ISP caching server setup

Jared Empson jared.empson at zitomedia.com
Thu Aug 7 00:45:38 UTC 2014 

Jared Empson
Systems Administrator
Zito Media
814.260.9450



On Aug 6, 2014, at 7:28 PM, Mark Andrews <marka at isc.org> wrote:

> 
> In message <3A1EBFDB-A033-4E07-BE61-9F6BA6916406 at zitomedia.com>, Jared Empson w
> rites:
>> 
>> I manage a small group of cache only servers for an ISP.  We run Bind 9.7
> 
> You run BIND 9.7.0 and haven't applied any of the maintainence releases
> to BIND 9.7. 

I just updated the bind instance with the Ubuntu Lucid packages so I’m running version BIND 9.7.0-P1.

> 
>> and have noticed that several domains our customers would like to access
>> are unavailable from our cache servers.  These same domains work on other
>> provider networks such as Verizon or Google.
> 
> In BIND 9.7.0 we restored the code to skip to non authorative answers
> from supposedly authorative servers having fixed a bug in named.
> Unfortunately there are some zones for which all the servers are
> broken and don't return authorative (aa=1) answers.
> 
> BIND 9.7.1 reversed the change to skip non authorative answers
> despite it being technically correct.

Do you suggest we upgrade to bind version 9.7.1?

> 
>> What I have found is that these domains all have misconfigured glue
>> records.  This could be cause by a recent change of registrar or a
>> misconfigured zone file pointing to NS records that no longer exist as
>> glue records.  Because of this any query of a host from these domains
>> receive a non-authoratative response and are dropped by our cache servers.
>> 
>> How do I configure the cache server to accept the non-authoritative
>> response to provide our customers access to these domains with out
>> forwarding to Google's caching servers?
> 
> 
>> An example domain is losscontrol360.com.
>> What our customers receive:
>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;losscontrol360.com.		IN	A
>> 
>> ;; Query time: 1380 msec
>> ;; SERVER: 10.100.2.11#53(10.100.2.11)
>> ;; WHEN: Wed Aug  6 16:00:55 2014
>> ;; MSG SIZE  rcvd: 36
>> 
>> What our cache server receives:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
>> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1280
>> ;; QUESTION SECTION:
>> ;losscontrol360.com.		IN	A
>> 
>> ;; ANSWER SECTION:
>> losscontrol360.com.	173	IN	A	74.208.98.80
>> 
>> What Google provides:
>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;losscontrol360.com.		IN	A
>> 
>> ;; ANSWER SECTION:
>> losscontrol360.com.	586	IN	A	74.208.98.80
>> 
>> ;; Query time: 174 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Wed Aug  6 16:01:07 2014
>> ;; MSG SIZE  rcvd: 52
>> 
>> Jared Empson
>> Systems Administrator
>> Zito Media
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list