BIND9.3 zonename Problem

Pete Ehlke pde at rfc822.net
Sun Oct 31 13:25:35 UTC 2004


On Sun Oct 31, 2004 at 13:19:17 +0100, jesk wrote:
>Hello,
>
>I just configured a classless reverse delegation from BIND8 to BIND9.3.
>The zonename on the BIND9.3 (ns0.example.com) system is
>"224-239.xxx.xxx.xxx.in-addr.arpa".
>I configured the zone as follows:
>---
>zone "224-239.xxx.xxx.xxx.in-addr.arpa" {
>        type master;
>        file "master/224-239.xxx.xxx.xxx.in-addr.arpa";
>        allow-query { any; };
>};
>---
>the zone itself looks like this:
>---
>$TTL                            18000
>@  IN SOA  ns0.example.com.  hostmaster.example.com. (
>                                2004103009  ; Serial number
>                                3H                 ; Refresh every 3 hours
>                                15M              ; Retry after 15 Minutes
>                                1W                ; Expire after 1 week
>                                4H )               ; Minimum 4 hours
>
>        IN      NS      ns0.example.com.
>        IN      NS      ns1.example.com.
>
>225     IN      PTR     ns0.example.com.
>226     IN      PTR     mx0.example.com.
>227     IN      PTR     www.example.com.
>---
>
>Now I recognized that resolving an IP of the subnet directly from
>ns0.example.com won't work:
>---
>"host xxx.xxx.xxx.227 ns0.example.com" 
>"Host 227.xxx.xxx.xxx.in-addr.arpa not found: 5(REFUSED)"
>---
>On ns0.example.com BIND9.3 says:
>---
>"named[53719]: client x.x.x.x#58160: query (cache) '
>227.xxx.xxx.xxx.in-addr.arpa/PTR/IN' denied"
>---
>
>It seems that ns0.example.com doesn't feel authoritative for the zone,
>because when setting allow-query { any; }; globally then resolving from
>another bind9.3 resolver will work but from a bind8 resolver it won't...
>Am I totally stupid or what's going on there?
>
You told your server to be authoritative for
224-239.xxx.xxx.xxx.in-addr.arpa, and told it to allow queries for that
zone. Then you query it for a record in xxx.xxx.xxx.in-addr.arpa, for
which you have not told it to be authoritative, and for which it has not
been told to allow queries. Therefore, your server refused your query.

Clients on the internet that want to resolve
227.xxx.xxx.xxx.in-addr.arpa/PTR/IN will ask your upstream's servers,
which will pass them a CNAME that points to
227.224-239.xxx.xxx.xxx.in-addr.arpa, for which your server will provide
an answer.

Also, please don't obscure your DNS data. It's silly, gets you no
privacy (the DNS is inherently public), often masks the real problem,
and hinders people who want to help you. And it leads to nearly
unreadable answers like the one I had to produce above...

-Pete
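The RFC 2317 chain Pete describes (parent zone CNAME into the "224-239" child zone, then the PTR there), modelled as an added example that is not part of the original thread. The network 192.0.2.0/24 and the /28 range 224-239 are constructed sample values, since the original post masked its addresses.

```python
# Added example (not from the bind-users thread): why a direct query for
# 227.C.B.A.in-addr.arpa is REFUSED on a server that only holds the
# "224-239.C.B.A.in-addr.arpa" child zone, and how the CNAME chain fixes it.
import ipaddress
from typing import Dict, List, Optional

def reverse_name(ip: str) -> str:
    """IPv4 address -> in-addr.arpa query name (no trailing dot)."""
    return ipaddress.IPv4Address(ip).reverse_pointer  # "227.2.0.192.in-addr.arpa"

def zone_for(qname: str, zones: List[str]) -> Optional[str]:
    """Longest configured zone that contains qname (label-aligned, case-insensitive).
    None means no authoritative zone covers the name; named then treats the
    request as a recursive/cache query, and with no global allow-query it is REFUSED."""
    q = qname.rstrip(".").lower().split(".")
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower().split(".")
        if len(z) <= len(q) and q[-len(z):] == z:
            if best is None or len(z) > len(best.split(".")):
                best = zone
    return best

def rfc2317_child_zone(network: str, low: int, high: int) -> str:
    """Child zone name for hosts low..high of a /24, in the thread's naming style."""
    a, b, c, _ = str(ipaddress.IPv4Network(network).network_address).split(".")
    return f"{low}-{high}.{c}.{b}.{a}.in-addr.arpa"

def parent_cnames(network: str, low: int, high: int) -> Dict[str, str]:
    """CNAME records the upstream (/24) zone must carry: each host's reverse
    name points at the same host label inside the delegated child zone."""
    a, b, c, _ = str(ipaddress.IPv4Network(network).network_address).split(".")
    child = rfc2317_child_zone(network, low, high)
    return {reverse_name(f"{a}.{b}.{c}.{h}"): f"{h}.{child}" for h in range(low, high + 1)}

def resolve_ptr(ip: str, parent: Dict[str, str], child_zone: str,
                child_ptrs: Dict[str, str]) -> Optional[str]:
    """Follow the chain a public resolver walks: parent CNAME -> child PTR.
    child_ptrs is keyed by owner label relative to the child zone origin ("227")."""
    target = parent.get(reverse_name(ip))
    if target is None or zone_for(target, [child_zone]) != child_zone:
        return None
    label = target[: -(len(child_zone) + 1)]
    return child_ptrs.get(label)
```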