weird bind cache server behaviour - unexpected root hint delegation on forward only zone

Paul Sherratt me at paults.com
Mon Jun 15 21:26:06 UTC 2009


> Does it matter?

Not really, I was just being too picky - wasn't expecting bind to look for
authority for forward zones and then got into a red herring with root NS'
cached on just two servers when all four are heavily utilised (but turns out
our mail servers are only using the first two).

Thanks anyway :-)

 - Paul



On Mon, Jun 15, 2009 at 9:01 PM, Kevin Darcy <kcd at chrysler.com> wrote:

> Does it matter? Two of the servers happened to have root NS records cached.
> You could verify this with rndc dumpdb -cache. The other two servers,
> apparently, had no root NS records cached.
>
> But if the client is just a stub resolver, or set up to forward, it doesn't
> care about the NS records in the Authority Section. It only cares about the
> Answer, which is the same in both cases.
>
>
>                                           - Kevin
>
> Paul Sherratt wrote:
>
>>
>> I have 4 bind cache servers running with config close to what is listed at
>> the bottom of this post.
>>
>> All 4 servers have identical bind configuration, running same bind version
>> (9.5.1-P1), almost identical system layouts.
>>
>> The issue is that on two of the four servers, requests for records in the
>> 'dnsbl' zone return root hints if the forwarded request comes back positive!
>>  If the forwarded request returns NXDOMAIN there are no root hints returned,
>> expected as it is configured 'forward only'.
>>
>>
>> Am I missing something obvious or anyone have an idea what might be going
>> on?  Again, the configs _are_ the same, I don't have any other options like
>> minimal-responses etc set on the two servers that are working as expected!
>>
>>
>> Regards,
>>
>> Paul
>>
>>
>>
>> $ dig 2.0.0.127.sbl.dnsbl @dns[12]
>>
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31470
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;2.0.0.127.sbl.dnsbl.           IN      A
>>
>> ;; ANSWER SECTION:
>> 2.0.0.127.sbl.dnsbl.    300     IN      A       127.0.0.2
>>
>> ;; AUTHORITY SECTION:
>> .                       516796  IN      NS      J.ROOT-SERVERS.NET.
>> .                       516796  IN      NS      K.ROOT-SERVERS.NET.
>> ...
>>
>> ;; ADDITIONAL SECTION:
>> J.ROOT-SERVERS.NET.     603196  IN      A       192.58.128.30
>> J.ROOT-SERVERS.NET.     603196  IN      AAAA    2001:503:c27::2:30
>>
>> ;; Query time: 8 msec
>> ;; SERVER: x.x.x.x#53(x.x.x.x)
>> ;; WHEN: Mon Jun 15 20:05:44 2009
>> ;; MSG SIZE  rcvd: 308
>>
>>
>>
>> $ dig 2.0.0.127.sbl.dnsbl @dns[34]
>>
>> ; <<>> DiG 9.4.2 <<>> 2.0.0.127.sbl.dnsbl @tch-cache1.dns
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41117
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;2.0.0.127.sbl.dnsbl.           IN      A
>>
>> ;; ANSWER SECTION:
>> 2.0.0.127.sbl.dnsbl.    300     IN      A       127.0.0.2
>>
>> ;; Query time: 8 msec
>> ;; SERVER: x.x.x.x#53(x.x.x.x)
>> ;; WHEN: Mon Jun 15 20:06:56 2009
>> ;; MSG SIZE  rcvd: 53
>>
>>
>>
>> --8<----------------
>>
>> acl good-mx-nets { 1.1.2.16/29;  ... };
>> acl good-nets { 1.1.1.0/19;  ... };
>>
>> view good-mx-view {
>>    match-clients { good-mail-servers; };
>>    zone "dnsbl" { type forward; forward only; forwarders { 1.1.1.10; }; };
>> };
>>
>> view good {
>>  match-clients { good-nets; };
>>  allow-recursion { good-nets; };
>>
>>  zone "." { type hint; file "/etc/bind/db.root"; };
>>  zone "com" { type delegation-only; };
>>  zone "net" { type delegation-only; };
>>
>>  // RFC 1912 zones
>>  zone "localhost" { type master; file "/etc/bind/db.local"; };
>>  zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
>>  zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
>>  zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
>> };
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
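A quick way to confirm Kevin's point across all four caches is to parse the two dig outputs and check that the ANSWER sections match while only the AUTHORITY section (the cached root NS set) and the message size differ. This is an added example, not code from the thread; the sample dig text is constructed from the outputs quoted above, trimmed to two root NS records, and the function names are my own.

```python
import re

# Constructed samples modelled on the two dig outputs quoted in the thread
# (trimmed: the real dns[12] answer carried all 13 root NS records).
DIG_DNS12 = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
2.0.0.127.sbl.dnsbl.    300     IN      A       127.0.0.2
;; AUTHORITY SECTION:
.                       516796  IN      NS      J.ROOT-SERVERS.NET.
.                       516796  IN      NS      K.ROOT-SERVERS.NET.
;; MSG SIZE  rcvd: 308
"""
DIG_DNS34 = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
2.0.0.127.sbl.dnsbl.    300     IN      A       127.0.0.2
;; MSG SIZE  rcvd: 53
"""

def parse_dig(text):
    """Parse dig text output into section counts, per-section RR tuples and message size."""
    out = {"counts": {}, "sections": {}, "size": None}
    section = None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if line.startswith(";; flags:"):
            out["counts"] = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", line)}
        elif line.startswith(";; MSG SIZE"):
            out["size"] = int(line.rsplit(":", 1)[1])
        elif m:
            section = m.group(1)
            out["sections"][section] = []
        elif line and not line.startswith(";") and section:
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            out["sections"][section].append((owner, int(ttl), cls, rtype, rdata))
    return out

def root_ns_in_authority(parsed):
    """True when AUTHORITY is just the root zone's NS set, i.e. cached root NS records."""
    auth = parsed["sections"].get("AUTHORITY", [])
    return bool(auth) and all(rr[0] == "." and rr[3] == "NS" for rr in auth)

def compare_caches(text_a, text_b):
    """Report whether two caches agree on the answer and differ only in authority/size."""
    a, b = parse_dig(text_a), parse_dig(text_b)
    return {"same_answer": a["sections"].get("ANSWER") == b["sections"].get("ANSWER"),
            "root_ns_in_authority": (root_ns_in_authority(a), root_ns_in_authority(b)),
            "size_bytes": (a["size"], b["size"])}
```

A stub resolver or forwarding client uses only the ANSWER section, so `same_answer` is the field that matters; the extra 255 bytes on dns[12] are what `minimal-responses yes;` would trim.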