DNS "chicken-and-egg" Problem

JINMEI Tatuya / 神明達哉 Jinmei_Tatuya at isc.org
Mon Oct 27 21:41:23 UTC 2008


At Mon, 27 Oct 2008 14:56:18 -0500 (CDT),
bsfinkel at anl.gov wrote:

> One "problem" that I see is this - the mail comes from the same nodename
> as the authoritative DNS server for the sub-domain, so if BIND does not
> have the address of
> 
>     igpp.ucla.edu
> 
> then it needs that address in order to query the authoritative name
> server.  And in my testing this morning I found that when I queried the
> four parent name servers and received the proper referral (along with
> the desired IP address) that glue information was not in the cache.
> Is the problem that when BIND needs to get the desired address, it
> does recursive queries from the root, gets the information, and then
> does not cache it?  If I know the address of the nameserver and send

If it's the bug I mentioned, it's not about the missing glue
(address).  I suspect the NS record of igpp.ucla.edu was (incorrectly)
purged during the resolution process of igpp.ucla.edu itself, most
likely by the address glue record.

I also guess you use the default max-cache-size of 9.5.0-P2 (which is
32MB).  Using such a small cache size on a moderately busy server
tends to trigger this cache management bug.  So, as a workaround I'd
suggest you raise the cache size (if you didn't) to a reasonably large
value, e.g., 256MB or even more, depending on the available memory on
your machine.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

