<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.yiv5613757701msonormal, li.yiv5613757701msonormal, div.yiv5613757701msonormal
{mso-style-name:yiv5613757701msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.yiv5613757701msochpdefault, li.yiv5613757701msochpdefault, div.yiv5613757701msochpdefault
{mso-style-name:yiv5613757701msochpdefault;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.yiv5613757701msonormal1, li.yiv5613757701msonormal1, div.yiv5613757701msonormal1
{mso-style-name:yiv5613757701msonormal1;
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.yiv5613757701msochpdefault1, li.yiv5613757701msochpdefault1, div.yiv5613757701msochpdefault1
{mso-style-name:yiv5613757701msochpdefault1;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
span.yiv5613757701msohyperlink
{mso-style-name:yiv5613757701msohyperlink;}
span.yiv5613757701msohyperlinkfollowed
{mso-style-name:yiv5613757701msohyperlinkfollowed;}
span.yiv5613757701emailstyle17
{mso-style-name:yiv5613757701emailstyle17;}
span.yiv5613757701msohyperlink1
{mso-style-name:yiv5613757701msohyperlink1;
color:#0563C1;
text-decoration:underline;}
span.yiv5613757701msohyperlinkfollowed1
{mso-style-name:yiv5613757701msohyperlinkfollowed1;
color:#954F72;
text-decoration:underline;}
span.yiv5613757701emailstyle171
{mso-style-name:yiv5613757701emailstyle171;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle27
{mso-style-type:personal;
color:black;}
span.EmailStyle28
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle29
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Hi Kevin,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Thanks for nice explanation.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I am not using ‘forward’ in my dns server.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>It’s a pure caching server.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Gaurav Kansal<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> bind-users-bounces@lists.isc.org [mailto:bind-users-bounces@lists.isc.org] <b>On Behalf Of </b>Darcy Kevin (FCA)<br><b>Sent:</b> Tuesday, June 16, 2015 1:59 AM<br><b>To:</b> bind-users@lists.isc.org<br><b>Subject:</b> RE: Automatic . NS queries from BIND<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'>Right, we know how hints files are used, but I think you guys may be missing the underlying conundrum: why is named querying the NS records of the root zone more often than the TTL of that RRset? See that there is a “NS? .” query at 15:36:44 and then another one at 15:45:52. At 15:45:52 it should have answered its client from the data it cached from the answer to the 15:36:44 query (less than 10 minutes previous).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'>Is named not seeing a response from the root servers in question? Is the max-cache-ttl being capped at a ridiculously-small value?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'>The NS queries of other names besides “.” itself are red herrings. They are all unique names – dot-terminated octet strings, names in the “.mr” TLD, “comp-HP.” -- and we wouldn’t expect them to have been cached previously. But an answer to “NS? .” should be cached for *<b>days</b>*, not just a few minutes.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'>I’m speculating that this might not be a pure “caching DNS server” after all; it might be a forwarder with “forward first” defined. In that case, if the forwarding path experiences occasional delays, then named will fail over to trying iterative resolution, and if the routing and/or firewall rules were never set up to allow that, then the symptoms would be as documented, since named would never get a response from the root servers. General rule: use “forward only” if you must use forwarders *<b>exclusively</b>*; “forward first” is only for *<b>opportunistic</b>* forwarding, where you still have the ability to fall back to iterative resolution, if and when necessary. (Personally, I’m not much of a fan of “forward first”, since it rarely if ever produces the performance benefit expected, or, even if it lowers the <b>average </b>query latency, it does so at the expense of the <b>worst-case</b> latency -- cache miss plus slow authoritative nameservers and/or misconfigured delegations -- and it’s worst-case that causes apps to time out, to break, and ultimately, users to show up bearing pitchforks and burning oil).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'> - Kevin<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> <a href="mailto:bind-users-bounces@lists.isc.org">bind-users-bounces@lists.isc.org</a> [<a href="mailto:bind-users-bounces@lists.isc.org">mailto:bind-users-bounces@lists.isc.org</a>] <b>On Behalf Of </b>Leonard Mills<br><b>Sent:</b> Monday, June 15, 2015 3:05 PM<br><b>To:</b> Gaurav Kansal; <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br><b>Subject:</b> Re: Automatic . NS queries from BIND<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div id="yui_3_16_0_1_1434394331710_8231"><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>The hints hopefully point eventually to an authoritative server for ".". <o:p></o:p></span></p></div><div id="yui_3_16_0_1_1434394331710_8232"><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>Whatever that authoritative server says overrides any hints, just like any other zone's authoritative NS. It does not matter how obsolete a delegation is, so long as some authoritative NS replies, the data from the delegation (hints) no longer matters.<o:p></o:p></span></p></div><div id="yui_3_16_0_1_1434394331710_8422"><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'><o:p> </o:p></span></p></div><div id="yui_3_16_0_1_1434394331710_8426"><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>HtH<o:p></o:p></span></p></div><div id="yui_3_16_0_1_1434394331710_8424"><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>Len<o:p></o:p></span></p></div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'><o:p> </o:p></span></p><div><p class=MsoNormal style='margin-bottom:12.0pt;background:white'><span style='font-family:"Helvetica",sans-serif;color:black'><o:p> </o:p></span></p></div><div><div><div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'>On Monday, June 15, 2015 6:14 AM, Gaurav Kansal <<a href="mailto:gaurav.kansal@nic.in">gaurav.kansal@nic.in</a>> wrote:</span><span style='font-family:"Helvetica",sans-serif;color:black'><o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt;background:white'><span style='font-family:"Helvetica",sans-serif;color:black'><o:p> </o:p></span></p><div><div id=yiv5613757701><div><div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>Dear Team,<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>My caching DNS server is generating log of . NS queries to ROOT Servers. <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>I have a hint file in my bind configuration and the same is up-to date.<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>The same behavior is occurring in multiple versions of BIND (tested on 9.7, 9.9 and on 9.10).<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>It must be for some purpose (may be BIND doesn’t trust hint file and cross check it from root servers).<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>Can anyone put some light on this.<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><u><span style='font-family:"Helvetica",sans-serif;color:black'>Sample tcpdump output :-</span></u><span style='font-family:"Helvetica",sans-serif;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907 [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain: 3841 [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain: 6314 [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain: 27973 [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519 [1au] NS? 117.240.177.150. (44)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400 [1au] NS? 1.mr. (33)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+ [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain: 55928+ [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain: 7266+ [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129 [1au] NS? comp-HP. (36)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain: 8774+ [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain: 63433+ [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain: 48439+ [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain: 5347+ [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain: 54768+ [1au] NS? . (28)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771 [1au] NS? 116.73.202.141. (43)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>16:51:14.835539 IP anydnsmby.19616 > i.root-servers.net.domain: 14926 [1au] NS? 116.73.202.141. (43)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>17:25:16.706395 IP anydnsmby.58045 > i.root-servers.net.domain: 30880 [1au] NS? 2.mr. (33)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>17:25:16.707072 IP anydnsmby.38495 > i.root-servers.net.domain: 43451 [1au] NS? 6.mr. (33)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>17:25:16.707989 IP anydnsmby.35834 > i.root-servers.net.domain: 61843 [1au] NS? 3.mr. (33)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>17:56:44.855060 IP anydnsmby.61903 > a.root-servers.net.domain: 23284 [1au] NS? 172.192.168.2. (42)<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>Regards,<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica",sans-serif;color:black'>Gaurav Kansal<o:p></o:p></span></p></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt;background:white'><span style='font-family:"Helvetica",sans-serif;color:black'><br>_______________________________________________<br>Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users </a>to unsubscribe from this list<br><br>bind-users mailing list<br><a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><o:p></o:p></span></p></div></div></div></div></div></div></body></html>