RE: Problems resolving - no answer section?

Thanks.  See my other post on this thread.  The problem looks like it =
might be on my end, unless a bunch of other people jump in and say they =
are also seeing problems.

-----Original Message-----
From: Barry Margolin [mailto:barry.margolin@xxxxxxxxxx]
Sent: Thursday, May 29, 2003 6:04 PM
To: comp-protocols-dns-bind@xxxxxxx
Subject: Re: Problems resolving - no answer section?


In article <bb631j$2dio$1@xxxxxxxxxxx>,
Treptow, Craig <Treptow.Craig@xxxxxxxxxxxxx> wrote:
>Hi.  We're running BIND 8.3.4 on Solaris.
>
>We're having problems consistently resolving www9.stpaul.com.
>
>Quite frequently, we can't resolve it.  Here is an example:
>
>; <<>> DiG 8.3 <<>> +rec www9.stpaul.com a=3D20
>;; res options: init recurs defnam dnsrch
>;; res_nsend to server default -- 162.131.23.103: Connection timed out
>
>In these cases, I've captured the response coming back from =3D
>pubwood1.stpaul.com or pubchq1.stpaul.com and it will not have an =
answer =3D
>section:
>
>Domain Name System (response)
>    Transaction ID: 0x952d
>    Flags: 0x8080 (Standard query response, No error)
>        1... .... .... .... =3D3D Response: Message is a response
>        .000 0... .... .... =3D3D Opcode: Standard query (0)
>        .... .0.. .... .... =3D3D Authoritative: Server is not an =3D
>authority for domain
>        .... ..0. .... .... =3D3D Truncated: Message is not truncated
>        .... ...0 .... .... =3D3D Recursion desired: Don't do query =3D
>recursively
>        .... .... 1... .... =3D3D Recursion available: Server can do =
=3D
>recursive queries
>        .... .... ..0. .... =3D3D Answer authenticated: =
Answer/authority =3D
>portion was not authenticated by the server
>        .... .... .... 0000 =3D3D Reply code: No error (0)
>    Questions: 1
>    Answer RRs: 0
>    Authority RRs: 2
>    Additional RRs: 3
>    Queries
>        www9.stpaul.com: type A, class inet
>            Name: www9.stpaul.com
>            Type: Host address
>            Class: inet
>    Authoritative nameservers
>        www9.stpaul.com: type NS, class inet, ns chqpubdd1.stpaul.com
>            Name: www9.stpaul.com
>            Type: Authoritative name server
>            Class: inet
>            Time to live: 5 seconds
>            Data length: 12
>            Name server: chqpubdd1.stpaul.com
>        www9.stpaul.com: type NS, class inet, ns woodpubdd1.stpaul.com
>            Name: www9.stpaul.com
>            Type: Authoritative name server
>            Class: inet
>            Time to live: 5 seconds
>            Data length: 13
>            Name server: woodpubdd1.stpaul.com
>    Additional records
>        chqpubdd1.stpaul.com: type A, class inet, addr 170.202.254.250
>            Name: chqpubdd1.stpaul.com
>            Type: Host address
>            Class: inet
>            Time to live: 5 seconds
>            Data length: 4
>            Addr: 170.202.254.250
>        woodpubdd1.stpaul.com: type A, class inet, addr 170.202.224.250
>            Name: woodpubdd1.stpaul.com
>            Type: Host address
>            Class: inet
>            Time to live: 5 seconds
>            Data length: 4
>            Addr: 170.202.224.250
>        <Root>: type OPT, class unknown
>            Name: <Root>
>            Type: EDNS0 option
>            UDP payload size: 4096
>            Higher bits in extended RCODE: 0x0
>            EDNS0 version: 0
>            Must be zero: 0x0
>            Data length: 0
>            Data
>
>Is this just a referral and at this point, my nameservers should be =3D
>querying chqpubdd1.stpaul.com or woodpubdd1.stpaul.com for =3D
>www9.stpaul.com?  They don't, though, so I'm starting to believe that =
=3D
>the response could be bogus.=3D20

Yes, it's a perfectly valid referral.  It looks like stpaul.com uses =
Cisco
Distributed Directors to distribute the load for www9.stpaul.com, so the
subdomain is delegated to chqpubdd1.stpaul.com and =
woodpubdd1.stpaul.com.

I suspect the problem is related to the 5-second TTLs on the NS and A
records in the referral.  I'm not sure why they have such short timeouts =
on
this -- it's normal to have short timeouts on the answers that the DD's
send (they're set to 10 seconds), but there's rarely a good reason for
short timeouts on the delegation records.  However, I'm not sure why =
this
would cause problems, it's just the only suspicious thing I can see.

--=20
Barry Margolin, barry.margolin@xxxxxxxxxx
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to =
newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the =
group.