bind-9.3.2-33.fc5

Mark Andrews Mark_Andrews at isc.org
Thu Sep 21 13:34:42 UTC 2006 

> I have 2 public DNS servers one as primary and the other one is secondary,
> both are behind PIX firewall
> 
> Environment:
> 
> BIND Version: bind-9.3.2-33.fc5
> 
> OS: FC5
> 
> PIX: Cisco Adaptive Security Appliance Software Version 7.1
> 
> Problem Description:
> 
> 1- Most queries are resolved just fine but some returns the following error
> "Server Failed", not timed out.
> 
> By restarting the named daemon those records resolves fine for a while then
> the problem happens again.

	These will almost always be the result of a bad delegation.

> 2- When restarting named daemon sometimes I get the error that it is already
> running when trying to start, and by initiating /etc/init.d/named start, it
> starts fine afterward.

	The restart script doesn't wait for named to finish exiting.
	Talk to the scipts maintainer.
 
> 3- Some records are cached even though TTL is expired.

	You are confused.  Named will not return a expired record.
 
> Steps taken to resolve the issue:
> 
> 1- Removed the DNS Inspection from PIX firewall.
> 
> 2- Defined edns packet size to 512.
> 
> 3- Defined max ttl cache
> 
>  Configuration File:
> 
> options {
> 
> directory "/var/named";
> 
> dump-file "/var/named/data/cache_dump.db";
> 
> statistics-file "/var/named/data/named_stats.txt";
> 
> version "Whatever";
> 
> allow-query { any; };
> 
> allow-recursion { localhost; trusted; };
> 
> blackhole { badguys; };
> 
> notify yes;
> 
> max-cache-ttl 172800;
> 
> max-ncache-ttl 172800;
> 
> datasize default;
> 
> max-cache-size 80000000;
> 
> allow-transfer { secondaries; };
> 
> also-notify {192.168.1.101; 192.168.10.9;}; // all zones
> 
> allow-notify { secondaries; };
> 
> recursive-clients 30000;
> 
> 
> -- 
> Dry Networks don't pass by lakes !!!
--
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at isc.org.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list