NXDOMAIN returned on while updating
Kevin Darcy
kcd at daimlerchrysler.com
Fri Dec 15 01:59:08 UTC 2006
Nick Garfield wrote:
> Hello fellow bind-users!
>
> I really hope one of you has some advice for how to solve the following
> problem:
>
> We have a well cared for reliable campus DNS service based on BIND 9.3
> with a hidden master -> authoritative slave architecture.
>
> Typical load on the authoritative servers is about 400 queries per
> second.
>
> There is a mix of small dynamic zones with ixfr/journalling/ddns and
> large (100,000 line) zones with a traditional
> load-a-new-file/bump-serial and axfr system.
>
> This architecture has proved to be very stable until one day a user
> (providing services themselves) complained that they were getting host
> resolution errors. I was somewhat skeptical as our alarm system was not
> complaining.
>
> So I wrote a quick Perl Net::DNS script to query the DNS every second.
> To my amazement the script reported (in synchronization with large zone
> transfers by axfr) that there is indeed a problem - in fact a
> potentially very serious problem: each time there is a large zone
> transfer the test query received at least one NXDOMAIN reply. Stranger
> still is that queries to any other locally hosted domains and
> sub-domains show the same symptom even though the zone transfer is for
> another domain. It would not be so bad if this was a time-out, but
> NXDOMAIN is the worst reply possible because the host is told the record
> does not exist.
>
> Anyone out there got a fix for this?
>
> I would be grateful to get any replies, even if bad news!
>
>
Nick,
I've never seen the behavior you described, even though we have a
similar environment, i.e. many Dynamically-updated zones, a few big ones
that take a long time to transfer (e.g. an 87,000-record zone that we
transfer over the Atlantic). I think we would have noticed this problem
a long time ago, since, as you point out, most apps will simply *fail*
when an erroneous NXDOMAIN is given for a name. Admittedly, as a general
rule, we don't have ordinary end-user clients querying our master
nameserver (it's pretty much dedicated to handling Dynamic Updates and
doing zone transfers), but we do have various clients and processes
querying that box and I'm sure we would have noticed spurious NXDOMAINs
by now...
- Kevin