bind 9 ignores new data / TTL ?

Hagen von Eitzen hve at blasberg-computer.de
Wed Mar 3 11:10:11 UTC 2004


Hello everyone,

I thought I knew DNS quite well, but do not have a reasonable
explanation for the following (running bind9 on debian):

My DNS server keeps some obsolete DNS entries alive way beyond their
TTL.
Assume that on my machine
 # dig ns example
yields
 example.  86400 IN NS  ns1.example.
 example.  86400 IN NS  ns2.sample.
(I'll work with example domains since the real domains probably won't
help you much)

Assume further that both
 # dig ns foo.example @ns1.example
and
 # dig ns foo.example @ns2.sample
yield
 foo.example.  86400 IN NS  ns1.bar.example.
 foo.example.  86400 IN NS  ns2.bar.example.

Unfortunately, on my machine (which is not involved with foo.example)
 # dig ns foo.example
may yield something like
 foo.example.  12345 IN NS  ns1.obsolete.example.
 foo.example.  12345 IN NS  ns2.obsolete.example.

This is not a problem yet, since you may rightly suspect that
foo.example had been delegated to the obsolete.example nameservers
some time ago.
The expected behaviour is that after another 12345 seconds, the
obsolete entries should time out and then be replaced by the correct
entries.

Unfortunately, my machine seems to refresh with the OLD values, i.e. a
few hours later I might get
 # dig ns foo.example
 foo.example.  81321 IN NS  ns1.obsolete.example.
 foo.example.  81321 IN NS  ns2.obsolete.example.
and the countdown starts anew.

As far as I can see, the problem will only go away with a restart (not
reload) of my name server.
This might be okay for the one special case that I pinned down.
But without knowledge if and which entries might be obsolete this
boils down to "Everyone should restart their bind at least once a
day".

Does anybody know a better solution?
Or a better understanding of what the real problem is? I tend to
suspect that the source of evil might be that
ns1.obsolete.example/ns2.obsolete.example still (wrongly) claim to be
authoritative. Could that be right?
But shouldn't the delegation of foo.example be rechecked from the
example zone rather than from the (according to the cache to be
validated) authoritative servers?

Thanks for any help,
Hagen
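
One way to confirm the mismatch described above without restarting the server is to compare the NS set the local resolver has cached against the delegation the parent zone's servers actually publish. This is an added example, not part of the original message or of BIND; it assumes `dig` is on the PATH for the live check, and the zone and server names in it are the placeholders from the post.

```python
import subprocess


def parse_ns(dig_output):
    """Collect NS targets from dig-style 'owner TTL IN NS target' lines."""
    targets = set()
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2:4] == ["IN", "NS"]:
            target = fields[4].lower()
            targets.add(target if target.endswith(".") else target + ".")
    return targets


def delegation_drift(cached_output, parent_output):
    """Compare the resolver's cached NS set with the parent's delegation.
    Returns (stale, missing): names the cache still trusts but the parent
    no longer delegates to, and delegated names the cache lacks."""
    cached, parent = parse_ns(cached_output), parse_ns(parent_output)
    return cached - parent, parent - cached


def dig_ns(name, server=None):
    """Run dig and return the ANSWER and AUTHORITY sections. Asked at the
    parent's servers, the delegation comes back as a referral in
    AUTHORITY rather than ANSWER, so both sections are kept."""
    cmd = ["dig", "+noall", "+answer", "+authority", "+time=3", "NS", name]
    if server:
        cmd.append("@" + server)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def check_zone(zone, parent_server, resolver="127.0.0.1"):
    """Report whether the local resolver's NS view of `zone` matches the
    delegation served by `parent_server` (a nameserver of the parent zone)."""
    stale, missing = delegation_drift(dig_ns(zone, resolver), dig_ns(zone, parent_server))
    if not stale and not missing:
        return f"{zone}: cached NS set matches parent delegation"
    return (f"{zone}: stale in cache: {sorted(stale) or '-'}; "
            f"missing from cache: {sorted(missing) or '-'}")


if __name__ == "__main__":
    # Placeholder names taken from the post; substitute the real zone and
    # one of the parent zone's nameservers.
    print(check_zone("foo.example", "ns1.example"))
```

Any name listed under "stale" is one the resolver keeps re-learning from the old child servers instead of from the parent delegation.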

