DNS SERVFAIL and incorrect flags only over TCP: broken DNS server?

Is a name server misconfigured when it returns extra records in the additional section for a query whose CNAME points to another domain? Specifically, what I am seeing is a CNAME hosted by Network Solutions, where the CNAME points to a different domain name and TLD.

I am asking whether this is a bad configuration, because all these additional records push the response past the UDP packet size, forcing the query to be redone over TCP.

    dig www.unitedstatesartists.org +trace

Name server response:

    example.org.            86400   IN      NS      ns15.worldnic.com.
    example.org.            86400   IN      NS      ns16.worldnic.com.
    ;; Received 95 bytes from 199.249.120.1#53(b2.org.afilias-nst.org) in 79 ms

    ;; Warning: Message parser reports malformed message packet.
    ;; Truncated, retrying in TCP mode.
    www.example.org.        7200    IN      CNAME   load-01-123.us-west-1.elb.amazonaws.com.
    .                       518400  IN      NS      a.root-servers.net.
    .                       518400  IN      NS      b.root-servers.net.
    .                       518400  IN      NS      c.root-servers.net.
    .                       518400  IN      NS      d.root-servers.net.
    .                       518400  IN      NS      e.root-servers.net.
    .                       518400  IN      NS      f.root-servers.net.
    .                       518400  IN      NS      g.root-servers.net.
    .                       518400  IN      NS      h.root-servers.net.
    .                       518400  IN      NS      i.root-servers.net.
    .                       518400  IN      NS      j.root-servers.net.
    .                       518400  IN      NS      k.root-servers.net.
    .                       518400  IN      NS      l.root-servers.net.
    .                       518400  IN      NS      m.root-servers.net.
    ;; Received 526 bytes from 205.178.190.8#53(ns15.worldnic.com) in 173 ms

Whether the additional records are returned is random. Sometimes, when they do not return the additional information, there is still a truncated response and a retry over TCP.

    example.org.            86400   IN      NS      ns15.worldnic.com.
    example.org.            86400   IN      NS      ns16.worldnic.com.
    ;; Received 95 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 82 ms

    ;; Warning: Message parser reports malformed message packet.
    ;; Truncated, retrying in TCP mode.
    www.example.org.        7200    IN      CNAME   load-01-123.us-west-1.elb.amazonaws.com.
    ;; Received 107 bytes from 205.178.190.8#53(ns15.worldnic.com) in 164 ms

Update 2010-12-08

With more testing I found:

  • Network Solutions responds to a recursive query (dig's default when not using +trace) with SERVFAIL (Server failure), but still gives the correct answer.
  • Setting dig +norecurse works fine, but not always. Sometimes a SERVFAIL is returned – bad. Possible reason below.
  • Network Solutions' inclusion of the root servers in the authority and additional sections causes UDP truncation and requires TCP to complete.

The following capture summarizes:

  • A non-recursive request for the record from ns15
  • ns15 answers with the root servers in auth and additional, and marks the reply as truncated
  • The non-recursive request is retried over TCP because of the truncated UDP reply
  • A similar answer from ns15 over TCP, except that "recursion desired" is incorrectly set, and the "server failure" code is set as well

We have opened a ticket, but we will see whether it goes anywhere. Here are the DNS packets from tshark's detailed output:

First query (over UDP):

    Domain Name System (query)
        Transaction ID: 0x27ef
        Flags: 0x0000 (Standard query)
            0... .... .... .... = Response: Message is a query
            .000 0... .... .... = Opcode: Standard query (0)
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...0 .... .... = Recursion desired: Don't do query recursively
            .... .... .0.. .... = Z: reserved (0)
            .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable

First answer (over UDP):

    Domain Name System (response)
        [Request In: 1]
        [Time: 0.078623000 seconds]
        Transaction ID: 0x27ef
        Flags: 0x8600 (Standard query response, No error)
            1... .... .... .... = Response: Message is a response
            .000 0... .... .... = Opcode: Standard query (0)
            .... .1.. .... .... = Authoritative: Server is an authority for domain
            .... ..1. .... .... = Truncated: Message is truncated
            .... ...0 .... .... = Recursion desired: Don't do query recursively
            .... .... 0... .... = Recursion available: Server can't do recursive queries
            .... .... .0.. .... = Z: reserved (0)
            .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
            .... .... .... 0000 = Reply code: No error (0)

Second query (over TCP):

    Domain Name System (query)
        Length: 56
        Transaction ID: 0xbc37
        Flags: 0x0000 (Standard query)
            0... .... .... .... = Response: Message is a query
            .000 0... .... .... = Opcode: Standard query (0)
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...0 .... .... = Recursion desired: Don't do query recursively
            .... .... .0.. .... = Z: reserved (0)
            .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable

Second answer (over TCP; note "recursion desired"):

    Domain Name System (response)
        [Request In: 6]
        [Time: 0.147357000 seconds]
        Length: 107
        Transaction ID: 0xbc37
        Flags: 0x8102 (Standard query response, Server failure)
            1... .... .... .... = Response: Message is a response
            .000 0... .... .... = Opcode: Standard query (0)
            .... .0.. .... .... = Authoritative: Server is not an authority for domain
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... 0... .... = Recursion available: Server can't do recursive queries
            .... .... .0.. .... = Z: reserved (0)
            .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
            .... .... .... 0010 = Reply code: Server failure (2)

Yes, this is a bad configuration and/or implementation – there is no reason for an authoritative server to return root referrals in an otherwise valid response.

Also, I see other errors on these two Worldnic servers that should not happen:

  • Sometimes it gives the correct answer, but with a SERVFAIL error code and without the AA bit set.

  • Even when EDNS0 (RFC 2671) is specified, UDP replies are always truncated at 512 bytes. This means DNSSEC cannot be used with these name servers.

  • It is not only the ADDITIONAL section that is a problem, but putting the root name servers in the AUTHORITY section of an authoritative (AA bit set) response.