inconsistent answer ?

Mark Andrews Mark_Andrews at isc.org
Wed Jun 4 02:25:42 UTC 2008


> At 05:22 PM 6/3/2008, Kevin Darcy wrote:
> >Note that the serial numbers are significantly different.
> 
> 
> Hi,
>          In the info below, I see it as 76 for the one domain and 24 
> for the other, but I didn't see any inconsistencies there?
> 
> 
> >I'm thinking this is 2 servers (or more) behind a load-balancer, and
> >replication has broken between them...
> 
> But I don't understand why bind is giving 2 different answers locally. 
> The first query generates network traffic, gets an answer from one of 
> the remote servers.  The second gives no info.... If I flush the 
> local cache, the pattern repeats.   Why would BIND not give the same 
> answers whether it's a fresh query or one served from cache ?
> 
> 
> e.g.
> [auth2]% host www.tigerdirect.ca
> www.tigerdirect.ca has address 206.191.131.11
> Host www.tigerdirect.ca not found: 3(NXDOMAIN)
> Host www.tigerdirect.ca not found: 3(NXDOMAIN)
> 
> 
> [auth2]% host www.tigerdirect.ca
> Host www.tigerdirect.ca not found: 3(NXDOMAIN)
> [auth2]%

	Because there is a load balancer sitting in front of the
	nameserver and there is a CNAME for www.tigerdirect.ca that
	points to a non-existent name in the zone that is behind
	the load balancer which answers all the other queries other
	than the A query.

	The load balancer copes with EDNS by ignoring it.
	The backing nameserver doesn't handle EDNS, it returns FORMERR.

	The reason for the second invocation of host returning
	NXDOMAIN is that the local cache remembers the NXDOMAIN.
 
	This is a classic case of Garbage-In Garbage-Out.

	The way to fix this is to replace the CNAME with an A RRset
	which has the addresses of all the machines the load balancer
	is distributing the load amongst.  That way all the answers
	that are returned from the backing nameserver will be
	consistent with the answers returned from the load balancer,
	and if necessary, the load balancer can be removed and
	everything will continue to work.  This is how things should
	have been set up in the first place.

	Mark

; <<>> DiG 9.3.4-P1 <<>> www.tigerdirect.ca +norec @ns01.highspeedbackbone.net +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64051
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.tigerdirect.ca.		IN	A

;; ANSWER SECTION:
www.tigerdirect.ca.	20	IN	A	206.191.131.51

;; Query time: 406 msec
;; SERVER: 69.42.101.231#53(69.42.101.231)
;; WHEN: Wed Jun  4 12:19:29 2008
;; MSG SIZE  rcvd: 52


; <<>> DiG 9.3.4-P1 <<>> www.tigerdirect.ca +norec @ns01.highspeedbackbone.net +dnssec txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 291
;; flags: qr ra; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 382 msec
;; SERVER: 69.42.101.231#53(69.42.101.231)
;; WHEN: Wed Jun  4 12:19:48 2008
;; MSG SIZE  rcvd: 12


; <<>> DiG 9.3.4-P1 <<>> www.tigerdirect.ca +norec @ns01.highspeedbackbone.net txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23997
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.tigerdirect.ca.		IN	TXT

;; ANSWER SECTION:
www.tigerdirect.ca.	600	IN	CNAME	web60.highspeedbackbone.net.

;; AUTHORITY SECTION:
highspeedbackbone.net.	600	IN	SOA	ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 76 3600 600 604800 600

;; Query time: 376 msec
;; SERVER: 69.42.101.231#53(69.42.101.231)
;; WHEN: Wed Jun  4 12:20:00 2008
;; MSG SIZE  rcvd: 124

>          ---Mike
> 
> 
> 
> 
> 
> >- Kevin
> >
> >Mike Tancsa wrote:
> > > Hi,
> > >          I am trying to understand BIND's interaction with a
> > > seemingly misconfigured server.  A few customers called in asking why
> > > they could not periodically get to www.tigerdirect.ca.
> > >
> > >
> > > It seems to be a MS server and is letting a full transfer of the 2
> > > zones, so we see
> > >
> > >   dig axfr @69.42.101.231 tigerdirect.ca
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> axfr @69.42.101.231 tigerdirect.ca
> > > ; (1 server found)
> > > ;; global options:  printcmd
> > > tigerdirect.ca.         600     IN      SOA     ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 24 3600 600 604800 600
> > > tigerdirect.ca.         600     IN      TXT     "v=spf1 ip4:206.191.131.0/24 mx -all"
> > > tigerdirect.ca.         600     IN      MX      10 mail.highspeedbackbone.net.
> > > tigerdirect.ca.         600     IN      NS      ns01.highspeedbackbone.net.
> > > tigerdirect.ca.         600     IN      NS      ns02.highspeedbackbone.net.
> > > tigerdirect.ca.         600     IN      A       206.191.131.49
> > > comp.tigerdirect.ca.    600     IN      CNAME   web140.highspeedbackbone.net.
> > > help.tigerdirect.ca.    600     IN      NS      ns01.highspeedbackbone.net.
> > > help.tigerdirect.ca.    600     IN      NS      ns02.highspeedbackbone.net.
> > > images.tigerdirect.ca.  600     IN      CNAME   images.tigerdirect.ca.edgesuite.net.
> > > media.tigerdirect.ca.   600     IN      CNAME   web140.highspeedbackbone.net.
> > > origin-images.tigerdirect.ca. 600 IN    CNAME   web140.highspeedbackbone.net.
> > > static.tigerdirect.ca.  600     IN      CNAME   web140.highspeedbackbone.net.
> > > www.tigerdirect.ca.     600     IN      CNAME   web60.highspeedbackbone.net.
> > > tigerdirect.ca.         600     IN      SOA     ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 24 3600 600 604800 600
> > > ;; Query time: 101 msec
> > > ;; SERVER: 69.42.101.231#53(69.42.101.231)
> > > ;; WHEN: Tue Jun  3 14:31:31 2008
> > > ;; XFR size: 15 records (messages 15)
> > >
> > >   dig axfr @69.42.101.231 highspeedbackbone.net
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> axfr @69.42.101.231 highspeedbackbone.net
> > > ; (1 server found)
> > > ;; global options:  printcmd
> > > highspeedbackbone.net.  600     IN      SOA     ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 76 3600 600 604800 600
> > > highspeedbackbone.net.  600     IN      TXT     "v=spf1 ip4:206.191.131.0/24 mx -all"
> > > highspeedbackbone.net.  600     IN      NS      ns01.highspeedbackbone.net.
> > > highspeedbackbone.net.  600     IN      NS      ns02.highspeedbackbone.net.
> > > click.highspeedbackbone.net. 600 IN     A       206.191.131.125
> > > ftps.highspeedbackbone.net. 600 IN      A       69.42.102.34
> > > mail01.highspeedbackbone.net. 600 IN    A       206.191.131.100
> > > mail02.highspeedbackbone.net. 600 IN    A       206.191.131.101
> > > ns01.highspeedbackbone.net. 600 IN      A       69.42.101.231
> > > ns02.highspeedbackbone.net. 600 IN      A       69.42.101.232
> > > promo.highspeedbackbone.net. 600 IN     A       206.191.131.124
> > > sslvpn.highspeedbackbone.net. 600 IN    A       69.42.103.6
> > > van01.highspeedbackbone.net. 600 IN     A       69.42.102.121
> > > vpn.highspeedbackbone.net. 600  IN      A       69.42.103.13
> > > vpn2.highspeedbackbone.net. 600 IN      A       69.42.103.14
> > > web50.highspeedbackbone.net. 600 IN     NS      ns01.highspeedbackbone.net.
> > > highspeedbackbone.net.  600     IN      SOA     ns01.highspeedbackbone.net. admin.highspeedbackbone.net. 76 3600 600 604800 600
> > > ;; Query time: 102 msec
> > > ;; SERVER: 69.42.101.231#53(69.42.101.231)
> > > ;; WHEN: Tue Jun  3 14:15:13 2008
> > > ;; XFR size: 17 records (messages 17)
> > >
> > >
> > >
> > > So, www.tigerdirect.ca is a CNAME for web60.highspeedbackbone.net,
> > > which according to the AXFR, does not exist.
> > >
> > > But, using host, I get strange initial results
> > >
> > > [auth2]# host www.tigerdirect.ca
> > > www.tigerdirect.ca is an alias for web60.highspeedbackbone.net.
> > > web60.highspeedbackbone.net has address 206.191.131.51
> > > Host web60.highspeedbackbone.net not found: 3(NXDOMAIN)
> > > Host web60.highspeedbackbone.net not found: 3(NXDOMAIN)
> > > [auth2]# host www.tigerdirect.ca
> > > Host www.tigerdirect.ca not found: 3(NXDOMAIN)
> > > [auth2]#
> > >
> > > Why do I get a response initially, and not on subsequent queries?
> > > Is it because the authoritative name server is giving a cached
> > > non-authoritative response?  Should not host regardless give the
> > > same answer?
> > >
> > >
> > > Using dig, I see
> > >
> > > [auth2]# dig www.tigerdirect.ca
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> www.tigerdirect.ca
> > > ;; global options:  printcmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58136
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
> > >
> > > ;; QUESTION SECTION:
> > > ;www.tigerdirect.ca.            IN      A
> > >
> > > ;; ANSWER SECTION:
> > > www.tigerdirect.ca.     600     IN      CNAME   web60.highspeedbackbone.net.
> > > web60.highspeedbackbone.net. 20 IN      A       206.191.131.51
> > >
> > > ;; AUTHORITY SECTION:
> > > highspeedbackbone.net.  549     IN      NS      ns02.highspeedbackbone.net.
> > > highspeedbackbone.net.  549     IN      NS      ns01.highspeedbackbone.net.
> > >
> > > ;; ADDITIONAL SECTION:
> > > ns01.highspeedbackbone.net. 166602 IN   A       69.42.101.231
> > > ns02.highspeedbackbone.net. 167305 IN   A       69.42.101.232
> > >
> > > ;; Query time: 101 msec
> > > ;; SERVER: 205.211.164.51#53(205.211.164.51)
> > > ;; WHEN: Tue Jun  3 14:38:51 2008
> > > ;; MSG SIZE  rcvd: 163
> > >
> > > [auth2]#
> > >
> > > [auth2]# dig @ns01.highspeedbackbone.net web60.highspeedbackbone.net
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> @ns01.highspeedbackbone.net
> > > web60.highspeedbackbone.net
> > > ; (1 server found)
> > > ;; global options:  printcmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32182
> > > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;web60.highspeedbackbone.net.   IN      A
> > >
> > > ;; ANSWER SECTION:
> > > web60.highspeedbackbone.net. 20 IN      A       206.191.131.51
> > >
> > > ;; Query time: 52 msec
> > > ;; SERVER: 69.42.101.231#53(69.42.101.231)
> > > ;; WHEN: Tue Jun  3 14:39:38 2008
> > > ;; MSG SIZE  rcvd: 61
> > >
> > > [auth2]#
> > >
> > > [auth2]# dig @ns02.highspeedbackbone.net web60.highspeedbackbone.net
> > >
> > > ; <<>> DiG 9.3.4-P1 <<>> @ns02.highspeedbackbone.net
> > > web60.highspeedbackbone.net
> > > ; (1 server found)
> > > ;; global options:  printcmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55930
> > > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;web60.highspeedbackbone.net.   IN      A
> > >
> > > ;; ANSWER SECTION:
> > > web60.highspeedbackbone.net. 20 IN      A       206.191.131.51
> > >
> > > ;; Query time: 52 msec
> > > ;; SERVER: 69.42.101.232#53(69.42.101.232)
> > > ;; WHEN: Tue Jun  3 14:39:54 2008
> > > ;; MSG SIZE  rcvd: 61
> > >
> > > [auth2]#
> > >
> > >
> > >
> > >
> > > I am using the stock BIND on FreeBSD RELENG_6 and FreeBSD RELENG_7
> > > and both show the same behavior.  Doing a tcpdump, I see the
> > > following raw responses.
> > >
> > >
> > >   tcpdump -xX -s0 -vni bge0 host 69.42.101.231 or host 69.42.101.232
> > > tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size
> > > 65535 bytes
> > > 14:35:49.021797 IP (tos 0x0, ttl  64, id 32432, offset 0, flags
> > > [none], proto: UDP (17), length: 64) 205.211.164.51.53743 >
> > > 69.42.101.232.53:  37954 A? www.tigerdirect.ca. (36)
> > > 14:35:49.072965 IP (tos 0x0, ttl  53, id 54410, offset 0, flags [DF],
> > > proto: UDP (17), length: 152) 69.42.101.232.53 >
> > > 205.211.164.51.53743:  37954 NXDomain* 1/1/0 www.tigerdirect.ca.
> > > CNAME web60.highspeedbackbone.net. (124)
> > > 14:35:49.073103 IP (tos 0x0, ttl  64, id 32445, offset 0, flags
> > > [none], proto: UDP (17), length: 73) 205.211.164.51.53743 >
> > > 69.42.101.231.53:  578 A? web60.highspeedbackbone.net. (45)
> > > 14:35:49.123297 IP (tos 0x0, ttl  52, id 23015, offset 0, flags [DF],
> > > proto: UDP (17), length: 89) 69.42.101.231.53 >
> > > 205.211.164.51.53743:  578*- 1/0/0 web60.highspeedbackbone.net. A
> > > 206.191.131.51 (61)
> > > 14:35:49.123908 IP (tos 0x0, ttl  64, id 32457, offset 0, flags
> > > [none], proto: UDP (17), length: 73) 205.211.164.51.53743 >
> > > 69.42.101.232.53:  34516 AAAA? web60.highspeedbackbone.net. (45)
> > > 14:35:49.174369 IP (tos 0x0, ttl  53, id 54473, offset 0, flags [DF],
> > > proto: UDP (17), length: 141) 69.42.101.232.53 >
> > > 205.211.164.51.53743:  34516 NXDomain* 0/1/0 (113)
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > --------------------------------------------------------------------
> > > Mike Tancsa,                                      tel +1 519 651 3400
> > > Sentex Communications,                            mike at sentex.net
> > > Providing Internet since 1994                    www.sentex.net
> > > Cambridge, Ontario Canada                         www.sentex.net/mike
> > >
> > >
> > >
> > >
> > >
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
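
A pre-publication check for the misconfiguration diagnosed above, as an added example that is not part of the original post or of BIND: it flags CNAMEs whose target falls inside a zone you hold but owns no data there. The zone text is a constructed subset of the AXFR listings quoted in the thread, and the function names are hypothetical.

```python
# Constructed sample: a subset of the two AXFR listings quoted in this thread.
ZONES = {
    "tigerdirect.ca.": """
tigerdirect.ca.        600 IN A     206.191.131.49
comp.tigerdirect.ca.   600 IN CNAME web140.highspeedbackbone.net.
images.tigerdirect.ca. 600 IN CNAME images.tigerdirect.ca.edgesuite.net.
www.tigerdirect.ca.    600 IN CNAME web60.highspeedbackbone.net.
""",
    "highspeedbackbone.net.": """
highspeedbackbone.net.       600 IN NS ns01.highspeedbackbone.net.
ns01.highspeedbackbone.net.  600 IN A  69.42.101.231
click.highspeedbackbone.net. 600 IN A  206.191.131.125
web50.highspeedbackbone.net. 600 IN NS ns01.highspeedbackbone.net.
""",
}

def parse(text):
    """Yield (owner, rrtype, rdata) from 'owner ttl class type rdata' lines."""
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and not line.startswith(";"):
            yield fields[0].lower(), fields[3].upper(), fields[4].strip()

def in_zone(name, apex):
    """True if name is the apex itself or a descendant of it."""
    return name == apex or name.endswith("." + apex)

def dangling_cnames(zones):
    """Return sorted (owner, target, zone) for every CNAME whose target lies in
    a zone we hold, owns no data there, and is not below a delegation."""
    data = {apex.lower(): list(parse(text)) for apex, text in zones.items()}
    findings = []
    for records in data.values():
        for owner, rrtype, rdata in records:
            if rrtype != "CNAME":
                continue
            target = rdata.lower()
            # Longest matching apex; a target outside every held zone is not judged.
            home = max((a for a in data if in_zone(target, a)), key=len, default=None)
            if home is None:
                continue
            owners = {o for o, _, _ in data[home]}
            cuts = {o for o, t, _ in data[home] if t == "NS" and o != home}
            # The target or a name beneath it exists (empty non-terminals count).
            exists = any(in_zone(o, target) for o in owners)
            delegated = any(in_zone(target, c) for c in cuts)
            if not exists and not delegated:
                findings.append((owner, target, home))
    return sorted(findings)
```

On the sample data this reports the www and comp aliases, skips the edgesuite.net target because that zone is not held, and would skip any target under the web50 delegation for the same reason.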

