A tale of two nameservers - resolution problems
John Miller
johnmill at brandeis.edu
Tue Sep 1 13:20:12 UTC 2015
If you check pcap, logs, etc., is the server following delegation
for 0.centos.pool.ntp.org? Where do outbound packets stop?
John
On Tue, Sep 1, 2015 at 9:09 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> I have one nameserver running bind 9.8.2 and a new one running 9.9.4.
>
> Both can resolve www.ietf.org
>
> Only the 9.8.2 can resolve 0.centos.pool.ntp.org
>
> I literally rsynced all of the conf and zone files from the old to the
> new, then changed all of the server name references. I have done this
> before. I have another box running the 9.8.2 code that I built the same way
> and it resolves both FQDNs just fine.
>
> I am at a loss as to what the problem is. Both have the same named.conf:
>
> //
> //
>
> include "/etc/named/named.acl";
>
> options
> {
> listen-on port 53 { any; };
> listen-on-v6 port 53 { any; };
>
> allow-query { localhost; };
> allow-query-cache { localhost; };
> recursion no;
>
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
>
> // dnssec-enable yes;
> // dnssec-validation yes;
> // dnssec-lookaside auto;
>
> dnssec-enable no;
> dnssec-validation no;
>
> /* Path to ISC DLV key */
> // bindkeys-file "/etc/named.iscdlv.key";
>
> // managed-keys-directory "/var/named/dynamic";
>
>
> };
> logging
> {
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
> * named will try to write the 'named.run' file in the $directory (/var/named).
> * By default, SELinux policy does not allow named to modify the /var/named directory,
> * so put the default debug log file in data/ :
> */
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> view "internal"
> {
>
> include "/etc/named/named.internal";
>
> };
> view "external"
> {
>
> include "/etc/named/named.external";
>
> };
>
> include "/etc/named/rndc.key";
>
> ==============
> and named.internal has:
>
> /* This view will contain zones you want to serve only to "internal" clients
> * that have addresses that are not on your directly attached LAN interface subnets:
> */
> match-clients { httnets; };
> match-destinations { httnets; };
> allow-query { httnets; };
> allow-query-cache { httnets; };
> allow-recursion { httnets; };
> recursion yes;
> empty-zones-enable yes;
>
> // include "/etc/named/named.trusted.key";
> include "/etc/named.rfc1912.zones";
>
> zone "." IN {
> type hint;
> file "named.root";
> };
>
> // These are your "authoritative" internal zones:
>
> zone "htt-consult.com" {
> type master;
> file "httin-consult.com.zone";
> };
>
> etc.
>
>
> ==============
>
>
> Is DNSSEC being disabled possibly the problem? Like, is it required now?
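To make John's "is the server following delegation, and where do the outbound packets stop?" check concrete, here is an added example (not code from the thread or from BIND) that walks the referral chain for a name from the root hint downward and reports the hop at which resolution stalls. The query step is injectable: a live run would plug in real UDP queries (for instance with dnspython, which is deliberately not imported here), while the constructed referral table at the bottom uses documentation-range addresses so the walk can be exercised offline; only the a.root-servers.net address is real.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Real address of a.root-servers.net; a live run would load the whole set from
# the named.root hint file named in the config above.
ROOT_NS, ROOT_IP = "a.root-servers.net", "198.41.0.4"

# Minimal view of a reply: 'answer' (rdata strings), 'referral' ((zone, [ns
# names])), 'glue' ({ns name: address}); None stands for no reply at all.
Response = Dict[str, object]
QueryFn = Callable[[str, str, str], Optional[Response]]  # (ip, qname, qtype)


def follow_delegation(qname: str, query: QueryFn, qtype: str = "A",
                      max_hops: int = 12) -> Tuple[str, List[str]]:
    """Walk from the root hint down the referrals for qname; returns (outcome,
    path) where path has one 'zone@ns(ip)' entry per hop and outcome is one of
    'answer:<rdata>', 'timeout@<ns>' (outbound packets stop there), 'no-glue:<ns>',
    'lame@<ns>' (referral not deeper), 'no-data@<ns>' or 'limit'."""
    zone, ns, ip, path = ".", ROOT_NS, ROOT_IP, []
    for _ in range(max_hops):
        path.append(f"{zone}@{ns}({ip})")
        resp = query(ip, qname, qtype)
        if resp is None:
            return f"timeout@{ns}", path
        if resp.get("answer"):
            return "answer:" + ",".join(resp["answer"]), path
        if not resp.get("referral"):
            return f"no-data@{ns}", path
        next_zone, ns_names = resp["referral"]
        suffix = "." + zone.lstrip(".")  # '.' at the root, '.org.' below org
        if next_zone == zone or not next_zone.endswith(suffix):
            return f"lame@{ns}", path  # a referral must move down the tree
        glue = resp.get("glue", {})
        usable = [n for n in ns_names if n in glue]
        if not usable:  # chasing the NS name itself is left out of this example
            return f"no-glue:{ns_names[0]}", path
        zone, ns, ip = next_zone, usable[0], glue[usable[0]]
    return "limit", path


def table_query(table: Dict[str, Response]) -> QueryFn:
    """Query function backed by a constructed table; absent servers never reply."""
    return lambda ip, qname, qtype: table.get(ip)


# Constructed referral chain (documentation-range addresses), not live data.
CONSTRUCTED = {
    ROOT_IP: {"referral": ("org.", ["ns.org.test"]), "glue": {"ns.org.test": "192.0.2.1"}},
    "192.0.2.1": {"referral": ("ntp.org.", ["ns1.test"]), "glue": {"ns1.test": "192.0.2.2"}},
    "192.0.2.2": {"referral": ("pool.ntp.org.", ["ns2.test"]), "glue": {"ns2.test": "192.0.2.3"}},
    "192.0.2.3": {"answer": ["203.0.113.10"]},
}
```

Removing an entry from the table stands in for a server whose packets never come back, which is the "where do outbound packets stop" case; comparing the returned path against what the pcap shows tells you which hop the server actually reached.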