Server failed Errors from the Outside

Bill Chatfield bill.chatfield at netcommunity.com
Sun Nov 28 00:36:26 UTC 1999 

I am having a problem resolving host names on our network from the
outside.  By this I mean when you use a name server other than our own
primary name server to resolve names in our domain.  I call these
"indirect" queries because the outside name server has to ask a root
name server for our name server's address and then contact our name
server.  Technically this is a recursive lookup, but "indirect" makes
much more sense to me because "recursive" is too vague to convey any
useful information.

I am using bind 4.9.3 P1 on Solaris 2.5.1.  I have applied the current
patch, 103663-15, from Sun.  I have installed bind 8.2.2 P5 and it has
the same problem.  I have been over the config files many times and can
find no errors in them.

All host names resolve correctly as long as you are on a machine in our
domain, netcommunity.com, resolving names using our primary name
server.  The problem only occurs when you use a name server other than
our primary.

Sometimes a particular subset of our host names will resolve from the
outside and the rest will not resolve.  They return a "Server failed"
error with nslookup.  After some unknown period of time, the subset
changes.  Other hosts will resolve and others won't.

I have set up an additional name server (Red Hat Linux 6.0, bind 8.2,
hereafter called "test") on our network so that I can test "indirect"
queries to our primary name server, because this is the only time the
error occurs.

I have figured out that if I specify a TTL value of 0 in the SOA record
for the domain in the primary name server, restart the test name server,
and run indirect queries through the test name server, the problem does
not occur.  So, I think it has something to do with the cache.

With a normal TTL value (after a restart), the test name server will
indirectly resolve the first host name I ask it to resolve.  It is a
caching only name server and is supposed to ask our primary name server
(through a root name server) for all host names on netcommunity.com.
Every host name query after the first results in a "Server falied"
error.  Running snoop on the primary name server, I can see that the
test name server never contacts the primary name server for all lookups
following the first one.  It does contact the primary for the first
lookup.  It always contacts a root name server.

I've found the debug output of named to be impossible to read, but I
have seen ncache messages indicating that negative responses are being
cached.

I've attached the db file for netcommunity.com.

You can test this situation by doing this:

nslookup www.netcommunity.com ns1.kreber.com
nslookup pokey.netcommunity.com ns1.kreber.com

which will work every time.  ns1.kreber.com is our primary name server.
Then try this:

nslookup www.netcommunity.com ns.redhat.com
nslookup pokey.netcommunity.com ns.redhat.com
nslookup jhad.netcommunity.com ns.redhat.com

One of those at any given time will not work, even though they are valid
names.  You can substitue gumby.netcommunity.com or your name server for
ns.redhat.com.  gumby has the name server I set up to run tests.

I really have no clue why this is happening.  I'm hoping you can help.
If you need any additional information, let me know and I'll provide
it.  Thanks.

--
Bill Chatfield - Vice President of Technology - NetCommunity
bill.chatfield at netcommunity.com
670 Harmon Avenue, Columbus, Ohio 43223
Phone: (614) 228-9977, FAX: (614) 228-2115



-- Attached file included as plaintext by Listar --
-- File: db.netcommunity.com

; ---------------------------------------------------------------------------
; This table was created by Bill Haase Internet Media Properties on Jan 27, 1998
; Emergency Contact is Bill Haase, Pager (614) 731-9033 Mobile (614) 207-4257
; ---------------------------------------------------------------------------

$ORIGIN netcommunity.com.

@       IN SOA ns1.kreber.com. billc.netcommunity.com. (
          1999112701   ; serial
               86400   ; refresh
               21600   ; retry
              604800   ; expire
                   0 ) ; TTL minimum
; TTL minimum use to be 86400

		IN NS	198.212.27.4.
		IN NS	206.183.224.8.	
		IN NS	206.183.224.7.	
		IN NS	206.183.226.10.	
; ------------------------------------------------------------------------
;
netcommunity.com.	IN MX 10	pokey.netcommunity.com.
jhad			IN A		198.212.27.132
bodasheck		IN A		198.212.27.143
burnbaby		IN A		198.212.27.160
sales			IN A		198.212.27.185
ns1			IN A 		198.212.27.192
simba			IN A		198.212.27.194
zuul			IN A		198.212.27.195
winnt2			IN A		198.212.27.197
winnt3			IN A		198.212.27.198
pokey			IN A		198.212.27.199
gumby			IN A		198.212.27.200
winnt1			IN A		198.212.27.238
hal			IN A		198.212.27.242
yaldwan			IN A		198.212.27.243
www		     	IN A		198.212.27.254
ftp			IN CNAME	pokey.netcommunity.com.
pulsar			IN CNAME	ns1.netcommunity.com.
mail			IN CNAME	pokey.netcommunity.com.
dev			IN CNAME	gumby.netcommunity.com.
; ------------------------------------------------------------------------
; Test sites currently on gumby.
; ------------------------------------------------------------------------
test.grangeinsurance	IN A		198.212.27.200
test.gtgi		IN A		198.212.27.200
test.netcommunity	IN A		198.212.27.200
test.securitydocuments	IN A		198.212.27.200
test.trimsystems	IN A		198.212.27.200
test.flashpilot		IN A		198.212.27.200

More information about the bind-users mailing list