BIND can't resolve with unreachable second NS

Bob Rahe bob at hobbes.dtcc.edu
Thu May 8 14:15:21 UTC 2008


  A puzzle...

  Solaris 10, BIND 9.4.2.

  We've been having a problem resolving a web site name.

  Trying to resolve www.childcaremanager.com.  Turns out that is a CNAME
to childcaremanager.com.

  THAT domain claims to have 2 dns servers:

      ns1.ccmturbo.com   at 69.9.147.35
and   ns2.ccmturbo.com   at 69.9.147.36

  But...  two interesting things.  From a different network I can find
that childcaremanager.com actually is an A record to the 147.35
address.  AND... the ns2 address does not respond.  In fact, if I try
to ping it from both the other network and here I get:

hobbes% ping 69.9.147.36
ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
 for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.36)
ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
 for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.36)
ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
 for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.36)

(and doing a traceroute, I see there's some odd routing loop where it bangs
around two different addresses near it until the TTL expires. Again, from
both networks.)

But for ns1 I get:

hobbes% ping 69.9.147.35
69.9.147.35 is alive

  And... the upshot is, any nslookups I try seem to blackhole.  For
whatever reason all of our nameservers seem to get hung up if that
second ns isn't working.  Cause if I do a lookup directly via ns1 I can
get an answer:

; <<>> DiG 9.2.8-P1 <<>> @ns1.ccmturbo.com. www.childcaremanager.com. any
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 910
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.childcaremanager.com.	IN	ANY

;; ANSWER SECTION:
www.childcaremanager.com. 0	IN	CNAME	childcaremanager.com.

;; ADDITIONAL SECTION:
childcaremanager.com.	3600	IN	A	69.9.147.35

;; Query time: 104 msec
;; SERVER: 69.9.147.35#53(69.9.147.35)
;; WHEN: Mon May  5 09:52:54 2008
;; MSG SIZE  rcvd: 72

  Ideas?  Why do nameservers on another network (also BIND of various
semi-recent vintage) seem to be able to resolve this but mine seem to
blackhole on it?  We're running BIND 9.4.2 and some 9.2.8-P1 on unix
(Solaris 10 and 9) here.  I've googled, searched Sun and sunmanagers and
come up empty.

  I did find one reference from back when Solaris ran 4.x BIND about the
resolver only looking at one NS it got back but that was claimed to be
solved by using 'modern' sources.... Which one would think these are...

???

Tnx,

  Bob

-- 
---------------------------------------------------------------------_------
|Bob Rahe, MIEEE, bob at dtcc.edu (RWR50)   /    ASCII ribbon campaign ( )    |
|Delaware Technical & Community College /      - against HTML email  X     |
|Computer Center, Dover, Delaware      /                   & vCards / \    |
----------------------------------------------------------------------------

