recursion for reverse/in-addr.arpa zones

Todd Snyder tsnyder at rim.com
Fri Dec 12 18:38:42 UTC 2008 

On our slave, there are no specific declarations for the 10.131.10 zone,
or even 10.131, just 10.
 
On the server we're slaving off of, there would probably be more, but I
don't know as I'm not in control of that server/servers.
 
Will reverse lookups by default continue to look for more specific
domains, recursing as necessary?  If so, how far will it go?  I'm
slaving an "A" class, and it went and found a "C".  If we'd had the "B"
declared, would it have stopped there, or kept going?
 
This behaviour seems odd to me, and I've not been able to find
information about this behaviour in the book(s).
 
Merci!
 
Todd.

________________________________

From: Ben Croswell [mailto:ben.croswell at gmail.com] 
Sent: Thursday, December 11, 2008 5:15 PM
To: Todd Snyder
Cc: bind-users at isc.org
Subject: Re: recursion for reverse/in-addr.arpa zones


Are there NS records and/or zone forwarding for the 10.131.10.0?
If there is the servers will look to the most specfic domain.

-- 
-Ben Croswell


On Thu, Dec 11, 2008 at 4:38 PM, Todd Snyder <tsnyder at rim.com> wrote:


	Good day,
	
	We are working on an odd issue.  I can provide more detail as
necessary,
	but don't want to fill this email with snips of useless stuff.
All
	IP's/names provided are made up, as they don't matter in this
problem as
	far as I can tell.  This is more a functional question than a
specific
	operating question.
	
	We have 2 servers acting as a slave for the zone
"10.in-addr.arpa".  The
	master(s) for this server are 2 Windows AD servers.  Our servers
(all
	bind9.4 of some variety) are doing zone transfers fine, and
we're
	getting whatever is in the zone.
	
	We've run in to a couple IP's that when we dig them on these
slaves,
	they are timing out.  They are in a specific location, which we
have
	determined are firewalled differently.
	
	For example, we are doing a dig for 10.131.10.1 against these 2
	different locations.  In one location, we get an answer quickly.
In the
	other, it times out.  The problem in our case is that in one
location,
	the slave we're querying can't reach anything but the masters.
	
	What we've figured out is that the 10.in-addr.arpa zone doesn't
contain
	EVERY 10. address we thought, but is missing some.  In this
case, our
	slaved zone doesn't have 10.131.10.1.  But, instead of the slave
server
	(which should be authortative) returning an "I don't know"
error, it
	appears to be doing a recusive query.  Against what, we're not
100% sure
	of yet.  Well, we know which server, because DIG tells us, but
we aren't
	sure why that one.
	
	When I look at the 10.in-addr.arpa zone, there are approximately
20 NS
	records for other AD servers.  My speculation is that the slave
we're
	querying is recusively looking to one of the servers returned in
the
	additional section?  This behaviour seems odd to us, and therein
lies my
	question.
	
	Does doing a reverse lookup (dig -x) cause the queried server to
behave
	differently than a forward lookup?  My slave server is
technically
	authoritative for the 10.in-addr.arpa zone, but it is still
recusively
	going to another server to find an answer.  Why?  Is this
because we
	have defined the zone as 10.in-addr.arpa instead of
creating/slaving
	more specific zones (ie: 10.131.10.in-addr.arpa)?  How can we
control
	this behaviour?
	
	Thank you for any light you can shed on this - we're confident
we know
	what is going on, but we can't figure out why the server behaves
	differently for reverse zones than it would for forward zones.
	
	Cheers,
	
	Todd.
	
	
	------------------------------
	Todd Snyder
	Data Networks Tools
	bb.226.338.2617
	Always On, Always Connected.
	
	
	
---------------------------------------------------------------------
	This transmission (including any attachments) may contain
confidential information, privileged material (including material
protected by the solicitor-client or other applicable privileges), or
constitute non-public information. Any use of this information by anyone
other than the intended recipient is prohibited. If you have received
this transmission in error, please immediately reply to the sender and
delete this information from your system. Use, dissemination,
distribution, or reproduction of this transmission by unintended
recipients is not authorized and may be unlawful.
	_______________________________________________
	bind-users mailing list
	bind-users at lists.isc.org
	https://lists.isc.org/mailman/listinfo/bind-users
	






---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20081212/0be8d2a2/attachment.html>

More information about the bind-users mailing list