When Domain Resolution just Stops one Day.

Doug Barton dougb at dougbarton.us
Mon Jul 30 20:30:38 UTC 2007




On Mon, 30 Jul 2007, Martin McCormick wrote:

> 	Imagine a domain called thisdomain.org.

It's virtually impossible to diagnose this kind of stuff without being able 
to query the DNS to get clues. http://www.bind-users.info/FAQ.html#RealNames

> It is registered
> and looks up properly in whois. Thisdomain.org has subdomains
> such as remotesite.thisdomain.org where they have a DNS that
> sends us a slave zone we keep on the thisdomain.org DNS.

What do you mean by "on the dns" here? Do you mean that you slave the 
child zone to all authoritative servers for the parent?

> 	If you look up somebody.remotesite.thisdomain.org on our
> master DNS, resolution is no problem. If you look up the same
> address on a slave DNS on your network that slaves the
> thisdomain.org zone but not the remotesite.thisdomain.org zone,
> it may still work fine for literally years. Then, one day, the
> phone rings out of the blue and clients using that slave DNS
> suddenly cannot resolve remotesite.thisdomain.org. If you start
> slaving that zone also on the slave DNS, everything is okay
> again.

So the obvious question here is, "what changed?" Assuming that you have 
proper delegation records, and that the records in the parent and child zone 
match, my guess would be that there is some kind of new firewall (or new 
entry in an existing firewall) that is preventing your resolvers from 
querying the name servers for the child zone directly.

> 	We also had this happen on one other occasion to a
> different subdomain of ours. It had worked on our remote
> campuses for a couple of years and then just quit one day.

Did you ever find the cause of that problem?

> 	In all cases, I fixed it by bringing the slave zone from
> the subdomain to the slave DNS's that had stopped resolving.

That's a good practice in any case, but it doesn't tell you why it stopped 
working.

hth,

Doug

-- 
 	If you're never wrong, you're not trying hard enough.



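The two checks the reply points to (delegation NS records in the parent matching the child zone's own NS set, and the resolver being able to reach the child's name servers directly over UDP and TCP) can be run with dig from the resolver that stopped answering. This is an added example, not part of the original message; the function names, the sample records and the 192.0.2.10 address are constructed, and it assumes the parent's response carries glue for in-zone name servers.

```shell
# Added example, not from the thread. Sample names and addresses are constructed.
SAMPLE_PARENT='remotesite.thisdomain.org. 3600 IN NS ns1.remotesite.thisdomain.org.
remotesite.thisdomain.org. 3600 IN NS ns2.remotesite.thisdomain.org.
ns1.remotesite.thisdomain.org. 3600 IN A 192.0.2.10'
SAMPLE_CHILD='remotesite.thisdomain.org. 3600 IN NS ns1.remotesite.thisdomain.org.
remotesite.thisdomain.org. 3600 IN NS ns3.remotesite.thisdomain.org.'

# NS targets for zone $1 found in dig record lines on stdin.
ns_set() {
    awk -v z="$1" 'BEGIN { z = tolower(z); if (z !~ /\.$/) z = z "." }
        toupper($4) == "NS" && tolower($1) == z { print tolower($5) }' | sort -u
}

# Glue address for server name $1 in dig record lines on stdin, else the name itself.
addr_of() {
    awk -v n="$1" 'toupper($4) ~ /^A(AAA)?$/ && tolower($1) == n { print $5; f = 1; exit }
        END { if (!f) print n }'
}

# Delegation NS set (parent text $2) vs apex NS set (child text $3) for zone $1.
# Prints differences; returns 0 on match, 1 on mismatch, 2 if no delegation found.
delegation_diff() {
    p=$(printf '%s\n' "$2" | ns_set "$1"); c=$(printf '%s\n' "$3" | ns_set "$1")
    [ -n "$p" ] || { echo "no NS records for $1 in parent response"; return 2; }
    out=$(for n in $p; do printf '%s\n' "$c" | grep -qxF "$n" || echo "parent-only: $n"; done
          for n in $c; do printf '%s\n' "$p" | grep -qxF "$n" || echo "child-only: $n"; done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"; return 1
}

# Live run from the resolver that stopped answering (needs dig and network access).
# $1 = child zone, $2 = address of a server authoritative for the parent zone.
check_zone() {
    parent=$(dig +norecurse +noall +answer +authority +additional "@$2" "$1" NS) || true
    for ns in $(printf '%s\n' "$parent" | ns_set "$1"); do
        ip=$(printf '%s\n' "$parent" | addr_of "$ns")
        child=$(dig +norecurse +noall +answer +time=3 +tries=1 "@$ip" "$1" NS) || true
        delegation_diff "$1" "$parent" "$child" || echo "$ns: NS sets differ or no answer"
        for proto in +notcp +tcp; do
            if soa=$(dig +norecurse +short +time=3 +tries=1 "$proto" "@$ip" "$1" SOA) && [ -n "$soa" ]
            then echo "$ns ($ip) $proto: SOA answered"
            else echo "$ns ($ip) $proto: no answer, check filtering of port 53"
            fi
        done
    done
}

if [ "$#" -eq 2 ]; then check_zone "$1" "$2"
else delegation_diff remotesite.thisdomain.org "$SAMPLE_PARENT" "$SAMPLE_CHILD" || true
fi
```

Run with a child zone and a parent server address as the two arguments for the live check; with no arguments it only compares the constructed sample records.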
