[nsd-users] aa flag not set
Camiel Dobbelaar
cd at sentia.nl
Thu Apr 19 11:47:41 UTC 2012
I see that this was a fix in 3.2.9. We're on 3.2.8.
We'll do the upgrade first, sorry for the noise. :-)
Regards,
Camiel
On 19-4-2012 13:05, Camiel Dobbelaar wrote:
>
> We have problems with the following zone, which is configured for a
> "netscaler". ( http://support.citrix.com/article/CTX124727 )
>
> (obfuscated and shortened, real domain/zone on request)
>
> domain. 2560 SOA ns.sentia.nl. postmaster.domain.
> 161803399 16384 2048 1048576 2560
>
> domain. 259200 NS ns.sentia.nl.
> domain. 259200 NS ns2.sentia.nl.
> domain. 259200 NS ns.sentia.net.
>
> gslb.domain. NS ns1.gslb.domain.
>
> ns1.gslb.domain. A 1.1.1.1
>
> portal0.domain. CNAME portal0.gslb.domain.
>
>
> The point is that queries for "portal0.domain" should ultimately be
> answered by the nameserver running on the loadbalancer, so the gslb
> subdomain is delegated to the loadbalancer.
>
>
> Here's what we think is the problem. NSD does not set the 'aa' flag
> when asked for "portal0.domain". It does try to be helpful with other
> records though.
>
> ; <<>> DiG 9.4.2-P2 <<>> @ns.sentia.net portal0.domain
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64200
> ;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;portal0.domain. IN A
>
> ;; ANSWER SECTION:
> portal0.domain. 86400 IN CNAME portal0.gslb.domain.
>
> ;; AUTHORITY SECTION:
> gslb.domain. 86400 IN NS ns1.gslb.domain.
> domain. 259200 IN NS ns.sentia.nl.
> domain. 259200 IN NS ns2.sentia.nl.
> domain. 259200 IN NS ns.sentia.net.
>
> ;; ADDITIONAL SECTION:
> ns1.gslb.domain. 86400 IN A 1.1.1.1
>
> ;; Query time: 19 msec
> ;; SERVER: 85.158.166.69#53(85.158.166.69)
> ;; WHEN: Thu Apr 19 12:54:02 2012
> ;; MSG SIZE rcvd: 188
>
>
> When asking explicitly for a cname it _does_ set the aa flag:
>
> ; <<>> DiG 9.4.2-P2 <<>> @ns.sentia.net cname portal0.domain
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34697
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;portal0.domain. IN CNAME
>
> ;; ANSWER SECTION:
> portal0.domain. 86400 IN CNAME portal0.gslb.domain.
>
> ;; AUTHORITY SECTION:
> domain. 259200 IN NS ns.sentia.nl.
> domain. 259200 IN NS ns2.sentia.nl.
> domain. 259200 IN NS ns.sentia.net.
>
> ;; Query time: 16 msec
> ;; SERVER: 85.158.166.69#53(85.158.166.69)
> ;; WHEN: Thu Apr 19 12:55:11 2012
> ;; MSG SIZE rcvd: 154
>
>
> This causes problems for a Bind9 resolver. When we flush the cache it
> cannot resolve "portal0.domain". Only after asking for the cname
> explicitly first, it can subsequently be resolved.
>
> One more data point: a dnscache resolver does not seem to have a problem
> with it.
>
>
> Regards,
> Camiel
>
>
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
More information about the nsd-users
mailing list