NXDOMAIN returned on while updating

Kevin Darcy kcd at daimlerchrysler.com
Fri Dec 15 01:59:08 UTC 2006


Nick Garfield wrote:
> Hello fellow bind-users!
>
> I really hope one of you has some advice for how to solve the following
> problem:
>
> We have a well cared for reliable campus DNS service based on BIND 9.3
> with a hidden master -> authoritative slave architecture.
>
> Typical load on the authoritative servers is about 400 queries per
> second.
>
> There is a mix of small dynamic zones with ixfr/journalling/ddns and
> large (100,000 line) zones with a traditional
> load-a-new-file/bump-serial and axfr system.
>
> This architecture has proved to be very stable until one day a user
> (providing services themselves) complained that they were getting host
> resolution errors.  I was somewhat skeptical as our alarm system was not
> complaining. 
>
> So I wrote a quick perl Net::DNS script to query the DNS every second.
> To my amazement the script reported (in synchronization with large zone
> transfers by axfr) that there is indeed a problem - in fact a
> potentially very serious problem: each time there is a large zone
> transfer the test query received at least one NXDOMAIN reply.  Stranger
> still is that queries to any other locally hosted domains and
> sub-domains show the same symptom even though the zone transfer is for
> another domain.  It would not be so bad if this was a time-out, but
> NXDOMAIN is the worst reply possible because the host is told the record
> does not exist.
>
> Anyone out there got a fix for this?
>
> I would be grateful to get any replies, even if bad news!
>
Nick,
I've never seen the behavior you described, even though we have a 
similar environment, i.e. many Dynamically-updated zones, a few big ones 
that take a long time to transfer (e.g. an 87,000-record zone that we 
transfer over the Atlantic). I think we would have noticed this problem 
a long time ago, since, as you point out, most apps will simply *fail* 
when an erroneous NXDOMAIN is given for a name. Admittedly, as a general 
rule, we don't have ordinary end-user clients querying our master 
nameserver (it's pretty much dedicated to handling Dynamic Updates and 
doing zone transfers), but we do have various clients and processes 
querying that box and I'm sure we would have noticed spurious NXDOMAINs 
by now...

- Kevin
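The once-a-second probe Nick describes, written here as an added stdlib-only Python example (it is neither his Perl Net::DNS script nor any BIND code); the server address, the probed name and the interval are assumptions. It records every non-NOERROR reply with a timestamp so the events can be lined up against the zone-transfer entries in the server's log.

```python
import random
import socket
import struct
import time

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, qtype=1):
    """Build a minimal DNS query (RD=1, class IN) for name/qtype."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(packet, expected_id):
    """Return (rcode name, answer count); reject wrong ids and non-responses."""
    if len(packet) < 12:
        raise ValueError("short packet")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qid != expected_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount

def probe_once(server, name, timeout=2.0):
    """Send one UDP query; return the rcode name, or 'TIMEOUT' if no reply."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
    return parse_response(data, qid)[0]

def watch(server, name, interval=1.0, count=60):
    """Query every `interval` seconds; print and return every non-NOERROR result
    so it can be matched against zone-transfer timestamps in the named log."""
    anomalies = []
    for _ in range(count):
        result = probe_once(server, name)
        if result != "NOERROR":
            stamp = time.strftime("%Y-%m-%d %H:%M:%S")
            print(stamp, server, name, result)
            anomalies.append((stamp, result))
        time.sleep(interval)
    return anomalies
```

Run it as `watch("192.0.2.53", "www.example.edu.")` (assumed values) during a scheduled AXFR; a spurious NXDOMAIN appears as a timestamped line, while a slow server shows up as TIMEOUT instead.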
