DNS "chicken-and-egg" Problem

Hays, Ken hays at otc.fsu.edu
Thu Oct 30 21:25:28 UTC 2008


Barry, If the dig ends with @128.97.94.1, the reply is authoritative.
Later, Ken

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of bsfinkel at anl.gov
Sent: Thursday, October 30, 2008 5:07 PM
To: bind-users at isc.org
Subject: Re: DNS "chicken-and-egg" Problem

To summarize this problem -

    1) One of my mailers is trying to find the "A" record for

           igpp.ucla.edu

       so that it can verify that mail from that domain is
       legitimate mail.

    2) The ucla.edu name servers delegate the zone to a name server

           igpp.ucla.edu

       I talked with a DNS admin at UCLA, and he told me that they have
       in the ucla.edu zone a delegation and glue:

            igpp.ucla.edu.          6H IN NS        igpp.ucla.edu
            igpp.ucla.edu.          6H IN A         128.97.94.1

    3) When I query the four ucla.edu name servers, dig returns:

        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
        ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
        ;; QUERY SECTION:
        ;;      igpp.ucla.edu, type = A, class = IN
        
        ;; AUTHORITY SECTION:
        igpp.ucla.edu.          6H IN NS        igpp.ucla.edu.
        
        ;; ADDITIONAL SECTION:
        igpp.ucla.edu.          6H IN A         128.97.94.1

    4) Why is this information not in the cache on my server?
       Jinmei Tatuya said it might be due to a cache-clearing bug
       in 9.5.0 (I am running 9.5.0-P2).  I ran a test with
       "max-cache-size 256M", and I did not see the record cached.
       And I doubt that the cache was full.

    5) Someone (I do not remember who, and I cannot find the reply in
       the list archives) pointed out to me that the answers I am
       getting from UCLA are not authoritative - the "aa" flag is
       missing.

What could cause glue information (that I think is correct) in the
ucla.edu zones to be returned to my server as not authoritative?
I now assume that the reason that my BIND does not cache the glue is
that the glue is not marked authoritative.  Thanks.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
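
The distinction discussed in this thread, as an added example that is not part of either message: a referral from the parent zone carries NS and glue records without the aa flag, while the delegated server answers with aa set. The Python below classifies a raw DNS response on that basis; both messages are constructed from the values in the dig output, and the child's answer reusing 128.97.94.1 is an assumption.

```python
import struct

QR, AA, RD, NS, A = 0x8000, 0x0400, 0x0100, 2, 1   # header flag bits, then RR types

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):                          # -> (name, next offset)
    labels, end = [], None
    for _ in range(128):                          # bound compression-pointer chains
        n = msg[off]
        if n & 0xC0 == 0xC0:
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower() + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("pointer loop or over-long name")

def rr(name, rtype, rdata, ttl=21600):            # 21600 s is the 6H TTL shown
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
def build(flags, qname, an=(), ns=(), ar=()):     # constructed message, id 4
    return (struct.pack("!6H", 4, flags, 1, len(an), len(ns), len(ar))
            + encode_name(qname) + struct.pack("!HH", A, 1) + b"".join([*an, *ns, *ar]))

def classify(msg):                                # -> (kind, glue addresses)
    _id, flags, qd, *counts = struct.unpack("!6H", msg[:12])
    off, recs = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4          # skip QTYPE and QCLASS
    for sec, count in enumerate(counts):          # 0 answer, 1 authority, 2 additional
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            recs.append((sec, name, rtype, off + 10, rdlen))
            off += 10 + rdlen
    if flags & AA:
        return "authoritative", []
    targets = {read_name(msg, o)[0] for s, _, t, o, _ in recs if s == 1 and t == NS}
    if counts[0] == 0 and targets:
        return "referral", [".".join(map(str, msg[o:o + n])) for s, nm, t, o, n in recs
                            if s == 2 and t == A and nm in targets]
    return "non-authoritative", []

NAME, GLUE = "igpp.ucla.edu", bytes([128, 97, 94, 1])   # values from the dig output
PARENT = build(QR | RD, NAME, ns=[rr(NAME, NS, encode_name(NAME))], ar=[rr(NAME, A, GLUE)])
CHILD = build(QR | RD | AA, NAME, an=[rr(NAME, A, GLUE)])
```

classify(PARENT) reports a referral with 128.97.94.1 as glue, and classify(CHILD) reports an authoritative answer.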


