9.2.3rc2 NS lookups failing

Dave Lugo dlugo at etherboy.com
Thu Sep 18 00:52:57 UTC 2003


(reposting into a new thread)

I've built and installed 9.2.3rc2 to work around the Verisign issue.

Wildcards in the root are no longer a problem, however, I'm seeing what 
seems (IMVHO) to be incorrect behaviour.

The announcement of the new release states:

"...Briefly, a zone which has been declared "delegation-only" will be 
effectively limited to containing NS RRs for subdomains, but no actual 
data outside its apex (for example, its SOA RR and apex NS RRset)..."

By my reading of the above, I _should_ be able to do something like:

    dig ns $domain_that_exists.[com|net]

...and get an answer.  What I am instead seeing is:


root@severe# dig ns grape.com

; <<>> DiG 9.2.2rc1 <<>> ns grape.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44941
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;grape.com.                     IN      NS

;; Query time: 252 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 17 20:48:12 2003
;; MSG SIZE  rcvd: 27


...and I see a corresponding "no!" in the logs:

Sep 17 20:48:12 severe named[5167]: enforced delegation-only for 'com' 
(grape.com


It seems that the only way to get around this new issue, and get the 
entire NS set for a domain from the root, is to do a `dig any $domain` 
instead:

root@severe# dig any grape.com

; <<>> DiG 9.2.2rc1 <<>> any grape.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13192
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;grape.com.                     IN      ANY

;; ANSWER SECTION:
grape.com.              172800  IN      NS      gold.sbcidc.com.
grape.com.              172800  IN      NS      ns.savaii.com.

;; AUTHORITY SECTION:
grape.com.              172800  IN      NS      gold.sbcidc.com.
grape.com.              172800  IN      NS      ns.savaii.com.

;; ADDITIONAL SECTION:
ns.savaii.com.          172800  IN      A       216.154.253.185
gold.sbcidc.com.        172800  IN      A       216.65.209.34

;; Query time: 1270 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 17 20:49:32 2003
;; MSG SIZE  rcvd: 137



Is this the desired behaviour of `delegation-only`?  I'm very pleased 
that the new zonetype stops wildcards, but I'm somewhat concerned that 
something else may have been broken.

Thanks,

Dave

-- 
--------------------------------------------------------
Dave Lugo   dlugo at etherboy.com    LC Unit #260   TINLC
Have you hugged your firewall today?   No spam, thanks.
--------------------------------------------------------
Are you the police?  . . . .  No ma'am, we're sysadmins.
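
An added example, not part of the original post and not BIND code: a check over captured dig output that flags the symptom reported above, where an NS query returns NXDOMAIN while an ANY query for the same name returns NS records. The sample text is constructed from the dig headers shown in the post, and the function names are hypothetical.

```python
import re

# Constructed samples: header and section lines shaped like the two dig
# responses in the post above (abbreviated).
NS_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44941
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;grape.com.                     IN      NS
"""

ANY_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13192
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;grape.com.                     IN      ANY

;; ANSWER SECTION:
grape.com.              172800  IN      NS      gold.sbcidc.com.
grape.com.              172800  IN      NS      ns.savaii.com.
"""

def parse_dig(text):
    """Return (status, answer count, NS targets found in the ANSWER section)."""
    status = re.search(r"status: (\w+)", text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    ns, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";;"):
            # Section banners switch the parser in or out of the answer section.
            in_answer = line.startswith(";; ANSWER SECTION")
        elif in_answer and line.strip() and not line.startswith(";"):
            fields = line.split()  # name, ttl, class, type, rdata
            if len(fields) >= 5 and fields[3] == "NS":
                ns.append(fields[4])
    return status, answers, ns

def ns_lookup_suppressed(ns_text, any_text):
    """True when the NS query is NXDOMAIN but ANY for the same name has NS RRs."""
    ns_status, _, _ = parse_dig(ns_text)
    any_status, _, any_ns = parse_dig(any_text)
    return ns_status == "NXDOMAIN" and any_status == "NOERROR" and bool(any_ns)

if __name__ == "__main__":
    print(ns_lookup_suppressed(NS_QUERY, ANY_QUERY))
```
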


