Problem with NS Delegation Records
Kevin Darcy
kcd at daimlerchrysler.com
Wed Aug 28 19:49:14 UTC 2002
Yes, this is a known problem in BIND 8. If you're authoritative for a parent
zone and slave for a child zone, then the NS records from both zones get
intermingled on zone transfers. Fixed in BIND 9.
What's even *more* fun is that if the parent zone in this scenario is Dynamic
Update-enabled, then the delegation records are *missing* from the zone file
when named writes it out. So if you turn on Dynamic Update, named writes out
the zone file, and then you turn Dynamic Update off again, the child zone
unexpectedly disappears from the face of the earth, as far as any caching
server on your network is concerned. Cool!
- Kevin
Barry Finkel wrote:
> There is a zone on one of our DNS servers (BIND 8.3.3) that has this at
> the beginning of the
>
> dis.anl.gov
>
> zone:
> --------
> $TTL 1w
> ;
> @ IN SOA sherwood.dis.anl.gov. support.dis.anl.gov. (
> 200208.2700 ; serial yyymm.dd__
> 10800 ; refresh (3hr)
> 3600 ; retry (1 hr)
> 1209600 ; expire (2 wks)
> 604800 ) ; minimum (1 wk)
> _msdcs.dis.anl.gov. IN NS rhino221.anl.gov.
> _sites.dis.anl.gov. IN NS rhino221.anl.gov.
> _tcp.dis.anl.gov. IN NS rhino221.anl.gov.
> _udp.dis.anl.gov. IN NS rhino221.anl.gov.
> @ IN NS sherwood.dis.anl.gov.
> IN NS athens.dis.anl.gov.
> IN NS t1dns1.anl.gov.
> IN NS t1dns2.anl.gov.
> IN NS dns1.anl.gov.
> IN NS dns2.anl.gov.
> IN NS nsx.lbl.gov.
> IN NS ns2.es.net.
> ;
> --------
>
> When the zone is transferred to my BIND 8.2.5-REL slave at dns1.anl.gov
> the zone has, in part,
>
> _tcp 3600 IN NS astoria.dis.anl.gov.
> 3600 IN NS dns1.anl.gov.
> 3600 IN NS dns2.anl.gov.
> 3600 IN NS t1dns1.anl.gov.
> 3600 IN NS t1dns2.anl.gov.
> 3600 IN NS nsx.lbl.gov.
> 3600 IN NS ns2.es.net.
> 3600 IN NS sherwood.dis.anl.gov.
> 3600 IN NS athens.dis.anl.gov.
> _msdcs 3600 IN NS astoria.dis.anl.gov.
> 3600 IN NS dns1.anl.gov.
> 3600 IN NS dns2.anl.gov.
> 3600 IN NS t1dns1.anl.gov.
> 3600 IN NS t1dns2.anl.gov.
> 3600 IN NS nsx.lbl.gov.
> 3600 IN NS athens.dis.anl.gov.
> 3600 IN NS sherwood.dis.anl.gov.
> 3600 IN NS ns2.es.net.
> _udp 3600 IN NS astoria.dis.anl.gov.
> 3600 IN NS dns1.anl.gov.
> 3600 IN NS dns2.anl.gov.
> 3600 IN NS t1dns1.anl.gov.
> 3600 IN NS t1dns2.anl.gov.
> 3600 IN NS nsx.lbl.gov.
> 3600 IN NS ns2.es.net.
> 3600 IN NS sherwood.dis.anl.gov.
> 3600 IN NS athens.dis.anl.gov.
> _sites 3600 IN NS astoria.dis.anl.gov.
> 3600 IN NS t1dns1.anl.gov.
> 3600 IN NS dns2.anl.gov.
> 3600 IN NS dns1.anl.gov.
> 3600 IN NS t1dns2.anl.gov.
> 3600 IN NS nsx.lbl.gov.
> 3600 IN NS ns2.es.net.
> 3600 IN NS athens.dis.anl.gov.
> 3600 IN NS sherwood.dis.anl.gov.
>
> I expected to see:
>
> _msdcs 3600 IN NS rhino221.anl.gov.
> _sites 3600 IN NS rhino221.anl.gov.
> _tcp 3600 IN NS rhino221.anl.gov.
> _udp 3600 IN NS rhino221.anl.gov.
>
> The delegations of the four MS W2K "_" zones to rhino221.anl.gov have
> been lost, and replaced with the NS records that point to the authorized
> name servers for the dis.anl.gov zone.
>
> I ran two tests:
>
> 1) Create a test zone on dns0.anl.gov (BIND 9.2.1) and transfer the
> zone to dns1.anl.gov (BIND 8.2.5-REL)
>
> 2) Create a test zone on dns1.anl.gov and transfer the zone to
> dns2.anl.gov (BIND 8.2.5-REL)
>
> In both cases I used the entire dis.anl.gov zone with a few minor
> deletions (and changing the zone name from dis.anl.gov to
> bsftestdis.anl.gov and bsftestdis1.anl.gov). I saw the correct set of
> four NS records on the slave.
>
> _msdcs 604800 IN NS rhino221.anl.gov.
> _sites 604800 IN NS rhino221.anl.gov.
> _tcp 604800 IN NS rhino221.anl.gov.
> _udp 604800 IN NS rhino221.anl.gov.
>
> As another test we took the master from 8.3.3 back to 8.2.3, and the
> same problem occurred.
>
> Is there "zone interference" happening here? The master for the
>
> dis.anl.gov
>
> zone, sherwood.dis.anl.gov, is also a slave server for the four zones
>
> _msdcs.dis.anl.gov
> _sites.dis.anl.gov
> _tcp.dis.anl.gov
> _udp.dis.anl.gov
>
> So, technically, all of the nine name servers in the long NS list are
> slave servers for the four "_" zones for dis.anl.gov.
> Is this causing the NS delegation records to be dropped?
>
> The MS W2k Domain Controllers in dis.anl.gov are having problems
> connecting to our Active Directory, and I have a feeling that this DNS
> problem is the cause of the connection problem. Because our W2k DNS
> server is a hidden master, there is no NS record in the dis.anl.gov
> zone that points to it.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory Phone: +1 (630) 252-7277
> 9700 South Cass Avenue Facsimile:+1 (630) 252-4601
> Building 222, Room D209 Internet: BSFinkel at anl.gov
> Argonne, IL 60439-4828 IBMMAIL: I1004994
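
Added example, not part of the original thread or of BIND: a check for the symptom discussed above, comparing each child delegation's NS set in the master zone file against the slave's transferred copy. The zone names and records are constructed, and the parser assumes simple one-line records (directives such as $ORIGIN are skipped, not interpreted).

```python
def ns_sets(zone_text, origin):
    """Map each owner name (as an FQDN) to the set of NS targets listed for it."""
    origin = origin.rstrip(".").lower() + "."
    def fqdn(name):
        name = origin if name == "@" else name.lower()
        return name if name.endswith(".") else f"{name}.{origin}"

    sets, owner = {}, None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]              # drop comments
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue                             # blank line or $TTL-style directive
        if not line[0].isspace():                # leading blank inherits the owner
            owner = fqdn(fields.pop(0))
        upper = [f.upper() for f in fields]
        i = upper.index("NS") if "NS" in upper[:-1] else None
        # only an optional TTL and class may precede the record type
        if owner and i is not None and all(t == "IN" or t[0].isdigit() for t in upper[:i]):
            sets.setdefault(owner, set()).add(fqdn(fields[i + 1]))
    return sets


def delegation_drift(master_text, slave_text, origin):
    """Return child delegations whose NS set on the slave differs from the master."""
    master, slave = ns_sets(master_text, origin), ns_sets(slave_text, origin)
    apex = origin.rstrip(".").lower() + "."
    return {owner: {"missing": sorted(want - slave.get(owner, set())),
                    "unexpected": sorted(slave.get(owner, set()) - want)}
            for owner, want in master.items()
            if owner != apex and slave.get(owner, set()) != want}


# Constructed sample data (hypothetical names), shaped like the zone in the thread.
MASTER = """\
@      IN SOA ns1.corp.example. hostmaster.corp.example. 2002082700 10800 3600 1209600 604800
@      IN NS  ns1.corp.example.
       IN NS  ns2.corp.example.
_tcp   IN NS  dc1.example.
_udp   IN NS  dc1.example.
_sites IN NS  dc1.example.
"""
SLAVE = """\
@      3600 IN NS ns1.corp.example.
       3600 IN NS ns2.corp.example.
_tcp   3600 IN NS ns1.corp.example.
       3600 IN NS ns2.corp.example.
_sites 3600 IN NS dc1.example.
"""
print(delegation_drift(MASTER, SLAVE, "corp.example"))
```

An entry with an empty `unexpected` list means the delegation is absent from the second copy altogether, which is how the Dynamic Update case in the reply would show up when a known-good zone file is compared against the one named wrote out.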