strange dig behavior

Pamela Rock prock111 at yahoo.com
Mon Dec 21 14:58:54 UTC 2009 


--- On Sun, 12/20/09, Barry Margolin <barmar at alum.mit.edu> wrote:

> From: Barry Margolin <barmar at alum.mit.edu>
> Subject: Re: strange dig behavior
> To: comp-protocols-dns-bind at isc.org
> Date: Sunday, December 20, 2009, 10:59 PM
> In article <mailman.18.1261358139.21153.bind-users at lists.isc.org>,
>  Pamela Rock <prock111 at yahoo.com>
> wrote:
> 
> > I've got the following three scenarios
> > 
> > The client can query a domain A residing on a
> recursive name server.
> 
> What do you mean by a domain "residing" on a recursive
> nameserver?  If a 
> domain resides on a server, the server should be
> authoritative for that 
> domain.
> 
> > 
> > The client can query a domain B on an authratative
> name server.
> > 
> > When client queries domain B through the RNS, a
> Status: refused results.
> > 
> > I don't know what is causing the refused.  IP
> tables is off everywhere, and 
> > there are no ACL's on routers or firewalls.  
> > 
> > The only error I'm seeing is the following in the
> debug log
> > 
> > 20-Dec-2009 19:21:09.443 query-errors: debug 3: client
> 172.16.0.5#41484: 
> > query failed (REFUSED) for test.com/IN/A at
> query.c:3882
> > 
> > I'm running bind 9.6.1 on RH ES 5 64 bit O/S. 
> Any ideas?  Thanks!!
> 
> Is that log on the recursive nameserver or the
> authoritative nameserver?
> 
> If it's on the recursive server, is the client in the
> allow-recursion 
> ACL on the server?

I did not have allow-recursion turned on.  I turned it on and it worked.  Thanks!!  So "recursion yes;" was not enough.  I also had to "allow-recursion { 10.10.1.1; }' to the specific client IP as well.

Thanks!!

> 
> If it's on the authoritative server, is the recursive
> server in the 
> allow-query ACL?
> 
> -- 
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the
> group ***
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

More information about the bind-users mailing list