Forwarding Problem (was Re: Ambiguous def of multiple CNAME)

Kevin Darcy kcd at daimlerchrysler.com
Thu Dec 2 04:58:24 UTC 1999


Christine.Tran at east.sun.com wrote:

> >I'm a little confused here: does "[1.2.3.4]" stand for your regular forwarder,
>         [1.2.3.4] is my forwarder on the DMZ.

Understood.

> >What happens after this point in the process?
>         I get what looks like a referral back from the forwarder.  Look at the
>         nsid number
>         Response (USER NORMAL -) nsid=3597 id=13204
>         ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3597
>         Then my internal server tries to follow the referral to finsys name
>         server, but can't.

Well, I'm stumped as to why you'd get a referral back to a recursive query when the forwarder supposedly
allows recursive queries and has a valid hints file configured. If you just try to query your forwarder
directly from the command-line, e.g. using nslookup or dig, do you get the same results, i.e. a referral?

> >It also looks like you already had the CNAME cached,
>         Well, now you got me thinking, porttracker.foo.com has a default TTL
>         of 24H.  The target, porttracker.finsys.com has a TTL of 1H.  After 1H
>         the finsys.com A RR will expire, but the foo.com CNAME RR will not.
>         But the forwarder knows nothing about this CNAME relationship, the
>         query to it is of type A only.  Oh, headaches!

The forwarder should be trying to fetch the A record for you. If it gets a definitive answer that the
A doesn't exist, it should return the CNAME without the A. If it fails to get an answer for the A (e.g. by
timing out or finding all the NS'es for the zone lame), it should return SERVFAIL.

> >unless someone in your forwarding chain has recursion turned off
>         No, it's all on.
>
> >If your firewall is misconfigured to forward to an Internet root server
>         No, forwarder uses hint file.
>
> >if you do get a referral back, you shouldn't be trying to follow it if global forwarding is in effect;
>         Well, forward only is broken in 8.2.  Default is forward first.

I looked back through my archives and the only reference I found to forward only being broken in 8.2 was
accompanied by some advice to upgrade to 8.2.1; presumably it still has a clean bill of health in 8.2.2-p5,
and I can confirm that it does what it's supposed to in my blah.chrysler.com-aliased-to-www.sun.com mockup.
If you're running 8.2, maybe there are some related bugs which affect forward first which may go away when
you upgrade. The forward first setting does explain why you're trying to follow the referrals, but it still
doesn't explain why you got a referral in the first place. What version is your forwarder running?


- Kevin
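
An added example, not from this thread, of the check Kevin suggests (query the forwarder directly and see whether what comes back is a referral rather than an answer): a small wire-format parser that reads the header flags and the record types in the answer and authority sections and labels the response. The two sample messages are constructed here with the hostnames from the thread, not captured from any real server; the names and classifier labels are my own.

```python
import struct

def build_name(name):  # dotted name -> uncompressed wire format
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def read_name(msg, off):  # decode a possibly compressed name -> (name, offset past it)
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_response(msg):  # header flags + RR types in the answer/authority sections
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        off = read_name(msg, off)[1] + 4
    out = {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080), "rcode": flags & 0xF}
    for section, count in (("answer", an), ("authority", ns)):
        out[section] = []
        for _ in range(count):
            off = read_name(msg, off)[1]
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            out[section].append(rtype)
            off += 10 + rdlen
    return out

def classify(resp):  # label a response as the thread discusses them (A=1, NS=2, CNAME=5)
    if resp["rcode"] == 2: return "SERVFAIL"
    if 1 in resp["answer"]: return "answer"
    if 5 in resp["answer"]: return "cname-without-a"    # CNAME back but target A unresolved
    if not resp["answer"] and 2 in resp["authority"] and not resp["aa"]:
        return "referral"                               # a forwarder should not hand this back
    return "other"

# Constructed messages (thread hostnames, bytes built here, not a capture); 0x8180 = QR,RD,RA, NOERROR.
Q = build_name("porttracker.foo.com") + struct.pack("!HH", 1, 1)   # question ends at offset 37
REFERRAL = (struct.pack("!6H", 0x0E0D, 0x8180, 1, 0, 1, 0) + Q
            + build_name("finsys.com") + struct.pack("!HHIH", 2, 1, 3600, 5)
            + b"\x02ns\xC0\x25")                        # rdata: "ns" + pointer to finsys.com
CNAME_ONLY = (struct.pack("!6H", 0x0E0E, 0x8180, 1, 1, 0, 0) + Q
              + b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 86400, 24)
              + build_name("porttracker.finsys.com"))   # 24 bytes of rdata
```

Feed it the raw bytes of a UDP reply from the forwarder (e.g. captured with tcpdump) and a "referral" label with `ra` set is exactly the contradiction Kevin describes: the server advertises recursion but hands back NS records instead of resolving.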




More information about the bind-users mailing list