Problems after 8.3.3 upgrade

Mark_Andrews at isc.org
Fri Jul 19 01:56:18 UTC 2002


> 
> On Wed, Jul 17, 2002 at 12:58:57AM -0700, Doug Barton wrote:
> 
> > > Also, would that explain why the problem goes away when I force a cname
> > > lookup?
> > 
> > Actually I can't. I have bind 8.3.3 resolvers and I don't see this
> > problem.
> 
> I've been doing some more research and have more complete information on
> the circumstances under which I can reproduce this problem:
> 
> - server is running bind 8.3.3
> & server is behind a PIX firewall
> & server is not forwarding
> & client issues an A query for a .yahoo.com record which is a CNAME to
>   an Akamai record
> & the TTL for the CNAME record has recently expired

	Well, the PIX firewall drops EDNS responses that are bigger
	than 512 octets.  Cisco has a bug ID for this.  Contact
	Cisco.

	It takes some time for 8.3.3 to time out all the initial
	EDNS queries and retry w/o EDNS.  The client may timeout
	while this is happening.

	This will fail intermittently depending upon the cache
	contents for the yahoo.com servers, i.e. when the contents
	push the response over 512 bytes.
 
> The problem was first reported on June 28, which is also the day we
> upgraded from 8.2.3 to 8.3.3.  It has only been reported with 
> .yahoo.com addresses.
> 
> The servers tested were all running the same bind from an 8.3.3 RPM built
> in-house.
> 
> The PIX and our border router log ACL denials, and there were no messages 
> in our PIX or router logs regarding denied traffic to or from the name 
> servers.  I've tested on servers with a static conduit on the PIX as well 
> as servers that share a single NAT address with PAT.
> 
> I cannot reproduce the problem:
> 
> - when the server runs bind from the 8.2.3 RPMs
> | when the server is configured to "forward only" to our servers outside
>   the firewall
> | when the client queries a .yahoo.com record which is an A record
> | when the client queries a .yahoo.com record which is a CNAME to another
>   .yahoo.com A record
> | when the client queries a .lycos.com record which is a CNAME to an
>   Akamai record
> 
> Once the problem has happened, right after the TTL expiration, I've seen
> cases where lookups start working again after 30 seconds and cases where 
> lookups fail until I query the .yahoo.com CNAME or restart named.  Lookups 
> always start working immediately after I query the .yahoo.com CNAME.
> 
> At this point, it's easy enough for me to get around this using 
> forwarding, but I'd love to know why it's happening.
> 
> --
> For a successful technology, reality must take precedence over public
> relations, for nature cannot be fooled.
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
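The mechanism Mark describes above (EDNS-first queries, a firewall that silently drops UDP responses over 512 octets, and a fallback to plain queries only after the EDNS attempts time out) can be modelled offline. The following is an added example written for this archive page; it is not code from the thread, from BIND or from Cisco. It hand-builds DNS wire messages with struct, simulates a server whose answer grows with the number of cached A records behind the CNAME, and applies a filter modelled on the PIX behaviour. The retry count, per-attempt timeout, query name handling and the CNAME target name are assumptions chosen for the model, not BIND 8.3.3's actual values.

```python
"""
Added example, not code from the bind-users thread or from BIND: a small
offline model of the failure Mark Andrews describes.  The simulated
resolver queries with EDNS0 first, a filter modelled on the PIX drops any
UDP response over 512 octets, and only after the EDNS attempts time out
does the resolver retry without EDNS.  The retry count and per-attempt
timeout are assumptions chosen for the model, not BIND 8.3.3's values.
"""
import struct

EDNS_UDP_SIZE = 4096   # buffer size the simulated resolver advertises in its OPT RR
PIX_LIMIT = 512        # the simulated firewall drops any UDP response bigger than this
EDNS_ATTEMPTS = 3      # assumed: EDNS tries before falling back to a plain query
ATTEMPT_TIMEOUT = 5.0  # assumed: seconds the resolver waits on each unanswered query
CNAME_TARGET = "a1234.g.akamai.net"  # constructed target for the simulated CNAME


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(qname, edns):
    """A-record query; with edns=True an OPT pseudo-RR is appended in the additional section."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns:
        # OPT RR: root name, type 41, CLASS carries the UDP payload size, TTL 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, 0, 0)
    return msg


def question_length(msg):
    """Length of the single question section that starts at offset 12."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4 - 12


def edns_udp_size(query):
    """UDP payload size advertised by a trailing OPT RR, or None when the query has no EDNS."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount and query[-11:-8] == b"\x00\x00\x29":
        return struct.unpack("!H", query[-8:-6])[0]
    return None


def server_answer(query, n_addresses):
    """Simulated server: CNAME plus n_addresses A records, truncated (TC=1) when the
    answer exceeds the client's buffer.  Size grows with the cached A records."""
    qlen = question_length(query)
    question = query[12:12 + qlen]
    target = encode_name(CNAME_TARGET)
    # CNAME RR: name is a pointer to the question name (offset 12), type 5, IN, TTL, RDLENGTH, target
    cname_rr = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(target)) + target
    target_ptr = struct.pack("!H", 0xC000 | (12 + qlen + 2 + 10))  # pointer to the target name
    a_rrs = [target_ptr + struct.pack("!HHIH", 1, 1, 20, 4) + bytes([10, 0, i >> 8, i & 0xFF])
             for i in range(n_addresses)]
    size = edns_udp_size(query)
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, 0, 0) if size else b""
    limit = size or 512
    flags = 0x8180  # QR, RD, RA
    fixed = 12 + qlen + len(cname_rr) + len(opt)
    kept = a_rrs
    if fixed + 16 * len(a_rrs) > limit:
        kept = a_rrs[:(limit - fixed) // 16]  # drop whole RRs until it fits, then flag truncation
        flags |= 0x0200  # TC
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 + len(kept), 0, 1 if opt else 0)
    return header + question + cname_rr + b"".join(kept) + opt


def pix_filter(response):
    """Model of the PIX behaviour from the thread: responses over 512 octets are silently dropped."""
    return None if len(response) > PIX_LIMIT else response


def resolve(qname, n_addresses):
    """EDNS-first resolver.  Returns (outcome, attempts, simulated_seconds); outcome is
    'answered', 'truncated' (TC set, a real resolver would retry over TCP) or 'servfail'."""
    attempts, elapsed = [], 0.0
    for edns in [True] * EDNS_ATTEMPTS + [False]:
        resp = pix_filter(server_answer(build_query(qname, edns), n_addresses))
        kind = "edns" if edns else "plain"
        if resp is None:
            attempts.append((kind, "timeout"))
            elapsed += ATTEMPT_TIMEOUT  # the stub client may give up while this accumulates
            continue
        attempts.append((kind, len(resp)))
        tc = struct.unpack("!H", resp[2:4])[0] & 0x0200
        return ("truncated" if tc else "answered"), attempts, elapsed
    return "servfail", attempts, elapsed


if __name__ == "__main__":
    for n in (5, 40):  # few vs many cached A records behind the CNAME
        print(n, "addresses:", resolve("www.yahoo.com", n))
```

With five A records the EDNS response is 154 bytes and is answered on the first try; with forty it is 714 bytes, all three EDNS attempts are dropped by the filter, and only the plain retry (truncated to 511 bytes with TC set) gets through after 15 simulated seconds, which is the window in which the client can time out. Forcing the CNAME lookup or forwarding to a server outside the PIX changes which response size is on the wire, which is consistent with the intermittent pattern reported in the thread.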

