Problem with forward zone and recursion
Luis Muñoz
lem at cantv.net
Tue Oct 1 19:04:53 UTC 2002
Hi folks:
In my network, we're running BIND 8.2.4_REL. (I know an upgrade is due, but
this question is in part to help me decide to which version).
I have a number of zones configured like this at the authoritative servers:
zone "129.11.200.in-addr.arpa" {
type forward;
forward only;
forwarders { 200.44.32.89; 200.44.32.88; };
};
The problem is that the answers are only found when recursion is specified
in the query. This obviously won't work when said query comes from a name
server, as in these cases the recursion would not be requested. This is an
example:
bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +norecurse
; <<>> DiG 8.3 <<>> @200.44.32.10 -x +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58582
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7
;; QUERY SECTION:
;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
;; AUTHORITY SECTION:
200.in-addr.arpa. 2h4m40s IN NS ARROWROOT.ARIN.NET.
200.in-addr.arpa. 2h4m40s IN NS BUCHU.ARIN.NET.
200.in-addr.arpa. 2h4m40s IN NS CHIA.ARIN.NET.
200.in-addr.arpa. 2h4m40s IN NS DILL.ARIN.NET.
200.in-addr.arpa. 2h4m40s IN NS NS.LACNIC.ORG.
200.in-addr.arpa. 2h4m40s IN NS NS.DNS.BR.
200.in-addr.arpa. 2h4m40s IN NS NS2.DNS.BR.
;; ADDITIONAL SECTION:
ARROWROOT.ARIN.NET. 17m46s IN A 198.133.199.110
BUCHU.ARIN.NET. 1h16m39s IN A 192.100.59.110
CHIA.ARIN.NET. 19m17s IN A 192.5.6.32
DILL.ARIN.NET. 19m16s IN A 192.35.51.32
NS.LACNIC.ORG. 14m57s IN A 200.160.0.7
NS.DNS.BR. 14h7m24s IN A 200.160.0.5
NS2.DNS.BR. 10h3m38s IN A 200.19.119.99
;; Total query time: 19 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
;; WHEN: Tue Oct 1 13:46:47 2002
;; MSG SIZE sent: 45 rcvd: 315
bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +recurse
; <<>> DiG 8.3 <<>> @200.44.32.10 -x +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
;; ANSWER SECTION:
235.129.11.200.in-addr.arpa. 1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
;; Total query time: 72 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
;; WHEN: Tue Oct 1 13:46:55 2002
;; MSG SIZE sent: 45 rcvd: 109
bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +recurse
; <<>> DiG 8.3 <<>> @200.44.32.10 -x +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7
;; QUERY SECTION:
;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
;; ANSWER SECTION:
235.129.11.200.in-addr.arpa. 59m52s IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
;; AUTHORITY SECTION:
200.in-addr.arpa. 2h4m24s IN NS ARROWROOT.ARIN.net.
200.in-addr.arpa. 2h4m24s IN NS BUCHU.ARIN.net.
200.in-addr.arpa. 2h4m24s IN NS CHIA.ARIN.net.
200.in-addr.arpa. 2h4m24s IN NS DILL.ARIN.net.
200.in-addr.arpa. 2h4m24s IN NS NS.LACNIC.ORG.
200.in-addr.arpa. 2h4m24s IN NS NS.DNS.BR.
200.in-addr.arpa. 2h4m24s IN NS NS2.DNS.BR.
;; ADDITIONAL SECTION:
ARROWROOT.ARIN.net. 17m30s IN A 198.133.199.110
BUCHU.ARIN.net. 1h16m23s IN A 192.100.59.110
CHIA.ARIN.net. 19m1s IN A 192.5.6.32
DILL.ARIN.net. 19M IN A 192.35.51.32
NS.LACNIC.ORG. 14m41s IN A 200.160.0.7
NS.DNS.BR. 14h7m8s IN A 200.160.0.5
NS2.DNS.BR. 10h3m22s IN A 200.19.119.99
;; Total query time: 89 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
;; WHEN: Tue Oct 1 13:47:03 2002
;; MSG SIZE sent: 45 rcvd: 376
After this point, and until the RR expires, I can get the expected answers
from BIND's cache even with recursion turned off.
However, when I query the server to which the zones are forwarded, I get an
answer no matter what the recursion bit is set to:
bash2.05 lem at ws157-46 ~ % dig @200.44.32.89 -x 200.11.129.235 +recurse
; <<>> DiG 8.3 <<>> @200.44.32.89 -x +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14945
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
;; ANSWER SECTION:
235.129.11.200.in-addr.arpa. 1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
;; Total query time: 305 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.89
;; WHEN: Tue Oct 1 13:48:11 2002
;; MSG SIZE sent: 45 rcvd: 109
bash2.05 lem at ws157-46 ~ % dig @200.44.32.89 -x 200.11.129.235 +norecurse
; <<>> DiG 8.3 <<>> @200.44.32.89 -x +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53497
;; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
;; ANSWER SECTION:
235.129.11.200.in-addr.arpa. 1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
;; Total query time: 260 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.89
;; WHEN: Tue Oct 1 13:48:14 2002
;; MSG SIZE sent: 45 rcvd: 109
bash2.05 lem at ws157-46 ~ % dig @200.44.32.88 -x 200.11.129.235 +recurse
; <<>> DiG 8.3 <<>> @200.44.32.88 -x +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62878
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
;; ANSWER SECTION:
235.129.11.200.in-addr.arpa. 1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
;; Total query time: 84 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.88
;; WHEN: Tue Oct 1 13:48:26 2002
;; MSG SIZE sent: 45 rcvd: 109
bash2.05 lem at ws157-46 ~ % dig @200.44.32.88 -x 200.11.129.235 +norecurse
; <<>> DiG 8.3 <<>> @200.44.32.88 -x +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35029
;; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
;; ANSWER SECTION:
235.129.11.200.in-addr.arpa. 1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
;; Total query time: 171 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.88
;; WHEN: Tue Oct 1 13:48:29 2002
;; MSG SIZE sent: 45 rcvd: 109
I would like to know if this is a bug or a feature. If it is a bug, does
anybody know which version of BIND fixes this?
Thanks a lot and please excuse the lengthy post.
Regards.
-lem
--
--
#!/usr/bin/perl -w
use strict;
$_[$_]=0 for 0..7;my$i;
for my$a(grep{s@^00@@}unpack'B8'x28,join'',map{chr}split/\*+/,q{61*31*28*
32*20*40*25*63*63*9*52*58*49*18*30*47*20*2*10*4*8*63*63*1*36*2*13*30}){$i
=0;grep{$_[$i++].=$_}split //,$a;length$_[0]==8&&print pack'B8',$_ for@_;
length$_[0]==8&&grep{$_=0}@_;}print"\n";
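The comparison made in the post, as an added example that is not part of the original message: it classifies dig 8.x header summaries by their flags and section counts and reports which server answers only when the RD bit is set. The header lines are copied from the dig output above; the function names and category labels are assumptions of this example.

```python
import re

# Matches the dig 8.x header summary, e.g.
# ";; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7"
HEADER_RE = re.compile(
    r"flags:\s*([a-z ]*);\s*QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),"
    r"\s*AUTHORITY:\s*(\d+),\s*ADDITIONAL:\s*(\d+)")

def classify(header_line):
    """Label a response from its flags and section counts (labels are ours)."""
    m = HEADER_RE.search(header_line)
    if m is None:
        raise ValueError("not a dig header summary: %r" % header_line)
    flags = set(m.group(1).split())
    answers, authority = int(m.group(3)), int(m.group(4))
    if answers:
        return "answer+aa" if "aa" in flags else "answer"
    if authority and "aa" not in flags:
        return "referral"   # no answer, only NS records for a parent zone
    return "empty"

def rd_dependent(samples):
    """Return the servers that refer without RD but answer with RD."""
    hits = []
    for server in sorted({s for s, _ in samples}):
        no_rd = classify(samples[(server, False)])
        with_rd = classify(samples[(server, True)])
        if no_rd == "referral" and with_rd.startswith("answer"):
            hits.append(server)
    return hits

# Header lines copied from the post; key = (server queried, RD bit set?)
SAMPLES = {
    ("200.44.32.10", False):
        ";; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7",
    ("200.44.32.10", True):
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0",
    ("200.44.32.89", False):
        ";; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0",
    ("200.44.32.89", True):
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0",
}

if __name__ == "__main__":
    for (server, rd), line in sorted(SAMPLES.items()):
        print(server, "RD" if rd else "no RD", "->", classify(line))
    print("answers depend on RD:", rd_dependent(SAMPLES))
```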