why bind9 doesn't show A RR's cached with glue credibility even to +norec clients
Ladislav Vobr
lvobr at ies.etisalat.ae
Tue Aug 31 08:33:07 UTC 2004
I have some cases when all nameservers for a *single* domain are
unreachable and bind9 is trying to reach all of them for every single
request it receives. A good thing to do would be bogusing these
nameservers, but there is no way to find their IP addresses?

Although bind9 caches these IP addresses and is flooding them heavily, it
refuses to reveal them to anybody. So it looks to me like the current
procedure to stop this kind of flood is:

1. Miraculously discover the flooded domain
(nobody knows it better than bind, but it is quiet about it)
2. Miraculously discover the A record for each nameserver
(nobody else knows better than your own bind what the cached
addresses for this domain are, but querying it for these A records will not
help)
3. Bogus all these A records

Or better:

1. Ignore it
(make sure your recursive-client queue is at least 20-30 thousand slots
so you can handle it for a limited period of time)

Does anybody know another way?

PS. If you think dig will show it, then you have really never tried it.
If you think bind knows what should be cached as *glue* or *answer*, then
you have never troubleshot it; you need to be very lucky, since
different servers have different opinions about the same thing.

Ladislav
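
Added example, not part of the original post: one way to carry out steps 2 and 3 offline, assuming the operator has a text dump of the resolver's cache (for instance from `rndc dumpdb`, which the post does not mention) in which each rdataset is preceded by a `; <trust>` comment such as `; glue`. The dump layout, the sample records and the function names are assumptions constructed for illustration.

```python
# Constructed sample in the assumed cache-dump layout: a "; <trust>" comment
# precedes each rdataset, and a blank owner field means "same owner as above".
SAMPLE_DUMP = """\
$DATE 20040831083307
; glue
dead.example.\t172000\tNS\tns1.dead.example.
\t\t\t172000\tNS\tns2.dead.example.
; glue
ns1.dead.example.\t172000\tA\t192.0.2.10
; additional
ns2.dead.example.\t86000\tIN A\t192.0.2.20
; answer
www.other.example.\t300\tA\t198.51.100.5
"""

TRUST_LEVELS = {"glue", "additional", "pending-additional", "answer",
                "authanswer", "authauthority", "secure"}

def parse_dump(text):
    """Yield (owner, rtype, rdata, trust) for every record line in the dump."""
    trust = owner = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        if line.startswith(";"):
            label = line[1:].strip()
            if label in TRUST_LEVELS:      # ignore other comment lines
                trust = label
            continue
        fields = line.split()
        if not line[0].isspace():          # new owner name on this line
            owner = fields.pop(0).lower()
        if fields and fields[0].isdigit():  # TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        if owner and len(fields) >= 2:
            yield owner, fields[0].upper(), fields[1], trust

def nameserver_addresses(text, zone):
    """Return sorted (ns_name, address, trust) for the zone's cached NS hosts."""
    zone = zone.lower().rstrip(".") + "."
    records = list(parse_dump(text))
    ns = {rd.lower() for o, t, rd, _ in records if o == zone and t == "NS"}
    return sorted((o, rd, tr) for o, t, rd, tr in records
                  if t in ("A", "AAAA") and o in ns)

def bogus_clauses(text, zone):
    """Render named.conf server statements marking each address bogus."""
    return ["server %s { bogus yes; };" % ip
            for _, ip, _ in nameserver_addresses(text, zone)]

if __name__ == "__main__":
    print("\n".join(bogus_clauses(SAMPLE_DUMP, "dead.example")))
```

The trust label returned with each address shows which entries were cached only as glue or additional data, the case a query against the server does not reveal.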