incorrect NXDOMAIN response from DNS server

[Jun-ichiro itojun Hagino <itojun () itojun org>]

        the issue was originally raised on 6bone () isi edu.

        there are name server implementations (probably load balancing product)
        that responds with NXDOMAIN, when it should respond with NOERROR with
        empty reply.  one example is news.bbc.co.uk.  this symptom not only
        confuse IPv6-ready client resolvers, but also has bad effect against
        negative caching and email delivery (if MX is responded with NODOMAIN).

        do you know:
        - name of particular implementation which have/had this bug?
        - other examples of nameservers that behave like this?
          (windowsupdate.microsoft.com behaved like this in Feb 2002, but
          they are already fixed)
        - how can we get people to fix it?  (client side workaround should
          not be populated, just to be sure)

itojun


% dig news.bbc.co.uk. aaaa

; <<>> DiG 9.1.2 <<>> news.bbc.co.uk. aaaa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60945
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;news.bbc.co.uk.                        IN      AAAA

;; ANSWER SECTION:
news.bbc.co.uk.         1770    IN      CNAME   newswww.bbc.net.uk.

;; Query time: 2362 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Thu Apr 25 11:25:45 2002
;; MSG SIZE  rcvd: 62

% dig news.bbc.co.uk. a

; <<>> DiG 9.1.2 <<>> news.bbc.co.uk. a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11225
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;news.bbc.co.uk.                        IN      A

;; ANSWER SECTION:
news.bbc.co.uk.         1761    IN      CNAME   newswww.bbc.net.uk.
newswww.bbc.net.uk.     300     IN      A       212.58.240.33

;; AUTHORITY SECTION:
bbc.net.uk.             14360   IN      NS      ns0.thny.bbc.co.uk.
bbc.net.uk.             14360   IN      NS      ns0.thdo.bbc.co.uk.

;; ADDITIONAL SECTION:
ns0.thdo.bbc.co.uk.     6362    IN      A       212.58.224.20
ns0.thny.bbc.co.uk.     6362    IN      A       38.160.150.20

;; Query time: 2341 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Thu Apr 25 11:25:53 2002
;; MSG SIZE  rcvd: 156

--- Begin Message --- From: Nathan Lutchansky <lutchann-ipv6users () litech org>
Date: Wed, 17 Apr 2002 11:02:15 -0400

Hi all,

We've noticed that some sites like news.bbc.co.uk are running broken DNS 
servers that return NXDOMAIN for AAAA queries rather than NOERROR with 
zero answers.  The NXDOMAIN reply indicates that there are no records of 
any type for the requested name, which is clearly not true since A records 
exist and are returned with an A query.

Unfortunately, this means that applications that attempt AAAA queries are 
unable to resolve addresses that reside within these broken servers.  And 
that includes WinXP with the IPv6 stack enabled.  We would like to deploy 
IPv6 on Windows XP machines here, but our users complain loudly when they 
are not able to access BBC.

Has anybody found a workaround for this problem?  Judging by newsgroup 
messages, BBC has known about this problem for months and has neglected to 
fix it.  At the very least, does anybody have an idea of how widespread is 
this problem?  -Nathan

-- 
+-------------------+---------------------+------------------------+
| Nathan Lutchansky | lutchann () litech org |  Lithium Technologies  |
+------------------------------------------------------------------+
|  I dread success.  To have succeeded is to have finished one's   |
|  business on earth...  I like a state of continual becoming,     |
|  with a goal in front and not behind. - George Bernard Shaw      |
+------------------------------------------------------------------+

Attachment: _bin
Description:

--- End Message ---