Hi
> Also, the ACL `FE80::` suggested you would expect the resolver to listen to
> IPv6 locally
You're right, FE80:: and ::1 make no sense with all IPv6 disabled. It can never
receive a query on those ranges.
> Back to the problem, you can give a try to `dual-stack-servers`
Hm, sadly, that did not work. It sounds like a workaround that I could
implement, and the description sounds exactly like what I need, but even after
completely stopping and starting the container, the named didn't try to query
the upstream server.
I created a test-instance and modified the named.conf to include the statement:
# docker exec -ti named-test named-checkconf -px
[...]
options {
        directory "/var/cache/bind";
        hostname "unknown";
        listen-on {
                "any";
        };
        version "unknown";
        allow-recursion {
                "rec-queries";
        };
        dnssec-validation no;
        dual-stack-servers {
                9.9.9.9;
                149.112.112.112;
        };
        allow-transfer {
        };
        notify no;
};
[...]
But the named never asked one of those quad9 servers. I even checked with a
tcpdump on the physical-interface, no traffic.
(When issuing a dig from within a container shell, directly to quad9, I can
successfully contact both IPs. At least not a network issue)
Here are the logs with level 5 set.
27-Jan-2026 14:58:08.021 client @0x7f5953b18000 198.18.1.1#46760: UDP request
27-Jan-2026 14:58:08.022 client @0x7f5953b18000 198.18.1.1#46760: using view
'_default'
27-Jan-2026 14:58:08.022 client @0x7f5953b18000 198.18.1.1#46760: request is
not signed
27-Jan-2026 14:58:08.022 client @0x7f5953b18000 198.18.1.1#46760: recursion
available
27-Jan-2026 14:58:08.022 client @0x7f5953b18000 198.18.1.1#46760
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 14:58:08.022 fetch: www.semigator.de/A
27-Jan-2026 14:58:08.022 QNAME minimization - not minimized, qmintype 1
qminname www.semigator.de
27-Jan-2026 14:58:08.022 expiring v4 for name 0x7f59521a7000
27-Jan-2026 14:58:08.022 fetch: ns1.haufegroup.de/A
27-Jan-2026 14:58:08.022 QNAME minimization - not minimized, qmintype 1
qminname ns1.haufegroup.de
27-Jan-2026 14:58:08.022 dns_adb_createfind: started A fetch for name
ns1.haufegroup.de (0x7f59521a7000)
27-Jan-2026 14:58:08.022 createfind: attaching find 0x7f595408cc40 to adbname
0x7f59521a7000 1
27-Jan-2026 14:58:08.022 fctx 0x7f59540e0000(www.semigator.de/A): createfind
for 198.18.1.1#46760 - success
27-Jan-2026 14:58:08.022 expiring v4 for name 0x7f59521a7380
27-Jan-2026 14:58:08.022 fetch: ns2.haufegroup.com/A
27-Jan-2026 14:58:08.022 QNAME minimization - not minimized, qmintype 1
qminname ns2.haufegroup.com
27-Jan-2026 14:58:08.022 dns_adb_createfind: started A fetch for name
ns2.haufegroup.com (0x7f59521a7380)
27-Jan-2026 14:58:08.022 createfind: attaching find 0x7f595408cd00 to adbname
0x7f59521a7380 1
27-Jan-2026 14:58:08.022 fctx 0x7f59540e0000(www.semigator.de/A): createfind
for 198.18.1.1#46760 - success
27-Jan-2026 14:58:08.022 fetch: ns1.haufegroup.de/A
27-Jan-2026 14:58:08.022 fetch loop detected resolving 'ns1.haufegroup.de/A'
27-Jan-2026 14:58:08.022 fctx 0x7f59540e1400(ns1.haufegroup.de/A): createfind
for <unknown> - success
27-Jan-2026 14:58:08.022 dns_adb_destroyfind on find 0x7f595408cdc0
27-Jan-2026 14:58:08.022 createfind: attaching find 0x7f595408cdc0 to adbname
0x7f59521a7380 0
27-Jan-2026 14:58:08.022 fctx 0x7f59540e1400(ns1.haufegroup.de/A): createfind
for <unknown> - success
27-Jan-2026 14:58:08.022 createfind: attaching find 0x7f595408ce80 to adbname
0x7f59521a7000 0
27-Jan-2026 14:58:08.022 fctx 0x7f5954119c00(ns2.haufegroup.com/A): createfind
for <unknown> - success
27-Jan-2026 14:58:08.022 fetch: ns2.haufegroup.com/A
27-Jan-2026 14:58:08.022 fetch loop detected resolving 'ns2.haufegroup.com/A'
27-Jan-2026 14:58:08.022 fctx 0x7f5954119c00(ns2.haufegroup.com/A): createfind
for <unknown> - success
27-Jan-2026 14:58:08.022 dns_adb_destroyfind on find 0x7f595408cf40
27-Jan-2026 14:58:09.021 client @0x7f5953013000 198.18.1.1#53774: UDP request
27-Jan-2026 14:58:09.021 client @0x7f5953013000 198.18.1.1#53774: using view
'_default'
27-Jan-2026 14:58:09.021 client @0x7f5953013000 198.18.1.1#53774: request is
not signed
27-Jan-2026 14:58:09.021 client @0x7f5953013000 198.18.1.1#53774: recursion
available
27-Jan-2026 14:58:09.021 client @0x7f5953013000 198.18.1.1#53774
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 14:58:09.021 fetch: www.semigator.de/A
27-Jan-2026 14:58:14.021 client @0x7f5953b19c00 (no-peer): allocate new client
27-Jan-2026 14:58:14.021 client @0x7f5953b19c00 198.18.1.1#46760: UDP request
27-Jan-2026 14:58:14.021 client @0x7f5953b19c00 198.18.1.1#46760: using view
'_default'
27-Jan-2026 14:58:14.021 client @0x7f5953b19c00 198.18.1.1#46760: request is
not signed
27-Jan-2026 14:58:14.021 client @0x7f5953b19c00 198.18.1.1#46760: recursion
available
27-Jan-2026 14:58:14.021 client @0x7f5953b19c00 198.18.1.1#46760
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 14:58:14.021 fetch: www.semigator.de/A
27-Jan-2026 14:58:14.021 client @0x7f5953b19c00 198.18.1.1#46760
(www.semigator.de): request failed: duplicate query
27-Jan-2026 14:58:14.021 client @0x7f5953b19c00 198.18.1.1#46760
(www.semigator.de): reset client
27-Jan-2026 14:58:15.021 client @0x7f5953014c00 (no-peer): allocate new client
27-Jan-2026 14:58:15.021 client @0x7f5953014c00 198.18.1.1#53774: UDP request
27-Jan-2026 14:58:15.021 client @0x7f5953014c00 198.18.1.1#53774: using view
'_default'
27-Jan-2026 14:58:15.021 client @0x7f5953014c00 198.18.1.1#53774: request is
not signed
27-Jan-2026 14:58:15.021 client @0x7f5953014c00 198.18.1.1#53774: recursion
available
27-Jan-2026 14:58:15.021 client @0x7f5953014c00 198.18.1.1#53774
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 14:58:15.021 fetch: www.semigator.de/A
27-Jan-2026 14:58:15.021 client @0x7f5953014c00 198.18.1.1#53774
(www.semigator.de): request failed: duplicate query
27-Jan-2026 14:58:15.021 client @0x7f5953014c00 198.18.1.1#53774
(www.semigator.de): reset client
27-Jan-2026 14:58:20.021 client @0x7f5953b19c00 198.18.1.1#46760: UDP request
27-Jan-2026 14:58:20.021 client @0x7f5953b19c00 198.18.1.1#46760: using view
'_default'
27-Jan-2026 14:58:20.021 client @0x7f5953b19c00 198.18.1.1#46760: request is
not signed
27-Jan-2026 14:58:20.021 client @0x7f5953b19c00 198.18.1.1#46760: recursion
available
27-Jan-2026 14:58:20.021 client @0x7f5953b19c00 198.18.1.1#46760
(www.semigator.de): query (cache) 'www.semigator.de/A/IN' approved
27-Jan-2026 14:58:20.021 fetch: www.semigator.de/A
27-Jan-2026 14:58:20.021 client @0x7f5953b19c00 198.18.1.1#46760
(www.semigator.de): request failed: duplicate query
27-Jan-2026 14:58:20.021 client @0x7f5953b19c00 198.18.1.1#46760
(www.semigator.de): reset client
27-Jan-2026 14:58:20.021 shut down hung fetch while resolving
0x7f59540e0000(www.semigator.de/A)
27-Jan-2026 14:58:20.021 set ede: info-code 22 extra-text (null)
27-Jan-2026 14:58:20.021 dns_adb_cancelfind on find 0x7f595408cc40
27-Jan-2026 14:58:20.021 sending find 0x7f595408cc40 to caller
27-Jan-2026 14:58:20.021 dns_adb_cancelfind on find 0x7f595408cd00
27-Jan-2026 14:58:20.021 sending find 0x7f595408cd00 to caller
27-Jan-2026 14:58:20.021 shut down hung fetch while resolving
0x7f59540e1400(ns1.haufegroup.de/A)
27-Jan-2026 14:58:20.021 set ede: info-code 22 extra-text (null)
27-Jan-2026 14:58:20.021 dns_adb_cancelfind on find 0x7f595408cdc0
27-Jan-2026 14:58:20.021 sending find 0x7f595408cdc0 to caller
27-Jan-2026 14:58:20.021 shut down hung fetch while resolving
0x7f5954119c00(ns2.haufegroup.com/A)
27-Jan-2026 14:58:20.021 set ede: info-code 22 extra-text (null)
27-Jan-2026 14:58:20.021 dns_adb_cancelfind on find 0x7f595408ce80
27-Jan-2026 14:58:20.021 sending find 0x7f595408ce80 to caller
27-Jan-2026 14:58:20.021 dns_adb_destroyfind on find 0x7f595408cc40
27-Jan-2026 14:58:20.021 dns_adb_destroyfind on find 0x7f595408cd00
27-Jan-2026 14:58:20.021 client @0x7f5953b18000 198.18.1.1#46760
(www.semigator.de): query failed (SERVFAIL) for www.semigator.de/IN/A at
query.c:7851
27-Jan-2026 14:58:20.021 fetch completed for www.semigator.de/A in 11.999147:
SERVFAIL/success
[domain:semigator.de,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
27-Jan-2026 14:58:20.021 dns_adb_destroyfind on find 0x7f595408cdc0
27-Jan-2026 14:58:20.021 adb: fetch of 'ns1.haufegroup.de' A failed: SERVFAIL
27-Jan-2026 14:58:20.021 dns_adb_destroyfind on find 0x7f595408ce80
27-Jan-2026 14:58:20.021 adb: fetch of 'ns2.haufegroup.com' A failed: SERVFAIL
27-Jan-2026 14:58:20.021 client @0x7f5953b18000 198.18.1.1#46760
(www.semigator.de): reset client
27-Jan-2026 14:58:20.021 client @0x7f5953013000 198.18.1.1#53774
(www.semigator.de): query failed (SERVFAIL) for www.semigator.de/IN/A at
query.c:7851
27-Jan-2026 14:58:20.021 client @0x7f5953013000 198.18.1.1#53774
(www.semigator.de): reset client
27-Jan-2026 14:58:20.044 client @0x7f5953014c00 198.18.1.1#37432: UDP request
27-Jan-2026 14:58:20.044 client @0x7f5953014c00 198.18.1.1#37432: using view
'_default'
27-Jan-2026 14:58:20.044 client @0x7f5953014c00 198.18.1.1#37432: request is
not signed
27-Jan-2026 14:58:20.044 client @0x7f5953014c00 198.18.1.1#37432: recursion
available
27-Jan-2026 14:58:20.044 client @0x7f5953014c00 198.18.1.1#37432
(www.semigator.de): servfail cache hit www.semigator.de/A (CD=0)
27-Jan-2026 14:58:20.044 client @0x7f5953014c00 198.18.1.1#37432
(www.semigator.de): query failed (SERVFAIL) for www.semigator.de/IN/A at
query.c:7086
27-Jan-2026 14:58:20.044 client @0x7f5953014c00 198.18.1.1#37432
(www.semigator.de): reset client
Regards,
Christian
>-----Original Message-----
>From: Colin Vidal <[email protected]>
>Sent: Monday, 26 January 2026 21:02
>To: Melbinger Christian <[email protected]>
>Cc: bind-users <[email protected]>; Ondřej Surý <[email protected]>
>Subject: Re: Problem resolving a host when TTL of NS-Servers runs out
>
>Hi,
>
>> I already start the daemon with the -4 option. It should never use IPv6.
>
>Indeed. `query-source-v6 none;` would avoid IPv6 upstream queries while still
>listening on IPv6. I guess you could use it so you wouldn't need to override
>the entry point. (Also, the ACL `FE80::` suggested you would expect the
>resolver to listen to IPv6 locally.)
>
>Back to the problem, you can give a try to `dual-stack-servers`:
>
>https://bind9.readthedocs.io/en/v9.20.18/reference.html#namedconf-statement-dual-stack-servers
>AFAIK iff the resolver can't find any IPv4 server to contact, it will forward
>the query to an alternative server supporting both IPv4 and IPv6.
>
>> So my working theory is, for some reason, bind saves the shorter TTL for the
>> A-Record, and the longer for the AAAA. Once the A-Record expires, it tries
>> to resolve the domain via the AAAA-NS, but it can't, as it does not have an
>> IPv6 IP. And so it simply fails.
>
>BIND9 is (currently) child-centric and (currently) stores in the same cache the
>RRset from delegations and authoritative responses, so it is possible it
>resolved/got an authoritative response for `ns2.haufegroup.com.` at some point
>after having cached the delegation and then overridden it with the
>authoritative response. That would explain the RNDC dumps you got. (Logs would
>help.)
>
>Independently of BIND9's current implementation, the delegation should have the
>same TTL as the authoritative zone.
>
>--
>Colin Vidal -- [email protected]
>Internet Systems Consortium
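
Added example (not part of the original messages and not ISC code): a small Python check for the pattern visible in the debug log above, a fetch that ends in SERVFAIL with `qrysent:0` next to `fetch loop detected` entries. The sample log is constructed in the same shape, including the mail-wrapped lines; the `example.org` record and the function names `unwrap` and `analyse` are assumptions.

```python
import re

# Constructed sample shaped like the debug log in this thread (mail-wrapped);
# the example.org record is invented for contrast.
SAMPLE = """\
27-Jan-2026 14:58:08.022 fetch: www.semigator.de/A
27-Jan-2026 14:58:08.022 fetch loop detected resolving 'ns1.haufegroup.de/A'
27-Jan-2026 14:58:08.022 fetch loop detected resolving 'ns2.haufegroup.com/A'
27-Jan-2026 14:58:20.021 fetch completed for www.semigator.de/A in 11.999147:
SERVFAIL/success
[domain:semigator.de,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
27-Jan-2026 14:58:21.500 fetch completed for example.org/A in 0.031200:
success/success
[domain:example.org,referral:2,restart:1,qrysent:3,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

TS = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
LOOP = re.compile(r"fetch loop detected resolving '([^']+)'")
DONE = re.compile(r"fetch completed for (\S+) in ([\d.]+): (\w+)/(\w+) \[([^\]]*)\]")

def unwrap(text):
    """Re-join wrapped records: a line without a timestamp continues the last one."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def analyse(text):
    """Return (names with a fetch loop, SERVFAIL fetches that sent no query)."""
    loops, stalled = [], []
    for rec in unwrap(text):
        m = LOOP.search(rec)
        if m and m.group(1) not in loops:
            loops.append(m.group(1))
        m = DONE.search(rec)
        if m:
            name, secs, result, _vresult, stats = m.groups()
            counters = dict(kv.split(":", 1) for kv in stats.split(","))
            # qrysent:0 -> no upstream query was sent for this fetch.
            if result == "SERVFAIL" and counters.get("qrysent") == "0":
                stalled.append((name, float(secs), counters.get("domain")))
    return loops, stalled

if __name__ == "__main__":
    loops, stalled = analyse(SAMPLE)
    for name, secs, domain in stalled:
        print(f"{name}: SERVFAIL after {secs:.1f}s, qrysent:0 (zone {domain}); loops: {loops}")
```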