Howdy all, we're running 9.5.0-P2 (fairly recent) on two servers that are recursive DNS sources for a medium-sized college. This week, we had more than a few users complaining about craigslist.org and www.chase.com not resolving, and sure enough when I checked with dig one of Craigslist's NS servers was not working right (sending SERVFAIL replies).

An "rndc flush" did not seem to get things working again immediately, so I stopped and restarted named. I don't know what was up with Chase; I didn't hear about that problem until after I fixed it. I am tempted to chalk this up to negative caching, but the default is only a few hours, and by the time I was notified, the users were complaining they had been having problems with Craigslist for 2 weeks. Just out of curiosity, I tuned max-ncache-ttl down to 10 min, but max-ncache-ttl only affects caching of NXDOMAIN replies as I understand it.

Is BIND negative caching on SERVFAIL responses as well as NXDOMAIN responses? (Unlikely.) What's the behavior of a recursive lookup when one NS host is dead and the others are working? Does BIND try all of them or give up after the first?

Our setup is pretty generic, except that we allow the whole world access for authoritative responses but allow recursive access only to "inside" addresses with an "allow-recursion" statement. I suppose this allows the rest of the world to try their hand at messing up our cache. Chase and Craigslist being high-profile targets ... I searched around and Craigslist did have some DNS problems last month, but mostly it was just people whining about it being their carrier's fault somehow.

Well, I'll stop my rambling on about this, and if anyone has any thoughts on the matter, thanks in advance,

-W Sanders
http://wsanders.net

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
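Not part of the original post: an added shell check that asks each of a zone's listed nameservers directly (recursion disabled) and reports the RCODE each one returns, which is how to tell a dead authoritative server from a failure the local resolver has cached. It assumes dig from the BIND utilities is installed; the script name and the zone and hostname arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Query every NS for a zone
# directly and print the RCODE each returns, so that a SERVFAIL coming
# from one authoritative server is visible separately from what the
# local recursive cache answers. Requires dig (BIND utilities).

# Pull the RCODE out of dig's header line:
#   ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345"
# Prints NOANSWER when no header is present (timeout or unreachable).
dig_status() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo NOANSWER
    else
        echo "$status"
    fi
}

# Query one nameserver for NAME/TYPE with the RD bit cleared, so the
# reply reflects that server's own authoritative data, not its cache.
query_ns() {
    # $1 = nameserver host, $2 = name, $3 = record type
    dig +norecurse +time=3 +tries=1 "@$1" "$2" "$3" 2>/dev/null
}

# List the NS hosts for a zone (as the local resolver sees them), then
# ask each of them for NAME directly and print "<ns> <rcode>" per line.
check_all_ns() {
    zone=$1; name=$2; type=${3:-A}
    for ns in $(dig +short NS "$zone"); do
        out=$(query_ns "$ns" "$name" "$type")
        printf '%s %s\n' "$ns" "$(dig_status "$out")"
    done
}

# Usage (placeholder names): sh checkns.sh craigslist.org www.craigslist.org
if [ $# -ge 2 ]; then
    check_all_ns "$1" "$2" "$3"
fi
```

A server that shows SERVFAIL or NOANSWER here while the others show NOERROR is the one to report to the zone owner; if every NS answers NOERROR but the local resolver still fails, the problem is on the resolver side.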