Problem with a host Delegation

Kevin Darcy kcd at daimlerchrysler.com
Tue Dec 16 22:45:56 UTC 2003


Terry Rossi wrote:

>Hi,
>
>I have implemented an F5 Networks Link Controller to do inbound load
>balancing.  In order to make this device work you need to have the LC
>respond to DNS requests for IP addresses you wish to inbound load
>balance.  I did this with my webserver by adding NS records for the
>webserver host.
>
>ie:
>;www    3600    IN      A       192.135.189.20
>www     3600    IN      NS      bigip1.pics.com.        ;Cl=2
>        3600    IN      NS      bigip2.pics.com.        ;Cl=2
>
>Bind 8.2.3-REL on the parent (where the zone file resides) answers
>fine 75% of the time, the other 25% of the time it reports a SERVFAIL
>and I see no proof (with tcpdump) that bind is asking the F5 device
>for the IP of www.pics.com.
>
>Here is a dig debug (from the parent 192.135.189.20) but I have no
>idea what this means or how to correct.
>
># dig www.pics.com +debug
>
>; <<>> DiG 8.3 <<>> www.pics.com +debug
>;; res_nmkquery(QUERY, www.pics.com, IN, A)
>;; res options: init debug recurs defnam dnsrch
>;; res_send()
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18404
>;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>;; QUERY SECTION:
>;;      www.pics.com, type = A, class = IN
>
>;; Querying server (# 1) address = 192.135.189.20
>;; new DG socket
>server rejected query:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18404
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>;; QUERY SECTION:
>;;      www.pics.com, type = A, class = IN
>
>;; got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18404
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>;; QUERY SECTION:
>;;      www.pics.com, type = A, class = IN
>
>;; Total query time: 4 msec
>;; FROM: picspc01.pics.com to SERVER: default -- 192.135.189.20
>;; WHEN: Tue Dec 16 12:58:11 2003
>;; MSG SIZE  sent: 30  rcvd: 30
>
>
>
>Here is an example after I restarted bind
>
>$ named -v
>named 8.2.3-REL Thu Feb 15 09:57:28 EST 2001
>        root at picspc01.pics.com:/u3/obj/u3/src/src/usr.sbin/named
>$ dig www.pics.com +debug
>
>; <<>> DiG 8.3 <<>> www.pics.com +debug
>;; res_nmkquery(QUERY, www.pics.com, IN, A)
>;; res options: init debug recurs defnam dnsrch
>;; res_send()
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47326
>;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>;; QUERY SECTION:
>;;      www.pics.com, type = A, class = IN
>
>;; Querying server (# 1) address = 192.135.189.20
>;; new DG socket
>;; got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47326
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>;; QUERY SECTION:
>;;      www.pics.com, type = A, class = IN
>
>;; ANSWER SECTION:
>www.pics.com.           5S IN A         207.8.189.152
>
>;; Total query time: 4 msec
>;; FROM: picspc01.pics.com to SERVER: default -- 192.135.189.20
>;; WHEN: Tue Dec 16 13:42:55 2003
>;; MSG SIZE  sent: 30  rcvd: 46
>
Really old versions of BIND 8 probably have issues with the terse 
responses (e.g. no NS records) from the load-balancers. Try upgrading 
BIND. Either that, or you have some sort of network connectivity issue 
that is preventing the BIND server from talking to the load balancers 
occasionally. With a 5-second TTL, you don't exactly have much of a 
safety margin to protect you from network hiccups...

                                                                         
                                             - Kevin
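
Added example (not part of the original message, and not BIND or F5 code): Python that builds the same 30-byte A query dig sent and classifies a reply from its 12-byte header, so a SERVFAIL, an answer-only reply with no NS records, and a timeout are reported separately. The function names and the sample messages, which are constructed from the two dig traces quoted above, are assumptions made for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, rd=True):
    """Encode one A/IN question in DNS wire format (RFC 1035)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the 12-byte header that dig prints as ->>HEADER<<-."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answer": an, "authority": ns, "additional": ar}

def classify(query, reply):
    """Label a reply using only its header fields."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"              # not a response to this query
    if r["status"] != "NOERROR":
        return r["status"]
    if r["answer"] and not (r["authority"] or r["additional"]):
        return "terse-answer"          # answer only, no NS or glue records
    return "full-answer" if r["answer"] else "no-data"

def ask(server, name, qid, rd=False, timeout=2.0):
    """One live UDP query; 'timeout' means no reply arrived in time."""
    query = build_query(name, qid, rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return classify(query, s.recvfrom(512)[0])
        except socket.timeout:
            return "timeout"

# Constructed messages rebuilt from the two dig traces in the post.
Q_FAIL = build_query("www.pics.com", 18404)
R_FAIL = struct.pack("!HHHHHH", 18404, 0x8182, 1, 0, 0, 0) + Q_FAIL[12:]
Q_OK = build_query("www.pics.com", 47326)
R_OK = (struct.pack("!HHHHHH", 47326, 0x8580, 1, 1, 0, 0) + Q_OK[12:]
        + struct.pack("!HHHIH", 0xC00C, 1, 1, 5, 4) + bytes([207, 8, 189, 152]))
```

Calling ask() repeatedly against each delegated server with rd=False, and against the parent with rd=True, gives a per-server tally of SERVFAIL versus timeout results.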



