migration from bind8 to bind9

Mark Andrews Mark_Andrews at isc.org
Wed Dec 13 21:52:27 UTC 2006


> Hi,
> We are administering the tr. domain and testing bind9 to upgrade from
> bind8. Below is a bind8 response for a sample query from one of our
> currently operating DNS's:
> 
> ------------------------------------------------------------------------
> 
> ustun at houston:~$ dig @ns2.nic.tr milliyet.com.tr. -t ns
> 
> ; <<>> DiG 9.3.2-P1 <<>> @ns2.nic.tr milliyet.com.tr. -t ns
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1229
> ;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;milliyet.com.tr.               IN      NS
> 
> ;; ANSWER SECTION:
> milliyet.com.tr.        43200   IN      NS      doldns02.dol.com.tr.
> milliyet.com.tr.        43200   IN      NS      doldns01.dol.com.tr.
> 
> ;; ADDITIONAL SECTION:
> doldns02.dol.com.tr.    43200   IN      A       213.243.1.42
> doldns01.dol.com.tr.    43200   IN      A       213.243.1.40
> 
> ;; Query time: 3 msec
> ;; SERVER: 144.122.95.52#53(144.122.95.52)
> ;; WHEN: Wed Dec 13 16:00:31 2006
> ;; MSG SIZE  rcvd: 115
> 
> ustun at houston:~$
> 
> ------------------------------------------------------------------------
> 
> and below is the response from bind9 installed on a test machine to
> the same query with the same configuration:
> 
> ustun at houston:~$ dig @144.122.95.178 milliyet.com.tr. -t ns
> 
> ; <<>> DiG 9.3.2-P1 <<>> @144.122.95.178 milliyet.com.tr. -t ns
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34422
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;milliyet.com.tr.               IN      NS
> 
> ;; AUTHORITY SECTION:
> milliyet.com.tr.        43200   IN      NS      doldns02.dol.com.tr.
> milliyet.com.tr.        43200   IN      NS      doldns01.dol.com.tr.
> 
> ;; ADDITIONAL SECTION:
> doldns01.dol.com.tr.    43200   IN      A       213.243.1.40
> doldns02.dol.com.tr.    43200   IN      A       213.243.1.42
> 
> ;; Query time: 89 msec
> ;; SERVER: 144.122.95.178#53(144.122.95.178)
> ;; WHEN: Wed Dec 13 15:59:14 2006
> ;; MSG SIZE  rcvd: 115
> 
> ustun at houston:~$
> 
> ------------------------------------------------------------------------
> recursion is not allowed in both machines. Bind8 looks at the zone
> files at localhost, finds the NS record, queries root servers for
> additional ip information and gives an answer. However, bind9 takes
> this query as recursive,

	It is a recursive query, "rd" is set in the flags.  dig defaults
	to asking recursive queries.  You should use 'dig +norec' for
	the testing of parent servers.  This simulates the queries from
	an iterative resolver rather than a stub resolver.

> and does not return an answer although the NS
> record is available at localhost in "com.tr." zone file.

	Your server does NOT have any answer for milliyet.com.tr. It
	knows where the answers for milliyet.com.tr can be found
	however so it sends a referral.  Iterative resolvers will
	look in the authority section, find the NS RRset, then query
	the authoritative servers for milliyet.com.tr.

> Bind9 logs this:
>
> Dec 13 16:34:11 localhost named[19911]: Dec 13 16:34:11.617 security:
> debug 1: client 144.122.95.150#33024: recursion available: denied
> 
> I searched the list but couldn't find a satisfying answer. So why is
> there a difference? How can we reconfigure bind9 to answer the query
> as bind8 to preserve the same system?
> 
> Thanks and Regards,
> ustun
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
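
The distinction drawn in the reply above (a referral versus an answer, and "rd" set on a server that does not offer recursion) can be read straight off the dig header lines. The following is an added example, not part of the original thread or of BIND; the function names are hypothetical, and the classification is a header-only heuristic that assumes an AUTHORITY section without "aa" carries a delegation NS RRset.

```python
import re

# Header lines copied from the two dig outputs quoted in the thread.
BIND8 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1229
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
"""
BIND9 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34422
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
"""


def parse_header(text):
    """Return (status, set of flags, section counts) from dig header lines."""
    status = re.search(r"status: (\w+)", text).group(1)
    m = re.search(r"flags:([^;]*);\s*(.*)", text)
    flags = set(m.group(1).split())
    counts = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", m.group(2))}
    return status, flags, counts


def classify(text):
    """Classify a response as answer, referral or no data, plus notes."""
    status, flags, counts = parse_header(text)
    notes = []
    # "rd" echoed back without "ra": the client asked for recursion
    # (dig's default) and the server does not provide it.
    if "rd" in flags and "ra" not in flags:
        notes.append("recursion requested but not available")
    if status != "NOERROR":
        kind = status.lower()
    elif counts["ANSWER"] > 0:
        kind = ("authoritative answer" if "aa" in flags
                else "non-authoritative answer")
    elif counts["AUTHORITY"] > 0 and "aa" not in flags:
        # Empty answer, no "aa", records in AUTHORITY: a delegation.
        kind = "referral"
    else:
        kind = "no data"
    return kind, notes


if __name__ == "__main__":
    for name, sample in (("bind8", BIND8), ("bind9", BIND9)):
        print(name, classify(sample))
```

Neither response carries "aa": the BIND 8 server placed the delegation NS records in the ANSWER section, while the BIND 9 server returned the same records as a referral in AUTHORITY.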
