Problems after 8.3.3 upgrade

Nick Hengeveld nickh at yaga.com
Thu Jul 18 23:08:38 UTC 2002 

On Wed, Jul 17, 2002 at 12:58:57AM -0700, Doug Barton wrote:

> > Also, would that explain why the problem goes away when I force a cname
> > lookup?
> 
> Actually I can't. I have bind 8.3.3 resolvers and I don't see this
> problem.

I've been doing some more research and have more complete information on
the circumstances under which I can reproduce this problem:

- server is running bind 8.3.3
& server is behind a PIX firewall
& server is not forwarding
& client issues an A query for a .yahoo.com record which is a CNAME to
  an Akamai record
& the TTL for the CNAME record has recently expired

The problem was first reported on June 28, which is also the day we
upgraded to from 8.2.3 to 8.3.3.  It has only been reported with 
.yahoo.com addresses.

The servers tested were all running the same bind from an 8.3.3 RPM built
in-house.

The PIX and our border router log ACL denials, and there were no messages 
in our PIX or router logs regarding denied traffic to or from the name 
servers.  I've tested on servers with a static conduit on the PIX as well 
as servers that share a single NAT address with PAT.

I cannot reproduce the problem:

- when the server runs bind from the 8.2.3 RPMs
| when the server is configured to "forward only" to our servers outside
  the firewall
| when the client queries a .yahoo.com record which is an A record
| when the client queries a .yahoo.com record which is a CNAME to another
  .yahoo.com A record
| when the client queries a .lycos.com record which is a CNAME to an
  Akamai record

Once the problem has happened, right after the TTL expiration, I've seen
cases where lookups start working again after 30 seconds and cases where 
lookups fail until I query the .yahoo.com CNAME or restart named.  Lookups 
always start working immediately after I query the .yahoo.com CNAME.

At this point, it's easy enough for me to get around this using 
forwarding, but I'd love to know why it's happening.

--
For a successful technology, reality must take precedence over public
relations, for nature cannot be fooled.

More information about the bind-users mailing list