NXDOMAIN returned on while updating

Nick Garfield Nicholas.Garfield at cern.ch
Thu Dec 14 21:17:33 UTC 2006


Hello fellow bind-users!

I really hope one of you has some advice for how to solve the following
problem:

We have a well-cared-for, reliable campus DNS service based on BIND 9.3
with a hidden master -> authoritative slave architecture.

Typical load on the authoritative servers is about 400 queries per
second.

There is a mix of small dynamic zones with ixfr/journalling/ddns and
large (100,000 line) zones with a traditional
load-a-new-file/bump-serial and axfr system.

This architecture has proved to be very stable until one day a user
(providing services themselves) complained that they were getting host
resolution errors.  I was somewhat skeptical as our alarm system was not
complaining. 

So I wrote a quick Perl Net::DNS script to query the DNS every second.
To my amazement the script reported (in synchronization with large zone
transfers by axfr) that there is indeed a problem - in fact a
potentially very serious problem: each time there is a large zone
transfer the test query received at least one NXDOMAIN reply.  Stranger
still is that queries to any other locally hosted domains and
sub-domains show the same symptom even though the zone transfer is for
another domain.  It would not be so bad if this was a time-out, but
NXDOMAIN is the worst reply possible because the host is told the record
does not exist.

Anyone out there got a fix for this?

I would be grateful to get any replies, even if bad news!

Thanks in advance.

Regards,

Nick 

------------------
Dr. Nick Garfield
IT/CS Group
CERN
CH-1211 Geneve 23
Switzerland

T: +41 22 767 4533
M: +41 76 487 3282
http://consult.cern.ch/xwho/people/394262
------------------   
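
A probe of the kind described in the message above, as an added example that is not the poster's Perl script: it sends one A query per second over UDP and reports every reply that is not NOERROR, keeping NXDOMAIN (and whether the authoritative bit was set) distinct from a timeout. The server address 192.0.2.53 and the name host.example.org are placeholders, and all function names are this example's own.

```python
import socket
import struct
import time

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, qtype=1):
    """Encode a one-question DNS query (qtype 1 = A, class IN)."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)  # flags 0: RD clear
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(reply, qid):
    """Return (status, authoritative) read from the header of a raw reply."""
    if len(reply) < 12:
        return "MALFORMED", False
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid or not flags & 0x8000:  # ID mismatch, or QR bit not set
        return "MALFORMED", False
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), bool(flags & 0x0400)  # AA bit

def probe(server, name, qid, timeout=1.0):
    """Send one query; a missing reply is TIMEOUT, never folded into NXDOMAIN."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "TIMEOUT", False
    finally:
        sock.close()
    return classify(reply, qid)

def run(server, name, count, interval=1.0):
    """Probe once per interval and print a UTC-stamped line for each failure."""
    for i in range(count):
        status, aa = probe(server, name, i & 0xFFFF)
        if status != "NOERROR":
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            print(stamp, server, name, status, "aa" if aa else "-")
        time.sleep(interval)

if __name__ == "__main__":
    # Placeholder server and name: substitute one authoritative slave and a known host.
    run("192.0.2.53", "host.example.org", 5)
```

The UTC timestamps on the failure lines can be compared against the transfer messages in the slave's own log for the same interval.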


