migration from bind8 to bind9
Mark Andrews
Mark_Andrews at isc.org
Wed Dec 13 21:52:27 UTC 2006
> Hi,
> We are administrating tr. domain and testing bind9 to upgrade from
> bind8. Below is a bind8 response for a sample query from one of our
> currently operating DNS's:
>
> ------------------------------------------------------------------------
>
> ustun at houston:~$ dig @ns2.nic.tr milliyet.com.tr. -t ns
>
> ; <<>> DiG 9.3.2-P1 <<>> @ns2.nic.tr milliyet.com.tr. -t ns
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1229
> ;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;milliyet.com.tr. IN NS
>
> ;; ANSWER SECTION:
> milliyet.com.tr. 43200 IN NS doldns02.dol.com.tr.
> milliyet.com.tr. 43200 IN NS doldns01.dol.com.tr.
>
> ;; ADDITIONAL SECTION:
> doldns02.dol.com.tr. 43200 IN A 213.243.1.42
> doldns01.dol.com.tr. 43200 IN A 213.243.1.40
>
> ;; Query time: 3 msec
> ;; SERVER: 144.122.95.52#53(144.122.95.52)
> ;; WHEN: Wed Dec 13 16:00:31 2006
> ;; MSG SIZE rcvd: 115
>
> ustun at houston:~$
>
> ------------------------------------------------------------------------
>
> and below is the response from bind9 installed on a test machine to
> the same query with the same configuration:
>
> ustun at houston:~$ dig @144.122.95.178 milliyet.com.tr. -t ns
>
> ; <<>> DiG 9.3.2-P1 <<>> @144.122.95.178 milliyet.com.tr. -t ns
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34422
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;milliyet.com.tr. IN NS
>
> ;; AUTHORITY SECTION:
> milliyet.com.tr. 43200 IN NS doldns02.dol.com.tr.
> milliyet.com.tr. 43200 IN NS doldns01.dol.com.tr.
>
> ;; ADDITIONAL SECTION:
> doldns01.dol.com.tr. 43200 IN A 213.243.1.40
> doldns02.dol.com.tr. 43200 IN A 213.243.1.42
>
> ;; Query time: 89 msec
> ;; SERVER: 144.122.95.178#53(144.122.95.178)
> ;; WHEN: Wed Dec 13 15:59:14 2006
> ;; MSG SIZE rcvd: 115
>
> ustun at houston:~$
>
> ------------------------------------------------------------------------
> recursion is not allowed in both machines. Bind8 looks at the zone
> files at localhost, finds the NS record, queries root servers for
> additional ip information and gives an answer. However, bind9 takes
> this query as recursive,

It is a recursive query, "rd" is set in the flags. dig defaults
to asking recursive queries. You should use 'dig +norec' for
the testing of parent servers. This simulates the queries from
an iterative resolver rather than a stub resolver.

> and does not return an answer although the NS
> record is available at localhost in "com.tr." zone file.

Your server does NOT have any answer for milliyet.com.tr. It
knows where the answers for milliyet.com.tr can be found
however so it sends a referral. Iterative resolvers will
look in the authority section, find the NS RRset, then query
the authoritative servers for milliyet.com.tr.

> Bind9 logs this:
>
> Dec 13 16:34:11 localhost named[19911]: Dec 13 16:34:11.617 security:
> debug 1: client 144.122.95.150#33024: recursion available: denied
>
> I searched the list but couldn't find a satisfying answer. So why is
> there a difference? How can we reconfigure bind9 to answer the query
> as bind8 to preserve the same system?
>
> Thanks and Regards,
> ustun
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
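
The referral-versus-answer distinction discussed in this thread, shown at the wire level as an added example (not part of the original messages): it builds a query with RD clear, as 'dig +norec' does, and classifies a response by its header flags and the record types in each section. The function names are hypothetical, the "referral" rule (NOERROR, empty answer, NS-only authority, AA clear) is a working heuristic, and the sample responses are constructed to mirror the two dig outputs quoted above.

```python
import struct

NS, A = 2, 1  # RR type codes

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=NS, rd=False, qid=1):
    # rd=False is what 'dig +norec' sends; dig's default sets RD (0x0100).
    header = struct.pack("!6H", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, 1)

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)  # 2-byte pointer or root label

def classify(msg):
    _qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    authority = types[an:an + ns]
    aa, rd = bool(flags & 0x0400), bool(flags & 0x0100)
    if flags & 0x000F:
        kind = "error"
    elif an:
        kind = "answer"
    elif authority and not aa and all(t == NS for t in authority):
        kind = "referral"  # NOERROR, empty answer, NS-only authority, AA clear
    else:
        kind = "nodata"
    return {"kind": kind, "aa": aa, "rd": rd}

def rr(name, rtype, rdata, ttl=43200):
    return encode_name(name) + struct.pack("!2HIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_response(ns_in_answer):
    # Constructed bytes mirroring the thread's two dig outputs (flags: qr rd).
    hosts = {"doldns02.dol.com.tr": 42, "doldns01.dol.com.tr": 40}
    counts = (1, 2, 0, 2) if ns_in_answer else (1, 0, 2, 2)
    body = build_query("milliyet.com.tr", rd=True)[12:]
    body += b"".join(rr("milliyet.com.tr", NS, encode_name(h)) for h in hosts)
    body += b"".join(rr(h, A, bytes([213, 243, 1, o])) for h, o in hosts.items())
    return struct.pack("!6H", 34422, 0x8100, *counts) + body
```

`classify(sample_response(False))` corresponds to the BIND 9 output (NS RRset in the authority section) and `classify(sample_response(True))` to the BIND 8 output (same RRset in the answer section); neither has AA set.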