CNAME and Delegation Problem.

Kevin Darcy kcd at daimlerchrysler.com
Mon Aug 21 23:05:52 UTC 2000


Check all of the usual suspects:

1. are com and dynamic.com both delegated to the correct sets of servers?

2. do the glue records exist, if necessary?

3. are the delegated servers for com and dynamic.com all answering authoritatively?

4. are the NS records returned by those delegated servers for those zones the same as
the delegation NS records?

I believe there are tools available which can check all of this automatically.


- Kevin

xlong at andrew.cmu.edu wrote:

> CNAME and Delegation Problem.
>
> I find problems when I define a CNAME record in a zone whose canonical name
> belongs to a subzone, and this subzone is delegated to another server.
>
> In my network, Machine A is authoritative for [root] zone,
> Machine B is authoritative for [.com] zone, Machine C is authoritative
> for [dynamic.com] zone.
>
> Delegations are set properly: A---(com)->B---(dynamic.com)->C.
>
> Now I have some CNAME records in Machine B's [.com] zone:
> www.esite1.com. IN CNAME www.esite1.dynamic.com.
> www.esite2.com. IN CNAME www.esite2.dynamic.com.
> www.esite3.com. IN CNAME www.esite3.dynamic.com.
> www.esite4.com. IN CNAME www.esite4.dynamic.com.
>
> Then, in Machine C, I have the type-A records for them in zone
> [dynamic.com]:
> www.esite1.dynamic.com.  A 192.168.0.101
> www.esite2.dynamic.com.  A 192.168.0.102
> www.esite3.dynamic.com.  A 192.168.0.103
> www.esite4.dynamic.com.  A 192.168.0.104
>
> When I query from machine B by nslookup, for www.site1.com, it returns
> correctly the IP address "192.168.0.101" as an authoritative answer.
>
> Then I use another cache-only server E, and query machine E through
> nslookup. When I query for name "www.esite?.dynamic.com" (we do not need
> to look up the CNAME this way), everything is fine. I got the authoritative
> answer and the correct IP address.
>
> However, when I query for name "www.esite?.com", the problem appears.
> There are two problems. The first one is that for all of these types of
> queries, they always return a non-authoritative answer, although I am sure
> I have set all the inter-servers as non-recursive, and before each test I
> stopped and started the cache-only server to clear the cache.
>
> The second problem is, after I restart the cache-only server (E), the first
> query returns pretty fast (www.esite1.com), but the queries afterwards
> (of course different names, i.e. www.esite2.com) return quite slowly. When I
> looked at the log and the received queries on server C, it seems the
> following events happened:
>         ...
>         cache-only server E queries for name "www.esite3.com"
>         , ...,
>         E receives the CNAME record and delegation information from B,
>         E queries for canonical name "www.esite3.dynamic.com" to C,
>         C sends back a response including the IP address with the [aa] bit set.
>
> At this point, it seems E keeps ignoring A's response and desperately wants
> to retransmit the same request with the same query ID.
>
> After a 5 second timeout, E sends another query to C, then it accepts C's
> response.
> Here is a typical sequence of packet exchanges. It is "windump -n port 53"
> output:
>
> (I have replaced the IP addresses with server names in the context; words
> after // are my comments)
>
> 08:24:40.751706       E.53 >       B.53: 43012 (33)
> 08:24:40.752076       B.53 >       E.53: 43012*- 1/1/1 (107)       // get the canonical name
>
> 08:24:40.753596       E.53 >       C.53: 43013 (41)                // ID 43013, first query to C
> 08:24:40.754311       C.53 >       E.53: 43013*- 1/1/1 (105) (DF)
>
> 08:24:44.749240       E.53 >       C.53: 43013 (41)                // ID 43013, repeated
> 08:24:44.749823       C.53 >       E.53: 43013*- 1/1/1 (105) (DF)
>
> 08:24:45.749598       E.53 >       C.53: 43014 (41)                // Time Out, different ID query again
> 08:24:45.750303       C.53 >       E.53: 43014*- 1/1/1 (105) (DF)
>
> 08:24:52.749288       E.53 >       C.53: 43013 (41)                // ID 43013, repeated
> 08:24:52.749978       C.53 >       E.53: 43013*- 1/1/1 (105) (DF)
>
> Another behavior is if I do the following, it is OK.
> nslookup
>         set query=CNAME
>         www.esite4.com
>         .....           (server E will cache the CNAME record)
>         set query=A
>         www.esite4.com
>         ..........
>         Then it gives the correct answer, response is prompt but it is a
>         non-authoritative answer.
>
> Does anybody have an idea about where the problem is?
> Is it a bug in the server? I am using BIND 4.9.5 on Windows-NT for
> (A, B, E), and server C is a Sun Ultra-5 running BIND 8.2.2.
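
The pattern in the quoted windump trace (a query ID re-sent to a server that had already replied to it) can be picked out mechanically. The following Python is an added example, not from either poster; the function names are illustrative, and it assumes tcpdump's DNS line format, in which `*` after the ID marks the AA bit and only replies carry answer/authority/additional counts.

```python
import re

# The windump lines quoted in the post, with the poster's // comments dropped.
TRACE = """\
08:24:40.751706 E.53 > B.53: 43012 (33)
08:24:40.752076 B.53 > E.53: 43012*- 1/1/1 (107)
08:24:40.753596 E.53 > C.53: 43013 (41)
08:24:40.754311 C.53 > E.53: 43013*- 1/1/1 (105) (DF)
08:24:44.749240 E.53 > C.53: 43013 (41)
08:24:44.749823 C.53 > E.53: 43013*- 1/1/1 (105) (DF)
08:24:45.749598 E.53 > C.53: 43014 (41)
08:24:45.750303 C.53 > E.53: 43014*- 1/1/1 (105) (DF)
08:24:52.749288 E.53 > C.53: 43013 (41)
08:24:52.749978 C.53 > E.53: 43013*- 1/1/1 (105) (DF)
"""

# time, src.port > dst.port: id, optional flag characters, optional an/ns/ar counts
LINE = re.compile(
    r"(\d+):(\d+):([\d.]+)\s+(\S+)\.53\s+>\s+(\S+)\.53:\s+"
    r"(\d+)([*|+-]*)\s+(\d+/\d+/\d+)?"
)

def parse(trace):
    """Turn tcpdump-style DNS lines into event dicts; unmatched lines are skipped."""
    events = []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s, src, dst, qid, flags, counts = m.groups()
        events.append({
            "t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": src, "dst": dst, "id": int(qid),
            "response": counts is not None,   # only replies carry an/ns/ar counts
            "aa": "*" in flags,               # tcpdump prints '*' when AA is set
        })
    return events

def resends_after_answer(events):
    """Queries re-sent with an ID the server had already answered for that client."""
    answered = {}    # (client, server, id) -> (time of first reply, aa flag)
    findings = []
    for e in events:
        if e["response"]:
            answered.setdefault((e["dst"], e["src"], e["id"]), (e["t"], e["aa"]))
        elif (e["src"], e["dst"], e["id"]) in answered:
            t0, aa = answered[(e["src"], e["dst"], e["id"])]
            findings.append((e["id"], e["src"], e["dst"], round(e["t"] - t0, 3), aa))
    return findings
```

Run over the trace, `resends_after_answer(parse(TRACE))` reports ID 43013 re-sent to C twice, roughly 4 and 12 seconds after C's first authoritative reply, while 43012 and 43014 are not flagged.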





