DNS SERVFAIL and wrong flags only over TCP: broken DNS server?

Rob*_*mos 1 domain-name-system root tcp udp zones

Is it a misconfiguration to return the root name servers in the additional section of a CNAME lookup that points to another domain? Specifically, the one I am seeing is a CNAME hosted by Network Solutions, where the CNAME points to a different domain and TLD.

I ask whether this is a bad configuration because all these extra records push the response over the UDP packet size, forcing the query to be redone over TCP.

dig www.unitedstatesartists.org +trace

Name server response:

example.org. 86400  IN      NS      ns15.worldnic.com.
example.org. 86400  IN      NS      ns16.worldnic.com.
;; Received 95 bytes from 199.249.120.1#53(b2.org.afilias-nst.org) in 79 ms

;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
www.example.org. 7200 IN    CNAME   load-01-123.us-west-1.elb.amazonaws.com.
.  518400  IN      NS      a.root-servers.net.
.  518400  IN      NS      b.root-servers.net.
.  518400  IN      NS      c.root-servers.net.
.  518400  IN      NS      d.root-servers.net.
.  518400  IN      NS      e.root-servers.net.
.  518400  IN      NS      f.root-servers.net.
.  518400  IN      NS      g.root-servers.net.
.  518400  IN      NS      h.root-servers.net.
.  518400  IN      NS      i.root-servers.net.
.  518400  IN      NS      j.root-servers.net.
.  518400  IN      NS      k.root-servers.net.
.  518400  IN      NS      l.root-servers.net.
.  518400  IN      NS      m.root-servers.net.
;; Received 526 bytes from 205.178.190.8#53(ns15.worldnic.com) in 173 ms

Whether the additional records are returned is random. Sometimes, when they do not return the extras, the response is still truncated and dig retries over TCP.

example.org. 86400  IN      NS      ns15.worldnic.com.
example.org. 86400  IN      NS      ns16.worldnic.com.
;; Received 95 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 82 ms

;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
www.example.org. 7200 IN    CNAME   load-01-123.us-west-1.elb.amazonaws.com.
;; Received 107 bytes from 205.178.190.8#53(ns15.worldnic.com) in 164 ms

Update 2010-12-08

Found with more testing:

  • Network Solutions responds to recursive queries (dig's default when +trace is not used) with SERVFAIL (server failure), but still gives the correct answer.
  • Setting dig's +norecurse works fine, but not always. Sometimes SERVFAIL is still returned, which is not good. Details of the probable cause are below.
  • Network Solutions including the root servers in the authority and additional sections causes UDP truncation and requires TCP to complete.

Outline of the capture below:

  • Non-recursive request to ns15 recorded
  • ns15 answer includes root servers in authority and additional, and marks the reply as truncated
  • Because of the truncated UDP reply, the non-recursive request is retried over TCP
  • Similar answer from ns15 over TCP, except that "recursion desired" is set incorrectly, and the "server failure" code is also set

We have opened a ticket with them, but we'll see whether it goes anywhere. Below are the DNS packets from the earlier tshark details:

First query (over UDP):

Domain Name System (query)
    Transaction ID: 0x27ef
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable

First response (over UDP):

Domain Name System (response)
    [Request In: 1]
    [Time: 0.078623000 seconds]
    Transaction ID: 0x27ef
    Flags: 0x8600 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..1. .... .... = Truncated: Message is truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)

Second query (over TCP):

Domain Name System (query)
    Length: 56
    Transaction ID: 0xbc37
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable

Second response (over TCP, note "Recursion desired"):

Domain Name System (response)
    [Request In: 6]
    [Time: 0.147357000 seconds]
    Length: 107
    Transaction ID: 0xbc37
    Flags: 0x8102 (Standard query response, Server failure)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0010 = Reply code: Server failure (2)

Aln*_*tak 5

Yes, this is bad configuration and/or implementation: there is no reason for an authoritative server to return a root referral in an otherwise valid response.

In addition, I have seen other errors from these two Worldnic servers that should not happen:

  • Sometimes it gives the correct answer, but with a SERVFAIL error code and without the AA bit set.

  • UDP replies are always truncated at 512 bytes, even when EDNS0 (RFC 2671) is specified. This means DNSSEC will not work with this name server.

  • It is not just the ADDITIONAL section that is problematic; it is putting the root name servers in the AUTHORITY section of an authoritative (AA bit set) answer.
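The flag words in the question's tshark captures (0x8600 for the truncated UDP answer, 0x8102 for the TCP answer that carries SERVFAIL with RD set) and the answer's points about SERVFAIL alongside a correct answer and the missing AA bit can all be checked mechanically from the 12-byte DNS header. The following Python is an added example, not code from the original post, from Network Solutions or from dig/tshark; it decodes the header fields and reports the anomalies a monitoring resolver would log. The transaction IDs and flag values come from the captures above; the section counts in the sample headers are assumptions, since the captures show only IDs and flags.

```python
"""Added example (not from the original post): decode the DNS header flags
word that tshark prints in the captures above and report the anomalies this
thread discusses. Standard library only."""
import struct

# Bit masks for the 16-bit flags word (RFC 1035 section 4.1.1; AD/CD from RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def decode_flags(flags):
    """Split the flags word into its named fields."""
    return {
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "z": (flags >> 6) & 0x1,
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0xF,
    }


def parse_header(msg):
    """Parse the fixed 12-byte DNS header: ID, flags and the four section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    hdr = decode_flags(flags)
    hdr.update(id=txid, flags=flags, qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return hdr


def check_response(query, resp, expect_authoritative=True):
    """Return the anomalies worth logging for a (query, response) header pair.

    Both arguments are parsed headers. expect_authoritative=True means the
    query was sent directly to a server that should be authoritative.
    """
    issues = []
    if resp["id"] != query["id"]:
        issues.append("transaction ID does not match the query")
    if not resp["qr"]:
        issues.append("QR clear: message is not a response")
    if resp["rd"] != query["rd"]:
        issues.append("RD bit in the response differs from the query (server must copy it)")
    if resp["tc"]:
        issues.append("TC set: UDP answer truncated, client will retry over TCP")
    if resp["rcode"] == 2 and resp["ancount"] > 0:
        issues.append("SERVFAIL returned together with answer records")
    if expect_authoritative and resp["ancount"] > 0 and not resp["aa"]:
        issues.append("AA clear on an answer from the authoritative server")
    return issues


def build_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a 12-byte DNS header (used only to build the sample messages below)."""
    return struct.pack("!6H", txid, flags, qd, an, ns, ar)


# Sample headers constructed from the IDs and flag words in the tshark output
# above; the section counts are assumed, not taken from the captures.
UDP_QUERY = build_header(0x27EF, 0x0000)
UDP_RESPONSE = build_header(0x27EF, 0x8600, an=1, ns=13, ar=13)  # AA+TC, NOERROR
TCP_QUERY = build_header(0xBC37, 0x0000)
TCP_RESPONSE = build_header(0xBC37, 0x8102, an=1)                 # RD set, SERVFAIL


def summarize(query, response):
    """One-line summary of the response header plus its list of anomalies."""
    q, r = parse_header(query), parse_header(response)
    line = "id=%04x flags=%04x rcode=%s aa=%d tc=%d rd=%d" % (
        r["id"], r["flags"], RCODE_NAMES.get(r["rcode"], r["rcode"]),
        r["aa"], r["tc"], r["rd"])
    return line, check_response(q, r)


if __name__ == "__main__":
    for label, q, r in (("UDP", UDP_QUERY, UDP_RESPONSE), ("TCP", TCP_QUERY, TCP_RESPONSE)):
        line, issues = summarize(q, r)
        print(label, line)
        for issue in issues:
            print("   !", issue)
```

Run stand-alone, the UDP pair reports only the truncation, while the TCP pair reports the copied-wrongly RD bit, SERVFAIL with an answer present, and the missing AA bit, which is exactly the combination the thread describes. The `expect_authoritative` flag exists because a clear AA bit is only an anomaly when you queried the zone's own servers, as the +trace run above did.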