BIND9 don't query specific nameserver with IPv4 address.

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Wed Jun 23 16:21:18 UTC 2004 

Daisuke Koike <daisukek at tkd.att.ne.jp> wrote:
> Hi all,

> I have a problem when using BIND-9.2.3 as a cache server.

> When I'll resolve RRs of specific domain, sometimes it seems that BIND9=
 query
> that nemeserver only with IPv6, though that nameserver has both IPv4 an=
d IPv6
> addresses.
> # I checked by tcpdump and trace logs, and thought so
> The cache server don't have IPv6 reachability, so the query fails.

> The domain is "sm.sony.co.jp" and the problem can reproduce on my box a=
s
> follows.


> 1. enable debugging and flush all caches.
> ------------------------------------------------------------
> 13:58> sbin/rndc -c etc/rndc.conf trace 99
> 13:58> sbin/rndc -c etc/rndc.conf flush
> ------------------------------------------------------------


> 2. dig MX record of the domain "sm.sony.co.jp".
> ------------------------------------------------------------
> 13:58> dig @localhost sm.sony.co.jp mx +d2 +time=3D300

> ; <<>> DiG 8.3 <<>> @localhost sm.sony.co.jp mx +d2 +time=3D300
> ; (2 servers found)
> ;; res_nmkquery(QUERY, sm.sony.co.jp, IN, MX)
> ;; res options: init debug recurs defnam dnsrch ?0x80000000?
> ;; res_send()
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3332
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      sm.sony.co.jp, type =3D MX, class =3D IN

> ;; Querying server (# 1) address =3D ::1
> ;; new DG socket
> res_send: recvfrom: Connection refused
> ;; Querying server (# 2) address =3D 127.0.0.1
> ;; new DG socket
> server rejected query:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3332
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      sm.sony.co.jp, type =3D MX, class =3D IN

> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3332
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      sm.sony.co.jp, type =3D MX, class =3D IN

> ;; Total query time: 30017 msec
> ;; FROM: rap.jp.above.net to SERVER: localhost  ::1
> ;; WHEN: Wed Jun 23 13:59:10 2004
> ;; MSG SIZE  sent: 31  rcvd: 31

> 13:59>
> ------------------------------------------------------------
> # it often fails like this


> 3. the result of tcpdump (# tcpdump -n -vvv -s1024 port domain)
> Please see http://165.76.207.140/bind/tcpdump.txt

> Though an authority nameserver of sm.sony.co.jp is widefw.csl.sony.co.j=
p,
> BIND9 didn't query that.


> 4. debug log (trace level 99)
> Please see http://165.76.207.140/bind/tracelog.txt

> It seems that BIND9 is querying to widefw.csl.sony.co.jp only with IPv6.


> 5. cache dump
> Please see http://165.76.207.140/bind/named_dump.txt

> BIND9 has both IPv4 and IPv6 addresses about widefw.csl.sony.co.jp on t=
he
> cache, as glue record.


> # I tested on this environment
> ------------------------------------------------------------
> OS - FreeBSD 4.7-RELEASE
> BIND - 9.2.3(compiled from source, with no configure option except pref=
ix)
> named.conf -> http://211.18.251.218/bind/named.conf.txt
> ------------------------------------------------------------

> According to my recognition, if the nameserver has both A and AAAA reco=
rds
> and if querying with IPv6 fails, BIND should re-query with IPv4.

> Where is my mistake?
> Please point it out if there is some unclear information about this.

> Thanks.
> ----------------------------------------
> Daisuke Koike 	<daisukek at tkd.att.ne.jp>


Don't worry bout bind-9, it's the domain "sm.sony.co.jp" that is broken.



Among the problems :

the domain is delegated to "widefw.csl.sony.co.jp (133.138.1.1)" , that
server however says "ns.sony.co.jp (137.153.0.11), which is Lame, and
"widens.sm.sony.co.jp (133.138.10.1)" as nameservers.

TTL for this fragile zone is very short ( 600s) so any problems will
strike with full power.





--=20
Peter H=E5kanson        =20
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out=
,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

More information about the bind-users mailing list