Authority in Bind 9

Kevin Darcy kcd at daimlerchrysler.com
Tue Feb 13 00:28:27 UTC 2001


Ruben I Safir - Brooklyn Linux Solutions CEO wrote:

> > You mean only one *usable* authority record, right? home.rm-cpa.com is not
> > usable because it's on a private address.
>
> Right. The other address is the internal address of the same machine.
>
> > They shouldn't be advertising that publicly. Seems
> > someone needs to learn how to do split DNS...
>
> Among other things about DNS
>
> I've removed that record as the NS record and changed the serial numbers
> and restarted named
>
> > In this case, yes. wynn.com is delegated from .com to 3 nameservers. But you
> > can only tell that for sure by querying the .com servers directly.
>
> OK - How would I go about doing this?

dig the "com" zone for NS records from a root server. Pick one of the .com servers
(at random of course -- let's be nice) and ask it about the wynn.com zone.

> > Well, I'm not surprised. Not only is mail.rm-cpa.com publishing one bogus and
> > only one working NS for rm-cpa.com, but two of the three delegated servers
> > for that domain are *not* only lame, they are also returning an SOA-less
> > authoritative NXDOMAIN for everything outside of their authoritative zones
> > (except for the root zone, which returns FORMERR).
>
> How do you get that information?
>
> When I checked the com site I get this....
>
> > dig @com rm-cpa.com
>
> ; <<>> DiG 8.2 <<>> @com rm-cpa.com
> ; Bad server: com -- using default server and timer opts
> ; (2 servers found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      rm-cpa.com, type = A, class = IN
>
> ;; AUTHORITY SECTION:
> rm-cpa.com.             1D IN SOA       rm-cpa.com. root.home.rc-cpa.com. (
>                                         5               ; serial
>                                         12H             ; refresh
>                                         1H              ; retry
>                                         4W              ; expiry
>                                         1D )            ; minimum
>
> ;; Total query time: 2 msec
> ;; FROM: superman.rm-cpa.com to SERVER: default -- 192.168.0.100
> ;; WHEN: Sat Feb 10 22:39:58 2001
> ;; MSG SIZE  sent: 28  rcvd: 81
>
> There is no machine rm-cpa.com and I see nothing about the upstream
> DNS which I thought we had.

Um, look more closely at that output. Your "dig" misfired, since there's no
machine called "com". It failed over to using your local nameserver. I'm not sure
why you were asking about an "rm-cpa.com" A record anyway. I never indicated that
such a thing existed (although the SOA MNAME for the domain *does* make that
implication; yet another thing that's wrong about their DNS).

Try pointing your dig at ns1.cnchost.com and ns2.cnchost.com, two of the delegated
nameservers for rm-cpa.com. They are clueless about that domain. They're not only
lame for it, but actually *dis*informative.

> > All of this makes resolution of rm-cpa.com names rather difficult: a
> > two-thirds chance of getting a bad delegation to start with, and a Single
> > Point of Failure even if you get "lucky". Talk about running the gauntlet...
> >
> > > Can I use anyone as an authoritative
> > > DNS and just make a record?
> >
> > Sure, technically you can delegate to anyone. But it's rude to delegate
> > without permission,
>
> Yeah - I meant someone who I know and a friend - or myself
>
> Would I do this by just adding the authoritative servers to the
> NS records?

To do it right, make sure to add the same NS records to the delegations as well as
to the zone itself.


- Kevin



