Bind Domain Expiration Problem

Kevin Darcy kcd at daimlerchrysler.com
Tue Apr 17 21:58:26 UTC 2007


According to the .pk nameservers, pipelink.com.pk is delegated to 
ns1.kdasystems.net and ns2.kdasystem.net, but only one of those 
(ns1.kdasystems.net) resolves to an address (looks like the other name 
is typo'ed), and according to that nameserver, the one and only NS for 
pipelink.com.pk is ns.pipelink.com.pk. This sets the stage for a nasty 
little chicken-and-egg situation, where the A record for 
ns.pipelink.com.pk times out of the cache, and no A record can be 
resolved for it, since it's in a zone the only NS of which has an 
unresolvable A record. Once that happens, the whole zone becomes 
unresolvable, short of a restart.

It doesn't help matters, either, when there is only 1 NS published at 
the apex of a zone. That nameserver then becomes a Single Point of 
Failure. It's actually *required* by the DNS standards, to have at least 
2 nameservers for a zone, but it's not enforced effectively.

The domain owners and/or maintainers need to clean this all up. The NS 
records in the delegations should match the NS records at the apex of 
the zone, or, in the worst case, during a transition, the apex NS 
records should be a superset of the (soon-to-be-changed) delegation records.

                                                                         
- Kevin
 
Mohsin Raza wrote:
> One thing I would like to make clear is I'm not authoritative for 
> pipelink.com.pk but I'm just having a problem resolving this 
> particular domain. I've also checked TCP traffic between both servers 
> and it's working fine.
>
> Dawn Connelly wrote:
>
>   
>> Make sure that TCP and UDP 53 is open from the Slave server to the 
>> master server. Probably what is happening is that traffic is allowed 
>> one direction but not the other. There is something about the notify 
>> packets that isn't working for you. Typically what happens is that the 
>> slave server sends a packet to the master server at the refresh 
>> interval asking "Hey, is this serial number still good?" Then the 
>> master server replies with either a yes or a no. If the answer is no, 
>> a zone transfer takes place. That traffic happens over TCP. I would 
>> definitely check the network path first.  A simple test would be 
>> "telnet <master_server_IP> 53" from the slave server and try the 
>> inverse from the master. If you can't connect both directions, you 
>> found your problem.
>>
>> On 4/17/07, Mohsin Raza <mohsin at max.com.pk> wrote:
>>
>>     I'm administering two name servers which are working fine, but I'm
>>     facing a problem with the domain pipelink.com.pk: the record
>>     expires after about 24 hours. When I reload rndc and restart the
>>     BIND service, the domain starts to resolve again.
>>
>>     I've searched a lot but I can't figure out what the problem is and
>>     how to resolve it. So kindly provide any useful information in this
>>     regard, I shall be thankful.
>>
>>     --
>>     Thanks & regards,
>>
>>     Mohsin Raza
>>
>>     Maskatiya Communications (pvt) Ltd.
>>
>>
>>     
>
>
>   
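
The delegation checks described in the message above, as an added example that is not part of the original thread. It assumes the NS sets have already been collected with non-recursive queries to the parent and child servers; the function name, finding codes and the `resolvable`/`glue` inputs are hypothetical, and the sample data is constructed from the names quoted in the message.

```python
# Added example: offline audit of a delegation for the problems described above.
# Inputs would normally come from non-recursive NS queries to the parent (.pk)
# servers and to the zone's own server; here they are constructed sample data.

def norm(name):
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.rstrip(".").lower()

def in_zone(name, zone):
    """True if name is at or below zone, so its address lives inside the zone."""
    return norm(name) == norm(zone) or norm(name).endswith("." + norm(zone))

def audit_delegation(zone, parent_ns, apex_ns, resolvable, glue):
    """Return (code, detail) findings.
    parent_ns:  NS names in the parent's delegation
    apex_ns:    NS names published at the zone apex by its own server
    resolvable: delegation NS names that resolve to an address
    glue:       NS names for which the parent supplies glue addresses
    """
    parent = {norm(n) for n in parent_ns}
    apex = {norm(n) for n in apex_ns}
    resolvable = {norm(n) for n in resolvable}
    glue = {norm(n) for n in glue}
    findings = []
    for n in sorted(parent - resolvable):
        findings.append(("DELEGATION_NS_UNRESOLVABLE", n))
    for n in sorted(parent - apex):   # apex should be a superset of the delegation
        findings.append(("DELEGATION_NS_NOT_AT_APEX", n))
    for n in sorted(apex - parent):
        findings.append(("APEX_NS_NOT_DELEGATED", n))
    if len(apex) < 2:
        findings.append(("SINGLE_APEX_NS", ",".join(sorted(apex))))
    # An in-zone NS without glue can only be found by asking the zone itself.
    stuck = {n for n in apex if in_zone(n, zone) and n not in glue}
    if apex and stuck == apex:
        findings.append(("CIRCULAR_DEPENDENCY", norm(zone)))
    return findings

SAMPLE = {  # constructed from the names quoted in the message
    "zone": "pipelink.com.pk",
    "parent_ns": ["ns1.kdasystems.net", "ns2.kdasystem.net"],
    "apex_ns": ["ns.pipelink.com.pk"],
    "resolvable": ["ns1.kdasystems.net"],
    "glue": [],
}

if __name__ == "__main__":
    for code, detail in audit_delegation(**SAMPLE):
        print(f"{code:28} {detail}")
```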


