Problem with NS Delegation Records
Barry Finkel
b19141 at achilles.ctd.anl.gov
Wed Aug 28 15:18:20 UTC 2002
There is a zone on one of our DNS servers (BIND 8.3.3) that has this at
the beginning of the dis.anl.gov zone:
--------
$TTL 1w
;
@       IN SOA sherwood.dis.anl.gov. support.dis.anl.gov. (
                200208.2700 ; serial yyymm.dd__
                10800       ; refresh (3hr)
                3600        ; retry (1 hr)
                1209600     ; expire (2 wks)
                604800 )    ; minimum (1 wk)
_msdcs.dis.anl.gov. IN NS rhino221.anl.gov.
_sites.dis.anl.gov. IN NS rhino221.anl.gov.
_tcp.dis.anl.gov.   IN NS rhino221.anl.gov.
_udp.dis.anl.gov.   IN NS rhino221.anl.gov.
@       IN NS sherwood.dis.anl.gov.
        IN NS athens.dis.anl.gov.
        IN NS t1dns1.anl.gov.
        IN NS t1dns2.anl.gov.
        IN NS dns1.anl.gov.
        IN NS dns2.anl.gov.
        IN NS nsx.lbl.gov.
        IN NS ns2.es.net.
;
--------
When the zone is transferred to my BIND 8.2.5-REL slave at dns1.anl.gov
the zone has, in part,
_tcp    3600 IN NS astoria.dis.anl.gov.
        3600 IN NS dns1.anl.gov.
        3600 IN NS dns2.anl.gov.
        3600 IN NS t1dns1.anl.gov.
        3600 IN NS t1dns2.anl.gov.
        3600 IN NS nsx.lbl.gov.
        3600 IN NS ns2.es.net.
        3600 IN NS sherwood.dis.anl.gov.
        3600 IN NS athens.dis.anl.gov.
_msdcs  3600 IN NS astoria.dis.anl.gov.
        3600 IN NS dns1.anl.gov.
        3600 IN NS dns2.anl.gov.
        3600 IN NS t1dns1.anl.gov.
        3600 IN NS t1dns2.anl.gov.
        3600 IN NS nsx.lbl.gov.
        3600 IN NS athens.dis.anl.gov.
        3600 IN NS sherwood.dis.anl.gov.
        3600 IN NS ns2.es.net.
_udp    3600 IN NS astoria.dis.anl.gov.
        3600 IN NS dns1.anl.gov.
        3600 IN NS dns2.anl.gov.
        3600 IN NS t1dns1.anl.gov.
        3600 IN NS t1dns2.anl.gov.
        3600 IN NS nsx.lbl.gov.
        3600 IN NS ns2.es.net.
        3600 IN NS sherwood.dis.anl.gov.
        3600 IN NS athens.dis.anl.gov.
_sites  3600 IN NS astoria.dis.anl.gov.
        3600 IN NS t1dns1.anl.gov.
        3600 IN NS dns2.anl.gov.
        3600 IN NS dns1.anl.gov.
        3600 IN NS t1dns2.anl.gov.
        3600 IN NS nsx.lbl.gov.
        3600 IN NS ns2.es.net.
        3600 IN NS athens.dis.anl.gov.
        3600 IN NS sherwood.dis.anl.gov.
I expected to see:
_msdcs 3600 IN NS rhino221.anl.gov.
_sites 3600 IN NS rhino221.anl.gov.
_tcp 3600 IN NS rhino221.anl.gov.
_udp 3600 IN NS rhino221.anl.gov.
The delegations of the four MS W2K "_" zones to rhino221.anl.gov have
been lost, and replaced with the NS records that point to the authorized
name servers for the dis.anl.gov zone.
I ran two tests:
1) Create a test zone on dns0.anl.gov (BIND 9.2.1) and transfer the
zone to dns1.anl.gov (BIND 8.2.5-REL)
2) Create a test zone on dns1.anl.gov and transfer the zone to
dns2.anl.gov (BIND 8.2.5-REL)
In both cases I used the entire dis.anl.gov zone with a few minor
deletions (and changing the zone name from dis.anl.gov to
bsftestdis.anl.gov and bsftestdis1.anl.gov). I saw the correct set of
four NS records on the slave.
_msdcs 604800 IN NS rhino221.anl.gov.
_sites 604800 IN NS rhino221.anl.gov.
_tcp 604800 IN NS rhino221.anl.gov.
_udp 604800 IN NS rhino221.anl.gov.
As another test we took the master from 8.3.3 back to 8.2.3, and the
same problem occurred.
Is there "zone interference" happening here? The master for the
dis.anl.gov zone, sherwood.dis.anl.gov, is also a slave server for the
four zones
_msdcs.dis.anl.gov
_sites.dis.anl.gov
_tcp.dis.anl.gov
_udp.dis.anl.gov
So, technically, all of the nine name servers in the long NS list are
slave servers for the four "_" zones for dis.anl.gov.
Is this causing the NS delegation records to be dropped?
The MS W2k Domain Controllers in dis.anl.gov are having problems
connecting to our Active Directory, and I have a feeling that this DNS
problem is the cause of the connection problem. Because our W2k DNS
server is a hidden master, there is no NS record in the dis.anl.gov
zone that points to it.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
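
An added example, not part of the original post: a Python check that parses two master-file excerpts and reports every delegation whose NS set on the slave differs from the one on the master. The excerpts are constructed and abbreviated from the records quoted in the post, and the function names are hypothetical.

```python
from collections import defaultdict

ORIGIN = "dis.anl.gov."

# Constructed excerpts, abbreviated from the zone data quoted in the post.
# Lines that begin with whitespace inherit the previous owner (RFC 1035).
MASTER = """\
_msdcs.dis.anl.gov. IN NS rhino221.anl.gov.
_tcp.dis.anl.gov. IN NS rhino221.anl.gov.
@ IN NS sherwood.dis.anl.gov.
  IN NS athens.dis.anl.gov.
"""
SLAVE = """\
_tcp 3600 IN NS astoria.dis.anl.gov.
  3600 IN NS dns1.anl.gov.
_msdcs 3600 IN NS rhino221.anl.gov.
"""

def fqdn(name, origin=ORIGIN):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def ns_rrsets(text, origin=ORIGIN):
    """Return {owner: set(targets)} for the NS records in master-file text."""
    rrsets, owner, depth = defaultdict(set), origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments
        inside, fields = depth > 0, line.split()
        depth += line.count("(") - line.count(")")
        if inside or not fields or fields[0].startswith("$"):
            continue                          # SOA continuation, blank, $TTL
        if not line[0].isspace():
            owner = fqdn(fields.pop(0), origin)
        types = [f.upper() for f in fields]
        if "NS" in types[:-1]:                # skips optional TTL and class
            rrsets[owner].add(fqdn(fields[types.index("NS") + 1], origin))
    return rrsets

def delegation_drift(master, slave, origin=ORIGIN):
    """Map each delegated owner to (expected, seen) where the NS sets differ."""
    want, got = ns_rrsets(master, origin), ns_rrsets(slave, origin)
    return {o: (sorted(t), sorted(got.get(o, ())))
            for o, t in want.items() if o != origin and got.get(o) != t}

if __name__ == "__main__":
    for owner, (expected, seen) in delegation_drift(MASTER, SLAVE).items():
        print(f"{owner}: expected {expected}, slave has {seen}")
```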