Bind8 -> Bind9 Problems [FreeBSD-5]

Mark_Andrews at isc.org Mark_Andrews at isc.org
Mon Feb 3 03:06:55 UTC 2003 

> Hello you all,
> 
> I get crazy, but I can't resolve the following problems...
> 
> I am/was running BIND 8.3.4-REL without problems on my home machine 
> under FreeBSD 5.0-CURRENT. Now I installed BIND 9.2.2rc1 in parallel 
> under /usr/local (BIND 8.3.4-REL resides under /usr).
> 
> First I noticed that BIND9 doesn't support the -g <group> commandline 
> switch anymore, so the startup scripts have to be changed accordingly 
> and can't be used for both versions of bind :-(
> 
> But my real problem is, that with BIND9 I cannot login as ordinary user 
> via xdm/kdm any more. The login-screen freezes for approx. 5 minutes 
> until the login succeeds. But then I cannot use xterm, there's no 
> keyboard input possible. (???) This never happened with BIND8...
> 
> It works as 'root' via xdm/kdm and it works on the console for any(!) 
> user... (???)
> 
> I switched on tracing and got the following (when logging in as ordinary 
> user via 'kdm'):
> 
> --------8><------------------------
> 
> --- debuglevel 1 ---
> 
> Feb 01 18:15:29.270 client 192.168.200.1#49211: query: . IN A
> Feb 01 18:15:29.280 createfetch: . A
> Feb 01 18:15:49.280 client 192.168.200.1#49212: query: . IN A
> Feb 01 18:15:49.280 createfetch: . A
> 
> --- debuglevel 2 ---
> 
> Feb 01 18:17:45.831 received control channel command 'trace'
> Feb 01 18:17:58.639 client 192.168.200.1#49213: query: . IN AAAA
> Feb 01 18:17:58.640 createfetch: . AAAA
> Feb 01 18:18:03.642 client 192.168.200.1#49214: query: . IN AAAA
> Feb 01 18:18:03.642 createfetch: . AAAA
> Feb 01 18:18:13.652 client 192.168.200.1#49215: query: . IN AAAA
> Feb 01 18:18:13.724 createfetch: . AAAA
> Feb 01 18:18:33.662 client 192.168.200.1#49216: query: . IN AAAA
> Feb 01 18:18:33.663 createfetch: . AAAA
> Feb 01 18:19:13.673 client 192.168.200.1#49217: query: . IN A
> Feb 01 18:19:13.673 createfetch: . A
> Feb 01 18:19:18.683 client 192.168.200.1#49218: query: . IN A
> Feb 01 18:19:18.684 createfetch: . A
> 
> --------8><------------------------

	Well the first question is what why are you getting queries
	for "." in the first place.  It looks like something is
	doing getaddrinfo("")/gethostname(".").
 
> (I did it up to debuglevel 4, but for the first posting this is long 
> enough I think :-)
> 
> I have to mention here that I've no IPv6 interfaces configured nor do I 
> have IPv6 support compiled into the kernel. Why the AAAA queries?

	Because you really do need to make both AAAA and A queries
	when following a search list otherwise getaddrinfo("foo")
	can result in addresses that refer to different machines
	depending apon the flags.
 
> OK, then, it queries the root-domain so I compared the behaviour of 
> BIND8 and BIND9:
> 
> I did a 'dig .' with BIND8...
> 
> ; <<>> DiG 8.3 <<>> . 
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      ., type = A, class = IN
> 
> ;; Total query time: 1 msec
> ;; FROM: current.best-eng.de to SERVER: default -- 192.168.200.1
> ;; WHEN: Sun Feb  2 09:09:53 2003
> ;; MSG SIZE  sent: 17  rcvd: 17
> 
> ... and with BIND9
> 
> ; <<>> DiG 9.2.2rc1 <<>> .
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> *With* an external connection I got:
> 
> ; <<>> DiG 9.2.2rc1 <<>> .
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23948
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;.                              IN      A
> 
> ;; AUTHORITY SECTION:
> .                       10764   IN      SOA     A.ROOT-SERVERS.NET. NSTL
> D.VERISIGN-GRS.COM. 2003020101 1800 900 604800 86400
> 
> ;; Query time: 1 msec
> ;; SERVER: 192.168.200.1#53(192.168.200.1)
> ;; WHEN: Sun Feb  2 09:15:52 2003
> ;; MSG SIZE  rcvd: 92
> 
> so the query was forwarded and answered.
> 
> But why isn't it working without INet-connection any more? I have the 
> feeling that I'm close to the solution but I can't see it...

	Because the client is timing out before named gives up.
 
> What is my 'named.root' good for? The root-servers are noticed there...

	It's to provide hints as to where the root servers are.  It
	isn't used to answer queries but to find out where to get
	answers from.

	If you want answers from the root zone when disconnected from the
	net then you need to have a local copy of the root zone.  The
	same is true for any other zone.
 
> Finally. I include my 'named.conf' here, but I assume it's correct - at 
> least for BIND8 it *is* obviously correct...

	It's also correct for BIND 9.

	You can work around this problem by making your server a
	slave of ".".  A number of root servers allow "." to be
	transfered.  You can also get via ftp in which case you
	would make yourself a master.  "notify no;" is *very*
	important to prevent your nameserver sending unnecessary
	NOTIFY requests to the roots.  This replaces the root
	hints zone.

	zone "." {
		type slave;
		masters {
			 192.5.5.241;	// f.root-servers.net
		};
		file "root.db";
		notify no;		// don't send notify requests
	};

	Note 1. the jury is still out on if this causes more or less load
	on the root servers than using a hints zone.

	Note 2. if you have multiple server only one should do this.  The
	other servers should tranfer from this servers.

	Mark
 
> --------8><------------------------
> 
> // $FreeBSD: src/etc/namedb/named.conf,v 1.13 2002/11/26 07:55:44 ume 
> Exp $
> //
> 
> options {
>         directory "/etc/namedb";
>         pid-file "/var/run/named/pid";
>         listen-on {
>             192.168.200.1;
>             127.0.0.1;
>         };
> 
>         forward only;
> 
>         forwarders {
>                 213.73.102.1;
>                 62.50.1.159;
>         };
> 
>         /* Do not allow any zone transfers */
>         allow-transfer { none; };
> 
>         /* This is a local Server only */
>         allow-query {
>                 192.168.200.0/24;
>                 127.0.0.0/8;
>         };
> 
> };
> 
> zone "." {
>         type hint;
>         file "named.root";
> };
> 
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "localhost.rev";
> };
> 
> // RFC 3152
> zone 
> "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" 
> {
>         type master;
>         file "localhost-v6.rev";
> };
> 
> // RFC 1886 -- deprecated
> zone 
> "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" 
> {
>         type master;
>         file "localhost-v6.rev";
> };
> 
> 
> key DHCP_UPDATER {
> algorithm HMAC-MD5.SIG-ALG.REG.INT;
> secret xxxxxxxxxxxxxxxxxxxxxxxxxx;
> };
> 
> zone "best-eng.de" {
>         type master;
>         file "db.best-eng";
>         allow-update {
>             key DHCP_UPDATER;
>             192.168.200.0/24;
>         };
> };
> 
> zone "200.168.192.in-addr.arpa" {
>         type master;
>         file "db.192.168.200";
>         allow-update {
>             key DHCP_UPDATER;
>             192.168.200.0/24;
>         };
> };
> 
> --------8><------------------------
> 
> Can anyone please help me?
> -- 
> Ciao/BSD - Matthias
> 
> Matthias Schuendehuette <msch [at] snafu.de>, Berlin (Germany)
> Powered by FreeBSD 5.0-CURRENT
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

More information about the bind-users mailing list