测试了下某个DNS系统,查询如下:
$ dig mytest.blogchina.org @ns1.dnsv5.com
; <<>> DiG 9.4.2-P2.1 <<>> mytest.blogchina.org @ns1.dnsv5.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24560
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mytest.blogchina.org. IN A
;; AUTHORITY SECTION:
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; Query time: 26 msec
;; SERVER: 222.186.189.214#53(222.186.189.214)
;; WHEN: Thu Jul 7 15:01:58 2011
;; MSG SIZE rcvd: 92
我们看到这个DNS响应包含了aa flag,证明它是mytest.blogchina.org的权威服务器。
但是,这个应答的ANSWER里并无内容,也就是说没有该域名的权威解析。
按照RFC,此时的AUTHORITY SECTION应该返回本域的SOA记录。
然而,该DNS却在AUTHORITY SECTION里错误的返回了域的NS记录。
在包含了aa flag,且ANSWER里有内容时,名字服务器才能在AUTHORITY SECTION里返回NS。
或者没有包含aa flag,当然ANSWER里也无内容,名字服务器可以在AUTHORITY SECTION里返回NS,这叫引用。
显然,该DNS服务器的设计是错误的,导致的结果是BAD (HORIZONTAL) REFERRAL。
我们dig跟踪一下可看到这个错误过程:
$ dig mytest.blogchina.org +trace
; <<>> DiG 9.4.2-P2.1 <<>> mytest.blogchina.org +trace
;; global options: printcmd
. 276642 IN NS c.root-servers.net.
. 276642 IN NS l.root-servers.net.
. 276642 IN NS i.root-servers.net.
. 276642 IN NS a.root-servers.net.
. 276642 IN NS b.root-servers.net.
. 276642 IN NS g.root-servers.net.
. 276642 IN NS k.root-servers.net.
. 276642 IN NS d.root-servers.net.
. 276642 IN NS m.root-servers.net.
. 276642 IN NS j.root-servers.net.
. 276642 IN NS f.root-servers.net.
. 276642 IN NS e.root-servers.net.
. 276642 IN NS h.root-servers.net.
;; Received 496 bytes from 202.96.128.166#53(202.96.128.166) in 5 ms
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a0.org.afilias-nst.info.
;; Received 440 bytes from 192.203.230.10#53(e.root-servers.net) in 370 ms
blogchina.org. 86400 IN NS ns1.dnsv5.com.
blogchina.org. 86400 IN NS ns2.dnsv5.com.
;; Received 83 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 65 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; Received 92 bytes from 180.153.162.153#53(ns2.dnsv5.com) in 27 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 125.39.58.15#53(ns1.dnsv5.com) in 37 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 183.60.59.217#53(ns1.dnsv5.com) in 6 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 112.90.143.36#53(ns1.dnsv5.com) in 77 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 221.130.12.61#53(ns2.dnsv5.com) in 193 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 122.225.217.194#53(ns2.dnsv5.com) in 24 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 222.186.189.214#53(ns1.dnsv5.com) in 26 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 183.60.59.217#53(ns1.dnsv5.com) in 6 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 183.60.59.218#53(ns2.dnsv5.com) in 6 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 112.90.143.36#53(ns1.dnsv5.com) in 77 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 180.153.162.153#53(ns2.dnsv5.com) in 27 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 222.186.189.214#53(ns1.dnsv5.com) in 26 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 221.130.12.61#53(ns2.dnsv5.com) in 194 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 122.225.217.194#53(ns2.dnsv5.com) in 24 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 125.39.58.15#53(ns1.dnsv5.com) in 37 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 183.60.59.217#53(ns1.dnsv5.com) in 6 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 183.60.59.218#53(ns2.dnsv5.com) in 5 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 180.153.162.153#53(ns2.dnsv5.com) in 27 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 221.130.12.61#53(ns2.dnsv5.com) in 193 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 122.225.217.194#53(ns2.dnsv5.com) in 24 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 222.186.189.214#53(ns1.dnsv5.com) in 26 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 125.39.58.15#53(ns1.dnsv5.com) in 37 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 183.60.59.217#53(ns1.dnsv5.com) in 6 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 183.60.59.218#53(ns2.dnsv5.com) in 6 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 180.153.162.153#53(ns2.dnsv5.com) in 27 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 112.90.143.36#53(ns1.dnsv5.com) in 77 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 221.130.12.61#53(ns2.dnsv5.com) in 196 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 222.186.189.214#53(ns1.dnsv5.com) in 26 ms
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 92 bytes from 125.39.58.15#53(ns1.dnsv5.com) in 37 ms
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
dig: too many lookups