Problem with a host Delegation

Mark_Andrews at isc.org
Tue Dec 16 21:40:45 UTC 2003


> Hi,
> 
> I have implemented a F5 Networks Link Controller to do inbound load
> balancing.  In order to make this device work you need to have the LC
> respond to DNS requests for IP addresses you wish to inbound load
> balance.  I did this with my webserver by adding NS records for the
> webserver host.
> 
> ie:
> ;www    3600    IN      A       192.135.189.20
> www     3600    IN      NS      bigip1.pics.com.        ;Cl=2
>         3600    IN      NS      bigip2.pics.com.        ;Cl=2
> 
> Bind 8.2.3-REL on the parent (where the zone file resides) answers
> fine 75% of the time, the other 25% of the time it reports a SERVFAIL
> and I see no proof (with tcpdump) that bind is asking the F5 device
> for the IP of www.pics.com.
> 
> Here is a dig debug (from the parent 192.135.189.20) but I have no
> idea what this means or how to correct.

	I suggest that you choose another vendor.  Your load balancer
	does not implement the base DNS specification (RFC 1034).
	The second answer below is wrong.  The correct answer should
	be "aa=1 rcode=NOERROR ANSWER=0" (otherwise known as a
	NODATA response) and if the authority section is filled in
	then it should contain the NS records for the zone (www.pics.com).

	The second answer below causes named to mark the nameservers as
	lame hence the SERVFAIL.

	Mark

; <<>> DiG 8.3 <<>> a www.pics.com +norec @bigip1.pics.com 
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50467
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;	www.pics.com, type = A, class = IN

;; ANSWER SECTION:
www.pics.com.		5S IN A		66.243.87.152

;; Total query time: 249 msec
;; FROM: drugs.dv.isc.org to SERVER: 66.243.87.146
;; WHEN: Wed Dec 17 08:32:14 2003
;; MSG SIZE  sent: 30  rcvd: 46

; <<>> DiG 8.3 <<>> aaaa www.pics.com +norec @bigip1.pics.com 
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26359
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; QUERY SECTION:
;;	www.pics.com, type = AAAA, class = IN

;; AUTHORITY SECTION:
.			22h31m21s IN NS  c.root-servers.net.
.			22h31m21s IN NS  g.root-servers.net.
.			22h31m21s IN NS  f.root-servers.net.
.			22h31m21s IN NS  b.root-servers.net.
.			22h31m21s IN NS  j.root-servers.net.
.			22h31m21s IN NS  k.root-servers.net.
.			22h31m21s IN NS  l.root-servers.net.
.			22h31m21s IN NS  m.root-servers.net.
.			22h31m21s IN NS  i.root-servers.net.
.			22h31m21s IN NS  e.root-servers.net.
.			22h31m21s IN NS  d.root-servers.net.
.			22h31m21s IN NS  a.root-servers.net.
.			22h31m21s IN NS  h.root-servers.net.

;; ADDITIONAL SECTION:
c.root-servers.net.	1d22h31m21s IN A  192.33.4.12
g.root-servers.net.	1d22h31m21s IN A  192.112.36.4
f.root-servers.net.	1d22h31m21s IN A  192.5.5.241
b.root-servers.net.	1d22h31m21s IN A  128.9.0.107
j.root-servers.net.	1d22h31m21s IN A  192.58.128.30
k.root-servers.net.	1d22h31m21s IN A  193.0.14.129
l.root-servers.net.	1d22h31m21s IN A  198.32.64.12
m.root-servers.net.	1d22h31m21s IN A  202.12.27.33
i.root-servers.net.	1d22h31m21s IN A  192.36.148.17
e.root-servers.net.	1d22h31m21s IN A  192.203.230.10
d.root-servers.net.	1d22h31m21s IN A  128.8.10.90
a.root-servers.net.	1d22h31m21s IN A  198.41.0.4
h.root-servers.net.	1d22h31m21s IN A  128.63.2.53

;; Total query time: 255 msec
;; FROM: drugs.dv.isc.org to SERVER: 66.243.87.146
;; WHEN: Wed Dec 17 08:31:29 2003
;; MSG SIZE  sent: 30  rcvd: 449


> # dig www.pics.com +debug
> 
> ; <<>> DiG 8.3 <<>> www.pics.com +debug
> ;; res_nmkquery(QUERY, www.pics.com, IN, A)
> ;; res options: init debug recurs defnam dnsrch
> ;; res_send()
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18404
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      www.pics.com, type = A, class = IN
> 
> ;; Querying server (# 1) address = 192.135.189.20
> ;; new DG socket
> server rejected query:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18404
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      www.pics.com, type = A, class = IN
> 
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18404
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      www.pics.com, type = A, class = IN
> 
> ;; Total query time: 4 msec
> ;; FROM: picspc01.pics.com to SERVER: default -- 192.135.189.20
> ;; WHEN: Tue Dec 16 12:58:11 2003
> ;; MSG SIZE  sent: 30  rcvd: 30
> 
> 
> 
> Here is an example after I restarted bind
> 
> $ named -v
> named 8.2.3-REL Thu Feb 15 09:57:28 EST 2001
>         root at picspc01.pics.com:/u3/obj/u3/src/src/usr.sbin/named
> $ dig www.pics.com +debug
> 
> ; <<>> DiG 8.3 <<>> www.pics.com +debug
> ;; res_nmkquery(QUERY, www.pics.com, IN, A)
> ;; res options: init debug recurs defnam dnsrch
> ;; res_send()
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47326
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      www.pics.com, type = A, class = IN
> 
> ;; Querying server (# 1) address = 192.135.189.20
> ;; new DG socket
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47326
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      www.pics.com, type = A, class = IN
> 
> ;; ANSWER SECTION:
> www.pics.com.           5S IN A         207.8.189.152
> 
> ;; Total query time: 4 msec
> ;; FROM: picspc01.pics.com to SERVER: default -- 192.135.189.20
> ;; WHEN: Tue Dec 16 13:42:55 2003
> ;; MSG SIZE  sent: 30  rcvd: 46
> 
> $
> 
> 
> Thanks in advance for any advice you can provide.
> 
> Regards,
> 
> 
> Terry
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
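
Added example, not part of the original message and not BIND's own code: a small Python check that reads the header of a `dig +norec` reply from a delegated server and separates an authoritative answer, a NODATA reply and a lame reply, using the two replies shown above (trimmed). The function names, the simplified "lame" rule and the NODATA sample are assumptions made for illustration.

```python
import re

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)")

def authority_ns_owners(dig_text):
    """Owner names of NS records listed under ';; AUTHORITY SECTION:'."""
    _, found, rest = dig_text.partition(";; AUTHORITY SECTION:")
    if not found:
        return set()
    section = rest.split("\n\n", 1)[0]
    rows = (line.split() for line in section.splitlines())
    return {r[0].lower().rstrip(".") for r in rows
            if len(r) >= 5 and r[2:4] == ["IN", "NS"]}

def classify(dig_text, zone):
    """Classify a +norec reply from a server delegated as authoritative for zone."""
    zone = zone.lower().rstrip(".")
    status = STATUS_RE.search(dig_text).group(1)
    match = FLAGS_RE.search(dig_text)
    flags, answers = set(match.group(1).split()), int(match.group(2))
    if status != "NOERROR":
        return "error:" + status
    if "aa" in flags:
        # aa=1 with ANSWER=0 is the NODATA form the reply above asks for
        return "authoritative-answer" if answers else "nodata"
    owners = authority_ns_owners(dig_text)
    if owners and all(o.endswith("." + zone) for o in owners):
        return "referral"  # delegation further down the tree
    # No aa bit and no downward referral: simplified stand-in for "lame"
    return "lame"

# Trimmed from the A and AAAA replies shown in the message above
A_REPLY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50467
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
AAAA_REPLY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26359
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; AUTHORITY SECTION:
.  22h31m21s IN NS  c.root-servers.net.
.  22h31m21s IN NS  g.root-servers.net.

;; ADDITIONAL SECTION:
"""
# Constructed sample: the header a correct NODATA reply would carry
NODATA_REPLY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
```

Running `classify` over replies for several query types (A, AAAA, MX, ...) against each delegated server shows whether any type draws a non-authoritative reply before the parent's resolver runs into it.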

