Requirement of a nameserver to answer?


Post by Mark Andre » Tue, 08 Jul 2003 09:30:20

>On Sat, 28 Jun 2003 13:46:12 +0100, Ian Northeast

>>I have encountered a nameserver which when sent a correctly formulated
>>AAAA query for a name it is authoritative for responds with an ICMP
>>"port unreachable" message. I would expect a DNS reply containing 0
>>answers.

>I'd expect the same.
>An "ICMP port unreachable" error indicates that no process is
>listening on that port. If the nameserver has no AAAA records, it
>should reply the query with 0 answers, *not* with an ICMP error.

>Are you sure you get an ICMP error because of the request for AAAA
>records? (Could you provide a packet trace?)

        You could have done the test yourself.  Yes the server is
        brain dead by returning an incorrect error message at the
        wrong level in the stack.

>>My question is, is this acceptable behaviour? All the DNS RFCs seem to
>>discuss exactly what should be put in responses but not any requirement
>>to send a response. It seems to be assumed that all queries will be
>>replied to but I can't find it stated anywhere.

>Why shouldn't queries be replied to?
>As requests are made using UDP, which is an unreliable protocol, if
>queries are not replied to, the resolver will think that the query was
>lost/corrupted, and will retry it.

>>BTW this causes trouble with the FTP client in AIX which tries an AAAA
>>lookup first and waits over a minute before trying an A if it doesn't
>>get a response.

>If the query for AAAA records is replied with 0 answers, then the FTP
>"should" query for A records almost immediately.
>If the resolver gets an "ICMP port unreachable", it'd return an error
>to the FTP client, which would then query for A records, almost
>immediately.

        A sane resolver on seeing port unreachable would declare the
        server dead and not try an A query.  The port is reachable,
        the error being returned is a lie.  To see what would happen
        if the false return value was made visible you only have to
        look at what happens when a nameserver returns an incorrect
        NXDOMAIN response.  These get cached (if only for the current
        second) and subsequent A queries are blocked.

        Luckily the FTP client isn't actually talking to the remote
        DNS server directly.  It is talking to its local caching
        server and the BSD API does not provide a mechanism for
        retrieving port unreachables from connectionless UDP sockets.
        Nameservers use connectionless UDP sockets as they are talking
        to hundreds, if not thousands of servers simultaneously.

        Most caching servers don't cache non answers so the subsequent
        A queries succeed.

>I don't understand why the FTP client should wait for about a minute
>before querying A records. Could you provide packet traces?

>--
>Fernando Gont

>[To send a personal reply, please remove the ANTISPAM tag]
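An added example, not part of the thread above, of the kind of probe the posters ask for: it sends one AAAA query and reports whether the server answered with a normal reply (0 answers, NXDOMAIN, or records), produced an ICMP port unreachable, or said nothing. It uses a *connected* UDP socket on purpose, because that is how the kernel will hand the port unreachable back as ECONNREFUSED rather than dropping it (the unconnected-socket limitation the thread mentions). The record-type number, header layout and server/name arguments are standard DNS; nothing here is taken from a real server.

```python
import socket
import struct

AAAA = 28  # RR type number for AAAA

def build_aaaa_query(name, txid=0x1234):
    """Build a minimal recursion-desired DNS query for name/IN/AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", AAAA, 1)

def classify_reply(query, data):
    """Classify a raw DNS reply relative to the query it answers."""
    if len(data) < 12:
        return "malformed"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "txid-mismatch"
    if not flags & 0x8000:          # QR bit clear: a query, not a reply
        return "not-a-reply"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "rcode-%d" % rcode
    # NOERROR with ANCOUNT 0 is the "name exists, no AAAA" reply expected above
    return "noerror-empty" if an == 0 else "noerror-%d-answers" % an

def probe(server, name, timeout=3.0):
    """Send one AAAA query and report what the server did at the UDP level.
    A connected UDP socket is used so an ICMP port unreachable surfaces
    as ECONNREFUSED on recv() instead of being silently discarded."""
    query = build_aaaa_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))
        s.send(query)
        try:
            data = s.recv(4096)
        except ConnectionRefusedError:
            return "icmp-port-unreachable"   # the behaviour discussed in the thread
        except socket.timeout:
            return "timeout"                 # no reply at all
    return classify_reply(query, data)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2]))  # e.g. probe("192.0.2.1", "example.com")
```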