<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">My guess is that MS DNS is failing to treat the authoritative CNAME result from the <a href="http://www.careerone.com.au">www.careerone.com.au</a> servers (which shouldn't even be authoritative) as more trustworthy than the NS records it received in the referral from the parent zone. This then causes that CNAME record to be rejected, which then kills the whole process.<div><br></div><div>The BIND name server sees the CNAME record and, apparently, at least works with it long enough to build an answer to the query it received. It doesn't seem to want to cache it, and so ends up looking it up again more often than should be necessary. But at least it's able to answer queries.</div><div><br></div><div>Chris Buxton</div><div>BlueCat Networks<br><div><br><div><div>On Sep 18, 2012, at 9:59 AM, M. Meadows wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div class="hmmessage" style="font-size: 10pt; font-family: Tahoma; "><div dir="ltr"><br>Thanks Kevin. I understand how the chained alias works. Sorry, I didn't explain my question very well.<br><br>I can see that the 8.8.8.8 google public dns server gets an answer.<br><br>I know that this domain has a cname coexisting with an SOA record and NS records ... both of which I have read are a bad thing. And I've seen the other reply that indicates that this combination of records in a zone file wouldn't even load in BIND ... so it's done with some other more forgiving DNS app.<span class="Apple-converted-space"> </span><br><br>What I also see (but failed to explain) is that we have a local nameserver that can't find an answer to the dig<a href="http://www.careerone.com.au/">www.careerone.com.au</a><span class="Apple-converted-space"> </span>query. Gets no record back. Our local nameserver is an AD server that just throws up its imaginary hands in despair. So is this what we should expect from this problematic DNS setup in the<span class="Apple-converted-space"> </span><a href="http://www.careerone.com.au/">www.careerone.com.au</a><span class="Apple-converted-space"> </span>zone file? Erratic or somewhat erratic results? Just curious why google and some other public facing dns servers get an answer when our own local nameserver can't figure it out.<br><br><br><br><div><div id="SkyDrivePlaceholder"></div><hr id="stopSpelling">Date: Tue, 18 Sep 2012 11:18:58 -0400<br>From: <a href="mailto:kcd@chrysler.com">kcd@chrysler.com</a><br>To: <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>Subject: Re: question about how a particular dig works ...<br><br><div class="ecxmoz-cite-prefix">On 9/18/2012 9:45 AM, M. Meadows wrote:<br></div><blockquote cite="mid:BLU156-W176DCC64F05372698F1620F3940@phx.gbl"><div dir="ltr"><br>dig<span class="Apple-converted-space"> </span><a class="ecxmoz-txt-link-abbreviated" href="http://www.careerone.com.au/" target="_blank">www.careerone.com.au</a><span class="Apple-converted-space"> </span>+short @8.8.8.8<br><a class="ecxmoz-txt-link-abbreviated" href="http://www.careerone.com.au.edgesuite.net/" target="_blank">www.careerone.com.au.edgesuite.net</a>.<br><a href="http://a903.g.akamai.net">a903.g.akamai.net</a>.<br>208.44.23.99<br>208.44.23.121<br><br>Why does the above dig work when<span class="Apple-converted-space"> </span><br><br>dig <a href="http://careerone.com.au">careerone.com.au</a> +nssearch @8.8.8.8<br>SOA <a href="http://dns0.news.com.au">dns0.news.com.au</a>. <a href="http://hostmaster.news.com.au">hostmaster.news.com.au</a>. 2012082200 3600 1200 86400 1200 from server <a href="http://usw1.akam.net">usw1.akam.net</a> in 106 ms.<br>SOA <a href="http://dns0.news.com.au">dns0.news.com.au</a>. <a href="http://hostmaster.news.com.au">hostmaster.news.com.au</a>. 2012082200 3600 1200 86400 1200 from server <a href="http://usw4.akam.net">usw4.akam.net</a> in 136 ms.<br>SOA <a href="http://dns0.news.com.au">dns0.news.com.au</a>. <a href="http://hostmaster.news.com.au">hostmaster.news.com.au</a>. 2012082200 3600 1200 86400 1200 from server <a href="http://usc4.akam.net">usc4.akam.net</a> in 124 ms.<br>SOA <a href="http://dns0.news.com.au">dns0.news.com.au</a>. <a href="http://hostmaster.news.com.au">hostmaster.news.com.au</a>. 2012082200 3600 1200 86400 1200 from server <a href="http://usc1.akam.net">usc1.akam.net</a> in 40 ms.<br>SOA <a href="http://dns0.news.com.au">dns0.news.com.au</a>. <a href="http://hostmaster.news.com.au">hostmaster.news.com.au</a>. 2012082200 3600 1200 86400 1200 from server <a href="http://usw5.akam.net">usw5.akam.net</a> in 190 ms.<br>SOA <a href="http://dns0.news.com.au">dns0.news.com.au</a>. <a href="http://hostmaster.news.com.au">hostmaster.news.com.au</a>. 2012082200 3600 1200 86400 1200 from server <a href="http://ns1-24.akam.net">ns1-24.akam.net</a> in 171 ms.<br>SOA <a href="http://dns0.news.com.au">dns0.news.com.au</a>. <a href="http://hostmaster.news.com.au">hostmaster.news.com.au</a>. 2012082200 3600 1200 86400 1200 from server <a href="http://asia1.akam.net">asia1.akam.net</a> in 161 ms.<br>SOA <a href="http://dns0.news.com.au">dns0.news.com.au</a>. <a href="http://hostmaster.news.com.au">hostmaster.news.com.au</a>. 2012082200 3600 1200 86400 1200 from server <a href="http://ns1-50.akam.net">ns1-50.akam.net</a> in 161 ms.<br><br>shows 8 auth nameservers for <a href="http://careerone.com.au">careerone.com.au</a><br><br>and if you use<span class="Apple-converted-space"> </span><br><br>dig<span class="Apple-converted-space"> </span><a class="ecxmoz-txt-link-abbreviated" href="http://www.careerone.com.au/" target="_blank">www.careerone.com.au</a><span class="Apple-converted-space"> </span>+short @<any of the 8 auth nameservers><span class="Apple-converted-space"> </span><br><br>you get no answer.<br><br>How does that work? Where does the 8.8.8.8 google public dns server get its answer from?<br><br></div></blockquote><a class="ecxmoz-txt-link-abbreviated" href="http://www.careerone.com.au/" target="_blank">www.careerone.com.au</a><span class="Apple-converted-space"> </span>is an alias (through chained aliasing) ultimately to <a href="http://a903.g.akamai.net">a903.g.akamai.net</a>. To get an authoritative answer for <a href="http://a903g.akamai.net">a903g.akamai.net</a> you'd need to ask one of the <a href="http://g.akamai.net">g.akamai.net</a> nameservers. Which is presumably what Google's public resolver did to get the answers it returned to your query.<br><br> - Kevin<br><br>_______________________________________________ Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list bind-users mailing list <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a> <a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></div></div>_______________________________________________<br>Please visit<span class="Apple-converted-space"> </span><a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a><span class="Apple-converted-space"> </span>to unsubscribe from this list<br><br>bind-users mailing list<br><a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br><a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></div></span></blockquote></div><br></div></div></body></html>