Maintained by: NLnet Labs

[Unbound-users] unbound and newegg.com

Olafur Gudmundsson
Wed Jun 25 15:21:26 CEST 2008


At 09:06 25/06/2008, Geoffrey Sisson wrote:
>edmonds at debian.org (Robert Edmonds) wrote:
>
> > these servers will answer authoritatively for the A records www and
> > secure, but provide root referrals when asked about the AAAA records.
>
>I've come across the same bad behaviour from the servers for
>www.usps.com: they report that they're lame for the AAAA RR rather than
>providing a NOERROR/NODATA response.  (Note: fpdns can't id the DNS server
>implementation involved.)  Here are dnscap traces from Unbound and BIND:

This "server" will only answer A queries, even though it is the target of
a delegation, i.e. usps.com gives out:

;; AUTHORITY SECTION:
www.usps.com.           3600    IN      NS      nssam.usps.com.
www.usps.com.           3600    IN      NS      nseag.usps.com.


Then if you ask the server you get:
; <<>> DiG 9.4.0b2 <<>> @nseag.usps.com. www.usps.com. NS
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63452
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.usps.com.                  IN      NS

;; AUTHORITY SECTION:
.                       3600000 IN      NS      a.root-servers.net.
.                       3600000 IN      NS      b.root-servers.net.


This server does not even have the SOA or NS that are required to exist
at the top of a zone; it only answers queries for A correctly.

IMHO it is wrong to add a fix in the resolver for such a badly behaving
load balancer.

Please do not do it; tell people to report the error to the site
and instruct them to report that the equipment they have has a broken DNS
server.

         Olafur
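
The distinction discussed in this thread, between a NOERROR/NODATA response and a root referral from a server that is the target of the delegation, can be checked mechanically. The following is an added example, not part of the original message and not Unbound or BIND code; the RR and Response classes, the classify function and the sample records are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str = ""

@dataclass
class Response:
    qname: str
    qtype: str
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def labels(name):
    """Lower-cased label list; the root '.' is the empty list."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, ancestor):
    """True if name is at or below ancestor."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def classify(resp, zone_cut):
    """zone_cut: owner of the NS set the resolver followed to reach this server."""
    if resp.rcode != "NOERROR":
        return resp.rcode
    if any(rr.rtype in (resp.qtype, "CNAME") for rr in resp.answer):
        return "ANSWER"
    if any(rr.rtype == "SOA" for rr in resp.authority):
        return "NODATA"          # name exists, no data of this type
    ns_owners = {rr.owner for rr in resp.authority if rr.rtype == "NS"}
    if not ns_owners:
        return "NODATA"          # empty authority section, still no data
    for owner in ns_owners:
        # A usable referral points strictly below the zone cut, toward qname.
        if is_subdomain(resp.qname, owner) and len(labels(owner)) > len(labels(zone_cut)):
            return "REFERRAL"
    return "LAME"                # NS set at or above the cut, e.g. the root

# Constructed samples; ROOT_REFERRAL mirrors the dig output quoted above.
ROOT_REFERRAL = Response("www.usps.com.", "NS", authority=[
    RR(".", "NS", "a.root-servers.net."), RR(".", "NS", "b.root-servers.net.")])
PROPER_NODATA = Response("www.usps.com.", "AAAA", authority=[
    RR("www.usps.com.", "SOA", "constructed-soa-rdata")])

if __name__ == "__main__":
    for r in (ROOT_REFERRAL, PROPER_NODATA):
        print(r.qtype, classify(r, "www.usps.com."))
```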