9.2.3rc2 NS lookups failing
Dave Lugo
dlugo at etherboy.com
Thu Sep 18 00:52:57 UTC 2003
(reposting into a new thread)
I've built and installed 9.2.3rc2 to work around the Verisign issue.
Wildcards in the root are no longer a problem, however, I'm seeing what
seems (IMVHO) to be incorrect behaviour.
The announcement of the new release states:
"...Briefly, a zone which has been declared "delegation-only" will be
effectively limited to containing NS RRs for subdomains, but no actual
data outside its apex (for example, its SOA RR and apex NS RRset)..."
By my reading of the above, I _should_ be able to do something like:
dig ns $domain_that_exists.[com|net]
...and get an answer. What I am instead seeing is:
root at severe# dig ns grape.com
; <<>> DiG 9.2.2rc1 <<>> ns grape.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44941
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;grape.com. IN NS
;; Query time: 252 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 17 20:48:12 2003
;; MSG SIZE rcvd: 27
...and I see a corresponding "no!" in the logs:
Sep 17 20:48:12 severe named[5167]: enforced delegation-only for 'com'
(grape.com
It seems that the only way to get around this new issue, and get the
entire NS set for a domain from the root, is to do a `dig any $domain`
instead:
root at severe# dig any grape.com
; <<>> DiG 9.2.2rc1 <<>> any grape.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13192
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;grape.com. IN ANY
;; ANSWER SECTION:
grape.com. 172800 IN NS gold.sbcidc.com.
grape.com. 172800 IN NS ns.savaii.com.
;; AUTHORITY SECTION:
grape.com. 172800 IN NS gold.sbcidc.com.
grape.com. 172800 IN NS ns.savaii.com.
;; ADDITIONAL SECTION:
ns.savaii.com. 172800 IN A 216.154.253.185
gold.sbcidc.com. 172800 IN A 216.65.209.34
;; Query time: 1270 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 17 20:49:32 2003
;; MSG SIZE rcvd: 137
Is this the desired behaviour of `delegation-only`? I'm very pleased
that the new zonetype stops wildcards, but I'm somewhat concerned that
something else may have been broken.
Thanks,
Dave
--
--------------------------------------------------------
Dave Lugo dlugo at etherboy.com LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.
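
Added example, not part of the original post: a Python check for the symptom reported above, where an NS query returns NXDOMAIN while an ANY query for the same name returns the NS RRset. The function names are hypothetical, and the sample input is abbreviated from the dig output in the post.

```python
import re

# Sample input: abbreviated from the two dig transcripts in the post above
# (header, question and answer-section lines only).
DIG_NS = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44941
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;grape.com. IN NS
"""
DIG_ANY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13192
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;grape.com. IN ANY
;; ANSWER SECTION:
grape.com. 172800 IN NS gold.sbcidc.com.
grape.com. 172800 IN NS ns.savaii.com.
"""

def parse_dig(text):
    """Extract the rcode, the question, and NS targets from the answer section."""
    status = re.search(r"status: (\w+)", text).group(1)
    qname, qtype = re.search(r"^;(\S+)\s+IN\s+(\S+)\s*$", text, re.M).groups()
    ns, section = [], None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)          # track which section we are in
        elif section == "ANSWER" and line and not line.startswith(";"):
            fields = line.split()          # name, ttl, class, type, rdata
            if len(fields) >= 5 and fields[3] == "NS":
                ns.append(fields[4])
    return {"status": status, "qname": qname, "qtype": qtype, "ns": sorted(ns)}

def ns_lookup_suppressed(ns_reply, any_reply):
    """True when qtype NS is NXDOMAIN but ANY for the same name yields NS records."""
    return (ns_reply["qname"] == any_reply["qname"]
            and ns_reply["qtype"] == "NS" and any_reply["qtype"] == "ANY"
            and ns_reply["status"] == "NXDOMAIN"
            and any_reply["status"] == "NOERROR" and bool(any_reply["ns"]))

if __name__ == "__main__":
    ns_reply, any_reply = parse_dig(DIG_NS), parse_dig(DIG_ANY)
    print(ns_reply, any_reply, ns_lookup_suppressed(ns_reply, any_reply), sep="\n")
```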