inconsistent answer ?
Mark Andrews
Mark_Andrews at isc.org
Wed Jun 4 02:25:42 UTC 2008
> At 05:22 PM 6/3/2008, Kevin Darcy wrote:
> >Note that the serial numbers are significantly different.
>
>
> Hi,
> In the info below, I see it as 76 for the one domain and 24
> for the other, but I didn't see any inconsistencies there?
>
>
> >I'm thinking this is 2 servers (or more) behind a load-balancer, and
> >replication has broken between them...
>
> But I don't understand why bind is giving 2 different answers locally.
> The first query generates network traffic, gets an answer from one of
> the remote servers. The second gives no info.... If I flush the
> local cache, the pattern repeats. Why would BIND not give the same
> answers whether it's a fresh query or one served from cache?
>
>
> e.g.
> [auth2]% host www.tigerdirect.ca
> www.tigerdirect.ca has address 206.191.131.11
> Host www.tigerdirect.ca not found: 3(NXDOMAIN)
> Host www.tigerdirect.ca not found: 3(NXDOMAIN)
>
>
> [auth2]% host www.tigerdirect.ca
> Host www.tigerdirect.ca not found: 3(NXDOMAIN)
> [auth2]%

Because there is a load balancer sitting in front of the
nameserver and there is a CNAME for www.tigerdirect.ca that
points to a non-existent name in the zone that is behind
the load balancer which answers all the other queries other
than the A query.

The load balancer copes with EDNS by ignoring it.
The backing nameserver doesn't handle EDNS, it returns FORMERR.

The reason for the second invocation of host returning
NXDOMAIN is that the local cache remembers the NXDOMAIN.

This is a classic case of Garbage-In Garbage-Out.

The way to fix this is to replace the CNAME with an A RRset
which has the addresses of all the machines the load balancer
is distributing the load amongst. That way all the answers
that are returned from the backing nameserver will be
consistent with the answers returned from the load balancer,
and if necessary, the load balancer can be removed and
everything will continue to work. This is how things should
have been set up in the first place.

Mark

; <<>> DiG 9.3.4-P1 <<>> www.tigerdirect.ca +norec @ns01.highspeedbackbone.net +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64051
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tigerdirect.ca. IN A
;; ANSWER SECTION:
www.tigerdirect.ca. 20 IN A 206.191.131.51
;; Query time: 406 msec
;; SERVER: 69.42.101.231#53(69.42.101.231)
;; WHEN: Wed Jun 4 12:19:29 2008
;; MSG SIZE rcvd: 52

; <<>> DiG 9.3.4-P1 <<>> www.tigerdirect.ca +norec @ns01.highspeedbackbone.net +dnssec txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 291
;; flags: qr ra; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; Query time: 382 msec
;; SERVER: 69.42.101.231#53(69.42.101.231)
;; WHEN: Wed Jun 4 12:19:48 2008
;; MSG SIZE rcvd: 12

; <<>> DiG 9.3.4-P1 <<>> www.tigerdirect.ca +norec @ns01.highspeedbackbone.net txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23997
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tigerdirect.ca. IN TXT
;; ANSWER SECTION:
www.tigerdirect.ca. 600 IN CNAME web60.highspeedbackbone.net.
;; AUTHORITY SECTION:
highspeedbackbone.net. 600 IN SOA ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 76 3600 600 604800 600
;; Query time: 376 msec
;; SERVER: 69.42.101.231#53(69.42.101.231)
;; WHEN: Wed Jun 4 12:20:00 2008
;; MSG SIZE rcvd: 124

> ---Mike
>
>
>
>
>
> >- Kevin
> >
> >Mike Tancsa wrote:
> > > Hi,
> > > I am trying to understand BIND's interaction with a
> > > seemingly misconfigured server. A few customers called in asking why
> > > they could not periodically get to www.tigerdirect.ca.
> > >
> > >
> > > It seems to be a MS server and is letting a full transfer of the 2
> > > zones, so we see
> > >
> > > dig axfr @69.42.101.231 tigerdirect.ca
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> axfr @69.42.101.231 tigerdirect.ca
> > > ; (1 server found)
> > > ;; global options: printcmd
> > > tigerdirect.ca. 600 IN SOA ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 24 3600 600 604800 600
> > > tigerdirect.ca. 600 IN TXT "v=spf1 ip4:206.191.131.0/24 mx -all"
> > > tigerdirect.ca. 600 IN MX 10 mail.highspeedbackbone.net.
> > > tigerdirect.ca. 600 IN NS ns01.highspeedbackbone.net.
> > > tigerdirect.ca. 600 IN NS ns02.highspeedbackbone.net.
> > > tigerdirect.ca. 600 IN A 206.191.131.49
> > > comp.tigerdirect.ca. 600 IN CNAME web140.highspeedbackbone.net.
> > > help.tigerdirect.ca. 600 IN NS ns01.highspeedbackbone.net.
> > > help.tigerdirect.ca. 600 IN NS ns02.highspeedbackbone.net.
> > > images.tigerdirect.ca. 600 IN CNAME images.tigerdirect.ca.edgesuite.net.
> > > media.tigerdirect.ca. 600 IN CNAME web140.highspeedbackbone.net.
> > > origin-images.tigerdirect.ca. 600 IN CNAME web140.highspeedbackbone.net.
> > > static.tigerdirect.ca. 600 IN CNAME web140.highspeedbackbone.net.
> > > www.tigerdirect.ca. 600 IN CNAME web60.highspeedbackbone.net.
> > > tigerdirect.ca. 600 IN SOA ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 24 3600 600 604800 600
> > > ;; Query time: 101 msec
> > > ;; SERVER: 69.42.101.231#53(69.42.101.231)
> > > ;; WHEN: Tue Jun 3 14:31:31 2008
> > > ;; XFR size: 15 records (messages 15)
> > >
> > > dig axfr @69.42.101.231 highspeedbackbone.net
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> axfr @69.42.101.231 highspeedbackbone.net
> > > ; (1 server found)
> > > ;; global options: printcmd
> > > highspeedbackbone.net. 600 IN SOA ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 76 3600 600 604800 600
> > > highspeedbackbone.net. 600 IN TXT "v=spf1 ip4:206.191.131.0/24 mx -all"
> > > highspeedbackbone.net. 600 IN NS ns01.highspeedbackbone.net.
> > > highspeedbackbone.net. 600 IN NS ns02.highspeedbackbone.net.
> > > click.highspeedbackbone.net. 600 IN A 206.191.131.125
> > > ftps.highspeedbackbone.net. 600 IN A 69.42.102.34
> > > mail01.highspeedbackbone.net. 600 IN A 206.191.131.100
> > > mail02.highspeedbackbone.net. 600 IN A 206.191.131.101
> > > ns01.highspeedbackbone.net. 600 IN A 69.42.101.231
> > > ns02.highspeedbackbone.net. 600 IN A 69.42.101.232
> > > promo.highspeedbackbone.net. 600 IN A 206.191.131.124
> > > sslvpn.highspeedbackbone.net. 600 IN A 69.42.103.6
> > > van01.highspeedbackbone.net. 600 IN A 69.42.102.121
> > > vpn.highspeedbackbone.net. 600 IN A 69.42.103.13
> > > vpn2.highspeedbackbone.net. 600 IN A 69.42.103.14
> > > web50.highspeedbackbone.net. 600 IN NS ns01.highspeedbackbone.net.
> > > highspeedbackbone.net. 600 IN SOA ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 76 3600 600 604800 600
> > > ;; Query time: 102 msec
> > > ;; SERVER: 69.42.101.231#53(69.42.101.231)
> > > ;; WHEN: Tue Jun 3 14:15:13 2008
> > > ;; XFR size: 17 records (messages 17)
> > >
> > >
> > >
> > > So, www.tigerdirect.ca is a CNAME for web60.highspeedbackbone.net,
> > > which according to the AXFR, does not exist.
> > >
> > > But, using host, I get strange initial results
> > >
> > > [auth2]# host www.tigerdirect.ca
> > > www.tigerdirect.ca is an alias for web60.highspeedbackbone.net.
> > > web60.highspeedbackbone.net has address 206.191.131.51
> > > Host web60.highspeedbackbone.net not found: 3(NXDOMAIN)
> > > Host web60.highspeedbackbone.net not found: 3(NXDOMAIN)
> > > [auth2]# host www.tigerdirect.ca
> > > Host www.tigerdirect.ca not found: 3(NXDOMAIN)
> > > [auth2]#
> > >
> > > Why do I get a response initially, and not on subsequent queries?
> > > Is it because the authoritative name server is giving a cached
> > > non-authoritative response? Should not host regardless give the
> > > same answer?
> > >
> > >
> > > Using dig, I see
> > >
> > > [auth2]# dig www.tigerdirect.ca
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> www.tigerdirect.ca
> > > ;; global options: printcmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58136
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
> > >
> > > ;; QUESTION SECTION:
> > > ;www.tigerdirect.ca. IN A
> > >
> > > ;; ANSWER SECTION:
> > >
> > > www.tigerdirect.ca. 600 IN CNAME web60.highspeedbackbone.net.
> > > web60.highspeedbackbone.net. 20 IN A 206.191.131.51
> > >
> > > ;; AUTHORITY SECTION:
> > > highspeedbackbone.net. 549 IN NS ns02.highspeedbackbone.net.
> > > highspeedbackbone.net. 549 IN NS ns01.highspeedbackbone.net.
> > >
> > > ;; ADDITIONAL SECTION:
> > > ns01.highspeedbackbone.net. 166602 IN A 69.42.101.231
> > > ns02.highspeedbackbone.net. 167305 IN A 69.42.101.232
> > >
> > > ;; Query time: 101 msec
> > > ;; SERVER: 205.211.164.51#53(205.211.164.51)
> > > ;; WHEN: Tue Jun 3 14:38:51 2008
> > > ;; MSG SIZE rcvd: 163
> > >
> > > [auth2]#
> > >
> > > [auth2]# dig @ns01.highspeedbackbone.net web60.highspeedbackbone.net
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> @ns01.highspeedbackbone.net web60.highspeedbackbone.net
> > > ; (1 server found)
> > > ;; global options: printcmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32182
> > > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;web60.highspeedbackbone.net. IN A
> > >
> > > ;; ANSWER SECTION:
> > > web60.highspeedbackbone.net. 20 IN A 206.191.131.51
> > >
> > > ;; Query time: 52 msec
> > > ;; SERVER: 69.42.101.231#53(69.42.101.231)
> > > ;; WHEN: Tue Jun 3 14:39:38 2008
> > > ;; MSG SIZE rcvd: 61
> > >
> > > [auth2]#
> > >
> > > [auth2]# dig @ns02.highspeedbackbone.net web60.highspeedbackbone.net
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> @ns02.highspeedbackbone.net web60.highspeedbackbone.net
> > > ; (1 server found)
> > > ;; global options: printcmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55930
> > > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;web60.highspeedbackbone.net. IN A
> > >
> > > ;; ANSWER SECTION:
> > > web60.highspeedbackbone.net. 20 IN A 206.191.131.51
> > >
> > > ;; Query time: 52 msec
> > > ;; SERVER: 69.42.101.232#53(69.42.101.232)
> > > ;; WHEN: Tue Jun 3 14:39:54 2008
> > > ;; MSG SIZE rcvd: 61
> > >
> > > [auth2]#
> > >
> > >
> > >
> > >
> > > I am using the stock BIND on FreeBSD RELENG_6 and FreeBSD RELENG_7
> > > and both show the same behavior. Doing a tcpdump, I see the
> > > following raw responses.
> > >
> > >
> > > tcpdump -xX -s0 -vni bge0 host 69.42.101.231 or host 69.42.101.232
> > > tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size
> > > 65535 bytes
> > > 14:35:49.021797 IP (tos 0x0, ttl 64, id 32432, offset 0, flags
> > > [none], proto: UDP (17), length: 64) 205.211.164.51.53743 >
> > > 69.42.101.232.53: 37954 A? www.tigerdirect.ca. (36)
> > > 14:35:49.072965 IP (tos 0x0, ttl 53, id 54410, offset 0, flags [DF],
> > > proto: UDP (17), length: 152) 69.42.101.232.53 >
> > > 205.211.164.51.53743: 37954 NXDomain* 1/1/0 www.tigerdirect.ca.
> > > CNAME web60.highspeedbackbone.net. (124)
> > > 14:35:49.073103 IP (tos 0x0, ttl 64, id 32445, offset 0, flags
> > > [none], proto: UDP (17), length: 73) 205.211.164.51.53743 >
> > > 69.42.101.231.53: 578 A? web60.highspeedbackbone.net. (45)
> > > 14:35:49.123297 IP (tos 0x0, ttl 52, id 23015, offset 0, flags [DF],
> > > proto: UDP (17), length: 89) 69.42.101.231.53 >
> > > 205.211.164.51.53743: 578*- 1/0/0 web60.highspeedbackbone.net. A
> > > 206.191.131.51 (61)
> > > 14:35:49.123908 IP (tos 0x0, ttl 64, id 32457, offset 0, flags
> > > [none], proto: UDP (17), length: 73) 205.211.164.51.53743 >
> > > 69.42.101.232.53: 34516 AAAA? web60.highspeedbackbone.net. (45)
> > > 14:35:49.174369 IP (tos 0x0, ttl 53, id 54473, offset 0, flags [DF],
> > > proto: UDP (17), length: 141) 69.42.101.232.53 >
> > > 205.211.164.51.53743: 34516 NXDomain* 0/1/0 (113)
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > --------------------------------------------------------------------
> > > Mike Tancsa, tel +1 519 651 3400
> > > Sentex Communications, mike at sentex.net
> > > Providing Internet since 1994 www.sentex.net
> > > Cambridge, Ontario Canada www.sentex.net/mike
> > >
> > >
> > >
> > >
> > >
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
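
The fix described in this message turns on a CNAME whose target does not exist in the zone it points into. The following is an added example, not code from this thread or from BIND: a Python check over held zone data that lists CNAME, MX and NS targets which fall inside a zone you hold but have no records there. The function names are illustrative, the records are a subset copied from the AXFR output quoted in the thread, and wildcards are not considered.

```python
# Added example, not from the thread; records are a subset of the quoted AXFR listings.
ZONES = {
    "tigerdirect.ca": """
tigerdirect.ca. 600 IN MX 10 mail.highspeedbackbone.net.
comp.tigerdirect.ca. 600 IN CNAME web140.highspeedbackbone.net.
help.tigerdirect.ca. 600 IN NS ns01.highspeedbackbone.net.
images.tigerdirect.ca. 600 IN CNAME images.tigerdirect.ca.edgesuite.net.
www.tigerdirect.ca. 600 IN CNAME web60.highspeedbackbone.net.
""",
    "highspeedbackbone.net": """
highspeedbackbone.net. 600 IN NS ns01.highspeedbackbone.net.
mail01.highspeedbackbone.net. 600 IN A 206.191.131.100
ns01.highspeedbackbone.net. 600 IN A 69.42.101.231
web50.highspeedbackbone.net. 600 IN NS ns01.highspeedbackbone.net.
""",
}

def norm(name):
    return name.rstrip(".").lower()

def under(name, parent):
    return name == parent or name.endswith("." + parent)

def parse(text):
    """Yield (owner, rtype, rdata) from 'owner ttl class type rdata' lines."""
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        yield norm(owner), rtype.upper(), rdata

def dangling_targets(zones):
    """Return (owner, rtype, target) where target is in a held zone but absent."""
    recs = [r for text in zones.values() for r in parse(text)]
    origins = {norm(o) for o in zones}
    owners = {own for own, _, _ in recs}
    # Delegation points (NS below an apex): data under them lives elsewhere.
    cuts = {own for own, rtype, _ in recs if rtype == "NS" and own not in origins}
    findings = []
    for own, rtype, rdata in recs:
        if rtype not in ("CNAME", "MX", "NS"):
            continue
        target = norm(rdata.split()[-1])
        held = any(under(target, z) for z in origins)
        delegated = any(under(target, c) for c in cuts)
        if held and not delegated and target not in owners:
            findings.append((own, rtype, target))
    return findings

if __name__ == "__main__":
    for own, rtype, target in dangling_targets(ZONES):
        print(f"{own} {rtype} -> {target}: not present in held zone data")
```

The check only sees zone data, so it reports web60 as missing even though the A query for it was answered in the dig output quoted above; that mismatch is the inconsistency this message describes.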