
Re: Trouble with incomplete additional section data: msg#00659

network.dns.bind.user

Subject: Re: Trouble with incomplete additional section data

Scottie Lu wrote:

> Dear All:
>
> Following is the situation I encountered:
>
> Question : NS RR of domain "capital.com.tw"
>
> When I sent the above question to authoritative name servers of 'com.tw',
> b.twnic.net.tw or c.twnic.net.tw, I got the following answer:
>
> ============================================
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18133
> ;; flags: qr; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
> ;; QUERY SECTION:
> ;; capital.com.tw, type = NS, class = IN
>
> ;; ANSWER SECTION:
> capital.com.tw. 1D IN NS dns03.capital.com.tw.
> capital.com.tw. 1D IN NS dns01.capital.com.tw.
> capital.com.tw. 1D IN NS dns02.capital.com.tw.
>
> ;; ADDITIONAL SECTION:
> dns03.capital.com.tw. 1D IN A 218.32.197.86
> dns01.capital.com.tw. 1D IN A 211.72.241.88
> dns02.capital.com.tw. 1D IN A 211.72.241.89
> =============================================
>
> But, when I send the same Question to my name server, I got the following
> different answer:
>
> *****************************************************
> ;; ANSWER SECTION:
> capital.com.tw. 17h5m47s IN NS dns01.capital.com.tw.
> capital.com.tw. 17h5m47s IN NS dns02.capital.com.tw.
> capital.com.tw. 17h5m47s IN NS dns03.capital.com.tw.
>
> ;; ADDITIONAL SECTION: <--- incomplete
> dns03.capital.com.tw. 15h51s IN A 218.32.197.86
> *****************************************************
>
> and I knew the dns03 is broken!!
>
> Well, the Question is here
>
> -- Why is there only one A record of NS RRs in additional section?

I'm surprised you got any. The TTL on those A records is set to 0, which is a
really bad idea for nameserver A records...

> -- How does named build its ADDITIONAL SECTION data while the 'Fetch-Glue'
> option is 'NO' ( This is my configuration now )?

See above. The records probably expired from the cache before named had a
chance to construct the Additional Section. As for the dns03.capital.com.tw
record, that might have come from a less credible source than the domain
servers themselves (e.g. from a referral).

>
> -- By using tcpdump, I found that named would send queries of A?
> dns02.capital.com.tw, A? dns01.capital.com.tw, AND A? www.capital.com.tw.
> WHILE it received a request 'A? www.capital.com.tw. ' sent by dig. AND the
> query destination was dns03.capital.com.tw. Following is the packets
> exchanged.
>
> 10:48:09.219521 192.168.64.30.4700 > dns03.capital.com.tw.domain: 10032
> [1au] A? dns02.capital.com.tw. (49)
> 10:48:09.219548 192.168.64.30.4700 > dns03.capital.com.tw.domain: 20861
> [1au] A? dns01.capital.com.tw. (49)
> 10:48:09.219588 192.168.64.30.4700 > dns03.capital.com.tw.domain: 51515
> [1au] A? www.capital.com.tw.
>
> Of course, my named would NOT get any response while dns03.capital.com.tw
> was BROKEN !! At last, my dig would 'Operation timeout' !!
>
> My Question is:
> Why didn't my named send query of A? dns01.capital.com.tw, A?

If dns03 was the only nameserver of the set for which it had an A record, then
that's the one that will be given preference.

>
> dns02.capital.com.tw TO authoritative name servers, like b.twnic.net.tw,
> c.twnic.net.tw to get the correct IP Addresses ?

Those nameservers are not authoritative for the capital.com.tw zone, are they?

> It did NOT do this and still ONLY send queries to the "Broken" name server,
> dns03.capital.com.tw., while it could not get any response. It is NOT SMART
> enough to change the query destination although it has THREE NS records to
> use.
> How could my named get the IP Addresses of dns01, dns02.capital.com.tw ????

Given the 0-TTL issue, the only workaround that comes to mind is to construct
your own dummy zones for this. But, if you're going to go this far, a slightly
less ugly hack would be to simply forward capital.com.tw to the relevant
nameservers, and hope that they don't delegate any subzones to other
nameservers (or that they are slaves for those other domains or are willing to
recurse for them).


- Kevin
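
As an added example (not part of the original message and not BIND code): a Python check that parses old-style dig output like that quoted above and lists the NS targets for which the response carries no address record in the additional section. The function names are this example's own; the sample is the caching server's response from the thread with the "<--- incomplete" annotation removed.

```python
import re

# Caching server's response as quoted in the thread (annotation removed).
CACHED_RESPONSE = """\
;; ANSWER SECTION:
capital.com.tw. 17h5m47s IN NS dns01.capital.com.tw.
capital.com.tw. 17h5m47s IN NS dns02.capital.com.tw.
capital.com.tw. 17h5m47s IN NS dns03.capital.com.tw.

;; ADDITIONAL SECTION:
dns03.capital.com.tw. 15h51s IN A 218.32.197.86
"""

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1, "": 1}

def ttl_seconds(text):
    """Convert a BIND-style TTL ('1D', '17h5m47s', '3600') to seconds."""
    parts = re.findall(r"(\d+)([wdhms]?)", text.lower())
    if not parts or "".join(n + u for n, u in parts) != text.lower():
        raise ValueError(f"bad TTL: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_sections(output):
    """Return {section name: [(owner, ttl_seconds, rtype, rdata), ...]}."""
    sections, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        header = re.match(r";;\s*(\w+) SECTION:", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif line and not line.startswith(";") and current is not None:
            f = line.split()
            if len(f) >= 5 and f[2] == "IN":
                current.append((f[0].lower(), ttl_seconds(f[1]), f[3], f[4].lower()))
    return sections

def glue_report(output):
    """Map each NS target to [(address, ttl)]; an empty list means no glue."""
    sections = parse_sections(output)
    glue = {}
    for owner, ttl, rtype, rdata in sections.get("ADDITIONAL", []):
        if rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append((rdata, ttl))
    return {rdata: glue.get(rdata, [])
            for _, _, rtype, rdata in sections.get("ANSWER", []) if rtype == "NS"}

def missing_glue(output):
    """NS targets named in the answer with no address in the additional section."""
    return sorted(n for n, addrs in glue_report(output).items() if not addrs)
```

Run against the cached response, `missing_glue` reports dns01 and dns02, leaving dns03 as the only nameserver the resolver has an address for.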






