facebook.com delegation

Chris Buxton cbuxton at menandmice.com
Tue Nov 27 21:29:05 UTC 2007 

It appears that the load balancers that are authoritative for these  
two zones do not return NS records when answering the queries. In  
fact, if asked for such NS records, they give a negative answer.  
Delegation of these zones, however, looks perfectly normal.

While this is a little weird, and may break the rules a bit, there's  
no problem that it's likely to cause unless a resolving name server  
tries to verify the delegation records. I can see why a software  
designer creating a load balancer might not think there would be any  
problem here.

Testing with my vanilla install of BIND 9.4.1-P1, there is no problem.  
If I ask once for www.facebook.com, the records are retrieved, and I  
see:

;; QUESTION SECTION:
;www.facebook.com.		IN	A

;; ANSWER SECTION:
www.facebook.com.	30	IN	A	69.63.176.11

;; AUTHORITY SECTION:
www.facebook.com.	900	IN	NS	glb01.sctm.tfbnw.net.
www.facebook.com.	900	IN	NS	glb01.sf2p.tfbnw.net.

;; ADDITIONAL SECTION:
glb01.sctm.tfbnw.net.	7200	IN	A	204.15.20.101
glb01.sf2p.tfbnw.net.	7200	IN	A	69.63.176.101

Further requests are answered with the same records, from cache. named  
has not asked the load balancers for the zone's authoritative NS  
records, instead relying on the cached delegation records. In fact, if  
I ask it to look up the zone's NS records, it returns SERVFAIL, and  
does not cache the bogus nxrrset response from the authoritative  
servers.

What name server software are you using for recursion? Are you  
forwarding or recursing? If forwarding, what is the ultimate recursion  
server?

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com

Men & Mice
We bring control and flexibility to network management

This e-mail and its attachments may contain confidential and  
privileged information only intended for the person or entity to which  
it is addressed. If the reader of this message is not the intended  
recipient, you are hereby notified that any retention, dissemination,  
distribution or copy of this e-mail is strictly prohibited. If you  
have received this e-mail in error, please notify us immediately by  
reply e-mail and immediately delete this message and all its attachment.



On Nov 27, 2007, at 12:44 PM, Jeff Wark wrote:

> We are currently having some difficulty resolving facebook.com.   
> Restarts of our nameservers solve the problem for a short time,
> but it crops up again.
>
> It seems that 'www.facebook.com' and 'login.facebook.com' are  
> delegated zones and the delegation is not set up correctly.  The
> name servers for 'www.facebook.com' and 'login.facebook.com' do not  
> return NS records.  Perhaps I am checking something
> incorrectly, its been a long day.
>
> Can anyone confirm or deny these delegation problems?  If confirmed,  
> what kind of problems could be expected?
>
> Thank for taking a look.
>
> Jeff Wark
> TBayTel Internet
>
>

More information about the bind-users mailing list