named-checkzone ignoring flags?

Alexander Ottl alexander.ottl at nci.de
Mon Dec 3 07:50:39 UTC 2007


Alexei Tenitski wrote, On 12/03/2007 03:47 AM:
> Hi
> 
> I have a strange problem with named-checkzone & named-compilezone 
> ignoring the value of some of the flags.
> 
> Given this zone:
> 
> example.com. 3600 IN    SOA     example.net. root.example.net. 1196631861 3600 3600 3600 3600
> @ 3600 IN    NS      ns1.example.net.
> @ 3600 IN    NS      ns3
> @ 3600 IN    MX      10 www
> www 3600 IN CNAME  @
> 
> and this bind version:
> 
> # /usr/local/sbin/named-checkzone -v
> 9.4.1-P1
> 
> 
> When I run a check with flag "-M fail" (MX -> CNAME) it picks it up and 
> does FAIL as I asked:
> 
> # /usr/local/sbin/named-checkzone -M fail example.com. example.com.zone
> example.com.zone:3: using RFC1035 TTL semantics
> zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
> zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)
> 
> 
> However, if I try to make it fail on things like -n or -m (no A record 
> for NS or MX) it just ignores those flags and uses mode WARN as usual:

Those flags do not influence the check for missing A record. They check for an NS or MX
record that looks like an IP address instead of a hostname. The man page says so.
Try "@ IN NS 10.10.10.10." in your zone file and you'll see. The check for missing A
record on the other hand is special. It is always performed and is always only a
warning. (OK, with one exception: If you turn off integrity checks you don't get MX with
missing A warnings)

> 
> # /usr/local/sbin/named-checkzone -n fail -m fail example.com. example.com.zone
> example.com.zone:3: using RFC1035 TTL semantics
> zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
> zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)
> zone example.com/IN: loaded serial 1196631861
> OK
> 
> 
> Also, seems that flag -i does not change anything in check/compile 
> behavior at all...

The -i flag determines if and how the integrity checks (see -M and -S) are performed.
Illegal CNAMEs and missing A records will either be found only in-zone (mode local) or
out-of-zone (mode full). The man page might not make that entirely clear. The sibling
options are a bit harder to explain :-)

> 
> Does anyone have any idea? I've tried all I could think of, googled and 
> googled and googled but still have no idea what is going on here... :(
> 
> Regards,
> Alexei
Regards,
Alexander Ottl
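
Since the missing-address check described in the reply is always a warning, a caller that wants a hard failure (for example before loading a zone) has to inspect the output itself. The wrapper below is an added example, not part of the original thread: the function names are hypothetical, the sample is built from the output quoted above, and the message patterns are those of the quoted 9.4.1-P1 output (other versions may word them differently).

```shell
#!/bin/sh
# Added example: treat selected named-checkzone warnings as fatal.
# Patterns are copied from the output quoted in this thread; treating them
# as stable across BIND versions is an assumption.

# Constructed sample: the "-n fail -m fail" output quoted above.
SAMPLE_OUTPUT="example.com.zone:3: using RFC1035 TTL semantics
zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)
zone example.com/IN: loaded serial 1196631861
OK"

# strict_findings: read checker output on stdin and print every line this
# wrapper promotes from warning to failure (hypothetical helper).
strict_findings() {
    grep -E "has no address records \(A or AAAA\)|is a CNAME \(illegal\)" || true
}

# strict_verdict: read checker output on stdin; succeed only if the final
# line is "OK" and no promoted warning is present. Findings go to stderr.
strict_verdict() {
    out=$(cat)
    findings=$(printf '%s\n' "$out" | strict_findings)
    last=$(printf '%s\n' "$out" | tail -n 1)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
    [ "$last" = "OK" ]
}

# strict_checkzone ZONE FILE: run the real tool and apply the verdict.
# The pipeline's status is strict_verdict's, so a run that never prints
# "OK" fails as well.
strict_checkzone() {
    named-checkzone "$1" "$2" 2>&1 | strict_verdict
}
```

Call it as `strict_checkzone example.com. example.com.zone`; it returns non-zero for the zone in the question even though named-checkzone itself reports OK.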


