and bind8/9

Kevin Darcy kcd at
Sat Dec 4 00:31:53 UTC 2004

Dirk Janssen wrote:

>I encountered a problem on all our recursive caching-only nameservers
>(and even others) running bind8.4.4/bind8.4.5 with resolving the host
>mentioned above. When the cache is empty (after restart) then the host
>can be resolved, but if you ask just for one time for the nameserver(s)
>of (the domain to where the cname points) then you
>get an answer of an unresolvable host (with a TTL of 1 Week). After
>that, can't be resolved anymore and the query ends
>up in a timeout (probably for 1 Week) what is really annoying because a
>lot of websites using this ad-server are incredibly slow because of this.
>So far I think this is a problem of doubleclick (it would be nice if
>somebody could also check and verify this). But what I've encountered is
>that bind9.2.3 behaves in another way. What you get here is a SERVFAIL
>and not a timeout and even this SERVFAIL comes just for a short time (it
>seems to depend from how often you queried the ns of
> What's the reason for this different behaviour?
>Is the timeout a bug of bind8? What would be the correct rfc-conform
>Because of performance issues I really don't want to upgrade to bind9.
>

is delegated to 4 nameservers
({uk,de,fr,se}, but each of them only publishes a 
single {uk,de,fr,se} NS record for the zone. In 
other words, if you happen to query, say, for 
the NS record of the zone, it would respond with 
only an NS record pointing to The trouble 
is, these NS'es are not the same as the delegation NS'es, and since they 
are in the zone being delegated, if the A record times out before the NS 
record does, then any iterative resolver will get stuck, trying to 
resolve from a nameserver it knows (from the NS record it still has 
cached) but without being able to get the address of that nameserver. As 
you can see, BIND 8 and BIND 9 deal with this intolerable situation in 
slightly different ways. This should not surprise you, since BIND 8 and 
BIND 9 share no common code.

Ultimately, needs to fix either their delegations or 
their in-zone NS records for The in-zone NS records 
should match the delegation NS records. At a bare minimum, they need to 
follow Internet standards and publish at least 2 NS'es for the zone.

- Kevin

More information about the bind-users mailing list
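
The condition described in the reply (in-zone NS records that differ from the delegation, a single NS per server, and an address that expires before the NS record pointing to it) can be checked mechanically. The following is an added example, not part of the original thread. The zone and server names are constructed, the one-week TTL mentioned in the quoted post is used as the NS TTL, and the 300-second A record TTL is an assumption.

```python
# Added example: constructed names and TTLs, not data from the thread.

def in_zone(name, zone):
    """True if name is at or below zone (lowercase, no trailing dot)."""
    return name == zone or name.endswith("." + zone)

def audit(zone, parent_ns, child_ns, ns_ttl, addr_ttl):
    """Return findings for one child server's view of the zone.

    parent_ns: NS names in the parent's delegation
    child_ns:  NS names the child server publishes at the zone apex
    ns_ttl:    TTL in seconds of the child's NS RRset
    addr_ttl:  {ns_name: TTL in seconds of its A record}
    """
    findings = []
    parent, child = set(parent_ns), set(child_ns)
    if parent != child:
        findings.append(("ns-mismatch", sorted(parent ^ child)))
    if len(child) < 2:
        findings.append(("single-ns", sorted(child)))
    # The case from the reply: the NS name lives inside the zone and its
    # address expires from a cache before the NS record that points to it.
    for ns in sorted(child):
        ttl = addr_ttl.get(ns)
        if in_zone(ns, zone) and ttl is not None and ttl < ns_ttl:
            findings.append(("stuck-window", ns, ns_ttl - ttl))
    return findings

ZONE = "ad.example.test"                      # constructed zone name
PARENT_NS = [f"dns.{cc}.example.test" for cc in ("uk", "de", "fr", "se")]
UK_CHILD_NS = ["ns.uk.ad.example.test"]       # single in-zone NS record
WEEK = 7 * 24 * 3600                          # NS TTL, taken from the quoted post
UK_ADDR_TTL = {"ns.uk.ad.example.test": 300}  # assumed A record TTL

if __name__ == "__main__":
    for finding in audit(ZONE, PARENT_NS, UK_CHILD_NS, WEEK, UK_ADDR_TTL):
        print(finding)
```

The `stuck-window` value is the number of seconds during which a cache can still hold the NS record after the nameserver's address has expired.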