Two nslookup questions

Kevin Darcy kcd at daimlerchrysler.com
Sat Mar 17 02:19:18 UTC 2001


adykes at panix.com wrote:

> The example of zone transfer via nslookup shown in ORA DNS & Bind
> shows the ls command returning an SOA record with useful values.

Hmmm... I don't remember *any* version of nslookup that would return
*all* of the records in the zone for a plain old "ls". Usually that
requires "ls -d". Is that what you are doing?

> When I try this against my name servers I don't get an SOA record.
> Any idea why?
>
> FWIW I think I'm talking to the authoritative server.

You *must* talk to an authoritative server. Non-authoritative servers
can't give you a zone transfer (or, at least, they shouldn't even be
_trying_ to do so, even if they are recursive).

> Is there any way to determine what DNS server is authoritative
> for a given domain?

You can find out what servers *should* be authoritative for a zone by
doing a query of type NS for the name of the zone. Whether those servers
actually consider *themselves* authoritative is another matter. If they
are not configured to be authoritative for the zone, if they cannot load
the zonefile properly, e.g. because of a syntax error, or if they are a
slave and the zone has expired, then they may answer non-authoritatively
for the zone, even if they are in the zone's NS records. This is what is
known as a "lame delegation", and they are very common on the Internet.

If a server considers itself authoritative for a zone, then responses it
gives for queries of names in the zone have the "AA" (authoritative
answer) bit set. Note, however, that sometimes you may see the AA bit
set even on responses from non-authoritative, recursive servers, because
such servers may just be "passing through" an answer from an
authoritative source with the AA bit intact. To be sure, make sure to
issue only non-recursive queries.

By the way, nslookup sucks at this kind of troubleshooting. The
"dig" utility makes things clearer by explicitly showing you whether the
AA bit is set in a response or not. Also, with "dig" you can just issue
a query of type "AXFR" to get a zone transfer, without having to mess
around with various "ls" variations...


- Kevin
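
The AA-bit check described in the reply above, as an added example that is not part of the original post: it builds a non-recursive SOA query at the wire level and classifies a listed name server from the header flags of its reply. The function names, the `lame`/`inconclusive` labels and the sample headers are assumptions made for this illustration.

```python
import socket
import struct

def build_query(zone, qtype=6, qid=0x1234):
    """Encode a non-recursive query (RD bit clear); qtype 6 = SOA, 2 = NS."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_flags(response):
    """Return the header bits that matter for the authority check."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return {"qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": ancount}

def classify(response):
    """Classify a reply from a server that appears in the zone's NS records."""
    f = parse_flags(response)
    if not f["qr"]:
        return "not a response"
    if f["rd"]:
        # RD is echoed from the query: it was recursive, so per the post
        # the AA bit may have been passed through from another server.
        return "inconclusive"
    if f["rcode"] == 0 and f["aa"]:
        return "authoritative"
    return "lame"  # listed in NS but does not answer authoritatively

def ask(server, zone, timeout=3.0):
    """Send the SOA query over UDP to one listed name server and classify it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server, 53))
        return classify(s.recv(512))

# Constructed 12-byte reply headers for offline use, not captured traffic.
SAMPLE_AUTH = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)       # QR, AA
SAMPLE_LAME = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0)       # QR, RA
SAMPLE_RECURSIVE = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)  # QR, AA, RD, RA
```

Running `ask()` against each address returned by an NS query for the zone gives a per-server view of which delegations are lame.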




More information about the bind-users mailing list