Problem w/ 8.2.1 ( was: possible problem w/ 8.2.1)

Martin, Kevin kevinm at crt.com
Thu Jul 1 17:21:12 UTC 1999



> -----Original Message-----
> From: Jim Reid [mailto:jim at mpn.cp.philips.com]
> Sent: Thursday, July 01, 1999 11:33 AM
> To: Martin, Kevin
> Subject: Re: Problem w/ 8.2.1 ( was: possible problem w/ 8.2.1) 
> 
> 
> >>>>> "Kevin" == Martin, Kevin <kevinm at crt.com> writes:
> 
>     Kevin> Let's try this again.  Barry was helping me but I don't
>     Kevin> know if he's given up on me or is working on a solution.
> 
>     Kevin> Here's the relevant facts:
> 
>     Kevin> OS version HPUX 10.20 Bind version 8.2.1
> 
> You missed out a whole lot of relevant facts. Like whose nslookup and
> dig were you using: HP's or the ISC's? Where were you sending the
> queries? And could those name servers have cached incorrect answers
> (including "this name does not exist" answers)? Could any other name
> lookup mechanisms have been involved, like NIS or one of these fancy
> name server cache daemons (nscd)? And what happens when you look up the
> fully qualified domain name?

nslookup and dig are ISC's compiled and installed w/ the 8.1.2 install.  It
was also the version compiled and installed when I installed 8.2.1.  The
8.2.1 version of nslookup resolving to the 8.1.2 version of named returns
the correct answer.

The query was going to the NS dns1.  dns1 is, in fact, our NIS master as
well but because there is no NIS compatibility compiled into the 8.1.2 or
8.2.1 versions of Bind, it's using the DNS lookup ( as proven by the fact
that it ALWAYS returns the FQDN which it wouldn't do if it used NIS as we
don't have the FQDN's in NIS ).

The nameserver may have it cached but it's cached w/ the correct name and
address information.  It COULD NOT be cached as non-existent.  

There is no nscd.

A lookup of the FQDN w/ either the 8.1.2 OR the 8.2.1 version finds the host
correctly.

> 
> It looks to me that you're trying to lookup a non-existent name -
> host.nc.il.nb.com. At least that's what the answers you get from dig
> suggest:
> 	>> status: NXDOMAIN
> 		   ^^^^^^^^ No such host/domain
> 	>> QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> 
> 
> ie the reply had no RRs in the answer section, but had 1 in the
> AUTHORITY section (the SOA).

You're correct that host.nc.il.nb.com does not exist.  Barry Margolin asked
me to do that to see if I got the NXDOMAIN response or the SERVFAIL
response.  With the 8.1.2 version of Dig against the 8.1.2 version Bind, I
get the NXDOMAIN.  W/ the 8.2.1 version of Dig against the 8.1.2 version of
Bind, I get the NXDOMAIN.  W/ the 8.2.1 version of Dig against the 8.2.1
version of Bind, I get the SERVFAIL response.  This is what I don't
understand and why I feel there's a bug in the 8.2.1 version of Bind.

> 
> Frankly, I doubt if anyone really cares about nslookup. The fact it
> does stupid and bizarre things is not exactly a revelation. [Vixie is
> on record for wanting to kill it.] nslookup is an awful tool(?) for
> troubleshooting and best avoided.

I don't understand the "nslookup does stupid and bizarre things" comment.  I
DO understand that virtually EVERY platform includes nslookup while NOT every
platform includes dig or host!  This is why SOMEBODY should care about
nslookup.  If dig and host are better tools then petition the vendors to
include them in their distributions.  Since virtually everybody has used
nslookup and is familiar with it, maybe we (we being the
customers/consumers/users) would be better served if the functionality
included in dig and host were rolled into nslookup.  If it's really that bad
a tool then it should be removed from the distribution.  This would force us
to use the other tools.  I'm assuming this hasn't been done because there
are enough people who still use it to make it valuable.


> 
> Use host to check what's being looked up - and where! - and how the
> search directive is used. This might give a better insight into
> whatever is misbehaving (if anything) at your site. BTW, I don't think
> that dig/host/nslookup and the BIND resolver library have changed
> significantly in any of the BIND8 releases (apart from making the
> resolver re-entrant for thread-capable systems).
> 
> Here's an example of how host is used. First of all, here's 
> my resolv.conf:
> 
> #
> #	resolv.conf for kludge.mpn.cp.philips.com
> #
> search philips.com origin-it.com origin-srv.com mpn.cp.philips.com
> #
> nameserver 130.139.64.37
> nameserver 130.139.64.82
> nameserver 130.139.36.5
> 
> And now for the lookup.
> 
> % host -v kludge
> Trying domain "philips.com"
> ;; res_nmkquery(QUERY, kludge.philips.com, IN, A)
> ;; res_send()
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10807
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;;	kludge.philips.com, type = A, class = IN
> ;; Querying server (# 1) address = 130.139.64.37
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10807
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, 
> ADDITIONAL: 0
> ;;	kludge.philips.com, type = A, class = IN
> philips.com.		1D IN SOA	ns0.philips.com. 
> dns.philips.com. (
> 					1999070102	; serial
> 					3H		; refresh
> 					1H		; retry
> 					1W		; expiry
> 					1D )		; minimum
> 
> rcode = 3 (Non-existent domain), ancount=0
> # JR comment - kludge.philips.com doesn't exist, now try 
> kludge.origin-it.com
> Trying domain "origin-it.com"
> ;; res_nmkquery(QUERY, kludge.origin-it.com, IN, A)
> ;; res_send()
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10808
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;;	kludge.origin-it.com, type = A, class = IN
> ;; Querying server (# 1) address = 130.139.64.37
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10808
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, 
> ADDITIONAL: 0
> ;;	kludge.origin-it.com, type = A, class = IN
> origin-it.com.		1D IN SOA	
> ns0.origin-it.com. hostmaster.origin-it.com. (
> 					1999052700	; serial
> 					3H		; refresh
> 					1H		; retry
> 					1W		; expiry
> 					1D )		; minimum
> 
> rcode = 3 (Non-existent domain), ancount=0
> # JR comment - kludge.origin-it.com doesn't exist, now try 
> kludge.origin-srv.com
> Trying domain "origin-srv.com"
> ;; res_nmkquery(QUERY, kludge.origin-srv.com, IN, A)
> ;; res_send()
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10809
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;;	kludge.origin-srv.com, type = A, class = IN
> ;; Querying server (# 1) address = 130.139.64.37
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10809
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, 
> ADDITIONAL: 0
> ;;	kludge.origin-srv.com, type = A, class = IN
> origin-srv.com.		1D IN SOA	
> ns0.origin-srv.com. dns.origin-it.com. (
> 					1999060200	; serial
> 					3H		; refresh
> 					1H		; retry
> 					1W		; expiry
> 					1D )		; minimum
> 
> rcode = 3 (Non-existent domain), ancount=0
> # JR comment - kludge.origin-srv.com failed too, now try 
> kludge.mpn.cp.philips.com
> Trying domain "mpn.cp.philips.com"
> ;; res_nmkquery(QUERY, kludge.mpn.cp.philips.com, IN, A)
> ;; res_send()
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10810
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;;	kludge.mpn.cp.philips.com, type = A, class = IN
> ;; Querying server (# 1) address = 130.139.64.37
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10810
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, 
> ADDITIONAL: 5
> ;;	kludge.mpn.cp.philips.com, type = A, class = IN
> # JR comment- SUCCESS!!
> kludge.mpn.cp.philips.com.  1D IN A  130.139.64.37
> mpn.cp.philips.com.	1D IN NS	hades.mpn.cp.philips.com.
> mpn.cp.philips.com.	1D IN NS	ns0.philips.com.
> mpn.cp.philips.com.	1D IN NS	ns1.philips.com.
> mpn.cp.philips.com.	1D IN NS	ns2.philips.com.
> mpn.cp.philips.com.	1D IN NS	ns3.philips.com.
> hades.mpn.cp.philips.com.  1D IN A  130.139.64.31
> ns0.philips.com.	1D IN A		130.139.36.37
> ns1.philips.com.	1D IN A		130.139.36.5
> ns2.philips.com.	1D IN A		130.140.194.2
> ns3.philips.com.	1D IN A		167.81.233.4
> rcode = 0 (Success), ancount=1
> kludge.mpn.cp.philips.com	86400 IN	A	130.139.64.37
> For authoritative answers, see:
> mpn.cp.philips.com	86400 IN	NS	hades.mpn.cp.philips.com
> mpn.cp.philips.com	86400 IN	NS	ns0.philips.com
> mpn.cp.philips.com	86400 IN	NS	ns1.philips.com
> mpn.cp.philips.com	86400 IN	NS	ns2.philips.com
> mpn.cp.philips.com	86400 IN	NS	ns3.philips.com
> Additional information:
> hades.mpn.cp.philips.com	86400 IN	A	130.139.64.31
> ns0.philips.com	86400 IN	A	130.139.36.37
> ns1.philips.com	86400 IN	A	130.139.36.5
> ns2.philips.com	86400 IN	A	130.140.194.2
> ns3.philips.com	86400 IN	A	167.81.233.4
>

My real issue is not w/ nslookup, dig, or host.  It's with the fact that the
8.2.1 version of Bind is apparently ignoring the search directive in the
resolv.conf file.  It never parses the rest of the domains in the directive
after the first one.  I just proved that fact by starting Bind 8.2.1,
changing my client resolv.conf to put nb.com as my FIRST domain in the
search directive, and doing "nslookup host.nc" on my client.  Lo and
behold, the answer came back with the correct information.  I then changed
my resolv.conf back to being "search il.nb.com nb.com" and did the "nslookup
host.nc" and received the error "dns1.il.nb.com  can't find host.nc: Server
failed".  I will play w/ the host command as you show above but I still
maintain that the problem is not w/ the tool but with the server.

Let me know if there is any more info I can provide.

Thanks.

Kevin Martin
Bank of America - CRT
Firewall/DNS/SMTP/Network Admin.
kevinm at crt.com
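
Added example (not part of the original post, and not ISC code): a small parser for `host -v` transcripts in the format quoted above. It pairs each search suffix tried with the rcode of the server's reply and separates a normal search-list miss (NXDOMAIN) from a server fault such as the SERVFAIL described in this thread. The sample transcripts are constructed, and the function names are hypothetical.

```python
import re
# Constructed, abridged `host -v` transcripts; the SERVFAIL one is hypothetical.
SAMPLE_OK = '''\
Trying domain "philips.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10807
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10807
Trying domain "mpn.cp.philips.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10810
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10810
'''
SAMPLE_SERVFAIL = '''\
> Trying domain "il.nb.com"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
'''

TRY = re.compile(r'^Trying domain "([^"]+)"')
STATUS = re.compile(r"status: ([A-Z]+)")

def search_steps(transcript):
    """Pair each search suffix tried with the rcode of the reply it got."""
    steps, suffix, in_answer = [], None, False
    for raw in transcript.splitlines():
        line = raw.lstrip("> \t")            # tolerate mail quoting
        tried = TRY.match(line)
        if tried:
            if suffix is not None:           # previous suffix never answered
                steps.append((suffix, "NOREPLY"))
            suffix, in_answer = tried.group(1), False
        elif line.startswith(";; got answer"):
            in_answer = True                 # next header is the server's reply
        elif in_answer and suffix is not None:
            status = STATUS.search(line)
            if status:
                steps.append((suffix, status.group(1)))
                suffix, in_answer = None, False
    if suffix is not None:
        steps.append((suffix, "NOREPLY"))
    return steps

def diagnose(steps):
    # NXDOMAIN is a normal search-list miss; anything else but NOERROR is a fault.
    for suffix, rcode in steps:
        if rcode != "NXDOMAIN":
            return ("resolved" if rcode == "NOERROR" else "error:" + rcode, suffix)
    return ("nxdomain", None)
```

`diagnose(search_steps(SAMPLE_SERVFAIL))` names the suffix whose reply was a fault, which is the query to repeat directly against the server with the fully qualified name.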
 

