Fwd: IPv6 client and negative cache - some doubts

Mark Andrews marka at isc.org
Tue Feb 23 22:19:16 UTC 2010


In message <f677fefa1002230600n4694161cu315e5dd4beaaab02 at mail.gmail.com>, Michal Wesolowski writes:
> 
> sorry for replying directly, still have some problems with gmail UI.
> 
> ---------- Forwarded message ----------
> From: Michal Wesolowski <gmickyw at gmail.com>
> Date: Tue, Feb 23, 2010 at 2:47 PM
> Subject: Re: IPv6 client and negative cache - some doubts
> To: Sam Wilson <Sam.Wilson at ed.ac.uk>
> 
> 
> On Tue, Feb 23, 2010 at 1:33 PM, Sam Wilson <Sam.Wilson at ed.ac.uk> wrote:
> 
> > In article <mailman.529.1266923597.21153.bind-users at lists.isc.org>,
> >  Michal Wesolowski <gmickyw at gmail.com> wrote:
> >
> > > Hello Everyone
> > >
> > > I have a problem with Bind 9.3.6-P1 (included in Solaris 10) but honestly I
> > > don't even understand if it is wrong Bind behaviour or my ignorance. It does
> > > apply only to some specific cases when external domain delegation is also
> > > somewhat broken. My server is caching only. Let me show it by the example:
> > >
> > > Host "www.goleszow.pl" has bad NS delegation on country root servers level
> > > because virtual.sincom.pl is not resolvable:
> > >
> > > goleszow.pl.        86400    IN    NS    virtual.sincom.pl.
> > > goleszow.pl.        86400    IN    NS    virtual.jasnet.pl.
> > > ;; Received 91 bytes from 149.156.1.6#53(G-DNS.pl) in 19 ms
> >
> > That may be part of the problem, and it needs to be fixed, but I don't
> > think that's all of it.
> >
> 
> > > When dns client asks my server for A record of "www.goleszow.pl" -
> > > everything is fine. But when first query (after cache is flushed) asks for
> > > AAAA record - my server seems to cache negative answer and all subsequent
> > > queries for A record also fails. ...
> > > [snip]
> > > This is what I found in the Bind cache:
> > > # rndc dumpdb -all
> > > # cat /var/named/log/named_dump.db | grep virt
> > > goleszow.pl.            85994   NS      virtual.jasnet.pl.
> > >                         85994   NS      virtual.sincom.pl.
> > > virtual.jasnet.pl.      3194    A       85.202.208.254
> > > virtual.sincom.pl.      3194    \-ANY   ;-$NXDOMAIN
> > > ; virtual.jasnet.pl alias jasnet.pl [v4 TTL 3194] [target TTL 3194] [v4 success] [v6 unexpected]
> > > ; virtual.sincom.pl [v4 TTL 3194] [v6 TTL 3194] [v4 nxdomain] [v6 nxdomain]
> > >
> > > Which for me doesn't explain this behaviour. Please advise.
> >
> > Note that line beginning "virtual.jasnet.pl alias jasnet.pl".  jasnet.pl
> > is delegated to ns10.az.pl and ns11.az.pl.  If you ask them for an A
> > record for virtual.jasnet.pl you get an A record; if you ask for AAAA
> > you get a CNAME pointing to jasnet.pl.  I can't imagine what sort of
> > configuration could cause that to happen.  I'm also not sure how that
> > might be screwing up your lookups, but it's certainly weird.  On the
> > 'fix what you know to be broken' principle I'd try to get that and the
> > broken delegation sorted first before looking any further.
> >
> > Sam
> >
> >
> Thank you Sam for pointing this out. This is probably the real source of the
> problem. I looked over what could cause such a situation and so far found an old
> bug in PowerDNS (but don't know if they use it!) which generated such
> answers when using wildcards.
> 
> After some reading my present understanding is that correct response to AAAA
> query when there is such record in the zone and there exists another record
> of different type for the same name - is to reply with empty answer and no
> error (this applies to authoritative NS). So what ns10.az.pl does is not
> consistent with specification.
> However, I'm still not sure if bind shouldn't cope with this somehow. I
> understand that if it applied to the final query for "www.goliszew.pl" then it
> would be correct for bind to cache it as negative for all types of records.
> But if it concerns a bad response for NS? - I don't know.
> 
> Thanks
> 
> Michal

Well, one of the nameservers does not exist and the other is a CNAME.
Both of these are fatal errors for the particular nameserver and,
as there are only two nameservers for the zone, lookups fail.

Add A records to the sincom.pl and jasnet.pl zones for virtual.sincom.pl
and virtual.jasnet.pl respectively.

Mark

; <<>> DiG 9.3.6-P1 <<>> virtual.sincom.pl aaaa @ns11.az.pl
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45587
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;virtual.sincom.pl.		IN	AAAA

;; AUTHORITY SECTION:
sincom.pl.		3600	IN	SOA	ns10.az.pl. admin.az.pl. 2009101603 10800 3600 604800 3600

;; Query time: 356 msec
;; SERVER: 62.146.68.200#53(62.146.68.200)
;; WHEN: Wed Feb 24 09:12:16 2010
;; MSG SIZE  rcvd: 85


; <<>> DiG 9.7.0rc1 <<>> virtual.jasnet.pl aaaa @ns11.az.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11702
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;virtual.jasnet.pl.		IN	AAAA

;; ANSWER SECTION:
virtual.jasnet.pl.	3600	IN	CNAME	jasnet.pl.

;; AUTHORITY SECTION:
jasnet.pl.		3600	IN	SOA	ns10.az.pl. admin.az.pl. 2009091500 10800 3600 604800 3600

;; Query time: 334 msec
;; SERVER: 62.146.68.200#53(62.146.68.200)
;; WHEN: Wed Feb 24 09:13:32 2010
;; MSG SIZE  rcvd: 99

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
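
The diagnosis in the reply above can be checked mechanically. The following is an added example, not part of the original message or of BIND: it parses trimmed copies of the two dig responses quoted above and flags each NS target that is unusable. The function names `parse_dig` and `check_ns_target` are illustrative.

```python
import re

# Trimmed copies of the two dig responses quoted in the message above.
DIG_SINCOM = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45587
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;virtual.sincom.pl.      IN  AAAA
"""
DIG_JASNET = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11702
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;virtual.jasnet.pl.      IN  AAAA

;; ANSWER SECTION:
virtual.jasnet.pl.  3600  IN  CNAME  jasnet.pl.
"""

def parse_dig(text):
    """Return (status, qname, answers) from dig's default text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    section, qname, answers = None, None, []
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
        elif not line.strip():
            section = None  # a blank line ends the current section
        elif section == "QUESTION":
            qname = line.lstrip(";").split()[0].lower()
        elif section == "ANSWER" and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((name.lower(), rtype, rdata))
    return status, qname, answers

def check_ns_target(text):
    """Classify one NS target as (name, usable, reason)."""
    status, qname, answers = parse_dig(text)
    if status == "NXDOMAIN":
        return qname, False, "name does not exist"
    # RFC 2181 section 10.3: an NS target must not be an alias.
    if any(n == qname and t == "CNAME" for n, t, _ in answers):
        return qname, False, "name is a CNAME"
    if status != "NOERROR":
        return qname, False, "lookup failed: " + status
    return qname, True, "ok"  # includes an empty NOERROR (NODATA) answer
```

A zone is resolvable only if at least one of its NS targets comes back usable; here both fail, which matches the lookups failing.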


