On 9/22/2011 8:49 PM, Drunkard Zhang wrote:
> 2011/9/23 Kevin Darcy<k...@chrysler.com>:
>> On 9/21/2011 10:01 PM, Drunkard Zhang wrote:
>>>> Why are you going through all of these gyrations? The forwarding
>>>> algorithm in BIND has for a long time been based on RTT, so if one
>>>> forwarder, or a set of forwarders, stops working, the other(s) will be
>>>> used automatically. In other words, forwarder failover works without
>>>> any special configuration.
>>>>
>>>> I don't even understand your "forward first" solution. "Forward first"
>>>> says to use iterative (non-recursive) resolution if forwarding fails
>>>> (i.e. all the forwarders are non-responsive). How then can you use it
>>>> to fail over from one set of forwarders to another? I don't get it. If
>>>> you send a non-recursive query to a forwarder, you're at the mercy of
>>>> whatever happens to be in its cache at that particular time. You can't
>>>> get reliable resolution that way.
>>> Oops, I misunderstood. But I want to resolve this problem: take
>>> news.qq.com for example. I did see that it was unresolvable by one
>>> group (they returned NXDOMAIN), while at the same time it was no
>>> problem for another group, and "dig news.qq.com +trace" returned the
>>> correct answer on both groups. It seems like it's just a temporary
>>> failure, but I want to correct it. Any other choices?
>> NXDOMAIN is a *permanent* response; at least it's "permanent" in the
>> absence of any change to the relevant DNS RRset or zone.
>>
>> You're almost certainly getting the NXDOMAIN because you're spoofing the
>> root servers, and your "fake" root servers don't have the same knowledge
>> as the real ones, so they'll return NXDOMAIN for some queries (whereas
>> dig +trace does not, because it follows the hierarchy down and asks
>> different nameservers). In other words, you're shooting yourself in the
>> foot with your hints-file trickery.
> No, I've got 2 layers of DNS: the recursive resolution DNS, and the
> dns-cache, which forwards all its queries to the recursive DNS. I want
> the spoofing of root servers to happen on the dns-cache (still not done
> by now); I certainly won't spoof root servers on the recursive DNS.
>
> The NXDOMAIN returned from one group of recursive DNS is a temporary
> failure, while it succeeds from another group of recursive DNS. But I
> want the dns-cache to return success all the time, so I hope the
> dns-cache can ignore the NXDomain from one and forward the same query to
> another recursive DNS again; I guess this can't be done with bind :-(
No, NXDOMAIN is *not* a temporary failure, as per the DNS standards.
It's considered "permanent" (again, subject to a change to the DNS
database itself), and is cached according to the negative-caching TTL.
See RFC 2308.
Are you forwarding to an ISP that does DNS hijacking (see Wikipedia), by
any chance? That might explain why you're getting NXDOMAIN on one set of
resolvers, but not another, for a given name.
But it's still not a "temporary" error condition, and should not be
failed over. If your ISP is doing DNS hijacking, you should find a
better ISP.
- Kevin
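A small check that follows Kevin's point, added here as an example and not taken from the thread or from BIND: it reads captured `dig` output from two forwarder groups, separates a permanent NXDOMAIN (cached for the RFC 2308 negative TTL) from the transient errors that BIND's RTT-based forwarder selection does route around, and flags groups that disagree on the same name. The sample responses are constructed, and the `dig` options in `query_resolver` are an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Parses "dig" output text so that a
# permanent NXDOMAIN (RFC 2308) can be told apart from transient failures
# and two forwarder groups can be compared. Only query_resolver() uses the network.

# RCODE (NOERROR, NXDOMAIN, SERVFAIL, ...) from the ";; ->>HEADER<<-" line.
dig_status() {
    awk '/^;; ->>HEADER<<-/ { sub(/,$/, "", $6); print $6; exit }'
}

# RFC 2308 negative-cache TTL = min(TTL of the SOA in AUTHORITY, SOA MINIMUM).
# Prints nothing if the response carries no SOA.
negative_ttl() {
    awk '$4 == "SOA" { t = $2 + 0; m = $11 + 0; print (t < m ? t : m); exit }'
}

# CONSISTENT, TRANSIENT (SERVFAIL/REFUSED: BIND's RTT-based selection routes
# around it) or DISAGREE (e.g. NXDOMAIN vs NOERROR: a data problem on one
# forwarder, which no failover setting will fix).
classify() {   # classify STATUS_A STATUS_B
    [ "$1" = "$2" ] && { echo CONSISTENT; return; }
    case "$1/$2" in
        *SERVFAIL*|*REFUSED*) echo TRANSIENT ;;
        *)                    echo DISAGREE ;;
    esac
}

# Live query whose output feeds the parsers above (assumed dig options).
query_resolver() {   # query_resolver RESOLVER NAME
    dig @"$1" "$2" A +noall +comments +authority
}
report() {   # report NAME RESPONSE_A RESPONSE_B
    a=$(printf '%s\n' "$2" | dig_status); b=$(printf '%s\n' "$3" | dig_status)
    echo "$1: group A=$a group B=$b -> $(classify "$a" "$b")"
    for r in "$2" "$3"; do
        [ "$(printf '%s\n' "$r" | dig_status)" = NXDOMAIN ] &&
            echo "  NXDOMAIN stays negatively cached for $(printf '%s\n' "$r" | negative_ttl)s"
    done
    return 0
}

# Constructed dig output, modelled on the thread's news.qq.com case.
SAMPLE_A=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
qq.com.  600 IN SOA ns1.qq.com. hostmaster.qq.com. 2011092201 300 600 86400 86400'
SAMPLE_B=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
report news.qq.com "$SAMPLE_A" "$SAMPLE_B"
```

For a live comparison, feed `query_resolver <group-A-resolver> news.qq.com` and the same for group B into `report`; a DISAGREE verdict points at the forwarder whose data is wrong, not at a failover setting.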
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users