Problem with a host Delagation
Mark_Andrews at isc.org
Mark_Andrews at isc.org
Tue Dec 16 22:57:59 UTC 2003
>
> > Hi,
> >
> > I have implemented a F5 Networks Link Controller to do inbound load
> > balancing. In order to make this device work you need to have the LC
> > respond to DNS requests for IP addresses you wish to inbound load
> > balance. I did this with my webserver by adding NS records for the
> > webserver host.
> >
> > ie:
> > ;www 3600 IN A 192.135.189.20
> > www 3600 IN NS bigip1.pics.com. ;Cl=2
> > 3600 IN NS bigip2.pics.com. ;Cl=2
> >
> > Bind 8.2.3-REL on the parent (where the zone file resides) answers
> > fine 75% of the time, the other 25% of the time it reports a SERVFAIL
> > and i see no proof (with tcpdump) that bind is asking the F5 device
> > for the IP of www.pics.com.
> >
> > Here is a dig debug (from the parent 192.135.189.20) but I have no
> > idea what this means or how to correct.
>
> I suggest that you choose another vendor. Your load balancer
> does not implement the base DNS specification (RFC 1034).
> The second answer below is wrong. The correct answer should
> be "aa=1 rcode=NOERROR ANSWER=0" (otherwise known as a
> NODATA response) and if the authority section is filled in
> then it should contain the NS records for the zone (www.pics.com).
Sorry I made a error above.
The authority section should contain the SOA record for the zone.
> The second answer below causes named to mark the nameservers as
> lame hence the SERVFAIL.
>
> Mark
>
> ; <<>> DiG 8.3 <<>> a www.pics.com +norec @bigip1.pics.com
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50467
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; www.pics.com, type = A, class = IN
>
> ;; ANSWER SECTION:
> www.pics.com. 5S IN A 66.243.87.152
>
> ;; Total query time: 249 msec
> ;; FROM: drugs.dv.isc.org to SERVER: 66.243.87.146
> ;; WHEN: Wed Dec 17 08:32:14 2003
> ;; MSG SIZE sent: 30 rcvd: 46
>
> ; <<>> DiG 8.3 <<>> aaaa www.pics.com +norec @bigip1.pics.com
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26359
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
> ;; QUERY SECTION:
> ;; www.pics.com, type = AAAA, class = IN
>
> ;; AUTHORITY SECTION:
> . 22h31m21s IN NS c.root-servers.net.
> . 22h31m21s IN NS g.root-servers.net.
> . 22h31m21s IN NS f.root-servers.net.
> . 22h31m21s IN NS b.root-servers.net.
> . 22h31m21s IN NS j.root-servers.net.
> . 22h31m21s IN NS k.root-servers.net.
> . 22h31m21s IN NS l.root-servers.net.
> . 22h31m21s IN NS m.root-servers.net.
> . 22h31m21s IN NS i.root-servers.net.
> . 22h31m21s IN NS e.root-servers.net.
> . 22h31m21s IN NS d.root-servers.net.
> . 22h31m21s IN NS a.root-servers.net.
> . 22h31m21s IN NS h.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> c.root-servers.net. 1d22h31m21s IN A 192.33.4.12
> g.root-servers.net. 1d22h31m21s IN A 192.112.36.4
> f.root-servers.net. 1d22h31m21s IN A 192.5.5.241
> b.root-servers.net. 1d22h31m21s IN A 128.9.0.107
> j.root-servers.net. 1d22h31m21s IN A 192.58.128.30
> k.root-servers.net. 1d22h31m21s IN A 193.0.14.129
> l.root-servers.net. 1d22h31m21s IN A 198.32.64.12
> m.root-servers.net. 1d22h31m21s IN A 202.12.27.33
> i.root-servers.net. 1d22h31m21s IN A 192.36.148.17
> e.root-servers.net. 1d22h31m21s IN A 192.203.230.10
> d.root-servers.net. 1d22h31m21s IN A 128.8.10.90
> a.root-servers.net. 1d22h31m21s IN A 198.41.0.4
> h.root-servers.net. 1d22h31m21s IN A 128.63.2.53
>
> ;; Total query time: 255 msec
> ;; FROM: drugs.dv.isc.org to SERVER: 66.243.87.146
> ;; WHEN: Wed Dec 17 08:31:29 2003
> ;; MSG SIZE sent: 30 rcvd: 449
>
>
> > # dig www.pics.com +debug
> >
> > ; <<>> DiG 8.3 <<>> www.pics.com +debug
> > ;; res_nmkquery(QUERY, www.pics.com, IN, A)
> > ;; res options: init debug recurs defnam dnsrch
> > ;; res_send()
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18404
> > ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUERY SECTION:
> > ;; www.pics.com, type = A, class = IN
> >
> > ;; Querying server (# 1) address = 192.135.189.20
> > ;; new DG socket
> > server rejected query:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18404
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUERY SECTION:
> > ;; www.pics.com, type = A, class = IN
> >
> > ;; got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18404
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUERY SECTION:
> > ;; www.pics.com, type = A, class = IN
> >
> > ;; Total query time: 4 msec
> > ;; FROM: picspc01.pics.com to SERVER: default -- 192.135.189.20
> > ;; WHEN: Tue Dec 16 12:58:11 2003
> > ;; MSG SIZE sent: 30 rcvd: 30
> >
> >
> >
> > Here is an example after I restarted bind
> >
> > $ named -v
> > named 8.2.3-REL Thu Feb 15 09:57:28 EST 2001
> > root at picspc01.pics.com:/u3/obj/u3/src/src/usr.sbin/named
> > $ dig www.pics.com +debug
> >
> > ; <<>> DiG 8.3 <<>> www.pics.com +debug
> > ;; res_nmkquery(QUERY, www.pics.com, IN, A)
> > ;; res options: init debug recurs defnam dnsrch
> > ;; res_send()
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47326
> > ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUERY SECTION:
> ;; www.pics.com, type = A, class = IN
> >
> > ;; Querying server (# 1) address = 192.135.189.20
> > ;; new DG socket
> > ;; got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47326
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
> > 0
> > ;; QUERY SECTION:
> > ;; www.pics.com, type = A, class = IN
> >
> > ;; ANSWER SECTION:
> > www.pics.com. 5S IN A 207.8.189.152
> >
> > ;; Total query time: 4 msec
> > ;; FROM: picspc01.pics.com to SERVER: default -- 192.135.189.20
> > ;; WHEN: Tue Dec 16 13:42:55 2003
> > ;; MSG SIZE sent: 30 rcvd: 46
> >
> > $
> >
> >
> > Thanks in advance for any advice you can provide.
> >
> > Regards,
> >
> >
> > Terry
> >
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
More information about the bind-users
mailing list