DNS "chicken-and-egg" Problem
JINMEI Tatuya / 神明達哉
Jinmei_Tatuya at isc.org
Mon Oct 27 21:41:23 UTC 2008
At Mon, 27 Oct 2008 14:56:18 -0500 (CDT),
bsfinkel at anl.gov wrote:
> One "problem" that I see is this - the mail comes from the same nodename
> as the authoritative DNS server for the sub-domain, so if BIND does not
> have the address of
>
> igpp.ucla.edu
>
> then it needs that address in order to query the authoritative name
> server. And in my testing this morning I found that when I queried the
> four parent name servers and received the proper referral (along with
> the desired IP address) that glue information was not in the cache.
> Is the problem that when BIND needs to get the desired address, it
> does recursive queries from the root, gets the information, and then
> does not cache it? If I know the address of the nameserver and send

If it's the bug I mentioned, it's not about the missing glue
(address). I suspect the NS record of igpp.ucla.edu was (incorrectly)
purged during the resolution process of igpp.ucla.edu itself, most
likely by the address glue record.

I also guess you use the default max-cache-size of 9.5.0-P2 (which is
32MB). Using such a small cache size on a moderately busy server
tends to trigger this cache management bug. So, as a workaround I'd
suggest you raise the cache size (if you haven't) to a reasonably large
value, e.g., 256MB or even more, depending on the available memory on
your machine.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.