Date: Mon, 16 Jul 2001 21:45:31 -0700 (PDT)
From: Matt Dillon
To: Mike Silbersack
Cc: Len Conrad, dougb@freebsd.org,
Subject: Re: Weird named problem - IN A for nameservers being lost!
Sender: owner-freebsd-hackers@FreeBSD.ORG

:...
:> Interesting. He describes in the section about 'expiring glue'
:> creating loops in the DNS server, but doesn't mention a particular
:> bug.
:>
:> However, there's another section where he mentions something about
:> bind reducing the TTL by 5% for certain credibility cases.
:>
:> Going back to my original posting... the NS is 2016 and fuji
:> is 1846 = 170 = 5%.
:>
:> I think this credibility stuff reducing the TTL in named is
:> responsible for these blowups. I am going to email the bind group
:> with this whole mess to see what they have to say.
:>
:> -Matt
:
:I wish you luck in getting it fixed. That 5% may have been intended for
:removal; 8.1.2 used to reduce the TTL by 5% for _each_ query. That was
:clearly removed for 8.2, but perhaps the initial decrement was forgotten.
:
:However, the problem probably indicates a more serious problem in 8.x's
:resolver, which may be fixed in 9 and is not intended to be backported. I
:guess Mark'll have to answer that. (He seems to read and reply to
:-security, so he appears reachable.)
:
:Mike "Silby" Silbersack

I submitted a bug report. Mark and I are talking about it. Basically
what it comes down to is that the 5% code is still there, but
conditionalized with NOADDITIONAL. That is, if you set NOADDITIONAL
then the 5% code is ripped out.

I also took a look on Google. The problem appears to be well known for
a long time, I just don't know why the bind guys haven't ripped out
this 5% code stuff.

I am going to commit a change to /usr/src/usr.sbin/named/Makefile.inc
(in -current and MFC to -stable 3 days later) that turns on NOADDITIONAL
and effectively fixes this problem for 8.2.x. Hopefully the bind guys
will rip out the code entirely, it just doesn't belong there. I mean,
it's ok for bind to fail instantly, or to allow the case, but it isn't
ok for bind to allow the case 40 minutes and then fail from that point
on until it's restarted. Judging from the Google, this has been the
source of many, many problems, and I don't quite understand why it
wasn't ripped out last year.

I am also CCing Doug Barton, who appears to be responsible for bind8
in ports.

-Matt