From: Matus UHLAR - fantomas
Newsgroups: comp.protocols.dns.bind
Subject: Re: Error "Query section mismatch : got"
Date: Wed, 19 Aug 2020 17:24:38 +0200

>> On 20 Aug 2020, at 00:41, Matus UHLAR - fantomas wrote:
>>
>>> On Wed, Aug 19, 2020 at 7:42 AM Matus UHLAR - fantomas
>>> wrote:
>>>> again, why you query for 250.0-24.199.212.125.in-addr.arpa
>>>> under normal circumstances there's no point of querying that name.
>>
>> On 19.08.20 10:05, tale via bind-users wrote:
>>> Well yes and no. While an individual user would typically not,
>>> resolvers sure will. While trying to resolve
>>> 250.199.212.125.in-addr.arpa, it will eventually get to
>>> 250.199.212.125.in-addr.arpa CNAME 250.0-24.199.212.125.in-addr.arpa.
>>
>> my question is why would anyone do this, as this apparently does not make
>> sense.

On 20.08.20 00:59, Mark Andrews wrote:
>Presumably because they don’t know that APNIC can delegate the /24s that make
>up the /17 independently of each other.

even if not, they can fetch whole /24 from their customer (requiring
customer to add their NSes as long).

but, yes, in case of very incompetent customer they can require such
delegation.

>> someone (vietel) illogically delegated whole /24 subnet to broken servers:
>>
>> 199.212.125.in-addr.arpa. 86400 IN NS dns2.vietel.com.vn.
>> 199.212.125.in-addr.arpa. 86400 IN NS dns1.vietel.com.vn.
>>
>> 0.199.212.125.in-addr.arpa has address 125.235.4.59
>> 1.199.212.125.in-addr.arpa is an alias for 1.0-24.199.212.125.in-addr.arpa.
>> ...
>> 255.199.212.125.in-addr.arpa is an alias for 255.0-24.199.212.125.in-addr.arpa.

delegation from apnic to vietel:

199.212.125.in-addr.arpa. 86400 IN NS dns2.vietel.com.vn.
199.212.125.in-addr.arpa. 86400 IN NS dns1.vietel.com.vn.
199.212.125.in-addr.arpa. 3600 IN NSEC 2.212.125.in-addr.arpa. NS RRSIG NSEC
199.212.125.in-addr.arpa. 3600 IN RRSIG NSEC 13 5 3600 20200917160047 20200818150047 30887 125.in-addr.arpa. 5ixPuj/J+cDFSDwxy3MSMs1xkmpGrdzhrmjiodo6CkEBazwUxojGfIYU R5MNZCbDoMZEF4Fq8eL9lcsZgrBctA==
;; Received 321 bytes from 203.119.95.53#53(ns2.apnic.net) in 255 ms

delegation from vietel to vietelidc:

0-24.199.212.125.in-addr.arpa. 86400 IN NS ns.viettelidc.com.vn.
0-24.199.212.125.in-addr.arpa. 86400 IN NS ns2.viettelidc.com.vn.
0-24.199.212.125.in-addr.arpa. 86400 IN NS ns1.viettelidc.com.vn.
;; Received 160 bytes from 203.113.188.2#53(dns2.vietel.com.vn) in 367 ms

zone 199.212.125.in-addr.arpa. at vietelidc who is supposed to provide
0-24.199.212.125.in-addr.arpa:

199.212.125.in-addr.arpa. 2560 IN SOA ns.viettelidc.com.vn. hostmaster.199.212.125.in-addr.arpa. 1597850355 16384 2048 1048576 2560
;; Received 129 bytes from 115.84.181.10#53(ns2.viettelidc.com.vn) in 291 ms

vietelidc is in this case the problem:

1. they block DNS over TCP
2. they should have configured zone 0-24.199.212.125.in-addr.arpa

although it's possible that viettelidc.com.vn asked vietel.com.vn to
delegate 199.212.125.in-addr.arpa. and vietel.com.vn messed it up...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
If Barbie is so popular, why do you have to buy her friends?
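
The zone-name check from the message above, as an added example that is not part of the original post or of BIND: it follows the RFC 2317 style CNAME, finds the deepest delegation, and compares that zone name with the SOA owner the delegated servers return. The function names, the CNAME TTL and the `SOA_SEEN` table are assumptions built from the records quoted in the thread.

```python
# Constructed input: records quoted in the message (the CNAME TTL is assumed).
RECORDS = """\
199.212.125.in-addr.arpa. 86400 IN NS dns1.vietel.com.vn.
199.212.125.in-addr.arpa. 86400 IN NS dns2.vietel.com.vn.
250.199.212.125.in-addr.arpa. 86400 IN CNAME 250.0-24.199.212.125.in-addr.arpa.
0-24.199.212.125.in-addr.arpa. 86400 IN NS ns.viettelidc.com.vn.
0-24.199.212.125.in-addr.arpa. 86400 IN NS ns1.viettelidc.com.vn.
0-24.199.212.125.in-addr.arpa. 86400 IN NS ns2.viettelidc.com.vn.
"""
# SOA owner each delegated server answered with (the message shows only ns2).
SOA_SEEN = {"ns2.viettelidc.com.vn.": "199.212.125.in-addr.arpa."}

def parse(text):
    """Map (owner, type) -> [rdata] from 'owner ttl IN type rdata' lines."""
    rrs = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 5 and fields[2] == "IN":
            rrs.setdefault((fields[0].lower(), fields[3]), []).append(fields[4].lower())
    return rrs

def follow_cname(rrs, name, limit=8):
    """Follow CNAMEs (the classless alias) with a hop limit against loops."""
    for _ in range(limit):
        target = rrs.get((name, "CNAME"))
        if not target:
            return name
        name = target[0]
    raise ValueError("CNAME chain too long")

def closest_delegation(rrs, name):
    """Deepest NS owner that is `name` or one of its ancestors, else None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if (zone, "NS") in rrs:
            return zone

def check_ptr_chain(rrs, soa_seen, qname):
    """Return (final name, delegated zone, findings per delegated server)."""
    final = follow_cname(rrs, qname.lower())
    zone = closest_delegation(rrs, final)
    findings = []
    for ns in sorted(rrs.get((zone, "NS"), [])):
        soa = soa_seen.get(ns)
        if soa != zone:
            findings.append((ns, f"serves {soa} not {zone}" if soa else "no SOA observed"))
    return final, zone, findings

print(check_ptr_chain(parse(RECORDS), SOA_SEEN, "250.199.212.125.in-addr.arpa."))
```

A server flagged as serving the parent name answers from a zone the resolver was not referred to, which is the second problem listed in the message; the blocked DNS over TCP is a separate fault this check does not cover.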