CNAME and other data

Mark Andrews Mark_Andrews at isc.org
Thu Jan 20 22:57:13 UTC 2005


> I'm seeing:
> 	
> Jan 20 10:50:41 marajade named[6342]: transfer of 'sandelman.ca/IN' from 205.150.200.254#53: failed while receiving responses: CNAME and other data
> Jan 20 10:50:41 marajade named[6342]: transfer of 'sandelman.ca/IN' from 205.150.200.254#53: end of transfer
> 
> with:
> 
> marajade-[/var/tmp] mcr 1027 %bindversion 127.0.0.1
> version.bind.           0       CH      TXT     "9.3.0"
> 
> marajade-[/var/tmp] mcr 1028 %bindversion 205.150.200.254
> version.bind.           0       CH      TXT     "9.3.0s20021115"
> 
> There are *no* duplicates that I can find.
> (It would be nice if named would log what the conflict is)

	You are trying to load a DNSSEC zone (with a CNAME) on a
	DNSSECbis server.

	Upgrade the master and re-sign.

	It's not good to try to serve a DNSSEC zone from a DNSSECbis
	server and vice versa.
 
> dig @205.150.200.254 sandelman.ca. axfr  >|n1
> (snippet of file inline at bottom)
> 
> The only "duplicates" are that the 9.3.0s20021115 is naturally doing
> pre-TCR SIG/NXT. I think that bind 9.3. should be tolerant of zones like
> that. Or at least provide a more intelligent error message.
> 
> I built bind 9.3 on 205.150.200.254, and re-signed my zones.
> I noticed that I had to edit K*.key -> s/KEY/DNSKEY/.
> dnssec-signer complains about the K*.private file, which is confusing.
> 
> {I noticed this because my laptop is a stealth secondary for my zone,
> and it got upgraded to bind 9.3 sometime in the last month, and the 
> on-disk copy of the zone finally expired...}
> 
> I'm concerned that a pre-9.3.0 secondary may NOW complain that there
> is CNAME + NSEC!

	It will.  DNSSECbis requires that the servers be DNSSECbis
	aware.
 
	Mark

> Jan 20 11:11:06 bud named[25400]: transfer of 'sandelman.ca/IN' from 205.150.200.254#53: failed while receiving responses: CNAME and other data
> 
> For instance 9.2.3 says:
> 
> Jan 20 11:11:06 bud named[25400]: transfer of 'sandelman.ca/IN' from 205.150.200.254#53: failed while receiving responses: CNAME and other data
> 
> 
> ===============
> 
> ; <<>> DiG 9.3.0s20021115 <<>> @205.150.200.254 sandelman.ca. axfr
> ;; global options:  printcmd
> cooperix.sandelman.ca.	7200	IN	CNAME	aragorn.sandelman.ca.
> cooperix.sandelman.ca.	7200	IN	SIG	CNAME 1 3 7200 20050219143302 20050120143302 3649 sandelman.ca. kZB1YEZFJ8Uom7KfJ+pqxVIC5AqwZpq/qFUeg23ECLsy7SVQNbLfniRc 8OAYzyQXt+2Ak25R6cM8AiO2tB3UoZmOfk+fx5qMdmrbyS4NPnkCmP0+ hWCgMAjw+OdEEeCg0FM7uXQEiLTTo9zs+rrIZUcp07GF4eqnplqNKhHi JP4=
> cooperix.sandelman.ca.	7200	IN	NXT	cvs.sandelman.ca. CNAME SIG NXT
> cooperix.sandelman.ca.	7200	IN	SIG	NXT 1 3 7200 20050219143302 20050120143302 3649 sandelman.ca. P60ZTJhC3sJI+fPTIYp/wX5GCFCg8RmmfgM4MuFtkKbvXzPK8l5U2n7F kUeKfyyGHK6CTDS6oc/os8YG26s+CXvU626X8xNxeZbqXnuBygOYCI+o 6uecubsmlx7kK4/YXHIWBkffqAx37sOBOG7uHpNMWrj8D9cSFQDe3/mt vM8=
> 
> 
> - -- 
> ] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
> ] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
> ] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy");  [
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
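
An added example, not part of the thread and not BIND's own code: a small Python check that names the record types colliding with a CNAME, which is the detail the log message above leaves out. It assumes the rule sets of RFC 2535 (SIG, NXT and KEY may accompany a CNAME) and RFC 4035 (RRSIG, NSEC and KEY may); the mode names, function names and sample records are hypothetical, and the sample rdata is constructed and shortened.

```python
from collections import defaultdict

# Types allowed to share an owner name with a CNAME, per DNSSEC generation.
# Assumption: modelled on RFC 2535 (original DNSSEC) and RFC 4035 (DNSSECbis).
ALLOWED_WITH_CNAME = {
    "plain": set(),
    "dnssec": {"SIG", "NXT", "KEY"},
    "dnssecbis": {"RRSIG", "NSEC", "KEY"},
}

def types_by_owner(zone_text):
    """Map owner -> set of RR types from one-line 'owner ttl class type rdata' records."""
    owners = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue  # skip blanks, comments and anything too short to be a record
        owner, _ttl, _rrclass, rrtype = fields[:4]
        owners[owner.lower()].add(rrtype.upper())
    return owners

def cname_conflicts(zone_text, mode):
    """Return {owner: [types]} that a server in the given mode sees as 'other data'."""
    allowed = ALLOWED_WITH_CNAME[mode] | {"CNAME"}
    conflicts = {}
    for owner, types in types_by_owner(zone_text).items():
        if "CNAME" in types and types - allowed:
            conflicts[owner] = sorted(types - allowed)
    return conflicts

# Constructed samples: owner names follow the thread, rdata is a placeholder.
OLD_SIGNED = """\
; zone signed with SIG/NXT (original DNSSEC)
cooperix.sandelman.ca. 7200 IN CNAME aragorn.sandelman.ca.
cooperix.sandelman.ca. 7200 IN SIG CNAME 1 3 7200 (signature-elided)
cooperix.sandelman.ca. 7200 IN NXT cvs.sandelman.ca. CNAME SIG NXT
"""
NEW_SIGNED = """\
; same name after re-signing with RRSIG/NSEC (DNSSECbis)
cooperix.sandelman.ca. 7200 IN CNAME aragorn.sandelman.ca.
cooperix.sandelman.ca. 7200 IN RRSIG CNAME 5 3 7200 (signature-elided)
cooperix.sandelman.ca. 7200 IN NSEC cvs.sandelman.ca. CNAME RRSIG NSEC
"""

if __name__ == "__main__":
    for label, zone in (("old-signed", OLD_SIGNED), ("new-signed", NEW_SIGNED)):
        for mode in ("dnssec", "dnssecbis"):
            print(label, "checked as", mode, "->", cname_conflicts(zone, mode) or "ok")
```

The parser handles only single-line records such as unwrapped `dig axfr` output; multi-line records in parentheses need joining first.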