlen = 8
nameserver = a.nic.tm
ttl = 85517 (23 hours 45 mins 17 secs)
-> tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.ac
ttl = 85517 (23 hours 45 mins 17 secs)
-> tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.io
ttl = 85517 (23 hours 45 mins 17 secs)
-> tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.sh
ttl = 85517 (23 hours 45 mins 17 secs)
-> tm
type = NS, class = IN, dlen = 9
nameserver = ns2.jp.io
ttl = 85517 (23 hours 45 mins 17 secs)
ADDITIONAL RECORDS:
-> ns2.uucp.ne.jp
type = A, class = IN, dlen = 4
internet address = 221.117.39.211
ttl = 85517 (23 hours 45 mins 17 secs)
-> ns3.icb.co.uk
type = A, class = IN, dlen = 4
internet address = 217.199.188.61
ttl = 85517 (23 hours 45 mins 17 secs)
-> a.nic.tm
type = A, class = IN, dlen = 4
internet address = 64.251.31.180
ttl = 85517 (23 hours 45 mins 17 secs)
-> b.nic.ac
type = A, class = IN, dlen = 4
internet address = 217.160.203.158
ttl = 85517 (23 hours 45 mins 17 secs)
-> b.nic.io
type = A, class = IN, dlen = 4
internet address = 66.235.201.216
ttl = 85517 (23 hours 45 mins 17 secs)
-> b.nic.sh
type = A, class = IN, dlen = 4
internet address = 216.117.156.206
ttl = 85517 (23 hours 45 mins 17 secs)
-> ns2.jp.io
type = A, class = IN, dlen = 4
internet address = 210.146.53.19
ttl = 85517 (23 hours 45 mins 17 secs)

------------
Non-authoritative answer:
tm
type = NS, class = IN, dlen = 16
nameserver = ns2.uucp.ne.jp
ttl = 85517 (23 hours 45 mins 17 secs)
tm
type = NS, class = IN, dlen = 15
nameserver = ns3.icb.co.uk
ttl = 85517 (23 hours 45 mins 17 secs)
tm
type = NS, class = IN, dlen = 8
nameserver = a.nic.tm
ttl = 85517 (23 hours 45 mins 17 secs)
tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.ac
ttl = 85517 (23 hours 45 mins 17 secs)
tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.io
ttl = 85517 (23 hours 45 mins 17 secs)
tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.sh
ttl = 85517 (23 hours 45 mins 17 secs)
tm
type = NS, class = IN, dlen = 9
nameserver = ns2.jp.io
ttl = 85517 (23 hours 45 mins 17 secs)

ns2.uucp.ne.jp
type = A, class = IN, dlen = 4
internet address = 221.117.39.211
ttl = 85517 (23 hours 45 mins 17 secs)
ns3.icb.co.uk
type = A, class = IN, dlen = 4
internet address = 217.199.188.61
ttl = 85517 (23 hours 45 mins 17 secs)
a.nic.tm
type = A, class = IN, dlen = 4
internet address = 64.251.31.180
ttl = 85517 (23 hours 45 mins 17 secs)
b.nic.ac
type = A, class = IN, dlen = 4
internet address = 217.160.203.158
ttl = 85517 (23 hours 45 mins 17 secs)
b.nic.io
type = A, class = IN, dlen = 4
internet address = 66.235.201.216
ttl = 85517 (23 hours 45 mins 17 secs)
b.nic.sh
type = A, class = IN, dlen = 4
internet address = 216.117.156.206
ttl = 85517 (23 hours 45 mins 17 secs)
ns2.jp.io
type = A, class = IN, dlen = 4
internet address = 210.146.53.19
ttl = 85517 (23 hours 45 mins 17 secs)
Server: quiscalus.quiscalusmexicanus.local
Address: 10.0.0.1

------------
SendRequest(), len 20
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
cx, type = NS, class = IN

------------
------------
Got answer (270 bytes):
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 6, authority records = 0, additional = 6

QUESTIONS:
cx, type = NS, class = IN
ANSWERS:
-> cx
type = NS, class = IN, dlen = 16
nameserver = ns1.cx-nic.org
ttl = 85692 (23 hours 48 mins 12 secs)
-> cx
type = NS, class = IN, dlen = 20
nameserver = estia.ics.forth.gr
ttl = 85692 (23 hours 48 mins 12 secs)
-> cx
type = NS, class = IN, dlen = 18
nameserver = ns.cx-nic.org.nz
ttl = 85692 (23 hours 48 mins 12 secs)
-> cx
type = NS, class = IN, dlen = 16
nameserver = cx1.tlddns.net
ttl = 85692 (23 hours 48 mins 12 secs)
-> cx
type = NS, class = IN, dlen = 6
nameserver = cx2.tlddns.net
ttl = 85692 (23 hours 48 mins 12 secs)
-> cx
type = NS, class = IN, dlen = 6
nameserver = cx3.tlddns.net
ttl = 85692 (23 hours 48 mins 12 secs)
ADDITIONAL RECORDS:
-> ns1.cx-nic.org
type = A, class = IN, dlen = 4
internet address = 216.64.163.225
ttl = 85692 (23 hours 48 mins 12 secs)
-> estia.ics.forth.gr
type = A, class = IN, dlen = 4
internet address = 139.91.191.3
ttl = 85692 (23 hours 48 mins 12 secs)
-> ns.cx-nic.org.nz
type = A, class = IN, dlen = 4
internet address = 203.63.5.10
ttl = 85692 (23 hours 48 mins 12 secs)
-> cx1.tlddns.net
type = A, class = IN, dlen = 4
internet address = 63.208.196.89
ttl = 85692 (23 hours 48 mins 12 secs)
-> cx2.tlddns.net
type = A, class = IN, dlen = 4
internet address = 209.69.32.136
ttl = 85692 (23 hours 48 mins 12 secs)
-> cx3.tlddns.net
type = A, class = IN, dlen = 4
internet address = 63.209.15.209
ttl = 85692 (23 hours 48 mins 12 secs)

------------
Non-authoritative answer:
cx
type = NS, class = IN, dlen = 16
nameserver = ns1.cx-nic.org
ttl = 85692 (23 hours 48 mins 12 secs)
cx
type = NS, class = IN, dlen = 20
nameserver = estia.ics.forth.gr
ttl = 85692 (23 hours 48 mins 12 secs)
cx
type = NS, class = IN, dlen = 18
nameserver = ns.cx-nic.org.nz
ttl = 85692 (23 hours 48 mins 12 secs)
cx
type = NS, class = IN, dlen = 16
nameserver = cx1.tlddns.net
ttl = 85692 (23 hours 48 mins 12 secs)
cx
type = NS, class = IN, dlen = 6
nameserver = cx2.tlddns.net
ttl = 85692 (23 hours 48 mins 12 secs)
cx
type = NS, class = IN, dlen = 6
nameserver = cx3.tlddns.net
ttl = 85692 (23 hours 48 mins 12 secs)

ns1.cx-nic.org
type = A, class = IN, dlen = 4
internet address = 216.64.163.225
ttl = 85692 (23 hours 48 mins 12 secs)
estia.ics.forth.gr
type = A, class = IN, dlen = 4
internet address = 139.91.191.3
ttl = 85692 (23 hours 48 mins 12 secs)
ns.cx-nic.org.nz
type = A, class = IN, dlen = 4
internet address = 203.63.5.10
ttl = 85692 (23 hours 48 mins 12 secs)
cx1.tlddns.net
type = A, class = IN, dlen = 4
internet address = 63.208.196.89
ttl = 85692 (23 hours 48 mins 12 secs)
cx2.tlddns.net
type = A, class = IN, dlen = 4
internet address = 209.69.32.136
ttl = 85692 (23 hours 48 mins 12 secs)
cx3.tlddns.net
type = A, class = IN, dlen = 4
internet address = 63.209.15.209
ttl = 85692 (23 hours 48 mins 12 secs)
And if I use each of the tlds' name servers to do my ANY query I do see
RRs.
set type=any
server 209.68.1.11
------------
SendRequest(), len 42
HEADER:
opcode = QUERY, id = 9, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
11.1.68.209.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (140 bytes):
HEADER:
opcode = QUERY, id = 9, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion
avail.
questions = 1, answers = 1, authority records = 2, additional = 2

QUESTIONS:
11.1.68.209.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 11.1.68.209.in-addr.arpa
type = PTR, class = IN, dlen = 14
name = pri.pair.com
ttl = 7200 (2 hours)
AUTHORITY RECORDS:
-> 1.68.209.in-addr.arpa
type = NS, class = IN, dlen = 6
nameserver = ns1.pair.com
ttl = 7200 (2 hours)
-> 1.68.209.in-addr.arpa
type = NS, class = IN, dlen = 10
nameserver = ns0.ns0.com
ttl = 7200 (2 hours)
ADDITIONAL RECORDS:
-> ns0.ns0.com
type = A, class = IN, dlen = 4
internet address = 209.197.64.1
ttl = 7200 (2 hours)
-> ns1.pair.com
type = A, class = IN, dlen = 4
internet address = 209.68.1.11
ttl = 7200 (2 hours)

------------
Default Server: pri.pair.com
Address: 209.68.1.11
Server: pri.pair.com
Address: 209.68.1.11

------------
SendRequest(), len 20
HEADER:
opcode = QUERY, id = 10, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
ai, type = ANY, class = IN

------------
------------
Got answer (241 bytes):
HEADER:
opcode = QUERY, id = 10, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion
avail.
questions = 1, answers = 6, authority records = 0, additional = 4

QUESTIONS:
ai, type = ANY, class = IN
ANSWERS:
-> ai
type = SOA, class = IN, dlen = 43
ttl = 14400 (4 hours)
primary name server = ns1.offshore.ai
responsible mail addr = vince.offshore.ai
serial = 2005032264
refresh = 36000 (10 hours)
retry = 3600 (1 hour)
expire = 3600000 (41 days 16 hours)
default TTL = 86400 (1 day)
-> ai
type = NS, class = IN, dlen = 14
nameserver = ns1.pair.com
ttl = 14400 (4 hours)
-> ai
type = NS, class = IN, dlen = 13
nameserver = ns1.redhat.com
ttl = 14400 (4 hours)
-> ai
type = NS, class = IN, dlen = 2
nameserver = ns1.offshore.ai
ttl = 14400 (4 hours)
-> ai
type = A, class = IN, dlen = 4
internet address = 209.88.68.34
ttl = 14400 (4 hours)
-> ai
type = MX, class = IN, dlen = 9
MX preference = 10, mail exchanger = mail.offshore.ai
ttl = 14400 (4 hours)
ADDITIONAL RECORDS:
-> ns1.pair.com
type = A, class = IN, dlen = 4
internet address = 209.68.1.11
ttl = 7200 (2 hours)
-> ns1.redhat.com
type = A, class = IN, dlen = 4
internet address = 66.187.233.210
ttl = 131483 (1 day 12 hours 31 mins 23 secs)
-> ns1.offshore.ai
type = A, class = IN, dlen = 4
internet address = 209.88.68.34
ttl = 215 (3 mins 35 secs)
-> mail.offshore.ai
type = A, class = IN, dlen = 4
internet address = 209.88.68.34
ttl = 215 (3 mins 35 secs)

------------
ai
type = SOA, class = IN, dlen = 43
ttl = 14400 (4 hours)
primary name server = ns1.offshore.ai
responsible mail addr = vince.offshore.ai
serial = 2005032264
refresh = 36000 (10 hours)
retry = 3600 (1 hour)
expire = 3600000 (41 days 16 hours)
default TTL = 86400 (1 day)
ai
type = NS, class = IN, dlen = 14
nameserver = ns1.pair.com
ttl = 14400 (4 hours)
ai
type = NS, class = IN, dlen = 13
nameserver = ns1.redhat.com
ttl = 14400 (4 hours)
ai
type = NS, class = IN, dlen = 2
nameserver = ns1.offshore.ai
ttl = 14400 (4 hours)
ai
type = A, class = IN, dlen = 4
internet address = 209.88.68.34
ttl = 14400 (4 hours)
ai
type = MX, class = IN, dlen = 9
MX preference = 10, mail exchanger = mail.offshore.ai
ttl = 14400 (4 hours)
ns1.pair.com
type = A, class = IN, dlen = 4
internet address = 209.68.1.11
ttl = 7200 (2 hours)
ns1.redhat.com
type = A, class = IN, dlen = 4
internet address = 66.187.233.210
ttl = 131483 (1 day 12 hours 31 mins 23 secs)
ns1.offshore.ai
type = A, class = IN, dlen = 4
internet address = 209.88.68.34
ttl = 215 (3 mins 35 secs)
mail.offshore.ai
type = A, class = IN, dlen = 4
internet address = 209.88.68.34
ttl = 215 (3 mins 35 secs)
server 217.199.188.61
------------
SendRequest(), len 45
HEADER:
opcode = QUERY, id = 11, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
61.188.199.217.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (156 bytes):
HEADER:
opcode = QUERY, id = 11, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 2, additional = 2

QUESTIONS:
61.188.199.217.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 61.188.199.217.in-addr.arpa
type = PTR, class = IN, dlen = 14
name = ns.icb.co.uk
ttl = 86400 (1 day)
AUTHORITY RECORDS:
-> 188.199.217.in-addr.arpa
type = NS, class = IN, dlen = 23
nameserver = ns1.magic-moments.com
ttl = 86400 (1 day)
-> 188.199.217.in-addr.arpa
type = NS, class = IN, dlen = 6
nameserver = ns0.magic-moments.com
ttl = 86400 (1 day)
ADDITIONAL RECORDS:
-> ns0.magic-moments.com
type = A, class = IN, dlen = 4
internet address = 217.199.161.27
ttl = 134160 (1 day 13 hours 16 mins)
-> ns1.magic-moments.com
type = A, class = IN, dlen = 4
internet address = 212.67.202.220
ttl = 134160 (1 day 13 hours 16 mins)

------------
Default Server: ns.icb.co.uk
Address: 217.199.188.61
Server: ns.icb.co.uk
Address: 217.199.188.61

------------
SendRequest(), len 20
HEADER:
opcode = QUERY, id = 12, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
tm, type = ANY, class = IN

------------
truncated answer
------------
Got answer (858 bytes):
HEADER:
opcode = QUERY, id = 12, rcode = NOERROR
header flags: response, auth. answer, want recursion
questions = 1, answers = 16, authority records = 0, additional =
4

QUESTIONS:
tm, type = ANY, class = IN
ANSWERS:
-> tm
type = A, class = IN, dlen = 4
internet address = 64.251.31.234
ttl = 86400 (1 day)
-> tm
type = SOA, class = IN, dlen = 37
ttl = 86400 (1 day)
primary name server = ns.nic.tm
responsible mail addr = admin.nic.tm
serial = 2005061401
refresh = 43200 (12 hours)
retry = 3600 (1 hour)
expire = 3600000 (41 days 16 hours)
default TTL = 86400 (1 day)
-> tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.sh
ttl = 86400 (1 day)
-> tm
type = NS, class = IN, dlen = 11
nameserver = ns2.jp.io
ttl = 86400 (1 day)
-> tm
type = NS, class = IN, dlen = 16
nameserver = ns2.uucp.ne.jp
ttl = 86400 (1 day)
-> tm
type = NS, class = IN, dlen = 15
nameserver = ns3.icb.co.uk
ttl = 86400 (1 day)
-> tm
type = NS, class = IN, dlen = 8
nameserver = nstm6.icb.co.uk
ttl = 86400 (1 day)
-> tm
type = NS, class = IN, dlen = 4
nameserver = a.nic.tm
ttl = 86400 (1 day)
-> tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.ac
ttl = 86400 (1 day)
-> tm
type = NS, class = IN, dlen = 8
nameserver = b.nic.io
ttl = 86400 (1 day)
-> tm
type = TXT, class = IN, dlen = 244
text =

"Access to the .TM Zone File information does not in itself convey
any rights to any party to use, store, manipulate, such i
nformation without the explicit written consent of TM Domain Registry
Limited, P.O. Box 6000, Christchurch, BH23 1WB, UK"
ttl = 86400 (1 day)
-> tm
type = TXT, class = IN, dlen = 12
text =

"v=spf1 -all"
ttl = 86400 (1 day)
-> tm
type = TXT, class = IN, dlen = 22
text =

"$CHOICE: ns1c.nic.ac$"
ttl = 86400 (1 day)
-> tm
type = TXT, class = IN, dlen = 22
text =

"$CHOICE: ns2c.nic.ac$"
ttl = 86400 (1 day)
-> tm
type = TXT, class = IN, dlen = 64
text =

"(c) Copyright 2004, The TM Domain Registry - All Right Reserved"
ttl = 86400 (1 day)
-> tm
type = TXT, class = IN, dlen = 95
text =

"The .TM zone file is protected under national and international law
as a database compilation."
ttl = 86400 (1 day)
ADDITIONAL RECORDS:
-> a.nic.tm
type = A, class = IN, dlen = 4
internet address = 64.251.31.180
ttl = 604800 (7 days)
-> b.nic.ac
type = A, class = IN, dlen = 4
internet address = 217.160.203.158
ttl = 3600 (1 hour)
-> b.nic.io
type = A, class = IN, dlen = 4
internet address = 66.235.201.216
ttl = 3600 (1 hour)
-> b.nic.sh
type = A, class = IN, dlen = 4
internet address = 216.117.156.206
ttl = 3600 (1 hour)

------------
tm
type = A, class = IN, dlen = 4
internet address = 64.251.31.234
ttl = 86400 (1 day)
tm
type = SOA, class = IN, dlen = 37
ttl = 86400 (1 day)
primary name server = ns.nic.tm
responsible mail addr = admin.nic.tm
serial = 2005061401
refresh = 43200 (12 hours)
retry = 3600 (1 hour)
expire = 3600000 (41 days 16 hours)
default TTL = 86400 (1 day)
tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.sh
ttl = 86400 (1 day)
tm
type = NS, class = IN, dlen = 11
nameserver = ns2.jp.io
ttl = 86400 (1 day)
tm
type = NS, class = IN, dlen = 16
nameserver = ns2.uucp.ne.jp
ttl = 86400 (1 day)
tm
type = NS, class = IN, dlen = 15
nameserver = ns3.icb.co.uk
ttl = 86400 (1 day)
tm
type = NS, class = IN, dlen = 8
nameserver = nstm6.icb.co.uk
ttl = 86400 (1 day)
tm
type = NS, class = IN, dlen = 4
nameserver = a.nic.tm
ttl = 86400 (1 day)
tm
type = NS, class = IN, dlen = 10
nameserver = b.nic.ac
ttl = 86400 (1 day)
tm
type = NS, class = IN, dlen = 8
nameserver = b.nic.io
ttl = 86400 (1 day)
tm
type = TXT, class = IN, dlen = 244
text =

"Access to the .TM Zone File information does not in itself convey
any rights to any party to use, store, manipulate, such i
nformation without the explicit written consent of TM Domain Registry
Limited, P.O. Box 6000, Christchurch, BH23 1WB, UK"
ttl = 86400 (1 day)
tm
type = TXT, class = IN, dlen = 12
text =

"v=spf1 -all"
ttl = 86400 (1 day)
tm
type = TXT, class = IN, dlen = 22
text =

"$CHOICE: ns1c.nic.ac$"
ttl = 86400 (1 day)
tm
type = TXT, class = IN, dlen = 22
text =

"$CHOICE: ns2c.nic.ac$"
ttl = 86400 (1 day)
tm
type = TXT, class = IN, dlen = 64
text =

"(c) Copyright 2004, The TM Domain Registry - All Right Reserved"
ttl = 86400 (1 day)
tm
type = TXT, class = IN, dlen = 95
text =

"The .TM zone file is protected under national and international law
as a database compilation."
ttl = 86400 (1 day)
a.nic.tm
type = A, class = IN, dlen = 4
internet address = 64.251.31.180
ttl = 604800 (7 days)
b.nic.ac
type = A, class = IN, dlen = 4
internet address = 217.160.203.158
ttl = 3600 (1 hour)
b.nic.io
type = A, class = IN, dlen = 4
internet address = 66.235.201.216
ttl = 3600 (1 hour)
b.nic.sh
type = A, class = IN, dlen = 4
internet address = 216.117.156.206
ttl = 3600 (1 hour)
server 216.64.163.225
------------
SendRequest(), len 45
HEADER:
opcode = QUERY, id = 13, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
225.163.64.216.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (256 bytes):
HEADER:
opcode = QUERY, id = 13, rcode = NOERROR
header flags: response, want recursion
questions = 1, answers = 0, authority records = 13, additional =
0

QUESTIONS:
225.163.64.216.in-addr.arpa, type = PTR, class = IN
AUTHORITY RECORDS:
-> (root)
type = NS, class = IN, dlen = 20
nameserver = L.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = M.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = A.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = B.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = C.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = D.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = E.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = F.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = G.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = H.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = I.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = J.ROOT-SERVERS.NET
ttl = 518400 (6 days)
-> (root)
type = NS, class = IN, dlen = 4
nameserver = K.ROOT-SERVERS.NET
ttl = 518400 (6 days)

------------
(root)
type = NS, class = IN, dlen = 20
nameserver = L.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = M.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = A.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = B.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = C.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = D.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = E.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = F.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = G.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = H.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = I.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = J.ROOT-SERVERS.NET
ttl = 518400 (6 days)
(root)
type = NS, class = IN, dlen = 4
nameserver = K.ROOT-SERVERS.NET
ttl = 518400 (6 days)
Default Server: [216.64.163.225]
Address: 216.64.163.225
Server: [216.64.163.225]
Address: 216.64.163.225

------------
SendRequest(), len 20
HEADER:
opcode = QUERY, id = 14, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
cx, type = ANY, class = IN

------------
------------
Got answer (367 bytes):
HEADER:
opcode = QUERY, id = 14, rcode = NOERROR
header flags: response, auth. answer, want recursion
questions = 1, answers = 9, authority records = 0, additional = 6

QUESTIONS:
cx, type = ANY, class = IN
ANSWERS:
-> cx
type = SOA, class = IN, dlen = 53
ttl = 86400 (1 day)
primary name server = ns1.cx-nic.org
responsible mail addr = hostmaster.nic.cx
serial = 2237430188
refresh = 21600 (6 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
-> cx
type = MX, class = IN, dlen = 9
MX preference = 5, mail exchanger = mail.nic.cx
ttl = 86400 (1 day)
-> cx
type = NS, class = IN, dlen = 18
nameserver = ns.cx-nic.org.nz
ttl = 86400 (1 day)
-> cx
type = NS, class = IN, dlen = 13
nameserver = ns.anycast.nic.cx
ttl = 86400 (1 day)
-> cx
type = NS, class = IN, dlen = 16
nameserver = cx1.tlddns.net
ttl = 86400 (1 day)
-> cx
type = NS, class = IN, dlen = 6
nameserver = cx2.tlddns.net
ttl = 86400 (1 day)
-> cx
type = NS, class = IN, dlen = 6
nameserver = cx3.tlddns.net
ttl = 86400 (1 day)
-> cx
type = NS, class = IN, dlen = 2
nameserver = ns1.cx-nic.org
ttl = 86400 (1 day)
-> cx
type = NS, class = IN, dlen = 20
nameserver = estia.ics.forth.gr
ttl = 86400 (1 day)
ADDITIONAL RECORDS:
-> ns.cx-nic.org.nz
type = A, class = IN, dlen = 4
internet address = 203.63.5.10
ttl = 43200 (12 hours)
-> cx1.tlddns.net
type = A, class = IN, dlen = 4
internet address = 63.208.196.89
ttl = 7614 (2 hours 6 mins 54 secs)
-> cx2.tlddns.net
type = A, class = IN, dlen = 4
internet address = 209.69.32.136
ttl = 7614 (2 hours 6 mins 54 secs)
-> cx3.tlddns.net
type = A, class = IN, dlen = 4
internet address = 63.209.15.209
ttl = 7614 (2 hours 6 mins 54 secs)
-> ns1.cx-nic.org
type = A, class = IN, dlen = 4
internet address = 216.64.163.225
ttl = 43200 (12 hours)
-> estia.ics.forth.gr
type = A, class = IN, dlen = 4
internet address = 139.91.191.3
ttl = 11152 (3 hours 5 mins 52 secs)

------------
cx
type = SOA, class = IN, dlen = 53
ttl = 86400 (1 day)
primary name server = ns1.cx-nic.org
responsible mail addr = hostmaster.nic.cx
serial = 2237430188
refresh = 21600 (6 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
cx
type = MX, class = IN, dlen = 9
MX preference = 5, mail exchanger = mail.nic.cx
ttl = 86400 (1 day)
cx
type = NS, class = IN, dlen = 18
nameserver = ns.cx-nic.org.nz
ttl = 86400 (1 day)
cx
type = NS, class = IN, dlen = 13
nameserver = ns.anycast.nic.cx
ttl = 86400 (1 day)
cx
type = NS, class = IN, dlen = 16
nameserver = cx1.tlddns.net
ttl = 86400 (1 day)
cx
type = NS, class = IN, dlen = 6
nameserver = cx2.tlddns.net
ttl = 86400 (1 day)
cx
type = NS, class = IN, dlen = 6
nameserver = cx3.tlddns.net
ttl = 86400 (1 day)
cx
type = NS, class = IN, dlen = 2
nameserver = ns1.cx-nic.org
ttl = 86400 (1 day)
cx
type = NS, class = IN, dlen = 20
nameserver = estia.ics.forth.gr
ttl = 86400 (1 day)
ns.cx-nic.org.nz
type = A, class = IN, dlen = 4
internet address = 203.63.5.10
ttl = 43200 (12 hours)
cx1.tlddns.net
type = A, class = IN, dlen = 4
internet address = 63.208.196.89
ttl = 7614 (2 hours 6 mins 54 secs)
cx2.tlddns.net
type = A, class = IN, dlen = 4
internet address = 209.69.32.136
ttl = 7614 (2 hours 6 mins 54 secs)
cx3.tlddns.net
type = A, class = IN, dlen = 4
internet address = 63.209.15.209
ttl = 7614 (2 hours 6 mins 54 secs)
ns1.cx-nic.org
type = A, class = IN, dlen = 4
internet address = 216.64.163.225
ttl = 43200 (12 hours)
estia.ics.forth.gr
type = A, class = IN, dlen = 4
internet address = 139.91.191.3
ttl = 11152 (3 hours 5 mins 52 secs)
Notice the records of interest; ai. has an A record (http://ai./ is
"Offshore Information Services Ltd."); .tm has some TXT records describing
who the registrar is; .cx has an MX record so one can in principle send mail
to [username]@cx.

All of which are invisible to Windows DNS.

The DNS cache I think has no problem; if it is using a bind DNS server, for
example, the names can be resolved properly. I believe that if Windows DNS
is authoritative for the TLD in question then there's also no problem; it
can return all record types.

But whenever the DNS server recursively resolves records it fails completely
spuriously.

Is there some resolution?
 

Ace Fekay [MVP]

Dr Pizza said:
A bug.

http://groups-beta.google.com/group...61df7dbab87/96a2e79ebf3b5542#96a2e79ebf3b5542

And not a new one either.

Why does no-one care to fix it?

To summarize:

Queries made of a Windows 2000 (all SPs and versions) and 2003 DNS
(all SPs and versions) server for any record type other than NS will
SERVFAIL if the name being looked up is made of a single label.

For example:
Notice the records of interest; ai. has an A record (http://ai./ is
"Offshore Information Services Ltd."); .tm has some TXT records
describing who the registrar is; .cx has an MX record so one can in
principle send mail to [username]@cx.

All of which are invisible to Windows DNS.

The DNS cache I think has no problem; if it is using a bind DNS
server, for example, the names can be resolved properly. I believe
that if Windows DNS is authoritative for the TLD in question then
there's also no problem; it can return all record types.

But whenever the DNS server recursively resolves records it fails
completely spuriously.

Is there some resolution?

Boy, that's an old thread you dug up, and I was actually in it!

If you ask me, it's by design, but then again, I'm not sure.

But, keep in mind, (I don't think it has anything to do with it, nor do I
know if this behavior is the same under NT4 DNS) after all, Microsoft
removed the ability to register into single label name zones, since it
queries the roots heavily when it attempts to because it was considering it
as a TLD to register into. This was discovered by ISC when they did a study
a few years back and pointed out that Microsoft DNS servers that were
configured with a single label name zone were causing all this excessive
non-necessary query traffic, hence Microsoft's decision with the release of
Windows 2000 SP4 disabled this registering into a single label name zone to
stay in line with the Internet community. There is a reg entry to disable
this change, but I don't think it will help querying a single label name,
such as a TLD.

As far as the code base, it's possible that it's based on 8.3.4, but I
really don't know.

I posted the question to our private forum and I'll let you know if anything
comes up about it, unless one of the engineers reads this thread out here in
the pub groups.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Kevin D. Goodknecht Sr. [MVP]

Kevin D. Goodknecht Sr. said:
> A Bug?
> Maybe, but it is by design, and there is a "fix". You need to add this
> Registry entry to allow MS DNS to recurse single-label DNS names. This
> workaround is described in KB 251384. Yes, I tested and it works.
>
> Locate the following key in the registry:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
> On the Edit menu, click Add Value, and then add the following registry value:
> Value Name: RecurseSingleLabel
> Data Type: REG_DWORD
> Value: 0 (Default)

Oops, set the value to "1"
 
Dr Pizza

Kevin D. Goodknecht Sr. said:
> Oops, set the value to "1"

The problem listed isn't actually the problem experienced, though that does
indeed appear to fix the problem, so thanks for the article.

The reasons I say that the problem listed isn't the problem experienced are:

1) I'm not seeing 15 second delays in name resolution; I'm seeing flat out
refusal to recursively resolve anything but NS (and maybe SOA) records; an
instant SERVFAIL.
2) I'm not sending single label unqualified names to the server. I'm
sending single label fully qualified names to the server (notice that all my
queries include a terminal ".").
3) I'm not using any forwarders; I don't have anyone I can reliably forward
to, so instead my server does recursive lookups starting from the root
servers.

In spite of all this, changing the setting appears to make things work
properly. What I can't fathom is why I should need to set a frankly rather
obscure option in order to achieve what ought to be the default behaviour....
 
Kevin D. Goodknecht Sr. [MVP]

Dr Pizza said:
> The problem listed isn't actually the problem experienced, though
> that does indeed appear to fix the problem, so thanks for the article.

The article does state that DNS will not recurse single-label names except
for NS and SOA RR types.
Maybe it is a bug, but it is a designed in bug. Like you, I'm not sure why
this would be the default behavior. I'm not sure if there is an RFC that
says DNS must recurse all RR types in a single-label domain.

> The reasons I say that the problem listed isn't the problem
> experienced are:
>
> 1) I'm not seeing 15 second delays in name resolution; I'm seeing
> flat out refusal to recursively resolve anything but NS (and maybe
> SOA) records; an instant SERVFAIL.

Maybe you're not seeing the delay is because you are not using a forwarder.
I cannot test this since all of my DNS servers are root servers and cannot
use forwarders.
 
Ace Fekay [MVP]

Kevin D. Goodknecht Sr. said:
> The article does state that DNS will not recurse single-label names
> except for NS and SOA RR types.
> Maybe it is a bug, but it is a designed in bug. Like you, I'm not
> sure why this would be the default behavior. I'm not sure if there is
> an RFC that says DNS must recurse all RR types in a single-label
> domain.
>
> Maybe you're not seeing the delay is because you are not using a
> forwarder. I cannot test this since all of my DNS servers are root
> servers and cannot use forwarders.

I've tested it on W2k SP4 DNS, and on a W2k3 with and without the SP and
they all behave the same as posted. Bind doesn't do this. As for the reg
article, I don't think that it necessarily applies to this issue, since that
is more of a registration based fix.

I posted it in the private MVP group, but only one person responded, but
with nothing specific on it, and have therefore emailed our lead to see if
he can pass it up thru channels.

If I find something I can post, I'll get back to everyone.

Ace
 
Kevin D. Goodknecht Sr. [MVP]

Ace Fekay said:
> I've tested it on W2k SP4 DNS, and on a W2k3 with and without the SP
> and they all behave the same as posted. Bind doesn't do this. As for
> the reg article, I don't think that it necessarily applies to this
> issue, since that is more of a registration based fix.
>
> I posted it in the private MVP group, but only one person responded,
> but with nothing specific on it, and have therefore emailed our lead
> to see if he can pass it up thru channels.

Hi Ace,
I wouldn't exactly say it was or was not for this exact issue, but it is for an issue _like_ this.
If I'm reading the article right, it states DNS will only recurse single-label names for NS and SOA RR types (default). Which explains why no MX or A RR is returned. The exception I have with the article it states "The client sends a single label unqualified name query to the DNS server" when actually it is a single-label qualified name because of the trailing dot.
In fact by default the system won't even send a single-label un-qualified name to DNS. I've tried querying for single-label unqualified name and I get nxdomain because the system appends the search list. If I query for single-label qualified name I get server fail.
I found another KB for a reg entry that allows the DNS Client to send an unqualified name to DNS. http://support.microsoft.com/kb/230744/EN-US/ I think that's another issue though.
Another question I have is, if the DNS client cannot send an un-qualified name to DNS without modifying the registry, why is this even an issue?
Of course, one would have to assume that all DNS clients cannot send an un-qualified name to DNS.


Take a look at the queries below, one to a DNS with the reg fix added one without the reg fix added.
By adding the entry, DNS will recurse a single-label name for all RR Types.
The real question in my mind, since it must be by design, is it RFC compliant or should it be called a bug?
If it is a bug, and it is not RFC compliant, why is it the default for NT4, Win2k and Win2k3, if they've known about it since NT4? I would think they would have to fix it.

If it is by design and is RFC compliant, does that make the ai. TLD non-compliant since they have other records beside NS and SOA records for the TLD?

You know, I haven't seen Jonathan in here in quite some time, I'd like to hear his take on this.


This is to a DNS with the Reg fix:

opcode: Query, status: NoError, id: 42
flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4

QUESTION SECTION:
ai. IN ANY

ANSWER SECTION:
ai. 14400 IN A 209.88.68.34
ai. 14400 IN NS ns1.offshore.ai.
ai. 14400 IN NS ns1.pair.com.
ai. 14400 IN NS ns1.redhat.com.
ai. 14400 IN SOA ns1.offshore.ai. vince.offshore.ai. 2005032264 36000 3600 3600000 86400
ai. 14400 IN MX 10 mail.offshore.ai.

ADDITIONAL SECTION:
ns1.offshore.ai. 86400 IN A 209.88.68.34
ns1.pair.com. 86400 IN A 209.68.1.11
ns1.redhat.com. 86400 IN A 66.187.233.210
mail.offshore.ai. 10966 IN A 209.88.68.34

Query time: 109 ms
Server : 192.168.0.2:53 udp (192.168.0.2)
When : 6/18/2005 8:14:05 AM
Size rcvd : 241

The same query to a DNS without I get Server Fail:

opcode: Query, status: ServFail, id: 42
flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

QUESTION SECTION:
ai. IN ANY

Query time: 0 ms
Server : 192.168.0.3:53 udp (192.168.0.3)
When : 6/18/2005 8:14:23 AM
Size rcvd : 20

If I query for MX:
opcode: Query, status: ServFail, id: 42
flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

QUESTION SECTION:
ai. IN MX

Query time: 0 ms
Server : 192.168.0.3:53 udp (192.168.0.3)
When : 6/18/2005 8:30:45 AM
Size rcvd : 20



If I query for NS or SOA I get the answer:

flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

QUESTION SECTION:
ai. IN NS

ANSWER SECTION:
ai. 86400 IN NS ns1.pair.com.
ai. 86400 IN NS ns1.redhat.com.
ai. 86400 IN NS ns1.offshore.ai.

ADDITIONAL SECTION:
ns1.pair.com. 86400 IN A 209.68.1.11
ns1.redhat.com. 86400 IN A 66.187.233.210
ns1.offshore.ai. 86400 IN A 209.88.68.34

Query time: 31 ms
Server : 192.168.0.3:53 udp (192.168.0.3)
When : 6/18/2005 8:14:47 AM
Size rcvd : 146

opcode: Query, status: NoError, id: 42
flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

QUESTION SECTION:
ai. IN SOA

ANSWER SECTION:
ai. 14400 IN SOA ns1.offshore.ai. vince.offshore.ai. 2005032264 36000 3600 3600000 86400

ADDITIONAL SECTION:
ns1.offshore.ai. 86400 IN A 209.88.68.34

Query time: 125 ms
Server : 192.168.0.3:53 udp (192.168.0.3)
When : 6/18/2005 8:15:03 AM
Size rcvd : 91
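
An added example, not part of the original thread or any poster's code: a Python sketch that builds the same 20-byte `ai.` query seen in the traces above and flags replies that match the pattern discussed (single-label name, type other than NS/SOA, SERVFAIL with no answers). All function names and the constructed sample response are assumptions for illustration; the match is a heuristic, since a SERVFAIL can have other causes.

```python
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "ANY": 255}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype, qid=42):
    """Encode a recursion-desired query for a fully qualified name such as 'ai.'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + qname + struct.pack("!2H", QTYPES[qtype], 1)  # class IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header into the fields the check needs."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an}

def question(msg):
    """Return (label_count, qtype) of the first question; question names are uncompressed."""
    i, count = 12, 0
    while msg[i] != 0:
        i += 1 + msg[i]
        count += 1
    return count, struct.unpack("!H", msg[i + 1:i + 3])[0]

def classify(query, response):
    """Name the thread's pattern: single label, type not NS/SOA, SERVFAIL, no answers."""
    labels, qtype = question(query)
    h = parse_header(response)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        return "not a response to this query"
    if (h["rcode"] == "SERVFAIL" and h["answers"] == 0
            and labels == 1 and qtype not in (QTYPES["NS"], QTYPES["SOA"])):
        return "single-label recursion blocked"
    return h["rcode"]

def ask(server, name, qtype, timeout=3.0):
    """Send the query over UDP to a resolver you administer and classify the reply."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return classify(query, s.recv(4096))

def constructed_response(query, rcode):
    """Constructed sample: echo the query with QR, RD, RA set and the given rcode."""
    return query[:2] + struct.pack("!H", 0x8180 | rcode) + query[4:]

if __name__ == "__main__":
    for name, qtype in [("ai.", "ANY"), ("ai.", "MX"), ("ai.", "NS"), ("example.com.", "MX")]:
        q = build_query(name, qtype)
        print(name, qtype, len(q), classify(q, constructed_response(q, 2)))
```

Running `ask()` before and after setting `RecurseSingleLabel` to 1 on a test server gives a quick before/after check of the registry change described earlier in the thread.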
 
Ace Fekay [MVP]

Interesting article. I am starting to assume that it is assumed by the engineers that no unqualified queries would be sent, hence the default behavior. I would then imagine the only time we would use this reg entry is on a mail server, to allow it to look up possible TLD RR records, such as an MX.

Thanks for checking this out, and yes, I agree I would like to see Jonathan's take on this as well. It would be interesting to hear from him. Hope he eventually reads this thread.

Ace
 
Dr Pizza

Kevin D. Goodknecht Sr. said:
> The article does state that DNS will not recurse single-label names except
> for NS and SOA RR types.

Yes, but the article only describes this occurring when using forwarders,
which I'm not.

> Maybe it is a bug, but it is a designed in bug. Like you, I'm not sure why
> this would be the default behavior. I'm not sure if there is an RFC that
> says DNS must recurse all RR types in a single-label domain.

I don't see why an RFC would say that. It doesn't say that a DNS server
must recurse all RR types in a two-label domain. Or a three-label domain.
Or....

> Maybe you're not seeing the delay is because you are not using a
> forwarder.
> I cannot test this since all of my DNS servers are root servers and cannot
> use forwarders.

That may be the reason, I suppose. It's not really obvious why it'd
introduce a 15 second delay, mind you.
 
Dr Pizza

"Ace Fekay [MVP]"
> I've tested it on W2k SP4 DNS, and on a W2k3 with and without the SP and
> they all behave the same as posted. Bind doesn't do this. As for the reg
> article, I don't think that it necessarily applies to this issue, since
> that is more of a registration based fix.

The article describes a slightly *different* problem, but it provides the
*correct* resolution. If nothing else, the list of problems listed in the
article need to be broadened and the title of the article changed.

Further, I can't believe that SERVFAIL is the most appropriate response to
give in such a situation. If the server isn't going to recurse single label
domains (and hence can't tell you about any entries in such domains) and
this behaviour is by design then it shouldn't give a SERVFAIL (which is "due
to a problem with the name server"--and I don't think a by-design behaviour
is really a "problem with the server"); a more accurate reply would be
REFUSED (because the server will refuse to do recursive single-label queries
by default).
 
