BIND fails if one of 2 servers is bad?
Barry Margolin
barry.margolin at level3.com
Mon Sep 29 19:16:59 UTC 2003
In article <bl9uc3$9n$1 at sf1.isc.org>,
Andre Burgoyne <comp.protocols.dns.bind at fishbear.com> wrote:
>Running BIND 9.2.1 (RedHat 9), I get the following results:
>
># dig counterpunch.org
>
>; <<>> DiG 9.2.1 <<>> counterpunch.org
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20001
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;counterpunch.org. IN A
>
>But when I do +trace I get:
>
># dig counterpunch.org +trace
>
>; <<>> DiG 9.2.1 <<>> counterpunch.org +trace
>;; global options: printcmd
>...
>org. 86400 IN NS TLD2.ULTRADNS.NET.
>org. 86400 IN NS TLD1.ULTRADNS.NET.
>;; Received 116 bytes from 195.206.104.13#53(M.ROOT-SERVERS.ORSC) in 192 ms
>
>COUNTERPUNCH.ORG. 172800 IN NS NS.LEB.NET.
>COUNTERPUNCH.ORG. 172800 IN NS NS.DOLEH.COM.
>;; Received 100 bytes from 204.74.113.1#53(TLD2.ULTRADNS.NET) in 35 ms
>
>counterpunch.org. 86400 IN A 38.117.146.196
>counterpunch.org. 86400 IN NS ns.leb.net.
>;; Received 74 bytes from 206.127.55.2#53(NS.LEB.NET) in 108 ms
>
>So NS.LEB.NET is working and answers for the domain, but when I do the
>simple query (e.g. for normal web browsing) I get the server fail.
>(Presumably because NS.DOLEH.COM does not exist). Is my server somehow
>mis-configured? Seems like it should answer as long as one of the name
>servers is responding (isn't that the whole point of redundant servers?)
My first guess is that NS.DOLEH.COM *did* exist at the time you did the
initial query, but it didn't have the zone loaded into its configuration.
So you had a 50% chance of querying a lame server. Failover only occurs if
a server doesn't respond at all; if it responds with a SERVFAIL error code,
this response is passed on to the client.
BTW, it looks like the registration of the domain has since been updated;
the delegation now points to ns1.leb.net and ns2.leb.net. However, this
could be the source of another problem, because this didn't match the NS
record on the authoritative server, which was:
counterpunch.org. IN NS ns.leb.net.
This is what's in my caching server's memory, but it looks like leb.net has
fixed it to match the delegation since it got cached. However, there's a
similar inconsistency in the leb.net domain itself, which they *haven't*
fixed. This could cause problems due to glue issues.
--
Barry Margolin, barry.margolin at level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
More information about the bind-users
mailing list