Forward zone problem

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 17 00:56:50 UTC 2006 

You're aware the that the .gprs TLD *doesn't*actually*exist* in the 
Internet DNS, right? So if your nameserver ever tries to look up .gprs 
names on the Internet, it'll probably get a "no such domain" response, 
and it will cache that "negative" response for some period of time, and 
any .gprs queries it gets in the interim will be responded to with NXDOMAIN.

For this reason, in the absence of some special "hints" file, you'll 
need to specify your forwarding mode as "forward only". This will 
prevent your nameserver from going out and trying to resolve names in 
the Internet DNS if there is some sort of transient problem talking to 
the forwarder. That's what I suspect is happening here.

- Kevin

Stefanick, Andrew wrote:

>Here is a dig for a name that works with a forward zone on the system
>currently:
>
>
># ./dig wap.cingular.mnc410.mcc310.gprs a
>
>; <<>> DiG 9.2.2 <<>> wap.cingular.mnc410.mcc310.gprs a
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1122
>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
>
>;; QUESTION SECTION:
>;wap.cingular.mnc410.mcc310.gprs. IN    A
>
>;; ANSWER SECTION:
>wap.cingular.mnc410.mcc310.gprs. 234 IN A       66.102.184.193
>wap.cingular.mnc410.mcc310.gprs. 234 IN A       66.102.185.193
>
>;; AUTHORITY SECTION:
>mnc410.mcc310.gprs.     447     IN      NS
>wcrdns1.mnc410.mcc310.gprs.
>mnc410.mcc310.gprs.     447     IN      NS
>atlrdns1.mnc410.mcc310.gprs.
>
>;; ADDITIONAL SECTION:
>wcrdns1.mnc410.mcc310.gprs. 604647 IN   A       66.102.185.70
>atlrdns1.mnc410.mcc310.gprs. 604647 IN  A       66.102.184.70
>
>;; Query time: 9 msec
>;; SERVER: 12.25.118.5#53(12.25.118.5)
>;; WHEN: Thu Mar 16 16:43:06 2006
>;; MSG SIZE  rcvd: 158
>
>#
>
>
>This is a dig against the forwarder that is not working:
>
>
>********************** from epictouch *********************
>
># ./dig internet.epictouch.mnc610.mcc310.gprs a
>
>; <<>> DiG 9.2.2 <<>> internet.epictouch.mnc610.mcc310.gprs a
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47408
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;internet.epictouch.mnc610.mcc310.gprs. IN A
>
>;; AUTHORITY SECTION:
>.                       10800   IN      SOA     a.root-servers.net.
>nstld.verisi
>gn-grs.com. 2006031600 1800 900 604800 86400
>
>;; Query time: 118 msec
>;; SERVER: 12.25.118.10#53(12.25.118.10)
>;; WHEN: Thu Mar 16 16:44:38 2006
>;; MSG SIZE  rcvd: 130
>
>The is no zone file on the machine for any of the configured forward
>zone.  They only exist as directives in named.conf.
>
>But I see the posts that DNS will not forward for something it is
>authoritive for.  Where would this authority reside?  There are no zone
>files with any matching names of the forward zones.
>
>My only thought is perhaps the segment   mcc310.gprs  is somehow
>authoritive on the server, but that would not explain how the cingular
>dig worked then.
>
>
>
>
>
>
>
>
>-----Original Message-----
>From: Stefanick, Andrew 
>Sent: Thursday, March 16, 2006 12:58 PM
>To: bind-users at isc.org
>Subject: Forward zone problem
>
>I am struggling with a forward zone issue in Bind 9
> 
>
>We have many forward zones configured and they work fine.  They really
>amount to no more than a forward directive such as
>
> 
>
> 
>
>zone "name.of.domain" {
>
>    type forward;
>
>    forwarders {w.x.y.z;};
>
>};
>
> 
>
> 
>
>We put in a new one, and it will not work.  nslookup shows it seemingly
>only trying to resolve the query internally.
>
> 
>
>If I set the server to the IP of the forwarder in the nslookup, then we
>can resolve the queries when posed directly to the remote DNS server.
>So, it is not a networking issue.
>
> 
>
>I do not understand the logic/sequence that occurs when a query is posed
>that should be sent to a forwarder.  Where do the root-server  records
>come in, and why even.  Doesn't the forward directive tell the server,
>"don't even bother, just go to w.x.y.z for the answer"
>
> 
>
>here are some example of using dig against some of the forward zones
>that work.  The AUTHORITY section shows the name of the remote DNS that
>controls the domain.
>
> 
>
>When I try dig for the new forwarder, the only AUTHORITY that shows is
>the A.rootserver.
>
> 
>
>I really don't get it.
>
> 
>
>I ONLY put in the 3 line directive, and I am done.
>
> 
>
>I don't even know what to change/try.  It is too simple to implement.
>
> 
>
> 
>
> 
>
># ./dig mnc150.mcc310.gprs
>
> 
>
>; <<>> DiG 9.2.2 <<>> mnc150.mcc310.gprs
>
>;; global options:  printcmd
>
>;; Got answer:
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61159
>
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> 
>
>;; QUESTION SECTION:
>
>;mnc150.mcc310.gprs.            IN      A
>
> 
>
>;; AUTHORITY SECTION:
>
>mnc150.mcc310.gprs.     600     IN      SOA
>wcrdns1.mnc410.mcc310.gprs. root
>
>.wcrdns1.mnc410.mcc310.gprs. 2006030303 600 3600 1209600 600
>
> 
>
>;; Query time: 115 msec
>
>;; SERVER: 12.25.118.5#53(12.25.118.5)
>
>;; WHEN: Thu Mar 16 15:37:45 2006
>
>;; MSG SIZE  rcvd: 92
>
> 
>
># ./dig mnc170.mcc310.gprs
>
> 
>
>; <<>> DiG 9.2.2 <<>> mnc170.mcc310.gprs
>
>;; global options:  printcmd
>
>;; Got answer:
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3961
>
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> 
>
>;; QUESTION SECTION:
>
>;mnc170.mcc310.gprs.            IN      A
>
> 
>
>;; AUTHORITY SECTION:
>
>mnc170.mcc310.gprs.     600     IN      SOA
>wcrdns1.mnc410.mcc310.gprs. root
>
>.wcrdns1.mnc410.mcc310.gprs. 2006030303 600 3600 1209600 600
>
> 
>
>;; Query time: 99 msec
>
>;; SERVER: 12.25.118.5#53(12.25.118.5)
>
>;; WHEN: Thu Mar 16 15:38:05 2006
>
>;; MSG SIZE  rcvd: 92
>
>
>
>
>
>
>
>
>
>  
>

More information about the bind-users mailing list