Problem with forward zone and recursion

Luis Muñoz lem at cantv.net
Tue Oct 1 19:04:53 UTC 2002



Hi folks:

In my network, we're running BIND 8.2.4_REL. (I know an upgrade is due, but
this question is in part to help me decide to which version).

I have a number of zones configured like this at the authoritative servers:

zone "129.11.200.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 200.44.32.89; 200.44.32.88; };
};

The problem is that the answers are only found when recursion is specified
in the query. This obviously won't work when said query comes from a name
server, as in these cases the recursion would not be requested. This is an
example:

bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +norecurse

; <<>> DiG 8.3 <<>> @200.44.32.10 -x +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58582
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7
;; QUERY SECTION:
;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN

;; AUTHORITY SECTION:
200.in-addr.arpa.       2h4m40s IN NS   ARROWROOT.ARIN.NET.
200.in-addr.arpa.       2h4m40s IN NS   BUCHU.ARIN.NET.
200.in-addr.arpa.       2h4m40s IN NS   CHIA.ARIN.NET.
200.in-addr.arpa.       2h4m40s IN NS   DILL.ARIN.NET.
200.in-addr.arpa.       2h4m40s IN NS   NS.LACNIC.ORG.
200.in-addr.arpa.       2h4m40s IN NS   NS.DNS.BR.
200.in-addr.arpa.       2h4m40s IN NS   NS2.DNS.BR.

;; ADDITIONAL SECTION:
ARROWROOT.ARIN.NET.     17m46s IN A     198.133.199.110
BUCHU.ARIN.NET.         1h16m39s IN A   192.100.59.110
CHIA.ARIN.NET.          19m17s IN A     192.5.6.32
DILL.ARIN.NET.          19m16s IN A     192.35.51.32
NS.LACNIC.ORG.          14m57s IN A     200.160.0.7
NS.DNS.BR.              14h7m24s IN A   200.160.0.5
NS2.DNS.BR.             10h3m38s IN A   200.19.119.99

;; Total query time: 19 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
;; WHEN: Tue Oct  1 13:46:47 2002
;; MSG SIZE  sent: 45  rcvd: 315

bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +recurse

; <<>> DiG 8.3 <<>> @200.44.32.10 -x +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
235.129.11.200.in-addr.arpa.  1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.

;; Total query time: 72 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
;; WHEN: Tue Oct  1 13:46:55 2002
;; MSG SIZE  sent: 45  rcvd: 109

bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +recurse

; <<>> DiG 8.3 <<>> @200.44.32.10 -x +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7
;; QUERY SECTION:
;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
235.129.11.200.in-addr.arpa.  59m52s IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.

;; AUTHORITY SECTION:
200.in-addr.arpa.       2h4m24s IN NS   ARROWROOT.ARIN.net.
200.in-addr.arpa.       2h4m24s IN NS   BUCHU.ARIN.net.
200.in-addr.arpa.       2h4m24s IN NS   CHIA.ARIN.net.
200.in-addr.arpa.       2h4m24s IN NS   DILL.ARIN.net.
200.in-addr.arpa.       2h4m24s IN NS   NS.LACNIC.ORG.
200.in-addr.arpa.       2h4m24s IN NS   NS.DNS.BR.
200.in-addr.arpa.       2h4m24s IN NS   NS2.DNS.BR.

;; ADDITIONAL SECTION:
ARROWROOT.ARIN.net.     17m30s IN A     198.133.199.110
BUCHU.ARIN.net.         1h16m23s IN A   192.100.59.110
CHIA.ARIN.net.          19m1s IN A      192.5.6.32
DILL.ARIN.net.          19M IN A        192.35.51.32
NS.LACNIC.ORG.          14m41s IN A     200.160.0.7
NS.DNS.BR.              14h7m8s IN A    200.160.0.5
NS2.DNS.BR.             10h3m22s IN A   200.19.119.99

;; Total query time: 89 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
;; WHEN: Tue Oct  1 13:47:03 2002
;; MSG SIZE  sent: 45  rcvd: 376

After this point, and until the RR expires, I can get the expected answers
from BIND's cache even with recursion turned off.

However, when I query the server to which the zones are forwarded, I get an
answer no matter what the recursion bit is set to:

bash2.05 lem at ws157-46 ~ % dig @200.44.32.89 -x 200.11.129.235 +recurse

; <<>> DiG 8.3 <<>> @200.44.32.89 -x +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14945
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
235.129.11.200.in-addr.arpa.  1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.

;; Total query time: 305 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.89
;; WHEN: Tue Oct  1 13:48:11 2002
;; MSG SIZE  sent: 45  rcvd: 109

bash2.05 lem at ws157-46 ~ % dig @200.44.32.89 -x 200.11.129.235 +norecurse

; <<>> DiG 8.3 <<>> @200.44.32.89 -x +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53497
;; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
235.129.11.200.in-addr.arpa.  1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.

;; Total query time: 260 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.89
;; WHEN: Tue Oct  1 13:48:14 2002
;; MSG SIZE  sent: 45  rcvd: 109

bash2.05 lem at ws157-46 ~ % dig @200.44.32.88 -x 200.11.129.235 +recurse

; <<>> DiG 8.3 <<>> @200.44.32.88 -x +recurse
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62878
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
235.129.11.200.in-addr.arpa.  1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.

;; Total query time: 84 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.88
;; WHEN: Tue Oct  1 13:48:26 2002
;; MSG SIZE  sent: 45  rcvd: 109

bash2.05 lem at ws157-46 ~ % dig @200.44.32.88 -x 200.11.129.235 +norecurse

; <<>> DiG 8.3 <<>> @200.44.32.88 -x +norecurse
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35029
;; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
235.129.11.200.in-addr.arpa.  1H IN PTR
dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.

;; Total query time: 171 msec
;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.88
;; WHEN: Tue Oct  1 13:48:29 2002
;; MSG SIZE  sent: 45  rcvd: 109

I would like to know if this is a bug or a feature. If it is a bug, does
anybody know which version of BIND fixes this?

Thanks a lot and please excuse the lengthy post.

Regards.

-lem

-- 
 --
#!/usr/bin/perl -w
use strict;
$_[$_]=0 for 0..7;my$i;
for my$a(grep{s@^00@@}unpack'B8'x28,join'',map{chr}split/\*+/,q{61*31*28*
32*20*40*25*63*63*9*52*58*49*18*30*47*20*2*10*4*8*63*63*1*36*2*13*30}){$i
=0;grep{$_[$i++].=$_}split //,$a;length$_[0]==8&&print pack'B8',$_ for@_;
length$_[0]==8&&grep{$_=0}@_;}print"\n";
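
The dig transcripts in the message above differ mainly in their header flags and section counts. The following is an added example, not part of the original post: it parses the `;; flags:` lines copied from those transcripts and labels each response. The category names are this example's own.

```python
import re

# Header lines copied from the DiG 8.3 transcripts in the post above.
SAMPLES = {
    "200.44.32.10 +norecurse":
        ";; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7",
    "200.44.32.10 +recurse (1st)":
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0",
    "200.44.32.10 +recurse (2nd)":
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7",
    "200.44.32.89 +norecurse":
        ";; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0",
}

HEADER = re.compile(
    r"^;; flags:\s*(?P<flags>[a-z ]*);\s*QUERY:\s*(?P<qd>\d+),"
    r"\s*ANSWER:\s*(?P<an>\d+),\s*AUTHORITY:\s*(?P<ns>\d+),"
    r"\s*ADDITIONAL:\s*(?P<ar>\d+)"
)

def parse_header(line):
    """Return the flag set and section counts from a dig header line."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not a dig flags line: %r" % line)
    return {
        "flags": set(m["flags"].split()),
        "answer": int(m["an"]),
        "authority": int(m["ns"]),
        "additional": int(m["ar"]),
    }

def classify(line):
    """Label a response by its AA bit and section counts."""
    h = parse_header(line)
    aa = "aa" in h["flags"]
    if h["answer"] > 0:
        return "authoritative-answer" if aa else "non-authoritative-answer"
    if aa:
        # AA set with an empty answer section: name or type does not exist.
        return "authoritative-negative"
    if h["authority"] > 0:
        # No answer, no AA, only NS records: the server is pointing elsewhere.
        return "referral"
    return "empty"

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print("%-30s %s" % (label, classify(line)))
```
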

