Hi
In case I offended anyone, I'm sorry, that was not my intention. Writing
"strongly disagree" was a bit too much.
I will gladly show my setup in more detail. I've spun up a test instance to
eliminate background noise and reduce the config even more.
Here's the docker container config:
# cat docker-compose.yml
services:
  named-test:
    container_name: named-test
    hostname: named-test
    image: internetsystemsconsortium/bind9:9.20
    # Overruling the entrypoint with "-4" to disable all ipv6, and "-d 5 -g" to
    # enable debugging and sending it to stderr (thus docker logs)
    entrypoint: /usr/sbin/named -f -c /etc/bind/named.conf -u bind -4 -d 5 -g
    ports:
      - "3053:53/udp" # Exposing to a custom port
      - "3053:53/tcp" # Exposing to a custom port
    volumes:
      - etc-bind:/etc/bind
      - cache:/var/cache/bind
      - lib:/var/lib/bind
      - log:/var/log
volumes:
  etc-bind:
  cache:
  lib:
  log:
My server uses a non-standard docker config - nothing fancy, most notably a
custom bridge domain:
# cat /etc/docker/daemon.json
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "bip": "198.18.0.1/24",
  "default-address-pools": [
    {
      "base": "198.18.0.0/15",
      "size": 24
    }
  ],
  "default-ulimits": {
    "memlock": {
      "name": "memlock",
      "soft": -1,
      "hard": -1
    },
    "nofile": {
      "Hard": 1048576,
      "Name": "nofile",
      "Soft": 1048576
    }
  }
}
Here's the output of the running bind config. 198.18.0.0/15 is said bridge
domain.
# docker exec -ti named-test named-checkconf -px
acl "rec-queries" {
    10.0.0.0/8;
    192.168.0.0/16;
    127.0.0.0/8;
    172.16.0.0/12;
    ::1/128;
    fe80::/128;
    198.18.0.0/15;
};
controls {
    inet 127.0.0.1 allow {
        "localhost";
    } keys {
        "rndc-key";
    };
};
logging {
    channel "default_syslog" {
        stderr ;
        severity dynamic;
        print-time yes;
    };
    category "default" {
        "default_syslog";
    };
};
options {
    directory "/var/cache/bind";
    hostname "unknown";
    listen-on {
        "any";
    };
    version "unknown";
    allow-recursion {
        "rec-queries";
    };
    dnssec-validation no;
    allow-transfer {
    };
    notify no;
};
key "rndc-key" {
    algorithm "hmac-sha256";
    secret "????????????????????????????????????????????";
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
Like before, the first lookup of www.semigator.de works. After an hour, the
A-Records get removed and only the AAAA are left.
haufegroup.com. 108454 NS ns1.haufegroup.de.
108454 NS ns2.haufegroup.com.
ns2.haufegroup.com. 108454 AAAA 2001:67c:10b8::103
haufegroup.de. 22054 NS ns1.haufegroup.de.
22054 NS ns2.haufegroup.com.
ns1.haufegroup.de. 22054 AAAA 2001:67c:1bc::103
semigator.de. 22054 NS ns1.haufegroup.de.
22054 NS ns2.haufegroup.com.
; ns2.haufegroup.com. [v4 TTL 10] [v4 failure] [v6 unexpected]
; ns1.haufegroup.de. [v4 TTL 10] [v4 failure] [v6 unexpected]
; www.semigator.de/A [ttl 1]
So now when I look up semigator, it fails as expected.
I just realized the named even sends back "EDE: 22 (No Reachable Authority)"
# dig @localhost -p 3053 www.semigator.de
; <<>> DiG 9.16.23-RH <<>> @localhost -p 3053 www.semigator.de
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45743
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 03805b17f37117250100000069788d61252030504cce4759 (good)
; EDE: 22 (No Reachable Authority)
;; QUESTION SECTION:
;www.semigator.de. IN A
;; Query time: 2 msec
;; SERVER: ::1#3053(::1)
;; WHEN: Tue Jan 27 11:03:13 CET 2026
;; MSG SIZE rcvd: 79
With debug level 5, the logfile spills out a lot of information
27-Jan-2026 10:03:01.279 client @0x7fee5d6dd000 198.18.1.1#37717: UDP request
27-Jan-2026 10:03:01.279 client @0x7fee5d6dd000 198.18.1.1#37717: using view
'_default'
27-Jan-2026 10:03:01.279 client @0x7fee5d6dd000 198.18.1.1#37717: request is
not signed
27-Jan-2026 10:03:01.279 client @0x7fee5d6dd000 198.18.1.1#37717: recursion
available
27-Jan-2026 10:03:01.279 client @0x7fee5d6dd000 198.18.1.1#37717
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 10:03:01.279 fetch: www.semigator.de/A
27-Jan-2026 10:03:01.279 QNAME minimization - not minimized, qmintype 1
qminname www.semigator.de
27-Jan-2026 10:03:01.279 fetch: ns1.haufegroup.de/A
27-Jan-2026 10:03:01.279 QNAME minimization - not minimized, qmintype 1
qminname ns1.haufegroup.de
27-Jan-2026 10:03:01.279 dns_adb_createfind: started A fetch for name
ns1.haufegroup.de (0x7fee5c11c000)
27-Jan-2026 10:03:01.279 createfind: attaching find 0x7fee5d6da3c0 to adbname
0x7fee5c11c000 1
27-Jan-2026 10:03:01.279 fctx 0x7fee5c018800(www.semigator.de/A): createfind
for 198.18.1.1#37717 - success
27-Jan-2026 10:03:01.279 fetch: ns2.haufegroup.com/A
27-Jan-2026 10:03:01.279 QNAME minimization - not minimized, qmintype 1
qminname ns2.haufegroup.com
27-Jan-2026 10:03:01.279 dns_adb_createfind: started A fetch for name
ns2.haufegroup.com (0x7fee5c11c380)
27-Jan-2026 10:03:01.279 createfind: attaching find 0x7fee5d120180 to adbname
0x7fee5c11c380 1
27-Jan-2026 10:03:01.279 fctx 0x7fee5c018800(www.semigator.de/A): createfind
for 198.18.1.1#37717 - success
27-Jan-2026 10:03:01.279 fetch: ns1.haufegroup.de/A
27-Jan-2026 10:03:01.279 fetch loop detected resolving 'ns1.haufegroup.de/A'
27-Jan-2026 10:03:01.279 fctx 0x7fee5d118000(ns1.haufegroup.de/A): createfind
for <unknown> - success
27-Jan-2026 10:03:01.279 dns_adb_destroyfind on find 0x7fee5d6dcf40
27-Jan-2026 10:03:01.279 createfind: attaching find 0x7fee5d6dcf40 to adbname
0x7fee5c11c380 0
27-Jan-2026 10:03:01.279 fctx 0x7fee5d118000(ns1.haufegroup.de/A): createfind
for <unknown> - success
27-Jan-2026 10:03:01.279 createfind: attaching find 0x7fee5d6dad80 to adbname
0x7fee5c11c000 0
27-Jan-2026 10:03:01.279 fctx 0x7fee5d719c00(ns2.haufegroup.com/A): createfind
for <unknown> - success
27-Jan-2026 10:03:01.279 fetch: ns2.haufegroup.com/A
27-Jan-2026 10:03:01.279 fetch loop detected resolving 'ns2.haufegroup.com/A'
27-Jan-2026 10:03:01.279 fctx 0x7fee5d719c00(ns2.haufegroup.com/A): createfind
for <unknown> - success
27-Jan-2026 10:03:01.279 dns_adb_destroyfind on find 0x7fee5d68ce80
27-Jan-2026 10:03:02.278 client @0x7fee5c01cc00 198.18.1.1#52585: UDP request
27-Jan-2026 10:03:02.278 client @0x7fee5c01cc00 198.18.1.1#52585: using view
'_default'
27-Jan-2026 10:03:02.278 client @0x7fee5c01cc00 198.18.1.1#52585: request is
not signed
27-Jan-2026 10:03:02.278 client @0x7fee5c01cc00 198.18.1.1#52585: recursion
available
27-Jan-2026 10:03:02.278 client @0x7fee5c01cc00 198.18.1.1#52585
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 10:03:02.278 fetch: www.semigator.de/A
27-Jan-2026 10:03:07.278 client @0x7fee5d6dec00 198.18.1.1#37717: UDP request
27-Jan-2026 10:03:07.278 client @0x7fee5d6dec00 198.18.1.1#37717: using view
'_default'
27-Jan-2026 10:03:07.278 client @0x7fee5d6dec00 198.18.1.1#37717: request is
not signed
27-Jan-2026 10:03:07.278 client @0x7fee5d6dec00 198.18.1.1#37717: recursion
available
27-Jan-2026 10:03:07.278 client @0x7fee5d6dec00 198.18.1.1#37717
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 10:03:07.278 fetch: www.semigator.de/A
27-Jan-2026 10:03:07.278 client @0x7fee5d6dec00 198.18.1.1#37717
(www.semigator.de): request failed: duplicate query
27-Jan-2026 10:03:07.278 client @0x7fee5d6dec00 198.18.1.1#37717
(www.semigator.de): reset client
27-Jan-2026 10:03:08.278 client @0x7fee5c01b000 198.18.1.1#52585: UDP request
27-Jan-2026 10:03:08.278 client @0x7fee5c01b000 198.18.1.1#52585: using view
'_default'
27-Jan-2026 10:03:08.278 client @0x7fee5c01b000 198.18.1.1#52585: request is
not signed
27-Jan-2026 10:03:08.278 client @0x7fee5c01b000 198.18.1.1#52585: recursion
available
27-Jan-2026 10:03:08.278 client @0x7fee5c01b000 198.18.1.1#52585
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 10:03:08.278 fetch: www.semigator.de/A
27-Jan-2026 10:03:08.278 client @0x7fee5c01b000 198.18.1.1#52585
(www.semigator.de): request failed: duplicate query
27-Jan-2026 10:03:08.278 client @0x7fee5c01b000 198.18.1.1#52585
(www.semigator.de): reset client
27-Jan-2026 10:03:13.278 client @0x7fee5d6dec00 198.18.1.1#37717: UDP request
27-Jan-2026 10:03:13.278 client @0x7fee5d6dec00 198.18.1.1#37717: using view
'_default'
27-Jan-2026 10:03:13.278 client @0x7fee5d6dec00 198.18.1.1#37717: request is
not signed
27-Jan-2026 10:03:13.278 client @0x7fee5d6dec00 198.18.1.1#37717: recursion
available
27-Jan-2026 10:03:13.278 client @0x7fee5d6dec00 198.18.1.1#37717
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 10:03:13.278 fetch: www.semigator.de/A
27-Jan-2026 10:03:13.278 client @0x7fee5d6dec00 198.18.1.1#37717
(www.semigator.de): request failed: duplicate query
27-Jan-2026 10:03:13.278 client @0x7fee5d6dec00 198.18.1.1#37717
(www.semigator.de): reset client
27-Jan-2026 10:03:13.280 shut down hung fetch while resolving
0x7fee5c018800(www.semigator.de/A)
27-Jan-2026 10:03:13.280 set ede: info-code 22 extra-text (null)
27-Jan-2026 10:03:13.280 dns_adb_cancelfind on find 0x7fee5d6da3c0
27-Jan-2026 10:03:13.280 sending find 0x7fee5d6da3c0 to caller
27-Jan-2026 10:03:13.280 dns_adb_cancelfind on find 0x7fee5d120180
27-Jan-2026 10:03:13.280 sending find 0x7fee5d120180 to caller
27-Jan-2026 10:03:13.280 shut down hung fetch while resolving
0x7fee5d118000(ns1.haufegroup.de/A)
27-Jan-2026 10:03:13.280 set ede: info-code 22 extra-text (null)
27-Jan-2026 10:03:13.280 dns_adb_cancelfind on find 0x7fee5d6dcf40
27-Jan-2026 10:03:13.280 sending find 0x7fee5d6dcf40 to caller
27-Jan-2026 10:03:13.280 shut down hung fetch while resolving
0x7fee5d719c00(ns2.haufegroup.com/A)
27-Jan-2026 10:03:13.280 set ede: info-code 22 extra-text (null)
27-Jan-2026 10:03:13.280 dns_adb_cancelfind on find 0x7fee5d6dad80
27-Jan-2026 10:03:13.280 sending find 0x7fee5d6dad80 to caller
27-Jan-2026 10:03:13.280 dns_adb_destroyfind on find 0x7fee5d6da3c0
27-Jan-2026 10:03:13.280 dns_adb_destroyfind on find 0x7fee5d120180
27-Jan-2026 10:03:13.280 client @0x7fee5d6dd000 198.18.1.1#37717
(www.semigator.de): query failed (SERVFAIL) for www.semigator.de/IN/A at
query.c:7851
27-Jan-2026 10:03:13.280 client @0x7fee5c01cc00 198.18.1.1#52585
(www.semigator.de): query failed (SERVFAIL) for www.semigator.de/IN/A at
query.c:7851
27-Jan-2026 10:03:13.280 fetch completed for www.semigator.de/A in 12.001141:
SERVFAIL/success
[domain:semigator.de,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
27-Jan-2026 10:03:13.280 client @0x7fee5c01cc00 198.18.1.1#52585
(www.semigator.de): reset client
27-Jan-2026 10:03:13.280 dns_adb_destroyfind on find 0x7fee5d6dcf40
27-Jan-2026 10:03:13.281 adb: fetch of 'ns1.haufegroup.de' A failed: SERVFAIL
27-Jan-2026 10:03:13.281 dns_adb_destroyfind on find 0x7fee5d6dad80
27-Jan-2026 10:03:13.281 adb: fetch of 'ns2.haufegroup.com' A failed: SERVFAIL
27-Jan-2026 10:03:13.281 client @0x7fee5d6dd000 198.18.1.1#37717
(www.semigator.de): reset client
Regards,
Christian
>-----Original Message-----
>From: Ondřej Surý <[email protected]>
>Sent: Monday, 26 January 2026 17:30
>To: Melbinger Christian <[email protected]>
>Cc: Colin Vidal <[email protected]>; bind-users <[email protected]>
>Subject: Re: Problem resolving a host wenn TTL of NS-Servers runs out
>
>Before you start strongly disagreeing with a person who tried to help you, why
>don’t you start by giving us the whole picture? The configuration
>(named-checkconf -px), the logs (start with the lines just after the start
>and before named prints “running” and then the logs around the event), and a
>reliable way how to reproduce this. You gave us your diagnosis, but omitted
>all the indices that led to it. You might be right, but it is hard to verify
>your claims without all the evidence.
>
>Ondrej
>--
>Ondřej Surý — ISC (He/Him)
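
A triage pass over the kind of debug output posted above, as an added example that is not part of the original message or of BIND itself: it rejoins records wrapped by the mail client and pulls out the fetch-loop, hung-fetch, completion and ADB-failure events per name. The sample lines are a constructed excerpt shaped like the log in this message, and the function names are hypothetical.

```python
import re

# Constructed sample: an excerpt shaped like the debug log in this message,
# including mail-client wrapping that splits one record across two lines.
SAMPLE_LOG = """\
27-Jan-2026 10:03:01.279 fetch: ns1.haufegroup.de/A
27-Jan-2026 10:03:01.279 fetch loop detected resolving 'ns1.haufegroup.de/A'
27-Jan-2026 10:03:01.279 fetch: ns2.haufegroup.com/A
27-Jan-2026 10:03:01.279 fetch loop detected resolving 'ns2.haufegroup.com/A'
27-Jan-2026 10:03:13.280 shut down hung fetch while resolving
0x7fee5c018800(www.semigator.de/A)
27-Jan-2026 10:03:13.280 fetch completed for www.semigator.de/A in 12.001141:
SERVFAIL/success
27-Jan-2026 10:03:13.281 adb: fetch of 'ns1.haufegroup.de' A failed: SERVFAIL
"""

TS = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
PATTERNS = {
    "fetch_loop": re.compile(r"fetch loop detected resolving '([^']+)'"),
    "hung_fetch": re.compile(r"shut down hung fetch while resolving \S+\(([^)]+)\)"),
    "adb_failed": re.compile(r"adb: fetch of '([^']+)' (\S+) failed: (\S+)"),
    "completed": re.compile(r"fetch completed for (\S+) in ([\d.]+): (\w+)/"),
}

def unwrap(text):
    """Rejoin wrapped records: a line without a leading timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Map each event kind to the list of regex groups captured for it, in log order."""
    findings = {}
    for rec in unwrap(text):
        for kind, rx in PATTERNS.items():
            m = rx.search(rec)
            if m:
                findings.setdefault(kind, []).append(m.groups())
    return findings

def looped_and_failed(findings):
    """Return name/type pairs that hit a fetch loop and whose ADB fetch also failed."""
    looped = {g[0] for g in findings.get("fetch_loop", [])}
    failed = {f"{name}/{rtype}" for name, rtype, _ in findings.get("adb_failed", [])}
    return sorted(looped & failed)
```
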