
Re: Problems resolving - no answer section?: msg#00663

network.dns.bind.user

Subject: Re: Problems resolving - no answer section?

In article <bb631j$2dio$1@xxxxxxxxxxx>,
Treptow, Craig <Treptow.Craig@xxxxxxxxxxxxx> wrote:
>Hi. We're running BIND 8.3.4 on Solaris.
>
>We're having problems consistently resolving www9.stpaul.com.
>
>Quite frequently, we can't resolve it. Here is an example:
>
>; <<>> DiG 8.3 <<>> +rec www9.stpaul.com a
>;; res options: init recurs defnam dnsrch
>;; res_nsend to server default -- 162.131.23.103: Connection timed out
>
>In these cases, I've captured the response coming back from
>pubwood1.stpaul.com or pubchq1.stpaul.com and it will not have an answer
>section:
>
>Domain Name System (response)
> Transaction ID: 0x952d
> Flags: 0x8080 (Standard query response, No error)
> 1... .... .... .... = Response: Message is a response
> .000 0... .... .... = Opcode: Standard query (0)
> .... .0.. .... .... = Authoritative: Server is not an authority for domain
> .... ..0. .... .... = Truncated: Message is not truncated
> .... ...0 .... .... = Recursion desired: Don't do query recursively
> .... .... 1... .... = Recursion available: Server can do recursive queries
> .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
> .... .... .... 0000 = Reply code: No error (0)
> Questions: 1
> Answer RRs: 0
> Authority RRs: 2
> Additional RRs: 3
> Queries
> www9.stpaul.com: type A, class inet
> Name: www9.stpaul.com
> Type: Host address
> Class: inet
> Authoritative nameservers
> www9.stpaul.com: type NS, class inet, ns chqpubdd1.stpaul.com
> Name: www9.stpaul.com
> Type: Authoritative name server
> Class: inet
> Time to live: 5 seconds
> Data length: 12
> Name server: chqpubdd1.stpaul.com
> www9.stpaul.com: type NS, class inet, ns woodpubdd1.stpaul.com
> Name: www9.stpaul.com
> Type: Authoritative name server
> Class: inet
> Time to live: 5 seconds
> Data length: 13
> Name server: woodpubdd1.stpaul.com
> Additional records
> chqpubdd1.stpaul.com: type A, class inet, addr 170.202.254.250
> Name: chqpubdd1.stpaul.com
> Type: Host address
> Class: inet
> Time to live: 5 seconds
> Data length: 4
> Addr: 170.202.254.250
> woodpubdd1.stpaul.com: type A, class inet, addr 170.202.224.250
> Name: woodpubdd1.stpaul.com
> Type: Host address
> Class: inet
> Time to live: 5 seconds
> Data length: 4
> Addr: 170.202.224.250
> <Root>: type OPT, class unknown
> Name: <Root>
> Type: EDNS0 option
> UDP payload size: 4096
> Higher bits in extended RCODE: 0x0
> EDNS0 version: 0
> Must be zero: 0x0
> Data length: 0
> Data
>
>Is this just a referral and at this point, my nameservers should be
>querying chqpubdd1.stpaul.com or woodpubdd1.stpaul.com for
>www9.stpaul.com? They don't, though, so I'm starting to believe that
>the response could be bogus.

Yes, it's a perfectly valid referral. It looks like stpaul.com uses Cisco
Distributed Directors to distribute the load for www9.stpaul.com, so the
subdomain is delegated to chqpubdd1.stpaul.com and woodpubdd1.stpaul.com.

I suspect the problem is related to the 5-second TTLs on the NS and A
records in the referral. I'm not sure why they have such short timeouts on
this -- it's normal to have short timeouts on the answers that the DD's
send (they're set to 10 seconds), but there's rarely a good reason for
short timeouts on the delegation records. However, I'm not sure why this
would cause problems, it's just the only suspicious thing I can see.

--
Barry Margolin, barry.margolin@xxxxxxxxxx
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
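
Added example, not part of the original thread: a small Python classifier that applies the reading given in the reply above (NOERROR, zero answer RRs, AA clear, NS records in the authority section means a referral) to a raw DNS message and reports the lowest NS TTL in the delegation. The functions `classify` and `build_sample` are names made up for this example; the sample message is constructed from the header flags and authority records shown in the capture (additional section omitted), and the parser assumes a well-formed message.

```python
import struct

NS = 2  # RR type code for NS (RFC 1035)

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:             # root label terminates the name
            return off

def classify(msg):
    """Return (kind, lowest NS TTL in the authority section or None)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    ns_ttls = []
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an and rtype == NS:              # only authority-section NS RRs
            ns_ttls.append(ttl)
    if rcode == 3:
        kind = "nxdomain"
    elif rcode != 0:
        kind = "error"
    elif an > 0:
        kind = "answer"
    elif ns_ttls and not aa:
        kind = "referral"                        # delegation to the listed servers
    else:
        kind = "nodata"
    return kind, min(ns_ttls, default=None)

def build_sample():
    """Constructed message: header and authority section as in the capture above."""
    question = encode_name("www9.stpaul.com") + struct.pack("!HH", 1, 1)
    msg = struct.pack("!6H", 0x952D, 0x8080, 1, 0, 2, 0) + question
    for server in ("chqpubdd1.stpaul.com", "woodpubdd1.stpaul.com"):
        rdata = encode_name(server)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", NS, 1, 5, len(rdata)) + rdata
    return msg
```

Calling `classify(build_sample())` returns the kind together with the 5-second delegation TTL that the reply flags as the only suspicious detail.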



