DNS queries for . IN A return rcode 2 SERVFAIL from windows DNS recursing resolvers

Mailman List Mirror (Read Only)
1

Hey all,

This must be old news for everyone else. While looking at a dns monitor on a load balancer that defaulted to . A queries to check liveliness on DNS resolvers, it became quite clear that windows 2000/2003 DNS server appears to return rcode=2 for queries looking for an A record for the root. The resolvers appear to work properly in all other regards.

So the monitors were switched to localhost. A

(Is this a bad idea?)

A little testing later and the results for . A are:

Windows NT 4, ancount=0, authority=1, rcode=0
Windows 2000, rcode=2
Windows 2003, rcode=2
bind, ancount=0, authority=1, rcode=0

To my (inexpert) eyes that doesnt seem quite right.

I cant seem to find any online information regarding this difference of behavior.

Enlightenment appreciated.

Joe

Here is the output.

fpdns -c -s 64.95.32.34 && dig @64.95.32.34 . a
64.95.32.34 Microsoft Windows DNS NT4

; <<>> DiG 9.6.1-P2 <<>> @64.95.32.34 . a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35180
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN A

;; AUTHORITY SECTION:
. 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2010010500 1800 900 604800 86400

;; Query time: 114 msec
;; SERVER: 64.95.32.34#53(64.95.32.34)
;; WHEN: Tue Jan 5 07:40:33 2010
;; MSG SIZE rcvd: 92

fpdns -c -s 216.222.144.16 && dig @216.222.144.16 . a
216.222.144.16 ISC BIND 9.2.3rc1 -- 9.6.1-P1 [recursion enabled] id: "9.5.1-P2"

; <<>> DiG 9.6.1-P2 <<>> @216.222.144.16 . a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49220
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN A

;; AUTHORITY SECTION:
. 2314 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2010010500 1800 900 604800 86400

;; Query time: 38 msec
;; SERVER: 216.222.144.16#53(216.222.144.16)
;; WHEN: Tue Jan 5 07:42:08 2010
;; MSG SIZE rcvd: 92

fpdns -c -s joe.jmaimon.com && dig @joe.jmaimon.com . a
216.222.150.100 ISC BIND 9.2.3rc1 -- 9.6.1-P1 [recursion enabled] id: "9.5.0-P2-W2"

; <<>> DiG 9.6.1-P2 <<>> @joe.jmaimon.com . a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39125
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2010010500 1800 900 604800 86400

;; Query time: 40 msec
;; SERVER: 216.222.150.100#53(216.222.150.100)
;; WHEN: Tue Jan 5 07:57:52 2010
;; MSG SIZE rcvd: 92

  fpdns -c -s 64.95.32.130 && dig @64.95.32.130 . a
64.95.32.130 Microsoft Windows DNS 2000

; <<>> DiG 9.6.1-P2 <<>> @64.95.32.130 . a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30535
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN A

;; Query time: 35 msec
;; SERVER: 64.95.32.130#53(64.95.32.130)
;; WHEN: Tue Jan 5 07:43:51 2010
;; MSG SIZE rcvd: 17

  fpdns -c -s 72.26.241.205 && dig @72.26.241.205 . a
72.26.241.205 No match found

; <<>> DiG 9.6.1-P1 <<>> @72.26.241.205 . a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12807
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN A

;; Query time: 0 msec
;; SERVER: 72.26.241.205#53(72.26.241.205)
;; WHEN: Tue Jan 5 08:13:06 2010
;; MSG SIZE rcvd: 17

2

Joe Maimon <jmaimon@ttec.com> writes:

Hey all,

This must be old news for everyone else. While looking at a dns monitor
on a load balancer that defaulted to . A queries to check liveliness on
DNS resolvers, it became quite clear that windows 2000/2003 DNS server
appears to return rcode=2 for queries looking for an A record for the
root. The resolvers appear to work properly in all other regards.

well, there is no A RR for the root domain. RCODE=2 is still an error,
you should receive RCODE=0 ANCOUNT=0 for an unused RR type. but many
resolvers get confused when the root domain is the QNAME, so let's assume
that you're using one of those.

So the monitors were switched to localhost. A

(Is this a bad idea?)

probably. there is no "localhost" in the root zone. this name is a TCP/IP
stack convention, not a standard. for health monitoring purposes you should
probably choose one of your own local names, since there's almost certainly
no local intelligence in your resolver about them. that means to look up
one of your own names the resolver probably has to iterate downward from the
root zone to the top level and all the way down to your authority nameservers.
(the problem here is, you may be testing more than you intend, and a failure
in your own authority server or in the delegation path to it would look the
same as an IP path failure or a resolver problem.)

A little testing later and the results for . A are:

Windows NT 4, ancount=0, authority=1, rcode=0
Windows 2000, rcode=2
Windows 2003, rcode=2
bind, ancount=0, authority=1, rcode=0

To my (inexpert) eyes that doesnt seem quite right.

probably resolver bugs, either in those TCP/IP stacks or in the "recursive
nameserver" they are using. (is the same recursive nameserver used in all
four tests?)

I cant seem to find any online information regarding this difference of
behavior.

Enlightenment appreciated.

i suggest re-asking this over on dns-operations@lists.dns-oarc.net, since it
a bit deep in the DNS bits for a general purpose list like NANOG.