
List:       dns-operations
Subject:    Re: [dns-operations] Cname errors?
From:       Andrew Boling <aboling () gmail ! com>
Date:       2015-09-30 18:20:11
Message-ID: CAPnMbcxX2O9NU3_phO6GZm8wyGKnGjuAfHmWBTRJ7HBNHF1Z6A () mail ! gmail ! com

>
> only if a servfail is generated should that log message appear.


It gets dicey because CNAME records can indirectly contribute to a
SERVFAIL. For the hypothetical scenario, imagine a zone that has two NS
records with only one targeting a CNAME record. If an intermittent routing
problem causes the valid NS target to become unreachable, then no
nameservers will be available.

This doesn't necessarily invalidate the suggestion, but it becomes
necessary to log the problems with all associated nameservers at the time
of the SERVFAIL (as opposed to logging problems as they're observed).

On Wed, Sep 30, 2015 at 1:27 PM, Paul Vixie <paul@redbarn.org> wrote:

>
>
> Robert Edmonds wrote:
> > Paul Vixie wrote:
> >> since every one of these log messages corresponds to an outbound
> >> SERVFAIL, i'd like non-expert users to be able to correlate the failures
> >> they see in their web browsers to log file messages on their server.
> >
> > Are you sure about that?  ...
> >
> > If I understand correctly, the "skipping nameserver ... because it is a
> > CNAME" log message can be generated even if no SERVFAIL is eventually
> > generated.  That is, BIND appears to skip an NS *RR* if it points to a
> > CNAME, it doesn't skip the entire NS RRset.
> >
>
> you make an excellent point. only if a servfail is generated should that
> log message appear.
>
> --
> Paul Vixie
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
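
Added example, not part of the original thread and not BIND's code: a toy Python model of the two-NS scenario above, where per-nameserver problems are buffered and written out only when the whole NS RRset fails. The Delegation and resolve names, the example.* hostnames and the exact log wording are assumptions made for illustration.

```python
# Toy model of deferred logging for NS selection; not BIND's resolver code.
from dataclasses import dataclass, field


@dataclass
class Delegation:
    zone: str
    ns_targets: list                 # NS RR target names, in the order tried
    cname_targets: set               # NS targets that are (invalidly) CNAMEs
    unreachable: set = field(default_factory=set)  # targets not answering now


def resolve(d, log):
    """Try every NS RR in turn and return 'NOERROR' or 'SERVFAIL'.

    Problems seen per nameserver are collected in a buffer. The buffer is
    appended to `log` only when no nameserver was usable, so every logged
    line corresponds to an outbound SERVFAIL.
    """
    problems = []
    for ns in d.ns_targets:
        if ns in d.cname_targets:
            # Only this NS RR is skipped, not the whole NS RRset.
            problems.append(f"skipping nameserver {ns} because it is a CNAME")
            continue
        if ns in d.unreachable:
            problems.append(f"nameserver {ns} unreachable")
            continue
        return "NOERROR"             # one usable server is enough; log nothing
    log.append(f"SERVFAIL for {d.zone}: no usable nameservers")
    log.extend("  " + p for p in problems)
    return "SERVFAIL"


if __name__ == "__main__":
    # Constructed sample zone: two NS records, one pointing at a CNAME.
    zone = Delegation("example.com",
                      ["ns1.example.net", "ns2.example.net"],
                      cname_targets={"ns2.example.net"})
    log = []
    print(resolve(zone, log), log)           # healthy path: nothing logged
    zone.unreachable.add("ns1.example.net")  # routing problem hits the valid NS
    print(resolve(zone, log))
    print("\n".join(log))
```
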



