Primary name server updates propagating to secondary

Chris Buxton cbuxton at menandmice.com
Mon Jan 28 23:44:59 UTC 2008


The most important thing to understand is that, while nslookup is fine  
for most people who need to find information from the DNS, it is not  
suitable to use in debugging DNS configuration problems. Use 'dig'  
instead.

The problem you're describing is one of master->slave data  
replication. Without thoroughly reviewing your two named.conf files, I  
notice that there are far fewer zone statements on the slave than on  
the master - if your intent is that they should each have the same  
data, then they must define the same zones. In your example, the  
master has "mysite2.com", but the slave does not; having no such zone,  
the slave can only resolve the name recursively (it is configured with  
"recursion yes"), and that cached answer is what nslookup reports as  
non-authoritative.

To test this with dig, using your sanitized nomenclature:

dig mysite2.com SOA +norec @primary_ns
dig mysite2.com SOA +norec @secondary_ns

In the results of those two commands, look near the top for a line  
that starts with ";; flags:". There will be 1 or more two-letter flag  
names present, representing the DNS header flags that have been turned  
on in the response. You want to see the "aa" flag (Authoritative  
Answer) when you are querying your server for data that it should have  
in its own zones.

For example:

$ dig menandmice.com soa @dns1.menandmice.com +norec | grep flags
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3

(Note that the command syntax for 'dig' is very flexible and is almost  
never case-sensitive. Thus you may notice some differences between  
what I suggested before and the command quoted above.)

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com

Men & Mice
We bring control and flexibility to network management

This e-mail and its attachments may contain confidential and  
privileged information only intended for the person or entity to which  
it is addressed. If the reader of this message is not the intended  
recipient, you are hereby notified that any retention, dissemination,  
distribution or copy of this e-mail is strictly prohibited. If you  
have received this e-mail in error, please notify us immediately by  
reply e-mail and immediately delete this message and all its attachments.



On Jan 28, 2008, at 2:52 PM, Oscar Usifer wrote:

> Folks,
>
> Our primary name server, (bind-9.3.4) currently set up to resolve
> our server host names, needs to propagate changes to our secondary
> name server. From nslookup I see that the A records have propagated,
> but the SOA record has not. If the primary name server goes offline,
> does that imply that the hostname translation will not
> resolve? The following is part of our primary and secondary
> /etc/named.conf files (modified for illustration purposes). If this
> is the case, how can I cause our secondary NS to list the SOA record?
>
> Thanks,
> -OSC
>
>
> osc at frag ~]$ nslookup mysite2.com primary_ns
> Server:         primary_ns
> Address:        x.x.132.253#53
>
> Name:   mysite2.com
> Address: x.x.132.140
>
> [osc at frag ~]$ nslookup mysite2.com secondary_ns
> Server:         secondary_ns
> Address:        x.x.132.252#53
>
> Non-authoritative answer:
> Name:   mysite2.com
> Address: x.x.132.140
>
> [osc at frag ~]$
>
>
> // primary name server /etc/named.conf
> // Hosts permitted to pull zone transfers from this (primary) server;
> // referenced by the allow-transfer statements in options and in each
> // master zone below.
> acl secondaries {
>    <secondary ip addr>; /* our secondary ns ip addr */
> };
>
> // Clients that get recursion (allow-recursion in view "all-in-one") and
> // that match the options-level allow-query below.
> // NOTE(review): y.y.52.1 is listed here but not in the secondary's
> // "trusted" acl further down; confirm the two lists are meant to differ.
> acl trusted {
>    127.0.0.1;
>    192.168.2.0/24;
>    192.168.1.0/24;
>    y.y.132.128/25;
>    y.y.52.1;
> };
>
> // Sources ignored outright via the blackhole statement in options.
> acl drop {
>   z.0.0.0/24;
> };
>
> // All default-category messages go to syslog facility local2.
> logging {
>    channel my_syslog {
>       syslog local2;
>       severity debug;   // debug is very verbose for a production server; presumably temporary
>    };
>
>    category default { my_syslog; };
>    category lame-servers { null; };   // lame-server noise discarded
> };
>
>
> // Server-wide defaults; the views below override several of these.
> options {
>    directory "/var/named";   // zone file paths below are relative to this
>    pid-file "/var/run/named/named.pid";
>    statistics-file "/var/run/named/named.stats";
>    datasize 64M;
>    cleaning-interval 5;   // cache clean-up interval (minutes)
>    transfer-format many-answers;
>    max-transfer-time-in 60;   // inbound transfers are abandoned after this many minutes
>    interface-interval 0;   // periodic interface rescan disabled
>
>    // Default for outbound transfers; individual zones may tighten it
>    // (127.in-addr.arpa below sets none).
>    allow-transfer {
>       secondaries;
>    };
>
>    // NOTE(review): view "all-in-one" sets allow-query { any; }, and a
>    // view-level setting takes precedence over this options-level one,
>    // so for clients matched by that view this restriction does not apply.
>    allow-query {
>       trusted;
>    };
>
>    // Packets from the "drop" acl are silently ignored.
>    blackhole {
>       drop;
>    };
> };
>
>
> // Single IN-class view: match-clients { any; } puts every client here, so
> // allow-query { any; } is the effective query policy for authoritative
> // data, while recursion remains limited to the "trusted" acl.
> view "all-in-one" in {
>    allow-query { any; };
>    match-clients { any; };
>    recursion yes;
>    allow-recursion {
>       trusted;
>    };
>
>    additional-from-auth yes;
>    additional-from-cache yes;
>
>    // Root hints used for recursion.
>    zone "." in {
>       type hint;
>       file "root.cache";
>    };
>
>    // Loopback/local zones. Only 127.in-addr.arpa overrides allow-transfer;
>    // the other three inherit the options-level allow-transfer { secondaries; }.
>    zone "127.in-addr.arpa" in {
>       type master;
>       file "master/127.in-addr.arpa";
>       allow-query {
>          any;
>       };
>       allow-transfer {
>          none;
>       };
>    };
>
>    zone "localhost" in {
>      type master;
>      allow-query { any; };
>      file "master/localhost";
>    };
>
>    zone "0.in-addr.arpa" {
>      type master;
>      allow-query { any; };
>      file "master/0.in-addr.arpa";
>    };
>    zone "255.in-addr.arpa" {
>      type master;
>      allow-query { any; };
>      file "master/255.in-addr.arpa";
>    };
>
>    // delegation-only: answers from the com/net servers that are not
>    // referrals are rejected (guard against TLD wildcard synthesis).
>    zone "com." {
>       type delegation-only;
>    };
>    zone "net." {
>       type delegation-only;
>    };
>    // Zones replicated to the secondary: transfers restricted to the
>    // "secondaries" acl, NOTIFY sent on change, dynamic update disabled.
>    zone "0.168.192.in-addr.arpa" IN {
>       type master;
>       file "master/0.168.192.in-addr.arpa";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    zone "1.168.192.in-addr.arpa" IN {
>       type master;
>       file "master/1.168.192.in-addr.arpa";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    zone "2.168.192.in-addr.arpa" IN {
>       type master;
>       file "master/2.168.192.in-addr.arpa";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    zone "5.168.192.in-addr.arpa" IN {
>       type master;
>       file "master/5.168.192.in-addr.arpa";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    zone "mysite.com" IN {
>       type master;
>       file "master/mysite.com";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    // NOTE(review): this zone has no matching slave zone in the secondary's
>    // config further down, so the secondary is not authoritative for it.
>    // It also loads the same file as "mysite.com"; unless that file uses
>    // @-relative owner names throughout, its SOA/NS apex data belong to
>    // mysite.com — verify each zone serves the apex records intended for it.
>    zone "mysite2.com" IN {
>       type master;
>       file "master/mysite.com";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    zone "test.mysite.com" IN {
>       type master;
>       file "master/test.mysite.com";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    // NOTE(review): shares "master/test.mysite.com" with test.mysite.com
>    // and has no slave zone on the secondary.
>    zone "test.mysite3.com" IN {
>       type master;
>       file "master/test.mysite.com";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    // NOTE(review): the four .cn zones all load "master/mysite.com", and
>    // none of them has a slave zone on the secondary.
>    zone "mysite.cn" IN {
>       type master;
>       file "master/mysite.com";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    zone "mysite1.cn" IN {
>       type master;
>       file "master/mysite.com";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    zone "mysite2.cn" IN {
>       type master;
>       file "master/mysite.com";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    zone "mysite3.cn" IN {
>       type master;
>       file "master/mysite.com";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>    zone "128-255.132.x.x.in-addr.arpa" IN {
>       type master;
>       file "master/128-255.132.x.x.in-addr.arpa";
>       allow-update { none; };
>       allow-transfer { secondaries; };
>       notify yes;
>    };
>
> };
>
> // CHAOS-class view: no recursion, an empty hint zone, and a local "bind"
> // zone with allow-query { none; } — presumably so that version.bind /
> // hostname.bind style lookups are refused rather than answered.
> view tighten-chaos chaos {
>    match-clients { any; };
>    recursion no;
>    zone "." chaos {
>       type hint;
>       file "/dev/null";
>    };
>    zone "bind" chaos {
>       type master;
>       file "master/bind.chaos";
>       allow-query { none; };
>       allow-transfer { none; };
>    };
> };
>
> // TSIG key (name, algorithm and secret redacted in the post).
> // NOTE(review): nothing in this excerpt references the key — no server
> // statement and no "keys" clause in any allow-transfer — so transfers are
> // authorised by source address (acl secondaries) alone.
> key "xxxx" {
>         algorithm xxxx;
>         secret "xxxxx";
> };
>
>
> // secondary name server /etc/named.conf
> // On the secondary only localhost may request outbound transfers; every
> // slave zone below additionally sets allow-transfer { none; }.
> acl secondaries {
>    localhost;
> };
>
> // Clients that get recursion and match the options-level allow-query.
> // NOTE(review): unlike the primary's "trusted" acl, y.y.52.1 is absent
> // and localhost replaces 127.0.0.1; confirm the difference is intended.
> acl trusted {
>    localhost;
>    192.168.2.0/24;
>    192.168.1.0/24;
>    y.y.132.128/25;
> };
>
> // Sources ignored outright via the blackhole statement in options.
> acl drop {
>   z.0.0.0/24;
> };
>
> // Same logging setup as the primary: default category to syslog local2.
> logging {
>    channel my_syslog {
>       syslog local2;
>       severity debug;   // debug is very verbose for a production server; presumably temporary
>    };
>    category default { my_syslog; };
>    category lame-servers { null; };   // lame-server noise discarded
> };
>
> // Server-wide defaults, identical to the primary's apart from the acl
> // contents; the views below override several of these.
> options {
>    directory "/var/named";   // zone file paths below are relative to this
>    pid-file "/var/run/named/named.pid";
>    statistics-file "/var/run/named/named.stats";
>    datasize 64M;
>    cleaning-interval 5;   // cache clean-up interval (minutes)
>    transfer-format many-answers;
>    max-transfer-time-in 60;   // inbound transfers are abandoned after this many minutes
>    interface-interval 0;   // periodic interface rescan disabled
>    // Default for outbound transfers; here "secondaries" is only localhost.
>    allow-transfer {
>       secondaries;
>    };
>    // NOTE(review): view "all-in-one" sets allow-query { any; }, which takes
>    // precedence over this for clients matched by that view.
>    allow-query {
>       trusted;
>    };
>    // Packets from the "drop" acl are silently ignored.
>    blackhole {
>       drop;
>    };
> };
>
> // Single IN-class view on the secondary. Because recursion is enabled
> // here, a query for a name this server has no zone for is resolved
> // recursively (for "trusted" clients) and answered from cache — which is
> // why a lookup of mysite2.com against this server comes back
> // non-authoritative.
> view "all-in-one" in {
>    allow-query { any; };
>    match-clients { any; };
>    recursion yes;
>    allow-recursion {
>       trusted;
>    };
>    additional-from-auth yes;
>    additional-from-cache yes;
>
>    // Root hints used for recursion.
>    zone "." in {
>       type hint;
>       file "root.cache";
>    };
>    // Loopback/local zones, mastered locally on both servers.
>    zone "127.in-addr.arpa" in {
>       type master;
>       file "master/127.in-addr.arpa";
>       allow-query {
>          any;
>       };
>       allow-transfer {
>          none;
>       };
>    };
>    zone "localhost" in {
>       type master;
>       allow-query { any; };
>       file "master/localhost";
>    };
>    zone "0.in-addr.arpa" {
>       type master;
>       allow-query { any; };
>       file "master/0.in-addr.arpa";
>    };
>    zone "255.in-addr.arpa" {
>       type master;
>       allow-query { any; };
>       file "master/255.in-addr.arpa";
>    };
>    zone "com." {
>       type delegation-only;
>    };
>    zone "net." {
>       type delegation-only;
>    };
>    // Slave copies pulled from the host in "masters"; they are not
>    // re-transferred to anyone (allow-transfer none) and no NOTIFY is
>    // relayed (notify no).
>    zone "0.168.192.in-addr.arpa" IN {
>       type slave;
>       file "slave/0.168.192.in-addr.arpa";
>       masters {  <primary name server ip>; };
>       allow-transfer { none; };
>       notify no;
>    };
>    zone "1.168.192.in-addr.arpa" IN {
>       type slave;
>       file "slave/1.168.192.in-addr.arpa";
>       masters {  <primary name server ip>; };
>       allow-transfer { none; };
>       notify no;
>    };
>    zone "2.168.192.in-addr.arpa" IN {
>       type slave;
>       file "slave/2.168.192.in-addr.arpa";
>       masters {  <primary name server ip>; };
>       allow-transfer { none; };
>       notify no;
>    };
>    zone "5.168.192.in-addr.arpa" IN {
>       type slave;
>       file "slave/5.168.192.in-addr.arpa";
>       masters {  <primary name server ip>; };
>       allow-transfer { none; };
>       notify no;
>    };
>
>    // NOTE(review): slave zones exist only for mysite.com, test.mysite.com
>    // and the reverse zones. The primary also masters mysite2.com,
>    // test.mysite3.com, mysite.cn, mysite1.cn, mysite2.cn and mysite3.cn;
>    // none of those is configured here, so this server is not
>    // authoritative for them and cannot serve them if the primary is down.
>    zone "mysite.com" IN {
>       type slave;
>       file "slave/mysite.com";
>       masters {  <primary name server ip>; };
>       allow-transfer { none; };
>       notify no;
>    };
>    zone "test.mysite.com" IN {
>       type slave;
>       file "slave/test.mysite.com";
>       masters {  <primary name server ip>; };
>       allow-transfer { none; };
>       notify no;
>    };
>    zone "128-255.132.x.x.in-addr.arpa" IN {
>       type slave;
>       file "slave/128-255.132.x.x.in-addr.arpa";
>       masters {  <primary name server ip>; };
>       allow-transfer { none; };
>       notify no;
>    };
>
> };
>
> // CHAOS-class view, same as on the primary: no recursion, empty hint
> // zone, and a local "bind" zone with allow-query { none; } — presumably
> // so that version.bind / hostname.bind style lookups are refused.
> view tighten-chaos chaos {
>    match-clients { any; };
>    recursion no;
>
>    zone "." chaos {
>       type hint;
>       file "/dev/null";
>    };
>
>    zone "bind" chaos {
>       type master;
>       file "master/bind.chaos";
>       allow-query { none; };
>       allow-transfer { none; };
>    };
> };
>
> // TSIG key (name, algorithm and secret redacted in the post).
> // NOTE(review): as on the primary, nothing in this excerpt references the
> // key — the "masters" statements above carry no "key" clause — so the
> // inbound transfers are not TSIG-signed as configured here.
> key "xxxx" {
>    algorithm xxxx;
>    secret "xxxxxxxx";
> };
>
>
> -- 
> Want an e-mail address like mine?
> Get a free e-mail account today at www.mail.com!
>
>


