Reverse lookup failing when arpa.dlv.isc.org appeared

Chris Thompson cet1 at cam.ac.uk
Thu Mar 25 12:21:55 UTC 2010


I'll be reporting this to bind-bugs, but I thought I would mention it here
in case others can confirm the effect.

Our two main recursive nameservers used DNSSEC validation via dlv.isc.org.
In the past we have had suspicions that there are glitches when new entries
appear in the DLV zone. For example, we got reports that users were
temporarily unable to access CERN web sites on the morning that "cz"
went into dlv.isc.org.

So I have been waiting with some trepidation for "arpa" to go in,
although I held out the hope that any bugs of this sort would have
been fixed by BIND 9.6.2, which we are now using. Well, it seems
that they haven't. "arpa" went into dlv.isc.org this morning, and
by the time I noticed that, one of the nameservers was giving SERVFAILs
for many reverse lookups until I did an "rndc flushname arpa" on it.
The other seemed OK, but I suspect it had been giving such SERVFAILs
earlier.

Of course, in an ideal world I would have taken cache dumps, etc, but
these are operationally significant servers and it was more important
to get reverse lookup working again asap.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk


