Bug 800148

Summary: host and nslookup ignore valid responses that are non-recursive
Product: Red Hat Enterprise Linux 6
Reporter: Damian Gerow <dgerow>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: low
Priority: unspecified
Version: 6.2
CC: ovasik
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-03-08 15:32:25 UTC

Description Damian Gerow 2012-03-05 20:45:53 UTC
Description of problem:
The 'host' and 'nslookup' utilities perform recursive queries by default.  If multiple nameservers are configured in /etc/resolv.conf, and these nameservers are configured as authoritative-only -- so no recursion is available -- then both the 'host' and 'nslookup' utilities will ignore the valid response returned by named, so long as more than one nameserver is configured in /etc/resolv.conf.

Version-Release number of selected component (if applicable):
# lsb_release -a
LSB Version:	:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID:	RedHatEnterpriseServer
Description:	Red Hat Enterprise Linux Server release 6.2 (Santiago)
Release:	6.2
Codename:	Santiago
# rpm -q bind-utils
bind-utils-9.7.3-8.P3.el6_2.2.x86_64
# 

How reproducible:
100%

Steps to Reproduce:
1. Set 'recursion no;' in your named.conf.
2. Ensure that instance of bind is present in /etc/resolv.conf.
3. Add an additional, non-existent -- i.e. 127.0.0.2 -- nameserver to /etc/resolv.conf.
4. Attempt to look up a host for which the nameserver is authoritative.
  
Actual results:
With /etc/resolv.conf:
-----
domain example.com
search example.com
nameserver 127.0.0.1
nameserver 127.0.0.2
-----

# host foo.example.com.
;; connection timed out; no servers could be reached
#  

On the network:
-----
# tcpdump -i lo -lnp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
20:42:38.796690 IP 127.0.0.1.56421 > 127.0.0.1.domain: 63281+ A? foo.example.com. (46)
20:42:38.796938 IP 127.0.0.1.domain > 127.0.0.1.56421: 63281*- 1/3/3 A 192.168.0.100 (179)
20:42:38.797128 IP 127.0.0.2.37682 > 127.0.0.2.domain: 63281+ A? foo.example.com. (46)
20:42:43.797499 IP 127.0.0.2.37682 > 127.0.0.2.domain: 63281+ A? foo.example.com. (46)
-----

Expected results:
With /etc/resolv.conf:
-----
domain example.com
search example.com
nameserver 127.0.0.1
-----

# host foo.example.com.
foo.example.com has address 192.168.0.100
# 

On the network:
-----
20:43:53.702429 IP 127.0.0.1.37943 > 127.0.0.1.domain: 55233+ A? foo.example.com. (46)
20:43:53.702545 IP 127.0.0.1.domain > 127.0.0.1.37943: 55233*- 1/3/3 A 192.168.0.100 (179)
20:43:53.702841 IP 127.0.0.1.50849 > 127.0.0.1.domain: 16205+ AAAA? foo.example.com. (46)
20:43:53.702940 IP 127.0.0.1.domain > 127.0.0.1.50849: 16205*- 0/1/0 (93)
20:43:53.703047 IP 127.0.0.1.60328 > 127.0.0.1.domain: 23258+ MX? foo.example.com. (46)
20:43:53.703119 IP 127.0.0.1.domain > 127.0.0.1.60328: 23258*- 0/1/0 (93)
-----

Additional info:
Both 'host' and 'nslookup' provide workarounds for this: '-r' and '-norec', respectively.
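
Added example (not part of the original report, and not code from bind-utils): a decoder for the 12-byte DNS header that shows why the "63281*-" reply in the capture above is a complete authoritative answer even though recursion is unavailable. The header bytes are constructed from the IDs and section counts visible in the tcpdump output; the tcpdump_flags rendering is a simplified assumption covering only the '+', '*', '-' and '|' markers, and the classify labels are illustrative names.

```python
import struct

def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, _qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "rd": bool(flags & 0x0100),   # recursion desired (copied into the reply)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "counts": (an, ns, ar),       # answer / authority / additional
    }

def tcpdump_flags(h: dict) -> str:
    """Simplified tcpdump-style markers: '+' RD on a query; '*' AA, '-' no RA, '|' TC on a reply."""
    if not h["qr"]:
        return "+" if h["rd"] else ""
    return ("*" if h["aa"] else "") + ("" if h["ra"] else "-") + ("|" if h["tc"] else "")

def classify(h: dict) -> str:
    """Decide whether a reply is usable without any recursion service."""
    if not h["qr"]:
        return "query"
    if h["rcode"] != 0:
        return "error"
    if h["tc"]:
        return "truncated"
    if h["aa"]:
        # RA=0 does not matter here: the server answered from its own zone data.
        return "authoritative-answer" if h["counts"][0] else "authoritative-nodata"
    return "recursive-answer" if h["ra"] else "non-authoritative-no-recursion"

# Constructed headers matching the capture: query 63281+, reply 63281*- 1/3/3, reply 16205*- 0/1/0.
QUERY = struct.pack("!6H", 63281, 0x0100, 1, 0, 0, 0)
ANSWER = struct.pack("!6H", 63281, 0x8500, 1, 1, 3, 3)
NODATA = struct.pack("!6H", 16205, 0x8500, 1, 0, 1, 0)

if __name__ == "__main__":
    for raw in (QUERY, ANSWER, NODATA):
        h = parse_dns_header(raw)
        print(h["id"], tcpdump_flags(h), "/".join(map(str, h["counts"])), classify(h))
```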

Comment 1 Nalin Dahyabhai 2012-03-05 21:24:10 UTC
Both commands are part of the bind-utils package, which is built from the bind source package; reassigning.

Comment 3 Adam Tkac 2012-03-08 15:32:25 UTC

*** This bug has been marked as a duplicate of bug 734458 ***