
I have a couple of BIND servers recently upgraded to Ubuntu 16.04 (from 14.04). Cron runs `dig . ns` once a day to grab an updated list of root servers used in the BIND configuration.

The script run by cron checks for an ADDITIONAL SECTION in the output to determine if the query failed. It's been failing since the upgrade because the section is no longer being returned. Anyone know what's up with this? I've not turned up anything specific on Google yet.

On 14.04, dig returns this:

# dig . ns
; <<>> DiG 9.9.5-3ubuntu0.19-Ubuntu <<>> . ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1492
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 900
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       73048   IN      NS      e.root-servers.net.
.                       73048   IN      NS      b.root-servers.net.
.                       73048   IN      NS      j.root-servers.net.
.                       73048   IN      NS      d.root-servers.net.
.                       73048   IN      NS      m.root-servers.net.
.                       73048   IN      NS      k.root-servers.net.
.                       73048   IN      NS      g.root-servers.net.
.                       73048   IN      NS      l.root-servers.net.
.                       73048   IN      NS      c.root-servers.net.
.                       73048   IN      NS      i.root-servers.net.
.                       73048   IN      NS      h.root-servers.net.
.                       73048   IN      NS      a.root-servers.net.
.                       73048   IN      NS      f.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     222215  IN      A       198.41.0.4
a.root-servers.net.     308618  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     73048   IN      A       199.9.14.201
b.root-servers.net.     73048   IN      AAAA    2001:500:200::b
c.root-servers.net.     308618  IN      A       192.33.4.12
c.root-servers.net.     308618  IN      AAAA    2001:500:2::c
d.root-servers.net.     73048   IN      A       199.7.91.13
d.root-servers.net.     73048   IN      AAAA    2001:500:2d::d
e.root-servers.net.     73048   IN      A       192.203.230.10
e.root-servers.net.     73048   IN      AAAA    2001:500:a8::e
f.root-servers.net.     73048   IN      A       192.5.5.241
f.root-servers.net.     75235   IN      AAAA    2001:500:2f::f
g.root-servers.net.     308618  IN      A       192.112.36.4
g.root-servers.net.     75235   IN      AAAA    2001:500:12::d0d
h.root-servers.net.     308618  IN      A       198.97.190.53
h.root-servers.net.     312215  IN      AAAA    2001:500:1::53
i.root-servers.net.     73048   IN      A       192.36.148.17
i.root-servers.net.     75235   IN      AAAA    2001:7fe::53
j.root-servers.net.     73048   IN      A       192.58.128.30
j.root-servers.net.     75235   IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     73048   IN      A       193.0.14.129
k.root-servers.net.     75235   IN      AAAA    2001:7fd::1
l.root-servers.net.     73048   IN      A       199.7.83.42
l.root-servers.net.     75235   IN      AAAA    2001:500:9f::42
m.root-servers.net.     73048   IN      A       202.12.27.33
m.root-servers.net.     75235   IN      AAAA    2001:dc3::35

;; Query time: 1 msec
;; SERVER: 192.168.136.183#53(192.168.136.183)
;; WHEN: Thu Feb 28 09:31:26 CST 2019
;; MSG SIZE  rcvd: 811

On 16.04, dig returns this:

# dig . ns
; <<>> DiG 9.10.3-P4-Ubuntu <<>> . ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57497
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       55229   IN      NS      j.root-servers.net.
.                       55229   IN      NS      a.root-servers.net.
.                       55229   IN      NS      h.root-servers.net.
.                       55229   IN      NS      b.root-servers.net.
.                       55229   IN      NS      d.root-servers.net.
.                       55229   IN      NS      i.root-servers.net.
.                       55229   IN      NS      c.root-servers.net.
.                       55229   IN      NS      m.root-servers.net.
.                       55229   IN      NS      g.root-servers.net.
.                       55229   IN      NS      l.root-servers.net.
.                       55229   IN      NS      f.root-servers.net.
.                       55229   IN      NS      e.root-servers.net.
.                       55229   IN      NS      k.root-servers.net.

;; Query time: 1 msec
;; SERVER: 192.168.32.4#53(192.168.32.4)
;; WHEN: Thu Feb 28 09:30:41 CST 2019
;; MSG SIZE  rcvd: 239

Updated: 16.04 with `+additional`

# dig . ns +additional

; <<>> DiG 9.10.3-P4-Ubuntu <<>> . ns +additional
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32682
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       402756  IN      NS      l.root-servers.net.
.                       402756  IN      NS      h.root-servers.net.
.                       402756  IN      NS      j.root-servers.net.
.                       402756  IN      NS      b.root-servers.net.
.                       402756  IN      NS      e.root-servers.net.
.                       402756  IN      NS      g.root-servers.net.
.                       402756  IN      NS      m.root-servers.net.
.                       402756  IN      NS      f.root-servers.net.
.                       402756  IN      NS      d.root-servers.net.
.                       402756  IN      NS      a.root-servers.net.
.                       402756  IN      NS      c.root-servers.net.
.                       402756  IN      NS      k.root-servers.net.
.                       402756  IN      NS      i.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     107396  IN      A       198.41.0.4

;; Query time: 0 msec
;; SERVER: 192.168.32.4#53(192.168.32.4)
;; WHEN: Wed Mar 06 09:57:10 CST 2019
;; MSG SIZE  rcvd: 255
  • Why not start with upgrading your servers to 18.04 LTS? Also, do you get the additional section when you explicitly add `+additional` to the command? – Tommiie Mar 06 '19 at 10:03
  • Today the 16.04 hosts are returning a single server in the `ADDITIONAL` section (post updated - this is bizarre!). 14.04 hosts still return the same thing. All of our app servers have been in testing for quite some time on 16.04 so we need to stick with that on production. – Server Fault Mar 06 '19 at 16:08
  • Why does this monitoring script check for a part of the response that is not mandatory? I'd guess the observed change comes down to either some change in configuration or a change in the newer BIND version which reduces the amount of data it tacks on beyond what was actually asked for (probably for the best). – Håkan Lindqvist Mar 06 '19 at 16:40
  • The script is run by Nagios to determine if the current list of root servers is valid. I've since changed it to `success=$(egrep '^[a-z]\.root-servers\.net' /var/cache/bind/named.ca)` which satisfies Nagios and appears to still be valid for `bind` – Server Fault Mar 06 '19 at 16:57
  • Never use dig without `@`: you need to specify exactly which nameserver you query if you want results to be reproducible (and even with that it remains difficult in the era of anycasted services). Otherwise it is difficult to compare things (even if dig shows at bottom which nameserver replied), and indeed you are not querying the same nameserver between examples 1 and 2+3. – Patrick Mevzek Mar 07 '19 at 01:25
  • "The script run by cron checks for ADDTIONAL SECTION in the output to determine if the query failed." This is a very peculiar way to do things, why? Depends on what you mean by "the query failed", but the return code (NOERROR vs something else) or even checking a specific resource record seems better solution to know if the query failed or not... – Patrick Mevzek Mar 07 '19 at 01:26
  • Ah, when using `@` the output is at least the same now. Thanks. – Server Fault Mar 07 '19 at 14:18
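A check written the way the comments suggest, pinning the server with `@` and testing the rcode plus the NS set in the ANSWER section instead of the optional ADDITIONAL section. This is an added example, not code from the question, the comments, or Nagios. The sample dig output is constructed from the 16.04 output shown above; the 127.0.0.1 default server and the `+time`/`+tries` values are assumptions.

```shell
#!/bin/sh
# Added example (not from the Server Fault post or its comments).
# Validate a "dig @server . ns" response by its rcode and its NS set,
# never by whether an ADDITIONAL section happens to be present.

# Constructed sample modelled on the 16.04 output in the question:
# NOERROR, 13 NS records, no ADDITIONAL section at all.
SAMPLE_OK='; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.32.4 . ns
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57497
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       55229   IN      NS      j.root-servers.net.
.                       55229   IN      NS      a.root-servers.net.
.                       55229   IN      NS      h.root-servers.net.
.                       55229   IN      NS      b.root-servers.net.
.                       55229   IN      NS      d.root-servers.net.
.                       55229   IN      NS      i.root-servers.net.
.                       55229   IN      NS      c.root-servers.net.
.                       55229   IN      NS      m.root-servers.net.
.                       55229   IN      NS      g.root-servers.net.
.                       55229   IN      NS      l.root-servers.net.
.                       55229   IN      NS      f.root-servers.net.
.                       55229   IN      NS      e.root-servers.net.
.                       55229   IN      NS      k.root-servers.net.'

# Constructed failure: the resolver answered, but with SERVFAIL.
SAMPLE_SERVFAIL='; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.32.4 . ns
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed failure: NOERROR, but one root server is missing from the answer.
SAMPLE_SHORT=$(printf '%s\n' "$SAMPLE_OK" | grep -v 'k\.root-servers\.net')

# check_root_ns: read dig output on stdin. Succeed only when the rcode is
# NOERROR and the ANSWER section names exactly a..m.root-servers.net.
check_root_ns() {
    out=$(cat)
    # rcode from the HEADER line; empty if dig printed no header (timeout etc.)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ "$status" = "NOERROR" ] || { echo "root NS query failed: rcode '$status'" >&2; return 1; }
    # Owner "." in column 1, class/type in columns 3 and 4, target in 5.
    # The QUESTION line starts with ";." so it is not picked up.
    got=$(printf '%s\n' "$out" | awk '$1 == "." && $3 == "IN" && $4 == "NS" { print $5 }' | sort -u)
    want=$(for l in a b c d e f g h i j k l m; do echo "$l.root-servers.net."; done)
    [ "$got" = "$want" ] || { echo "unexpected root NS set:" >&2; printf '%s\n' "$got" >&2; return 1; }
    return 0
}

# Live use (not exercised offline): pin the server with @ so runs are
# comparable, and bound the wait so a Nagios check cannot hang.
# The 127.0.0.1 default and the timeout values are assumptions.
check_root_ns_live() {
    dig @"${1:-127.0.0.1}" +time=3 +tries=1 . ns | check_root_ns
}
```

Additional data in a recursive answer depends on what the resolver currently has cached and on how it chooses to fill that section, so its presence says nothing about whether the query itself succeeded; the rcode and the answer records are the signal worth alerting on.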
