nsupdate problem

Rakesh-Shah rshah at rupalifinechem.com
Wed Apr 10 05:25:36 UTC 2002


Kevin,
Yes, it shows in the logs that it is getting the SOA query, on this nameserver.

It looks like a firewall is timing out this query, because as soon as I move this box out of the firewall, it does a successful nsupdate:

[rshah at net-lab01 rshah]$ nsupdate -d
> update add w.rupalifinechem.com. 1800 in a 65.185.10.205
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  51510
;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;w.rupalifinechem.com.          IN      SOA

;; AUTHORITY SECTION:
rupalifinechem.com.     2560    IN      SOA     ns1.rupalifinechem.com. postmaster.rupalifinechem.com. 20020236 16384 2048 1048576 2560


Found zone name: rupalifinechem.com
The master is: ns1.rupalifinechem.com
before getaddrinfo()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  58523
;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0


=====================
And when I put it behind the firewall, I masq my internal IP 10.20.10.x to my external using NAT, and the PIX firewall then times out when it tries to get the response back on its external IP.

Do you think what I understand is correct?

Any other thoughts?

Also, nsupdate on my internal NS works fine since it has no firewall inside; it just forwards the non-authoritative queries to the root servers.

Thank you 

Rakesh Shah





Are you absolutely sure that *this* nameserver is getting the initial SOA query
from nsupdate? Look in the query log to verify.


- Kevin

Rakesh-Home wrote:

> Kevin,
> Yes it gives  the correct info when I lookup for SOA record and also zone
> loaded without any errors, I checked the logs to verify that too.
>
> All other resolution also works fine .
> One more input this server is behind the Pix firewall can we have open
> 53/tcp/udp both in and out.
>
> Anything else needs to be done
>
> Thank you.
> ----- Original Message -----
> From: "Kevin Darcy" <kcd at daimlerchrysler.com>
> To: <bind-users at isc.org>
> Sent: Tuesday, April 09, 2002 2:02 PM
> Subject: Re: Fw: nsupdate problem
>
> >
> > What happens if you do an SOA query of rupalifinechem.com against the
> > 10.20.10.10 nameserver? Does it give reasonable information? If not, then
> > apparently the rupalifinechem.com zone is not loading properly. Look in your
> > logs to determine what the problem is.
> >
> >
> > - Kevin
> >
> > Rakesh-Shah wrote:
> >
> > > Sorry to post this question again, but if anyone can help me it would be
> > > great, since this seems to be an urgent issue.
> > >
> > > Thank you
> > > Rakesh Shah
> > > ----- Original Message -----
> > > From: "Rakesh-Shah" <rshah at rupalifinechem.com>
> > > To: <bind-users at isc.org>; <bind9-users at isc.org>
> > > Sent: Monday, April 08, 2002 9:12 PM
> > > Subject: nsupdate problem
> > >
> > > > Hello
> > > >
> > > > I am having some problem with nsupdate; for some reason nsupdate does
> > > > not do the proper updates to the zones.
> > > >
> > > > My named.conf looks like this :
> > > > logging {
> > > >         channel my_syslog {
> > > >                 syslog local0;
> > > >                 severity info;
> > > >         };
> > > >         channel stat_file {
> > > >                 file "/var/log/stats.log" versions 3 size 1k;
> > > >         };
> > > >         channel my_file {
> > > >                 file "/var/log/named.log" versions 3 size 10m;
> > > >                 severity dynamic;
> > > >                 print-category yes;
> > > >                 print-severity yes;
> > > >                 print-time     yes;
> > > >         };
> > > >
> > > >         category        default         { my_syslog; };
> > > >         category        load            { my_syslog; };
> > > >         category        update          { my_syslog; };
> > > >         category        xfer-in         { my_syslog; };
> > > >         category        xfer-out        { my_syslog; };
> > > >         category        panic           { my_syslog; };
> > > >         category        statistics      { my_file; stat_file; };
> > > >         category        packet          { my_file; };
> > > >         category        eventlib        { my_file; };
> > > >         category        queries         { my_file; };
> > > > };
> > > > options {
> > > >                 directory "/var/named";
> > > >                 transfer-format one-answer;
> > > >                 max-transfer-time-in 60;  // one hour for zone transferring
> > > >                 coresize 0;
> > > >                 pid-file "/var/named/named.pid";
> > > >                 statistics-file "/var/log/named.stats";
> > > >                 interface-interval 10;
> > > >                 statistics-interval 1;
> > > >                 cleaning-interval 60;
> > > >                 allow-transfer { allow-list; };
> > > > };  // closes the options block (brace missing from the pasted excerpt)
> > > >
> > > > zone    "." {
> > > >                 type hint;
> > > >                 file "master/db.cache";
> > > > };
> > > >
> > > > zone    "0.0.127.in-addr.arpa" {
> > > >                 type master;
> > > >                 file "master/db.127.0.0";
> > > > };
> > > >
> > > >
> > > >
> > > > zone    "rupalifinechem.com" {
> > > >                 type master;
> > > >                 file "master/db.rupalifinechem.com";
> > > >                 allow-query { any; };
> > > >                 allow-update { 10.20.10.10; };
> > > > };
> > > >
> > > > Here 10.20.10.10 is the internal ip of this server,
> > > >
> > > > Everything works fine if I manually update the db.rupalifinechem.com
> > > > and reload the named.
> > > >
> > > > Also I do not see anything in the logs that relates to nsupdate.
> > > >
> > > > I checked my syslog.named, which is a separate syslog file for named, and
> > > > checked named.log and stats.log according to my conf file above.
> > > >
> > > > when I give nsupdate
> > > >
> > > > >update add www.rupalifinechem.com. 1800 in a  a 10.10.10.X
> > > > >
> > > > $
> > > >
> > > > It returns back to the prompt without any errors and nothing in the logs.
> > > > I also tried giving allow-update { any; }; for test, but no luck with
> > > > logging or dynamic updates. I have turned the debug on as well.
> > > >
> > > >
> > > > Can you tell what am I missing here  .....
> > > >
> > > > I tried using nsupdate -d and it looks like it is trying to go to the
> > > > root servers to get the IP address of the zone rupalifinechem.com, and it
> > > > times out. Any help is appreciated.
> > > >
> > > > ; res_findzonecut: START dname='www.rupalifinechem.com.' class=IN, zsize=1025, naddrs=3
> > > > ;; res_findzonecut: get the soa, and see if it has enough glue
> > > > ;; res_nmkquery(QUERY, www.foobar.com., IN, SOA)
> > > > ;; res_send()
> > > > ;; ->>HEADER<<- epode: QUERY, status: NOERROR, id: 45822
> > > > ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > > > ;; QUERY SECTION:
> > > > ;;      www.rupalinechem.com, type = SOA, class = IN
> > > >
> > > > ;; Querying server (# 1) address = 10.20.10.10
> > > > ;; got answer:
> > > > ;; ->>HEADER<<- epode: QUERY, status: NXDOMAIN, id: 45822
> > > > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > > > ;; QUERY SECTION:
> > > > ;;      www.rupalifinechem.com, type = SOA, class = IN
> > > >
> > > > ;; AUTHORITY SECTION:
> > > > com.                    1D IN SOA       A.GTLD-SERVERS.NET. NSTLD.VERISIGN-GRS.com. (
> > > >                                         2002040800      ; serial
> > > >                                         30M             ; refresh
> > > >                                         15M             ; retry
> > > >                                         1W              ; expiry
> > > >                                         1D )            ; minimum
> > > >
> > > >
> > > > ;; res_findzonecut: get the ns rrset and see if it has enough glue
> > > > ;; res_nmkquery(QUERY, com, IN, NS)
> > > > ;; res_send()
> > > > ;; ->>HEADER<<- epode: QUERY, status: NOERROR, id: 45823
> > > > ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > > > ;; QUERY SECTION:
> > > > ;;      com, type = NS, class = IN
> > > >
> > > > ;; Querying server (# 1) address = 10.20.10.10
> > > > ;; got answer:
> > > > ;; ->>HEADER<<- epode: QUERY, status: NOERROR, id: 45823
> > > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
> > > > ;; QUERY SECTION:
> > > > ;;      com, type = NS, class = IN
> > > >
> > > > ;; ANSWER SECTION:
> > > > com.                    21h19m52s IN NS  K.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  E.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  M.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  A.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  G.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  H.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  C.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  I.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  B.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  D.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  L.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  F.GTLD-SERVERS.NET.
> > > > com.                    21h19m52s IN NS  J.GTLD-SERVERS.NET.
> > > >
> > > > ;; ADDITIONAL SECTION:
> > > > K.GTLD-SERVERS.NET.     1d20h17m4s IN A  213.177.194.5
> > > > E.GTLD-SERVERS.NET.     1d19h6m18s IN A  192.12.94.30
> > > > M.GTLD-SERVERS.NET.     1d20h17m4s IN A  192.55.83.30
> > > > A.GTLD-SERVERS.NET.     3d16h41m18s IN A  192.5.6.30
> > > > G.GTLD-SERVERS.NET.     1d20h17m4s IN A  192.42.93.30
> > > > H.GTLD-SERVERS.NET.     5d17h52m10s IN A  192.54.112.30
> > > > C.GTLD-SERVERS.NET.     1d20h17m4s IN A  192.26.92.30
> > > > I.GTLD-SERVERS.NET.     1d20h17m4s IN A  192.43.172.30
> > > > B.GTLD-SERVERS.NET.     1d20h17m4s IN A  192.33.14.30
> > > > D.GTLD-SERVERS.NET.     1d20h17m4s IN A  192.31.80.30
> > > > L.GTLD-SERVERS.NET.     1d20h17m4s IN A  192.41.162.30
> > > > F.GTLD-SERVERS.NET.     1d20h17m4s IN A  192.35.51.30
> > > > J.GTLD-SERVERS.NET.     1d20h17m4s IN A  210.132.100.101
> > > >
> > > > ;; res_findzonecut: get the missing glue and see if it's finally enough
> > > > ;; res_findzonecut: add_addrs: 1
> > > > ;; res_findzonecut: add_addrs: 1
> > > > ;; res_findzonecut: add_addrs: 1
> > > > ;; res_findzonecut: satisfy(A.GTLD-SERVERS.NET): 3
> > > > ;; res_findzonecut: FINISH n=3 (OK)
> > > > ;; res_nupdate: res_mkupdate -> 51
> > > > ;; res_send()
> > > > ;; ->>HEADER<<- epode: UPDATE, status: NOERROR, id: 45824
> > > > ;; flags:; ZONE: 1, PREREQUISITE: 0, UPDATE: 1, ADDITIONAL: 0
> > > > ;;      com, type = SOA, class = IN
> > > > www.rupalifinechem.com.      30M IN A        10.20.10.10
> > > > ;; Querying server (# 1) address = 192.5.6.30
> > > > ;; timeout
> > > > ;; Querying server (# 2) address = 213.177.194.5
> > > > ;; new DG socket
> > > > ;; timeout
> > > > ;; Querying server (# 3) address = 192.12.94.30
> > > > ;; timeout
> > > > ;; Querying server (# 1) address = 192.5.6.30
> > > > ;; new DG socket
> > > > ;; timeout
> > > > ;; Querying server (# 2) address = 213.177.194.5
> > > > ;; timeout
> > > > ;; Querying server (# 3) address = 192.12.94.30
> > > > ;; timeout
> > > > ;; Querying server (# 1) address = 192.5.6.30
> > > > ;; timeout
> > > > ;; Querying server (# 2) address = 213.177.194.5
> > > > ^C
> > > >
> > > > All the resolution works fine.
> > > >
> > > >
> > > >
> > > >
> > > > I have Bind 8.2.3 on Solaris 8, I know that I need to upgrade soon to bind
> > > > 9 but first I need to resolve this.
> > > >
> > > >
> > > >
> > > > Rakesh Shah
> > > >
> > > >
> > > >
> >




