>On Sat, 28 Jun 2003 13:46:12 +0100, Ian Northeast
>>I have encountered a nameserver which when sent a correctly formulated
>>AAAA query for a name it is authoritative for responds with an ICMP
>>"port unreachable" message. I would expect a DNS reply containing 0
>I'd expect the same.
>An "ICMP port unreachable" error indicates that no process is
>listening on that port. If the nameserver has no AAAA records, it
>should reply to the query with 0 answers, *not* with an ICMP error.
>Are you sure you get an ICMP error because of the request for AAAA
>records? (Could you provide a packet trace?)
brain dead by returning an incorrect error message at the
wrong level in the stack.

A sane resolver on seeing port unreachable would declare the
server dead and not try an A query. The port is reachable,
the error being returned is a lie. To see what would happen
if the false return value was made visible you only have to
look at what happens when a nameserver returns an incorrect
NXDOMAIN response. These get cached (if only for the current
second) and subsequent A queries are blocked.

Luckily the FTP client isn't actually talking to the remote
DNS server directly. It is talking to its local caching
server and the BSD API does not provide a mechanism for
retrieving port unreachables from connectionless UDP sockets.
Nameservers use connectionless UDP sockets as they are talking
to hundreds, if not thousands of servers simultaneously.
Most caching servers don't cache non answers so the subsequent
A queries succeed.

>>My question is, is this acceptable behaviour? All the DNS RFCs seem to
>>discuss exactly what should be put in responses but not any requirement
>>to send a response. It seems to be assumed that all queries will be
>>replied to but I can't find it stated anywhere.
>Why shouldn't queries be replied to?
>As requests are made using UDP, which is an unreliable protocol, if
>queries are not replied to, the resolver will think that the query was
>lost/corrupted, and will retry it.
>>BTW this causes trouble with the FTP client in AIX which tries an AAAA
>>lookup first and waits over a minute before trying an A if it doesn't
>>get a response.
>If the query for AAAA records is replied to with 0 answers, then the FTP
>"should" query for A records almost immediately.
>If the resolver gets an "ICMP port unreachable", it'd return an error
>to the FTP client, which would then query for A records, almost
>before querying A records. Could you provide packet traces?
>[To send a personal reply, please remove the ANTISPAM tag]
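An added example, not from this thread, showing in Python the outcomes the thread distinguishes for one UDP AAAA query: a sane server's NOERROR reply with 0 answers (fall back to A at once), an ICMP port unreachable, which a connected UDP socket surfaces as ECONNREFUSED (an unconnected socket, as the post notes, never sees it and just times out), and a plain timeout. The local responder, the closed loopback port and the name `example.test` are constructed for the demonstration.

```python
import socket
import struct
import threading

AAAA = 28  # QTYPE for an IPv6 address record

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, one question) + QNAME + QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def start_empty_answer_server():
    """Constructed stand-in for a sane server: replies NOERROR, ANCOUNT=0 ("no AAAA records")."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        data, peer = srv.recvfrom(512)
        txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
        # QR=1, RD=1, RA=1, RCODE=0; echo the question section, send no answer records
        srv.sendto(struct.pack("!HHHHHH", txid, 0x8180, qdcount, 0, 0, 0) + data[12:], peer)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now; a datagram to it draws ICMP port unreachable
    return port

def lookup_outcome(port, name, qtype=AAAA, timeout=0.5):
    """Classify what a resolver sees for one UDP query, as the thread distinguishes the cases."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.connect(("127.0.0.1", port))  # connected UDP socket: the ICMP error surfaces as ECONNREFUSED
    try:
        s.send(build_query(name, qtype))
        resp = s.recv(512)
    except ConnectionRefusedError:
        return "server-unreachable"  # ICMP port unreachable: nothing listening, mark the server down
    except socket.timeout:
        return "timeout"  # UDP query lost: retry
    finally:
        s.close()
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0xF != 0:
        return "rcode-%d" % (flags & 0xF)  # e.g. 3 = NXDOMAIN
    return "no-data" if ancount == 0 else "answer"  # no-data: the correct reply, ask for A now
```

`lookup_outcome(start_empty_answer_server(), "example.test")` returns `"no-data"`, while the same call against `closed_port()` returns `"server-unreachable"`.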