Problems after 8.3.3 upgrade
Nick Hengeveld
nickh at yaga.com
Thu Jul 18 23:08:38 UTC 2002
On Wed, Jul 17, 2002 at 12:58:57AM -0700, Doug Barton wrote:
> > Also, would that explain why the problem goes away when I force a cname
> > lookup?
>
> Actually I can't. I have bind 8.3.3 resolvers and I don't see this
> problem.
I've been doing some more research and have more complete information on
the circumstances under which I can reproduce this problem:
- server is running bind 8.3.3
- server is behind a PIX firewall
- server is not forwarding
- client issues an A query for a .yahoo.com record which is a CNAME to
  an Akamai record
- the TTL for the CNAME record has recently expired
The problem was first reported on June 28, which is also the day we
upgraded from 8.2.3 to 8.3.3. It has only been reported with
.yahoo.com addresses.
The servers tested were all running the same bind from an 8.3.3 RPM built
in-house.
The PIX and our border router log ACL denials, and there were no messages
in our PIX or router logs regarding denied traffic to or from the name
servers. I've tested on servers with a static conduit on the PIX as well
as servers that share a single NAT address with PAT.
I cannot reproduce the problem:
- when the server runs bind from the 8.2.3 RPMs
- when the server is configured to "forward only" to our servers outside
  the firewall
- when the client queries a .yahoo.com record which is an A record
- when the client queries a .yahoo.com record which is a CNAME to another
  .yahoo.com A record
- when the client queries a .lycos.com record which is a CNAME to an
  Akamai record
Once the problem has happened, right after the TTL expiration, I've seen
cases where lookups start working again after 30 seconds and cases where
lookups fail until I query the .yahoo.com CNAME or restart named. Lookups
always start working immediately after I query the .yahoo.com CNAME.
At this point, it's easy enough for me to get around this using
forwarding, but I'd love to know why it's happening.
--
For a successful technology, reality must take precedence over public
relations, for nature cannot be fooled.