Problem resolving a domain on my cache server. (part II)
Ronan Flood
ronan at noc.ulcc.ac.uk
Wed Mar 23 17:07:27 UTC 2005
"Fabiano Silos Reis" <fsilos at ig.com> wrote:
> I know what you mean. The problem is that my cache server keeps
> resolving for a while but somehow from time to time this host
> (www.redecard.com.br) cannot be resolved by my cache server (my server
> answers with timeout responses). But when this host cannot be resolved by

When this happens, what does your server show for

dig redecard.com.br. ns +norec
dig regulus1.credicard.com.br. a +norec
dig canopus1.credicard.com.br. a +norec

I mean, does it still have the information about how to get to the
record for www.redecard.com.br?

> my cache server I set up a script that digs this host directly from their
> two ns
>
> dig -b mycacheserver_ip_address#the_same_src_port_namded_is_using
> www.redecard.com.br @200.211.224.110
> dig -b mycacheserver_ip_address#the_same_src_port_namded_is_using
> www.redecard.com.br @200.211.224.111
>
> I get positive answers. So I suppose it is not communication fault or
> their fault.
>
> Don't you think my cache server daemon may be losing something when it
> tries to resolve this specific host?

One thing I notice is that on a direct query, their nameservers do not
return authority and additional records for the NS/A:

% dig @200.211.224.111 www.redecard.com.br. a +norec

; <<>> DiG 9.2.3 <<>> @200.211.224.111 www.redecard.com.br. a +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23575
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.redecard.com.br. IN A

;; ANSWER SECTION:
www.redecard.com.br. 3600 IN A 200.185.9.46

Could that be significant? Also the records they do actually have:

% dig @200.211.224.111 redecard.com.br. ns +norec

;; ANSWER SECTION:
redecard.com.br. 3600 IN NS regulus1.credicard.com.br.
redecard.com.br. 3600 IN NS canopus1.credicard.com.br.

;; ADDITIONAL SECTION:
regulus1.credicard.com.br. 3600 IN A 200.211.224.110
canopus1.credicard.com.br. 3600 IN A 200.211.224.111

have different TTLs from the delegation records:

% dig @a.dns.br. redecard.com.br. ns +norec

;; AUTHORITY SECTION:
redecard.com.br. 86400 IN NS CANOPUS1.CREDICARD.com.br.
redecard.com.br. 86400 IN NS REGULUS1.CREDICARD.com.br.

;; ADDITIONAL SECTION:
CANOPUS1.CREDICARD.com.br. 86400 IN A 200.211.224.111
REGULUS1.CREDICARD.com.br. 86400 IN A 200.211.224.110

which might cause problems. I assume the upper/lowercase differences
are not relevant.

On a BIND 9.3.0 server here, when I do an initial query for
www.redecard.com.br I get

;; ANSWER SECTION:
www.redecard.com.br. 3600 IN A 200.185.9.46

;; AUTHORITY SECTION:
redecard.com.br. 86399 IN NS REGULUS1.CREDICARD.com.br.
redecard.com.br. 86399 IN NS CANOPUS1.CREDICARD.com.br.

i.e. the NS records from the delegation. BIND obviously has, or
had, the A records too, in order to get to www.redecard.com.br,
but does not include them as additional, and does not respond to
a direct query:

% dig REGULUS1.CREDICARD.com.br. a +norec

;; QUESTION SECTION:
;REGULUS1.CREDICARD.com.br. IN A

;; AUTHORITY SECTION:
br. 31117 IN NS C.DNS.br.
br. 31117 IN NS D.DNS.br.
br. 31117 IN NS E.DNS.br.
br. 31117 IN NS A.DNS.br.
br. 31117 IN NS B.DNS.br.

--
Ronan Flood <R.Flood at noc.ulcc.ac.uk>
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)
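
The delegation-versus-zone comparison made in the message above, as an added example that is not part of the original post: this Python sketch parses the NS and A records from the two dig outputs quoted there (parent a.dns.br, child 200.211.224.111), folds name case, and reports TTL mismatches or records seen on only one side. The function names and the finding labels are illustrative.

```python
import re

# Records taken from the dig output quoted in the message (whitespace normalised).
PARENT = """\
redecard.com.br. 86400 IN NS CANOPUS1.CREDICARD.com.br.
redecard.com.br. 86400 IN NS REGULUS1.CREDICARD.com.br.
CANOPUS1.CREDICARD.com.br. 86400 IN A 200.211.224.111
REGULUS1.CREDICARD.com.br. 86400 IN A 200.211.224.110
"""
CHILD = """\
;; ANSWER SECTION:
redecard.com.br. 3600 IN NS regulus1.credicard.com.br.
redecard.com.br. 3600 IN NS canopus1.credicard.com.br.
;; ADDITIONAL SECTION:
regulus1.credicard.com.br. 3600 IN A 200.211.224.110
canopus1.credicard.com.br. 3600 IN A 200.211.224.111
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")

def parse_rrs(text):
    """Map (owner, type, rdata) -> TTL for NS/A lines; ';' comment lines never match."""
    rrs = {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            # DNS names compare case-insensitively, so fold case before comparing.
            rrs[(owner.lower(), rtype, rdata.lower())] = int(ttl)
    return rrs

def compare(parent_text, child_text):
    """Return (kind, owner, type, rdata, parent_ttl, child_ttl) tuples, sorted by record."""
    parent, child = parse_rrs(parent_text), parse_rrs(child_text)
    findings = []
    for key in sorted(parent.keys() | child.keys()):
        p_ttl, c_ttl = parent.get(key), child.get(key)
        if c_ttl is None:
            kind = "only-in-parent"
        elif p_ttl is None:
            kind = "only-in-child"
        elif p_ttl != c_ttl:
            kind = "ttl-mismatch"
        else:
            continue
        findings.append((kind, *key, p_ttl, c_ttl))
    return findings

if __name__ == "__main__":
    for finding in compare(PARENT, CHILD):
        print(finding)
```
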