named-checkzone ignoring flags?
Alexander Ottl
alexander.ottl at nci.de
Mon Dec 3 07:50:39 UTC 2007
Alexei Tenitski wrote, On 12/03/2007 03:47 AM:
> Hi
>
> I have a strange problem with named-checkzone & named-compilezone
> ignoring the value of some of the flags.
>
> Given this zone:
>
> example.com. 3600 IN SOA example.net. root.example.net. 1196631861 3600 3600 3600 3600
> @ 3600 IN NS ns1.example.net.
> @ 3600 IN NS ns3
> @ 3600 IN MX 10 www
> www 3600 IN CNAME @
>
> and this bind version:
>
> # /usr/local/sbin/named-checkzone -v
> 9.4.1-P1
>
>
> When I run check with flag "-M fail" (MX -> CNAME) it picks it up and
> does FAIL as I asked:
>
> # /usr/local/sbin/named-checkzone -M fail example.com. example.com.zone
> example.com.zone:3: using RFC1035 TTL semantics
> zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
> zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)
>
>
> However, if I try to make it fail on things like -n or -m (no A record
> for NS or MX) it just ignores those flags and uses mode WARN as usual:
Those flags do not influence the check for missing A record. They check for an NS or MX
record that looks like an IP address instead of a hostname. The man page says so.
Try "@ IN NS 10.10.10.10." in your zone file and you'll see. The check for missing A
record on the other hand is special. It is always performed and is always only a
warning. (OK, with one exception: If you turn off integrity checks you don't get MX with
missing A warnings.)
>
> # /usr/local/sbin/named-checkzone -n fail -m fail example.com. example.com.zone
> example.com.zone:3: using RFC1035 TTL semantics
> zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
> zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)
> zone example.com/IN: loaded serial 1196631861
> OK
>
>
> Also, seems that flag -i does not change anything in check/compile
> behavior at all...
The -i flag determines if and how the integrity checks (see -M and -S) are performed.
Illegal CNAMEs and missing A records will either be found only in-zone (mode local) or
out-of-zone (mode full). The man page might not make that entirely clear. The sibling
options are a bit harder to explain :-)
>
> Does anyone have any idea? I've tried all I could think of, googled and
> googled and googled but still have no idea what is going on here... :(
>
> Regards,
> Alexei
Regards,
Alexander Ottl
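
Since the reply above says the missing-address check is always only a warning, a pre-deploy check that wants it to be fatal has to read the tool's output. The following shell sketch is an added example, not part of the original thread; the function names are hypothetical, the sample is built from the output quoted in the message, and the MX form of the message is assumed to use the same wording as the NS line.

```shell
#!/bin/sh
# Added example: treat named-checkzone's warn-only "has no address records"
# findings as a hard failure. Function names are hypothetical.

# Constructed sample, copied from the output quoted in the thread.
SAMPLE_OUTPUT="example.com.zone:3: using RFC1035 TTL semantics
zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)
zone example.com/IN: loaded serial 1196631861
OK"

# Read named-checkzone output on stdin; print one "TYPE name" line for every
# missing-address warning. Always returns 0; callers test for empty output.
missing_address_findings() {
    awk '
        /^zone / && /has no address records/ {
            n = split($0, q, "\047")        # \047 is a single quote
            if (n < 3) next                 # no quoted name: skip the line
            k = split(q[1], w, " ")         # last word before the name is
            t = w[k]                        # "NS" or (assumed) "owner/MX"
            sub(/^.*\//, "", t)             # drop an "owner/" prefix
            print t " " q[2]
        }
    '
}

# Run the real tool and fail on its own errors or on promoted warnings.
# $1 = zone name, $2 = zone file; needs named-checkzone on PATH.
check_zone_strict() {
    rc=0
    out=$(named-checkzone -M fail "$1" "$2" 2>&1) || rc=$?
    printf '%s\n' "$out"
    [ "$rc" -eq 0 ] || return "$rc"
    findings=$(printf '%s\n' "$out" | missing_address_findings)
    if [ -n "$findings" ]; then
        printf 'FAIL (warning promoted to error):\n%s\n' "$findings" >&2
        return 1
    fi
    return 0
}
```

Call it as `check_zone_strict example.com. example.com.zone`; a non-zero exit then covers both the tool's own failures and the missing-address warnings.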