On Sunday, February 21, 2016 at 8:46:19 PM UTC-8, Mark Andrews wrote:
> In message <2f868c2b-d04b-4caf-abd7-8176352cc...@googlegroups.com>, blrmaani writes:
> > On Friday, February 19, 2016 at 5:09:02 PM UTC-8, blrmaani wrote:
> > > We have a DNS setup where we forward a name in one domain to 5 external nameservers. We see NXDOMAIN error intermittently (once in a couple of weeks). How do I debug this issue?
> > >
> > > I took a cache dump on our DNS and 2 out of 5 nameserver IPs appear in "Unassociated entries" when the problem happens.
> > >
> > > Any advice to troubleshoot this issue is greatly appreciated.
> > >
> > > Thanks
> > > Blr
> >
> > the cache dump also has this entry (myname.mydomain.com is the name I am interested in)
> >
> > myname.mydomain.com 10324 \-ANY ;-$NXDOMAIN
> >
> > Which probably means if anyone requests for myname.mydomain.com, they will be handed NXDOMAIN for up to 10324 seconds from now..
>
> Correct.
>
> > Our current work around is to restart named (which cache) or we could do a 'rndc flush'.
> >
> > Question: Is there a BIND option to say 'Don't cache myname.mydomain.com for NXDOMAIN error code?'
>
> No. Fix the source of the NXDOMAIN. Ask all the external nameservers
> for "myname.mydomain.com type666" and see what they respond with. If
> it is NXDOMAIN then you have the source(s) of the NXDOMAIN.
>
> e.g.
> dig @server myname.mydomain.com type666
>
> This is a case of Garbage In (NXDOMAIN) - Garbage Out (NXDOMAIN).
>
> > Alternatively, I can have a local query for this and flush cache if error code is NXDOMAIN, but is hacky.. I would like a config option
> >
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Thanks a lot for the responses ..

I ran dig several times in a loop querying for the name with type=type666 and see only SERVFAIL. The NXDOMAIN occurs approx once in 2 weeks (per incident report). I guess I have to run several iterations of queries to see NXDOMAIN..

I see this in the cache dump:

...
...
; authauthority
myname.mydomain.com 10324 \-ANY ;-$NXDOMAIN
<SOA line for the above domain here>
...
...
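
The per-server check suggested in this thread, repeated on a timer so that an intermittent NXDOMAIN is logged together with the server that returned it. This is an added example, not code from the thread: the 192.0.2.x addresses, interval and log path in the usage comment are placeholders, and `+tries=1 +time=3` is added to the thread's dig command to bound each query.

```shell
#!/bin/sh
# Added example (not from the thread). Server addresses, interval and log
# path are placeholders supplied by the caller.
DIG=${DIG:-dig}   # overridable so the parsing can be exercised offline

# Print the RCODE from dig output on stdin (NOERROR, NXDOMAIN, SERVFAIL, ...),
# or NOREPLY when there is no header (timeout, unreachable server).
rcode_of() {
    awk '/->>HEADER<<-/ {
             for (i = 1; i < NF; i++)
                 if ($i == "status:") {
                     rc = $(i + 1); sub(/,$/, "", rc); print rc; found = 1; exit
                 }
         }
         END { if (!found) print "NOREPLY" }'
}

# Ask each server directly, once: prints "<UTC time> <server> <rcode>".
probe_once() {
    name=$1; shift
    for server in "$@"; do
        rc=$("$DIG" "@$server" "$name" type666 +tries=1 +time=3 2>/dev/null | rcode_of)
        printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$server" "$rc"
    done
}

# Reduce probe_once output on stdin to the servers that answered NXDOMAIN.
nxdomain_sources() {
    awk '$3 == "NXDOMAIN" { print $2 }' | sort -u
}

# Poll until interrupted; every result goes to the log, NXDOMAIN sources to stderr.
probe_loop() {
    interval=$1; log=$2; name=$3; shift 3
    while :; do
        probe_once "$name" "$@" | tee -a "$log" | nxdomain_sources |
            while read -r s; do echo "NXDOMAIN returned by $s" >&2; done
        sleep "$interval"
    done
}

# Usage: sh probe.sh 60 /tmp/nx.log myname.mydomain.com 192.0.2.1 192.0.2.2
if [ "$#" -ge 4 ]; then probe_loop "$@"; fi
```

Because the log keeps the SERVFAIL and NOREPLY results as well, it also shows which forwarders were failing around the time a negative answer entered the cache.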