[Pdns-users] CNAME NXDOMAIN problem

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Nov 22 11:05:54 UTC 2013 

Hello,

On Nov 22, 2013, at 9:45 , Francois Claire wrote:

>> Appears that you receive nxdomain from nameserver, see at the end of trace.
>> 
> Indeed the g2.ebay.com. DNS server (66.211.167.40) answers thumbs.g.ebay.com. with an NXDomain:
> 14:13:38.023503 IP W.X.Y.Z.4994 > 66.211.167.40.53: 26515 [1au] A? thumbs.g.ebay.com. (54)
> 14:13:38.196462 IP 66.211.167.40.53 > W.X.Y.Z.4994: 26515 NXDomain*- 0/1/1 (96)
> 
> But when using dig, the g2.ebay.com. DNS server answers a CNAME record:
> 
> $ dig @66.211.167.40 thumbs.g.ebay.com
> 
> ; <<>> DiG 9.8.4-P2 <<>> @66.211.167.40 thumbs.g.ebay.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58678
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;thumbs.g.ebay.com.        IN    A
> 
> ;; ANSWER SECTION:
> thumbs.g.ebay.com.    60    IN    CNAME c.ebay.georedirector.akadns.net.
> 
> ;; Query time: 177 msec
> ;; SERVER: 66.211.167.40#53(66.211.167.40)
> ;; WHEN: Thu Nov 21 14:41:08 2013
> ;; MSG SIZE  rcvd: 80
> 
> 
> So why is the powerDNS recursor receiving an NXDomain ? Is its query malformed ?


I don't know why your recursor is receiving NXDomain (mine does not, for example) - but this does not appear to be a PowerDNS Recursor issue.

However, the g*.ebay.com servers are definitely broken. While the relevant query (dig +norec +noedns @66.211.167.40 thumbs.g.ebay.com A) returns the right CNAME for me, various other queries (replace A in the query with MX, ANY or even CNAME) yield NXDOMAIN. A recursor that receives NXDOMAIN when asking for a specific type is allowed to assume the NXDOMAIN applies to all other types.

Given that they are broken like this, I'm not surprised they manage to reply NXDOMAIN to A-queries as well, in specific situations.

If you have a contact at eBay, please let them know that their name servers are broken. I will also look into finding a contact.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20131122/ef49daed/attachment-0001.sig>

More information about the Pdns-users mailing list