on TTL expiry BIND sends 'ANY' query, gets back 'NOANSWER'
cra at WPI.EDU
Wed Apr 8 21:00:08 UTC 2015
On Wed, Apr 08, 2015 at 03:58:00PM -0400, Barry Margolin wrote:
> In article <mailman.1922.1428521124.26362.bind-users at lists.isc.org>,
> Chuck Anderson <cra at WPI.EDU> wrote:
> > 1. On TTL expiry, BIND sends an 'ANY' query for the RR in question to
> > the authoritative servers for the zone (load balancers). This
> > happens even if there is no current recursive query being processed
> > by BIND for this name. It seems that BIND does this to attempt to
> > "refresh" the cache in advance of another recursive query coming
> > in.
> Are you sure it's BIND doing this? Refreshing without a query in
> progress is called "proactive refresh" (sometimes abbreviated
> "prefresh"), and there are some nameservers that do it, but I didn't
> think BIND was among them.
No, you are right. My filtered view of the packet capture was missing
the fact that another unrelated client did an 'ANY' query. I found it
in the query log. BIND 9.10 implements prefresh, but I'm on 9.8.2.
> > 2. Unfortunately, the load balancer answers 'NOANSWER' when queried
> > with the 'ANY' type ('A' queries work fine). Is this correct
> > behavior?
> No. An authoritative server should respond with all the records for the
> name, a caching server should respond with all the records it has cached
> for the name.
> > 3. BIND caches the 'NOANSWER' response.
> > 4. When the next recursive query for the 'A' RR for this name comes
> > in, BIND responds 'NOANSWER' from cache.
> > 5. After some time (zone SOA TTL???), BIND ages out this 'NOANSWER'
> The negative cache TTL, i.e. the MinTTL field in the SOA record.
> > from the cache and sends an 'A' query to the auth servers (load
> > balancers). Again, this happens even if there is no current
> > recursive query being serviced for this name, perhaps to "refresh"
> > the cache once again.
> Again, I don't think BIND will force a refresh if there's no query being
> > 6. The load balancer answers with the correct 'A' record response.
> > 7. BIND caches the correct 'A' response.
> > 8. When the next recursive query for the 'A' RR for this name comes
> > in, BIND responds with the correct 'A' record from cache.
> > My questions are, what is at fault here? Is it a BIND bug to expect
> > 'ANY' queries to work? Is it a load balancer bug to respond
> ANY queries should be expected to work when sending to the authoritative
> server, but they're not reliable when sending to a caching server. But
> this is the first I've heard of BIND spontaneously sending ANY queries
> as you describe.
Thanks for your help! It looks like whenever an 'ANY' query comes
into BIND due to the load balancer misbehavior it causes 'NOANSWER' to
be cached for the MinTTL.
I will now go back to the load balancer vendor and see if they can
make it answer 'ANY' queries correctly.
> > 'NOANSWER' to an 'ANY' query? Is it a BIND bug to cache this
> > 'NOANSWER', or should it have instead immediately issued an 'A' query
> > before expiring the cache? Should BIND have not cached 'NOANSWER' at
> > all, and instead just have done an 'A' query as needed when recursing
> > during the servicing of the next query from the client?
> > And finally, is there something I can tweak in BIND to avoid this
> > problem?
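
The comparison the thread turns on (how the same authoritative server answers an 'ANY' versus an 'A' query, and how long an empty answer would be negatively cached) can be checked from raw DNS messages. The following is an added example, not part of the original message; it assumes that 'NOANSWER' means a NOERROR response with an empty answer section (NODATA), and the name www.example.com, the address 192.0.2.10 and both sample responses are constructed.

```python
import struct

QTYPE = {"A": 1, "SOA": 6, "ANY": 255}

def build_query(name, qtype, txid=0x1234):
    """Encode a non-recursive (RD=0) query, as a resolver sends to an authoritative server."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", QTYPE[qtype], 1)

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def classify(msg):
    """Return (verdict, negative_ttl); negative_ttl is None without an authority SOA."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QNAME + QTYPE + QCLASS
    neg_ttl = None
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if i >= an and rtype == QTYPE["SOA"]:
            p = skip_name(msg, skip_name(msg, off))   # past MNAME and RNAME
            minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]
            neg_ttl = min(ttl, minimum)               # RFC 2308: lower of SOA TTL and MINIMUM
        off += rdlen
    rcode = flags & 0xF
    if rcode == 0 and an == 0:
        return "NODATA", neg_ttl
    return ("ANSWER" if rcode == 0 else "RCODE%d" % rcode), neg_ttl

def sample_nodata():
    """Constructed reply to the ANY query: NOERROR, AA, no answers, SOA in authority."""
    soa = b"\x02ns\xc0\x10" + b"\x05admin\xc0\x10" + struct.pack("!5I", 1, 7200, 900, 604800, 300)
    rr = b"\xc0\x10" + struct.pack("!2HIH", 6, 1, 3600, len(soa)) + soa
    return struct.pack("!6H", 0x1234, 0x8400, 1, 0, 1, 0) + build_query("www.example.com", "ANY")[12:] + rr

def sample_a():
    """Constructed reply to the A query for the same name: one A record."""
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    return struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + build_query("www.example.com", "A")[12:] + rr
```

Against a real server, send the bytes from build_query() over UDP port 53 and pass the reply to classify(); a name that yields "ANSWER" for 'A' but "NODATA" for 'ANY' reproduces the load balancer behavior described in the thread.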