Problem with a host Delagation

Mark_Andrews at isc.org Mark_Andrews at isc.org
Tue Dec 16 22:57:59 UTC 2003 

> 
> > Hi,
> > 
> > I have implemented a F5 Networks Link Controller to do inbound load
> > balancing.  In order to make this device work you need to have the LC
> > respond to DNS requests for IP addresses you wish to inbound load
> > balance.  I did this with my webserver by adding NS records for the
> > webserver host.
> > 
> > ie:
> > ;www    3600    IN      A       192.135.189.20
> > www     3600    IN      NS      bigip1.pics.com.        ;Cl=2
> >         3600    IN      NS      bigip2.pics.com.        ;Cl=2
> > 
> > Bind 8.2.3-REL on the parent (where the zone file resides) answers
> > fine 75% of the time, the other 25% of the time it reports a SERVFAIL
> > and i see no proof (with tcpdump) that bind is asking the F5 device
> > for the IP of www.pics.com.
> > 
> > Here is a dig debug (from the parent 192.135.189.20) but I have no
> > idea what this means or how to correct.
> 
> 	I suggest that you choose another vendor.  Your load balancer
> 	does not implement the base DNS specification (RFC 1034).
> 	The second answer below is wrong.  The correct answer should
> 	be "aa=1 rcode=NOERROR ANSWER=0" (otherwise known as a
> 	NODATA response) and if the authority section is filled in
> 	then it should contain the NS records for the zone (www.pics.com).
 
	Sorry I made a error above.

	The authority section should contain the SOA record for the zone.

> 	The second answer below causes named to mark the nameservers as
> 	lame hence the SERVFAIL.
> 
> 	Mark
> 
> ; <<>> DiG 8.3 <<>> a www.pics.com +norec @bigip1.pics.com 
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50467
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;	www.pics.com, type = A, class = IN
> 
> ;; ANSWER SECTION:
> www.pics.com.		5S IN A		66.243.87.152
> 
> ;; Total query time: 249 msec
> ;; FROM: drugs.dv.isc.org to SERVER: 66.243.87.146
> ;; WHEN: Wed Dec 17 08:32:14 2003
> ;; MSG SIZE  sent: 30  rcvd: 46
> 
> ; <<>> DiG 8.3 <<>> aaaa www.pics.com +norec @bigip1.pics.com 
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26359
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
> ;; QUERY SECTION:
> ;;	www.pics.com, type = AAAA, class = IN
> 
> ;; AUTHORITY SECTION:
> .			22h31m21s IN NS  c.root-servers.net.
> .			22h31m21s IN NS  g.root-servers.net.
> .			22h31m21s IN NS  f.root-servers.net.
> .			22h31m21s IN NS  b.root-servers.net.
> .			22h31m21s IN NS  j.root-servers.net.
> .			22h31m21s IN NS  k.root-servers.net.
> .			22h31m21s IN NS  l.root-servers.net.
> .			22h31m21s IN NS  m.root-servers.net.
> .			22h31m21s IN NS  i.root-servers.net.
> .			22h31m21s IN NS  e.root-servers.net.
> .			22h31m21s IN NS  d.root-servers.net.
> .			22h31m21s IN NS  a.root-servers.net.
> .			22h31m21s IN NS  h.root-servers.net.
> 
> ;; ADDITIONAL SECTION:
> c.root-servers.net.	1d22h31m21s IN A  192.33.4.12
> g.root-servers.net.	1d22h31m21s IN A  192.112.36.4
> f.root-servers.net.	1d22h31m21s IN A  192.5.5.241
> b.root-servers.net.	1d22h31m21s IN A  128.9.0.107
> j.root-servers.net.	1d22h31m21s IN A  192.58.128.30
> k.root-servers.net.	1d22h31m21s IN A  193.0.14.129
> l.root-servers.net.	1d22h31m21s IN A  198.32.64.12
> m.root-servers.net.	1d22h31m21s IN A  202.12.27.33
> i.root-servers.net.	1d22h31m21s IN A  192.36.148.17
> e.root-servers.net.	1d22h31m21s IN A  192.203.230.10
> d.root-servers.net.	1d22h31m21s IN A  128.8.10.90
> a.root-servers.net.	1d22h31m21s IN A  198.41.0.4
> h.root-servers.net.	1d22h31m21s IN A  128.63.2.53
> 
> ;; Total query time: 255 msec
> ;; FROM: drugs.dv.isc.org to SERVER: 66.243.87.146
> ;; WHEN: Wed Dec 17 08:31:29 2003
> ;; MSG SIZE  sent: 30  rcvd: 449
> 
> 
> > # dig www.pics.com +debug
> > 
> > ; <<>> DiG 8.3 <<>> www.pics.com +debug
> > ;; res_nmkquery(QUERY, www.pics.com, IN, A)
> > ;; res options: init debug recurs defnam dnsrch
> > ;; res_send()
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18404
> > ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUERY SECTION:
> > ;;      www.pics.com, type = A, class = IN
> > 
> > ;; Querying server (# 1) address = 192.135.189.20
> > ;; new DG socket
> > server rejected query:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18404
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUERY SECTION:
> > ;;      www.pics.com, type = A, class = IN
> > 
> > ;; got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18404
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUERY SECTION:
> > ;;      www.pics.com, type = A, class = IN
> > 
> > ;; Total query time: 4 msec
> > ;; FROM: picspc01.pics.com to SERVER: default -- 192.135.189.20
> > ;; WHEN: Tue Dec 16 12:58:11 2003
> > ;; MSG SIZE  sent: 30  rcvd: 30
> > 
> > 
> > 
> > Here is an example after I restarted bind
> > 
> > $ named -v
> > named 8.2.3-REL Thu Feb 15 09:57:28 EST 2001
> >         root at picspc01.pics.com:/u3/obj/u3/src/src/usr.sbin/named
> > $ dig www.pics.com +debug
> > 
> > ; <<>> DiG 8.3 <<>> www.pics.com +debug
> > ;; res_nmkquery(QUERY, www.pics.com, IN, A)
> > ;; res options: init debug recurs defnam dnsrch
> > ;; res_send()
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47326
> > ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUERY SECTION:
> ;;      www.pics.com, type = A, class = IN
> > 
> > ;; Querying server (# 1) address = 192.135.189.20
> > ;; new DG socket
> > ;; got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47326
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
> > 0
> > ;; QUERY SECTION:
> > ;;      www.pics.com, type = A, class = IN
> > 
> > ;; ANSWER SECTION:
> > www.pics.com.           5S IN A         207.8.189.152
> > 
> > ;; Total query time: 4 msec
> > ;; FROM: picspc01.pics.com to SERVER: default -- 192.135.189.20
> > ;; WHEN: Tue Dec 16 13:42:55 2003
> > ;; MSG SIZE  sent: 30  rcvd: 46
> > 
> > $
> > 
> > 
> > Thanks in advance for any advice you can provide.
> > 
> > Regards,
> > 
> > 
> > Terry
> > 
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

More information about the bind-users mailing list