bind-9.3.2-33.fc5
Mark Andrews
Mark_Andrews at isc.org
Thu Sep 21 13:34:42 UTC 2006
> I have 2 public DNS servers one as primary and the other one is secondary,
> both are behind PIX firewall
>
> Environment:
>
> BIND Version: bind-9.3.2-33.fc5
>
> OS: FC5
>
> PIX: Cisco Adaptive Security Appliance Software Version 7.1
>
> Problem Description:
>
> 1- Most queries are resolved just fine but some return the following error
> "Server Failed", not timed out.
>
> By restarting the named daemon those records resolve fine for a while then
> the problem happens again.
These will almost always be the result of a bad delegation.
> 2- When restarting named daemon sometimes I get the error that it is already
> running when trying to start, and by initiating /etc/init.d/named start, it
> starts fine afterward.
The restart script doesn't wait for named to finish exiting.
Talk to the script's maintainer.
> 3- Some records are cached even though TTL is expired.
You are confused. Named will not return an expired record.
> Steps taken to resolve the issue:
>
> 1- Removed the DNS Inspection from PIX firewall.
>
> 2- Defined edns packet size to 512.
>
> 3- Defined max ttl cache
>
> Configuration File:
>
> options {
>
> directory "/var/named";
>
> dump-file "/var/named/data/cache_dump.db";
>
> statistics-file "/var/named/data/named_stats.txt";
>
> version "Whatever";
>
> allow-query { any; };
>
> allow-recursion { localhost; trusted; };
>
> blackhole { badguys; };
>
> notify yes;
>
> max-cache-ttl 172800;
>
> max-ncache-ttl 172800;
>
> datasize default;
>
> max-cache-size 80000000;
>
> allow-transfer { secondaries; };
>
> also-notify {192.168.1.101; 192.168.10.9;}; // all zones
>
> allow-notify { secondaries; };
>
> recursive-clients 30000;
>
>
> --
> Dry Networks don't pass by lakes !!!
--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training at isc.org.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
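
The reply to point 2 above says the restart script does not wait for named to finish exiting. One way an init-style script can close that race, as an added example (not code from this thread or from the Fedora init script); the function names and the PID-file argument are assumptions:

```shell
#!/bin/sh
# Added example: stop a daemon and block until its process is really gone,
# so a following "start" cannot collide with the old instance.

# is_running PID: true while the process exists and is not a zombie.
# A zombie has already closed its sockets, so it counts as exited.
# The /proc check is Linux-specific; elsewhere only kill -0 decides.
is_running() {
    kill -0 "$1" 2>/dev/null || return 1
    ! grep -q '^State:[[:space:]]*Z' "/proc/$1/status" 2>/dev/null
}

# wait_for_exit PID TIMEOUT_SECONDS
# Returns 0 once the process is gone, 1 if it is still alive at the timeout.
wait_for_exit() {
    pid=$1
    remaining=$2
    while is_running "$pid"; do
        [ "$remaining" -le 0 ] && return 1
        sleep 1
        remaining=$((remaining - 1))
    done
    return 0
}

# stop_and_wait PIDFILE TIMEOUT_SECONDS
# Returns 0 if nothing is running afterwards, 1 on timeout,
# 2 if the PID file does not contain a plain number.
stop_and_wait() {
    pidfile=$1
    timeout=$2
    [ -r "$pidfile" ] || return 0                 # no PID file: nothing to stop
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) return 2 ;;                  # never signal a garbage PID
    esac
    kill -TERM "$pid" 2>/dev/null || return 0     # process already gone
    wait_for_exit "$pid" "$timeout"
}

# Hypothetical use inside a restart action (path and timeout are assumptions):
#   stop_and_wait /var/run/named.pid 30 && /etc/init.d/named start
```

On timeout the function returns 1 instead of escalating to SIGKILL, so the caller decides whether to force the old process down or abort the restart.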