DNS "chicken-and-egg" Problem

bsfinkel at anl.gov bsfinkel at anl.gov
Mon Oct 27 19:56:18 UTC 2008


At Mon, 27 Oct 2008 10:32:59 -0500 (CDT),
bsfinkel at anl.gov wrote:
>> 
>> I am having problems resolving
>> 
>>      igpp.ucla.edu

[snip]

>> This looks like a proper referral to the one name server for the igpp
>> sub-domain.  I also get the "A" record for that name server.
>> But when I dump the cache on the nameserver on which I was doing my
>> queries, I do not see this glue information cached.  If the information
>> is not in the cache, then when I do a query for the "A" record, I find
>> that I need that "A" record to be able to query the authoritative
>> name server for that sub-domain.  There seems to be a "chicken-and-egg"
>> problem.  Why does BIND 9.5.0-P2 not cache the glue information that
>> it receives from the four authoritative name servers for ucla.edu?

And Jinmei Tatuya replied:
>I'm not sure if I understand your problem.  Did you actually have any
>trouble resolving the name, or are you just wondering about the cache
>content (without having any actual trouble)?  If it's the latter,
>please be more specific about what you did, what you expected, and
>what you actually got.
>
>If it's the former, does that always happen, or is it an occasional
>problem?  If it's occasional, that may be a known bug in 9.5 about
>cache entry management, and will be fixed in the next beta.

The answer is both.  There are times when we receive mail from

     _____ at igpp.ucla.edu

and our Postfix mailer does not accept the mail because it cannot
verify the domain of the sender.  When I see this, I try some "dig"
commands, and I usually get "SERVFAIL".  And I am trying to determine
what is the problem.  When the messages cease, I assume that the mail
has been delivered.  But I normally do not see the delivery message
when it happens, so I cannot query DNS at that time to see what is in
the DNS cache.  I see the mail delivery when I review the logs the next
morning, and by that time I am not sure that the status of the DNS
cache is the same as it was when the mail was delivered.  The record in
question has a 6H TTL.

One "problem" that I see is this - the mail comes from the same nodename
as the authoritative DNS server for the sub-domain, so if BIND does not
have the address of

    igpp.ucla.edu

then it needs that address in order to query the authoritative name
server.  And in my testing this morning I found that when I queried the
four parent name servers and received the proper referral (along with
the desired IP address) that glue information was not in the cache.
Is the problem that when BIND needs to get the desired address, it
does recursive queries from the root, gets the information, and then
does not cache it?  If I know the address of the nameserver and send
my query explicitly to that nameserver, then I get the answer I desire.

What I did this morning (and posted the last piece) was to follow the
delegation from

     f.root-servers.net
to
     C3.NSTLD.COM
to
     DNS.ucla.edu. DNS2.ucla.edu. DNS3.ucla.edu. ADNS2.BERKELEY.edu

Each of the four authoritative name servers for ucla.edu returned:

     ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
     ;; QUERY SECTION:
     ;;      igpp.ucla.edu, type = A, class = IN

     ;; AUTHORITY SECTION:
     igpp.ucla.edu.          6H IN NS        igpp.ucla.edu.

     ;; ADDITIONAL SECTION:
     igpp.ucla.edu.          6H IN A         128.97.94.1

----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
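The referral quoted above is the textbook in-bailiwick case: the only NS for igpp.ucla.edu is igpp.ucla.edu itself, so the ADDITIONAL-section A record is the one piece of data that lets a resolver reach the zone at all. The following script is an added example (not from the post or from BIND) that parses a dig-style referral and reports, per NS, whether it is external, glued, or in-bailiwick with no glue (the unreachable case); the sample text is the referral from the post, embedded as constructed input.

```python
"""Check a dig-style referral for the glue dependency described in the post:
an NS name that lives inside the delegated zone is only reachable through
the glue A/AAAA record carried in the referral's ADDITIONAL section."""
import re

# Constructed sample input: the ucla.edu referral quoted in the post.
REFERRAL = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUERY SECTION:
;;      igpp.ucla.edu, type = A, class = IN

;; AUTHORITY SECTION:
igpp.ucla.edu.          6H IN NS        igpp.ucla.edu.

;; ADDITIONAL SECTION:
igpp.ucla.edu.          6H IN A         128.97.94.1
"""

# owner  ttl  IN  type  rdata  (one resource record per line, dig layout)
RR = re.compile(r"^(\S+)\s+(\S+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_referral(text):
    """Return (zone, ns_names, glue) from the AUTHORITY/ADDITIONAL sections."""
    section, zone, ns, glue = None, None, [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]   # e.g. "AUTHORITY"
            continue
        m = RR.match(line)
        if not m or section not in ("AUTHORITY", "ADDITIONAL"):
            continue
        owner, _ttl, rtype, rdata = m.groups()
        owner, rdata = owner.lower().rstrip("."), rdata.lower().rstrip(".")
        if section == "AUTHORITY" and rtype == "NS":
            zone = owner            # the delegated zone is the NS owner name
            ns.append(rdata)
        elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    return zone, ns, glue

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def check_delegation(text):
    """Classify each NS as 'external', 'glued' or 'missing-glue' (unreachable)."""
    zone, ns, glue = parse_referral(text)
    status = {}
    for name in ns:
        if not in_bailiwick(name, zone):
            status[name] = "external"        # resolvable by a separate lookup
        else:
            status[name] = "glued" if name in glue else "missing-glue"
    return zone, status
```

Feed it the output of a non-recursive query (dig +norecurse) to any parent server; a "missing-glue" result is the configuration that produces exactly the SERVFAIL symptom described in the post.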