Problems with bind9 caching too long

Sam Hayes Merritt, III sam at
Mon Mar 14 18:09:11 UTC 2005

> On Fri, Mar 11, 2005 at 07:37:56PM -0500, Kevin Darcy wrote:
>> No, that's not a BIND bug. You've left the old version of the zone
>> running on and, and they'll keep on giving out
>> the stale NS records in response to queries. Other caching nameservers
>> such as which had the NS records cached from prior to the
>> switchover will keep on using those nameservers to resolve
>> names, and therefore keep seeing regurgitations of the stale NS records,
>> and the cycle will repeat until those caching nameservers are restarted
>> or those particular records in their caches expire or are purged out, or
>> until the nameservers stop answering with stale NS records for
>> the zone (i.e. the zone is removed from them or is replaced by a more
>> up-to-date version).

> First, the stale record is from the .net name servers (which are the root
> nameservers), that record that delegates to has expired
> and should be refreshed from where it came from.

You are partially correct. Yes, the .net name servers delegated 
to ns1/ The USC nameservers cached that.

> is only authoritative for by delegation from the .net
> servers, and this should be honored.

It is, for any new lookups.

> Secondly, every other server on the net I can find has the new addresses,
> leading me to believe there is some sort of configuration or something I've
> missed - why is it only USC's servers continue to get the old data?

Noone else had it cached, or may be running different software.

The way bind works, as he explained, was it found the authoritative 
nameservers. It continues to use those, as long as they provide an 
authoritative answer until the sun don't shine no more. It doesn't go 
back to the root again to ask for the authoritative unless it no longer 
has the info cached. To get that to stop, you would do a rndc flushname for each server. Or restart Bind.

Although the correct way would be for the owner of to actually 
finish moving their domain. They got halfway their, now they need to 
complete the job and ask pbi to remove it from their nameservers and then 
make sure they actually remove it. Without that step, theres probably 
other nameserver somewhere that will have the old authoritative cached.


More information about the bind-users mailing list