I've got a mess

Bill Larson wllarso at swcp.com
Fri Apr 16 02:45:51 UTC 2004 

On Apr 15, 2004, at 6:56 PM, Michael Barber wrote:

> A few more Questions and Comments interspersed....if you get a chance.

>> The zone files are fully compatible between versions of BIND.
>> Actually, this was required by the RFC which defines DNS.  All of the
>> resource records, SOA, NS, MX, A, TXT, etc., will move from one DNS
>> server to another, regardless of BIND version, or really even software
>> developer.  There is one exception to this though.  The current
>> versions of BIND use a "$TTL" declaration at the beginning of the zone
>> file to specify the actual minimum TTL for the resource records.  The
>> old "minimum TTL" specified in the SOA record is now used for
>> specifying the cached lifetime for the records.  If this "$TTL" isn't
>> specified, you will get a warning when you start up the named process.
>
> My zone files do not have a $TTL at the top and I don't see that 
> causing any
> warning.  The only warning I see is: directory G:\\bind is 
> world-writable
> and nothing we can do makes this go away even when that path is 
> read-only
> for domain admins.

Looking through "DNS & BIND", the change requiring this $TTL came in 
BIND-8.2.  Before 8-2, the information in the SOA was used.

What version of BIND-8 are you running?

This world writable directory is a security issue that should not 
impact your providing DNS information - unless someone decides to do a 
"delete *.*" while in this directory.

> I don't understand the difference between  "cached lifetime for the 
> records"
> and "minimum TTL for the recorce records"...they sound the same.  
> There is
> also a TTL value in front of every SOA record, A record, etc.

Sorry, absolute brain lock on my part.

The TTL value specified in the SOA record is used for ***negative**** 
caching results.  This means that if someone queried for a foo.bar name 
in the bar zone and foo.bar did not exist, then the negative response, 
i.e. there is no foo.bar, would be cached for the period of time 
specified in the SOA record for the bar zone.

>> The configuration files, although similar, are NOT the same.  You
>> should be able to migrate the old configuration fairly quickly, but
>> there definitely be some work involved.
>
> I don't have the original zone files only what has already been 
> "partially"
> migrated so I need to work with what I have.

Please make sure that you distinguish between your configuration file 
("named.cnf" under the Windows version of BIND?) and the zone files 
which contain the resource records for the zones that you are 
responsible for.  I think that there is some confusion here.

>> Note that all of these identify how zone transfers will be handled by
>> the DNS server.  It doesn't say anything about identifying what zones
>> are out there that can be transfered.
>
> Yes.  Should these really be specified or will they default to logical
> choices without inclusion?  I've seen named-xfer and transfer-source 
> only.
> I'm worried that specifying these values may actually be breaking 
> things.

Generally, the defaults values are reasonable.  I'd suggest setting 
these only if there is a specific problem that you need to address.  
Otherwise let named use it's defaults.

I have specified the "transfer-source", but only on a machine that had 
multiple interfaces and I needed to insure that the transfers took 
place using the correct interface.  Setting "transfers-in" can be 
necessary if too many zone transfers are occurring at the same time - 
it throttles the server.

>>> 4.  My secondary is taking a long time to update from the master....
>>> its
>>> the
>>> 604800  that is affecting that right?
>>>
>>> 1800 IN SOA ns.comcity.com. webmaster.comcity.com. (
>>>   2004041306 43200 7200 604800 1800 )
>>
>> Slow updates, assuming that NOTIFY isn't used, is controlled by the
>> refresh value specified in the SOA record.  This refresh value is the
>> SECOND value in the parentheses not second from last.  Your refresh is
>> 43200 seconds, or 12 hours.  Under a worst case, your slaves could 
>> take
>> up to 24 hours to sync with the master, but something closer to twelve
>> hours is what you should expect.  Is this the "long time" that you are
>> referring to?
>
> No...I'm looking at updated zone files in the master that have not 
> updated
> in over 7 days.  I had to manually copy the zone files over and reload 
> the
> secondary (slave) to fix this.  But, it could have been that the master
> ns.comcity.com whois record had not been updated and so the secondary 
> had no
> authoritative DNS to pull from.  From that earlier Email I think that 
> was
> fouling things up badly.  The old ns.comcity.com running bind 4.9.5 
> was at
> 209.66.93.2 and the new master is at 207.168.174.130.  Eventhough
> ns.comcity.com was correctly pointing to 207.168.174.130 in the zone 
> for
> comcity.com...the whois record was still at 209.66.93.2.  When I saw 
> someone
> else post about that....it looked awfully suspicious as to what was 
> going on
> here and I checked and sure enough it was.

Is your slave configured to get the zones from the master?  Remember 
that the DNS protocol itself does not distinguish between master and 
slave servers, this is information that you need to explicitly 
configure into your servers.  If you do not tell the slave what the IP 
address is of the master, then it won't have any idea who to send a 
zone transfer request to.

On your slave you should have something like the following in your 
named.cnf file:

	zone "xyz.example" {
		type slave;
		masters { 192.168.1.1; };
		file "db.xyz";
	};

You must specify the IP address for the master server in the 
configuration for the slave.  If you do not, you will never be able to 
contact the master for the zone transfers.  Also, make sure that on the 
slave you haven't defined the zone to be a master.  If you do this, 
then you will have to manually transfer the zone to the slave.

Also, are you sure that your slave CAN get this zone transfer from the 
master?  There may be blocks somewhere that will prevent the slave from 
getting a zone transfer from the master.  On the slave you should 
always be able to run:

	dig @master_ip_addr zone_name axfr

If you can't, then there must be something that is blocking these 
transfers.  It could be configuration, but it could also be the network 
architecture (firewalls).

You may seriously want to consider posting your configuration files 
such that the people that you are asking for help can see the whole 
picture rather than little bits and pieces.  I know that this is a 
"management" issue and some management doesn't consider letting this 
information out to be acceptable.  But, this is also the same 
management that has paying customers complain that what they are paying 
for isn't working.  You can "sanitize" the information, but if you make 
it too clean you may also loose the errors that are causing your 
problems.

Also, since you have identified that comcity.com is one of the zones 
that you are responsible for, I played around a little looking at this 
zone.  Make the that the NS records for this zone are correct.  You 
have "ns.comcity.com" at 207.168.174.130 defined, which seems to be 
functioning.  You also have a "ns2.comcity.com" at 209.10.62.39, which 
although running a DNS server, does not appear to be authoritative for 
your "comcity.com" zone.  This problem on ns2 could be caused by 
either; not being configured at all for this zone, or there is a 
problem loading this zone.

Bill Larson

More information about the bind-users mailing list