BIND can't resolve with unreachable second NS

Bob Rahe bob at
Thu May 8 14:15:21 UTC 2008

  A puzzle...

  Solaris 10, BIND 9.4.2.

  We've been having a problem resolving a web site name.

  Trying to resolve  Turns out that is a CNAME

  THAT domain claims to have 2 dns servers:   at
and   at

  But...  two interesting things.  From a different network I can find
that actually is an A record to the 147.35
address.  AND... the ns2 address does not respond.  In fact, if I try
to ping it from both the other network and here I get:

hobbes% ping
ICMP Time exceeded in transit from (
 for icmp from ( to (
ICMP Time exceeded in transit from (
 for icmp from ( to (
ICMP Time exceeded in transit from (
 for icmp from ( to (

(and doing a traceroute, I see there's some odd routing loop where it bangs
around two different addresses near it until the TTL expires. Again, from
both networks.)

But for ns1 I get:

Chobbes% ping is alive

  And... the upshot is, any nslookups I try seem to blackhole.  For
whatever reason all of our nameservers seem to get hung up if that
second ns isn't working.  Cause if I do a lookup directly via ns1 I can
get an answer:

; <<>> DiG 9.2.8-P1 <<>> any
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 910
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1




;; Query time: 104 msec
;; WHEN: Mon May  5 09:52:54 2008
;; MSG SIZE  rcvd: 72

  Ideas?  Why do nameservers on another network (also BIND of various
semi-recent vintage) seem to be able to resolve this but mine seem to
blackhole on it?  We're running BIND 9.4.2 and some 9.2.8-P1 on unix
(Solaris 10 and 9) here.  I've googled, searched Sun and sunmanagers and
come up empty.

  I did find one reference from back when Solaris ran 4.x BIND about the
resolver only looking at one NS it got back but that was claimed to be
solved by using 'modern' sources.... Which one would think these are...




|Bob Rahe, MIEEE, bob at (RWR50)   /    ASCII ribbon campaign ( )    |
|Delaware Technical & Community College /      - against HTML email  X     |
|Computer Center, Dover, Delaware      /                   & vCards / \    |
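
The per-nameserver check described in the message above (querying each listed NS directly rather than through the local resolver), as an added example that is not part of the original post. The function names, the `www.example.test` name and the 192.0.2.x addresses are constructed placeholders; substitute the zone's real NS addresses.

```python
import secrets
import socket
import struct

FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
             ("rd", 0x0100), ("ra", 0x0080)]

def build_query(name, qid, qtype=1):
    """Encode a non-recursive (RD=0) query for `name`; qtype 1 is A, class IN."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields dig shows."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0x000F,
            "flags": [n for n, bit in FLAG_BITS if flags & bit],
            "counts": (qd, an, ns, ar)}

def probe(server_ip, name, timeout=2.0, tries=2, port=53):
    """Query one listed nameserver directly and classify what comes back."""
    for _ in range(tries):
        qid = secrets.randbelow(65536)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, qid), (server_ip, port))
                reply, _addr = s.recvfrom(4096)
            except socket.timeout:
                continue                  # silent server: retry, then give up
            except OSError as exc:
                return "unreachable: %s" % exc
        if len(reply) < 12:
            continue                      # too short to be a DNS message
        h = parse_header(reply)
        if h["id"] != qid or "qr" not in h["flags"]:
            continue                      # not a reply to our query
        if "aa" in h["flags"] and h["rcode"] == 0:
            return "authoritative answer"
        return "responds, rcode=%d, aa=%s" % (h["rcode"], "aa" in h["flags"])
    return "timeout"

if __name__ == "__main__":
    # Constructed placeholders (TEST-NET-1 addresses), not values from the post.
    for ns_ip in ("192.0.2.1", "192.0.2.2"):
        print(ns_ip, probe(ns_ip, "www.example.test"))
```

A server that reports `timeout` here while its sibling reports `authoritative answer` matches the ns2/ns1 split described in the message.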
