I have upgraded the bind version on one of my cache servers to 9.9.5. This has resolved the issue of non-authoritative responses not being passed on to clients.
Thank you for your assistance.

Jared Empson
Systems Administrator
Zito Media
814.260.9450

On Aug 6, 2014, at 8:45 PM, Jared Empson <jared.emp...@zitomedia.com> wrote:

>
> Jared Empson
> Systems Administrator
> Zito Media
> 814.260.9450
>
> On Aug 6, 2014, at 7:28 PM, Mark Andrews <ma...@isc.org> wrote:
>
>> In message <3a1ebfdb-a033-4e07-be61-9f6ba6916...@zitomedia.com>, Jared Empson writes:
>>>
>>> I manage a small group of cache only servers for an ISP. We run Bind 9.7
>>
>> You run BIND 9.7.0 and haven't applied any of the maintenance releases
>> to BIND 9.7.
>
> I just updated the bind instance with the Ubuntu Lucid packages so I’m
> running version BIND 9.7.0-P1.
>
>>
>>> and have noticed that several domains our customers would like to access
>>> are unavailable from our cache servers. These same domains work on other
>>> provider networks such as Verizon or Google.
>>
>> In BIND 9.7.0 we restored the code to skip to non authoritative answers
>> from supposedly authoritative servers having fixed a bug in named.
>> Unfortunately there are some zones for which all the servers are
>> broken and don't return authoritative (aa=1) answers.
>>
>> BIND 9.7.1 reversed the change to skip non authoritative answers
>> despite it being technically correct.
>
> Do you suggest we upgrade to bind version 9.7.1?
>
>>
>>> What I have found is that these domains all have misconfigured glue
>>> records. This could be caused by a recent change of registrar or a
>>> misconfigured zone file pointing to NS records that no longer exist as
>>> glue records. Because of this any query of a host from these domains
>>> receive a non-authoritative response and are dropped by our cache servers.
>>>
>>> How do I configure the cache server to accept the non-authoritative
>>> response to provide our customers access to these domains without
>>> forwarding to Google's caching servers?
>>
>>
>>> An example domain is losscontrol360.com.
>>> What our customers receive:
>>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;losscontrol360.com. IN A
>>>
>>> ;; Query time: 1380 msec
>>> ;; SERVER: 10.100.2.11#53(10.100.2.11)
>>> ;; WHEN: Wed Aug 6 16:00:55 2014
>>> ;; MSG SIZE rcvd: 36
>>>
>>> What our cache server receives:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38342
>>> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags: do; udp: 1280
>>> ;; QUESTION SECTION:
>>> ;losscontrol360.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> losscontrol360.com. 173 IN A 74.208.98.80
>>>
>>> What Google provides:
>>> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;losscontrol360.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> losscontrol360.com. 586 IN A 74.208.98.80
>>>
>>> ;; Query time: 174 msec
>>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>>> ;; WHEN: Wed Aug 6 16:01:07 2014
>>> ;; MSG SIZE rcvd: 52
>>>
>>> Jared Empson
>>> Systems Administrator
>>> Zito Media
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
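Added example, not part of the thread and not BIND code: the aa bit discussed above lives in the flags word of the 12-byte DNS header, and this Python sketch decodes that header and labels a reply from a supposedly authoritative server. The function names and the three sample headers are constructed for illustration; their ids, flags and counts mirror the dig headers quoted in the thread.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }

def classify_upstream_reply(msg: bytes) -> str:
    """Label a reply from a server the delegation lists as authoritative."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] != "NOERROR":
        return "error:" + h["rcode"]
    if h["ancount"] > 0 and not h["aa"]:
        # Data came back but aa=0: the case BIND 9.7.0 skipped.
        return "non-authoritative-answer"
    return "authoritative" if h["aa"] else "referral-or-empty"

# Constructed headers (header bytes only, no question/answer sections).
# "What our cache server receives": flags qr, ANSWER 1, ADDITIONAL 1.
BROKEN_ZONE = struct.pack("!6H", 38342, 0x8000, 1, 1, 0, 1)
# The same reply as a correctly configured server would flag it: qr + aa.
HEALTHY_ZONE = struct.pack("!6H", 38342, 0x8400, 1, 1, 0, 1)
# "What our customers receive": flags qr rd ra, status SERVFAIL.
CLIENT_VIEW = struct.pack("!6H", 31462, 0x8182, 1, 0, 0, 0)

if __name__ == "__main__":
    for name, pkt in [("broken zone", BROKEN_ZONE),
                      ("healthy zone", HEALTHY_ZONE),
                      ("client view", CLIENT_VIEW)]:
        print(f"{name}: {classify_upstream_reply(pkt)}")
```

Run against captured replies from each listed name server of a failing domain, this separates zones whose servers omit aa=1 from ordinary upstream errors.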