Experiment 4: The old zone server keeps running with the old zone data
-- tss 2013-11-03 00:33:14
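An experiment to see how the old zone data held by the old zone server affects the caching server on the client side.
Note that the old zone server also acts as a cache, but it is not an open resolver (BIND 9.8.4-P1).
This is the kind of case where people are likely to say "propagation is slow." (Don't say that.)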
root@server3:/ # dig www.bind.nom
; <<>> DiG 9.8.4-P1 <<>> www.bind.nom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11934
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.bind.nom. IN A
;; ANSWER SECTION:
www.bind.nom. 60 IN A 172.16.17.1
;; AUTHORITY SECTION:
bind.nom. 180 IN NS ns.bind.nom.
;; ADDITIONAL SECTION:
ns.bind.nom. 300 IN A 172.16.17.1
;; Query time: 3 msec
;; SERVER: 172.16.33.1#53(172.16.33.1)
;; WHEN: Sat Nov 2 07:44:57 2013
;; MSG SIZE rcvd: 79
In the meantime, the delegation on the .nom server is switched to 172.16.1.1.
root@server3:/ # dig www.bind.nom
; <<>> DiG 9.8.4-P1 <<>> www.bind.nom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60248
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.bind.nom. IN A
;; ANSWER SECTION:
www.bind.nom. 1 IN A 172.16.17.1
;; AUTHORITY SECTION:
bind.nom. 121 IN NS ns.bind.nom.
;; ADDITIONAL SECTION:
ns.bind.nom. 241 IN A 172.16.17.1
;; Query time: 0 msec
;; SERVER: 172.16.33.1#53(172.16.33.1)
;; WHEN: Sat Nov 2 07:45:56 2013
;; MSG SIZE rcvd: 79

root@server3:/ # dig www.bind.nom
; <<>> DiG 9.8.4-P1 <<>> www.bind.nom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26828
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.bind.nom. IN A
;; ANSWER SECTION:
www.bind.nom. 60 IN A 172.16.17.1
;; AUTHORITY SECTION:
bind.nom. 118 IN NS ns.bind.nom.
;; ADDITIONAL SECTION:
ns.bind.nom. 238 IN A 172.16.17.1
;; Query time: 0 msec
;; SERVER: 172.16.33.1#53(172.16.33.1)
;; WHEN: Sat Nov 2 07:45:59 2013
;; MSG SIZE rcvd: 79

root@server3:/ # dig www.bind.nom
; <<>> DiG 9.8.4-P1 <<>> www.bind.nom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.bind.nom. IN A
;; ANSWER SECTION:
www.bind.nom. 1 IN A 172.16.17.1
;; AUTHORITY SECTION:
bind.nom. 59 IN NS ns.bind.nom.
;; ADDITIONAL SECTION:
ns.bind.nom. 179 IN A 172.16.17.1
;; Query time: 0 msec
;; SERVER: 172.16.33.1#53(172.16.33.1)
;; WHEN: Sat Nov 2 07:46:58 2013
;; MSG SIZE rcvd: 79
Because the NS+A cache still remains on server3, it queries the old zone server and repeatedly obtains the old A record for www.bind.nom (172.16.17.1).
root@server3:/ # dig www.bind.nom
; <<>> DiG 9.8.4-P1 <<>> www.bind.nom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.bind.nom. IN A
;; ANSWER SECTION:
www.bind.nom. 60 IN A 172.16.17.1
;; AUTHORITY SECTION:
bind.nom. 57 IN NS ns.bind.nom.
;; ADDITIONAL SECTION:
ns.bind.nom. 177 IN A 172.16.17.1
;; Query time: 0 msec
;; SERVER: 172.16.33.1#53(172.16.33.1)
;; WHEN: Sat Nov 2 07:47:00 2013
;; MSG SIZE rcvd: 79

root@server3:/ # dig www.bind.nom
; <<>> DiG 9.8.4-P1 <<>> www.bind.nom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33707
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.bind.nom. IN A
;; ANSWER SECTION:
www.bind.nom. 4 IN A 172.16.17.1
;; AUTHORITY SECTION:
bind.nom. 1 IN NS ns.bind.nom.
;; ADDITIONAL SECTION:
ns.bind.nom. 121 IN A 172.16.17.1
;; Query time: 0 msec
;; SERVER: 172.16.33.1#53(172.16.33.1)
;; WHEN: Sat Nov 2 07:47:56 2013
;; MSG SIZE rcvd: 79
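Next, the cached NS for the old zone server expires, the delegation is followed again, and the new data is obtained. (The root NS that appears briefly does not look like the result of server3 walking down from the root; it appears to have come from the old zone server, which doubles as a cache.)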
root@server3:/ # dig www.bind.nom
; <<>> DiG 9.8.4-P1 <<>> www.bind.nom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46403
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.bind.nom. IN A
;; ANSWER SECTION:
www.bind.nom. 2 IN A 172.16.17.1
;; AUTHORITY SECTION:
. 518219 IN NS a.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 518219 IN A 192.168.255.1
;; Query time: 0 msec
;; SERVER: 172.16.33.1#53(172.16.33.1)
;; WHEN: Sat Nov 2 07:47:58 2013
;; MSG SIZE rcvd: 93

root@server3:/ # dig www.bind.nom
; <<>> DiG 9.8.4-P1 <<>> www.bind.nom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12535
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.bind.nom. IN A
;; ANSWER SECTION:
www.bind.nom. 1800 IN A 172.16.1.1
;; AUTHORITY SECTION:
bind.nom. 600 IN NS ns.bind.nom.
;; ADDITIONAL SECTION:
ns.bind.nom. 300 IN A 172.16.1.1
;; Query time: 1 msec
;; SERVER: 172.16.33.1#53(172.16.33.1)
;; WHEN: Sat Nov 2 07:48:10 2013
;; MSG SIZE rcvd: 79

root@server3:/ # dig www.bind.nom
; <<>> DiG 9.8.4-P1 <<>> www.bind.nom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48612
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.bind.nom. IN A
;; ANSWER SECTION:
www.bind.nom. 1789 IN A 172.16.1.1
;; AUTHORITY SECTION:
bind.nom. 589 IN NS ns.bind.nom.
;; ADDITIONAL SECTION:
ns.bind.nom. 289 IN A 172.16.1.1
;; Query time: 0 msec
;; SERVER: 172.16.33.1#53(172.16.33.1)
;; WHEN: Sat Nov 2 07:48:21 2013
;; MSG SIZE rcvd: 79
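
The following is an added example, not part of the original page and not BIND's actual logic: a minimal model of server3's cache that replays the nine dig runs above and reproduces the A-record TTLs they show, covering both the repeated refetch from the old server and the recovery once the cached NS expires. The 30-second switch offset is an assumption (the page only says the switch fell between the first and second dig), as is the simplification that answers from the old server never refresh the cached NS TTL, which matches the NS countdown in the output.

```python
# Added illustration: a minimal model of server3's cache, not BIND's real logic.
OLD = {"addr": "172.16.17.1", "a_ttl": 60, "ns_ttl": 180}    # old zone server's data (from the page)
NEW = {"addr": "172.16.1.1", "a_ttl": 1800, "ns_ttl": 600}   # new zone server's data (from the page)

# Seconds after the first dig (07:44:57) at which each dig on the page was run.
QUERY_TIMES = [0, 59, 62, 121, 123, 179, 181, 193, 204]
SWITCH_AT = 30  # assumption: the page only says the switch fell between dig 1 and dig 2


def replay(query_times=QUERY_TIMES, switch_at=SWITCH_AT):
    """Return one (address, remaining A TTL, bind.nom NS still cached?) per query."""
    ns_zone, ns_expiry = None, -1   # cached delegation (NS + glue) for bind.nom
    a_addr, a_expiry = None, -1     # cached A record for www.bind.nom
    seen = []
    for now in query_times:
        if now >= a_expiry:              # A record expired: it must be refetched
            if now >= ns_expiry:         # delegation expired too: ask the parent again
                ns_zone = NEW if now >= switch_at else OLD
                ns_expiry = now + ns_zone["ns_ttl"]
            # Otherwise the cached NS is trusted and the parent is not consulted,
            # so the query goes straight back to whichever server was cached.
            a_addr, a_expiry = ns_zone["addr"], now + ns_zone["a_ttl"]
        seen.append((a_addr, a_expiry - now, now < ns_expiry))
    return seen


def stale_seconds(query_times=QUERY_TIMES, switch_at=SWITCH_AT):
    """Seconds after the switch at which the old address was last returned."""
    answers = replay(query_times, switch_at)
    last_old = max(t for t, (addr, _, _) in zip(query_times, answers)
                   if addr == OLD["addr"])
    return last_old - switch_at


if __name__ == "__main__":
    for t, (addr, ttl, ns_cached) in zip(QUERY_TIMES, replay()):
        print(f"t+{t:>3}s  A={addr:<12} ttl={ttl:<5} bind.nom NS cached={ns_cached}")
    print("old address last returned", stale_seconds(), "s after the switch")
```

In this model the old address can outlive the cached NS by up to one old A TTL, because the last refetch from the old server may happen just before the NS expires.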