Fwd: IPv6 client and negative cache - some doubts
Mark Andrews
marka at isc.org
Tue Feb 23 22:19:16 UTC 2010
In message <f677fefa1002230600n4694161cu315e5dd4beaaab02 at mail.gmail.com>, Michal Wesolowski writes:
>
> sorry for replying directly, still have some problems with gmail UI.
>
> ---------- Forwarded message ----------
> From: Michal Wesolowski <gmickyw at gmail.com>
> Date: Tue, Feb 23, 2010 at 2:47 PM
> Subject: Re: IPv6 client and negative cache - some doubts
> To: Sam Wilson <Sam.Wilson at ed.ac.uk>
>
>
> On Tue, Feb 23, 2010 at 1:33 PM, Sam Wilson <Sam.Wilson at ed.ac.uk> wrote:
>
> > In article <mailman.529.1266923597.21153.bind-users at lists.isc.org>,
> > Michal Wesolowski <gmickyw at gmail.com> wrote:
> >
> > > Hello Everyone
> > >
> > > I have a problem with Bind 9.3.6-P1 (included in Solaris 10) but honestly I
> > > don't even understand if it is wrong Bind behaviour or my ignorance. It does
> > > apply only to some specific cases when external domain delegation is also
> > > somewhat broken. My server is caching only. Let me show it by the example:
> > >
> > > Host "www.goleszow.pl" has bad NS delegation on country root servers level
> > > because virtual.sincom.pl is not resolvable:
> > >
> > > goleszow.pl. 86400 IN NS virtual.sincom.pl.
> > > goleszow.pl. 86400 IN NS virtual.jasnet.pl.
> > > ;; Received 91 bytes from 149.156.1.6#53(G-DNS.pl) in 19 ms
> >
> > That may be part of the problem, and it needs to be fixed, but I don't
> > think that's all of it.
> >
>
> > > When dns client asks my server for A record of "www.goleszow.pl" -
> > > everything is fine. But when first query (after cache is flushed) asks for
> > > AAAA record - my server seems to cache negative answer and all subsequent
> > > queries for A record also fails. ...
> > > [snip]
> > > This is what I found in the Bind cache:
> > > # rndc dumpdb -all
> > > # cat /var/named/log/named_dump.db | grep virt
> > > goleszow.pl. 85994 NS virtual.jasnet.pl.
> > > 85994 NS virtual.sincom.pl.
> > > virtual.jasnet.pl. 3194 A 85.202.208.254
> > > virtual.sincom.pl. 3194 \-ANY ;-$NXDOMAIN
> > > ; virtual.jasnet.pl alias jasnet.pl [v4 TTL 3194] [target TTL 3194] [v4 success] [v6 unexpected]
> > > ; virtual.sincom.pl [v4 TTL 3194] [v6 TTL 3194] [v4 nxdomain] [v6 nxdomain]
> > >
> > > Which for me doesn't explain this behaviour. Please advise.
> >
> > Note that line beginning "virtual.jasnet.pl alias jasnet.pl". jasnet.pl
> > is delegated to ns10.az.pl and ns11.az.pl. If you ask them for an A
> > record for virtual.jasnet.pl you get an A record; if you ask for AAAA
> > you get a CNAME pointing to jasnet.pl. I can't imagine what sort of
> > configuration could cause that to happen. I'm also not sure how that
> > might be screwing up your lookups, but it's certainly weird. On the
> > 'fix what you know to be broken' principle I'd try to get that and the
> > broken delegation sorted first before looking any further.
> >
> > Sam
> >
> >
> Thank you Sam for pointing this out. This is probably real source of the
> problem. I looked over what could cause such situation and so far found old
> bug in PowerDNS (but don't know if they use it!) which generated such
> answers when using wildcards.
>
> After some reading my present understanding is that correct response to AAAA
> query when there is such record in the zone and there exists another record
> of different type for the same name - is to reply with empty answer and no
> error (this applies to authoritative NS). So what ns10.az.pl does is not
> consistent with specification.
> However I'm still not sure if bind shouldn't cope with this somehow. I
> understand that if it applied to final query for "www.goliszew.pl" then it
> would be correct for bind to cache it as negative for all types of records.
> But if it concerns bad response for NS? - I don't know.
>
> Thanks
>
> Michal

Well one of the nameservers does not exist and the other is a CNAME.
Both of these are fatal errors for the particular nameserver and
as there are only two nameservers for the zone lookups fail.

Add A records to the sincom.pl and jasnet.pl zones for virtual.sincom.pl
and virtual.jasnet.pl respectively.

Mark

; <<>> DiG 9.3.6-P1 <<>> virtual.sincom.pl aaaa @ns11.az.pl
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45587
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;virtual.sincom.pl. IN AAAA
;; AUTHORITY SECTION:
sincom.pl. 3600 IN SOA ns10.az.pl. admin.az.pl. 2009101603 10800 3600 604800 3600
;; Query time: 356 msec
;; SERVER: 62.146.68.200#53(62.146.68.200)
;; WHEN: Wed Feb 24 09:12:16 2010
;; MSG SIZE rcvd: 85

; <<>> DiG 9.7.0rc1 <<>> virtual.jasnet.pl aaaa @ns11.az.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11702
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;virtual.jasnet.pl. IN AAAA
;; ANSWER SECTION:
virtual.jasnet.pl. 3600 IN CNAME jasnet.pl.
;; AUTHORITY SECTION:
jasnet.pl. 3600 IN SOA ns10.az.pl. admin.az.pl. 2009091500 10800 3600 604800 3600
;; Query time: 334 msec
;; SERVER: 62.146.68.200#53(62.146.68.200)
;; WHEN: Wed Feb 24 09:13:32 2010
;; MSG SIZE rcvd: 99
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
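
The delegation check described in the reply above, as an added example that is not part of the original message or of BIND: it parses dig output for each NS target name and reports whether any nameserver is left usable. The function names are hypothetical, the sample inputs are trimmed copies of the two dig responses quoted above, and treating an empty NOERROR answer as non-fatal is an assumption of this sketch.

```python
import re

# Trimmed copies of the two dig responses quoted in the message above.
DIG_SINCOM = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45587
;; QUESTION SECTION:
;virtual.sincom.pl. IN AAAA
;; AUTHORITY SECTION:
sincom.pl. 3600 IN SOA ns10.az.pl. admin.az.pl. 2009101603 10800 3600 604800 3600
"""
DIG_JASNET = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11702
;; QUESTION SECTION:
;virtual.jasnet.pl. IN AAAA
;; ANSWER SECTION:
virtual.jasnet.pl. 3600 IN CNAME jasnet.pl.
;; AUTHORITY SECTION:
jasnet.pl. 3600 IN SOA ns10.az.pl. admin.az.pl. 2009091500 10800 3600 604800 3600
"""

def classify_ns_target(dig_text):
    """Return (queried name, verdict) for one dig response about an NS target."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    section, qname, answers = None, None, []
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
        elif section == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            qname = line[1:].split()[0].lower()
        elif section == "ANSWER" and line.strip() and not line.startswith(";"):
            owner, _ttl, _cls, rtype = line.split()[:4]
            answers.append((owner.lower(), rtype))
    if status == "NXDOMAIN":
        return qname, "nxdomain"   # the nameserver name does not exist
    if status != "NOERROR":
        return qname, "error"
    if (qname, "CNAME") in answers:
        return qname, "cname"      # NS target is an alias, which RFC 2181 10.3 forbids
    if any(o == qname and t in ("A", "AAAA") for o, t in answers):
        return qname, "address"
    return qname, "nodata"         # name exists, no record of the queried type

def delegation_usable(dig_texts):
    """Lookups can succeed only if at least one NS target is not fatally broken."""
    verdicts = dict(classify_ns_target(t) for t in dig_texts)
    usable = [n for n, v in verdicts.items() if v in ("address", "nodata")]
    return verdicts, bool(usable)
```

Run against the two responses above, both nameservers are classified as fatal, so the delegation has no usable server left.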