named-checkzone comes unglued

Mark Andrews Mark_Andrews at isc.org
Thu Jan 10 12:47:28 UTC 2008


> # named-checkzone from 9.4.2 whines
> 
> $ named-checkzone -d gn gn
> loading "gn" from "gn" class "IN"
> zone gn/IN: cerescor.ac.gn/NS 'ns.uganc.ac.gn' (out of zone) has no addresses records (A or AAAA)

	This is an attempt to check the glue by looking for the real
	records.  That lookup failed.  Two "no answers" and 1 lame
	server.  Missing glue is reported differently.

% dig ns.uganc.ac.gn @217.146.3.235 +norec

; <<>> DiG 9.3.4-P1 <<>> ns.uganc.ac.gn @217.146.3.235 +norec
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
% dig ns.uganc.ac.gn @208.52.96.34 +norec

; <<>> DiG 9.3.4-P1 <<>> ns.uganc.ac.gn @208.52.96.34 +norec
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
% dig ns.uganc.ac.gn @193.220.182.2 +norec

; <<>> DiG 9.3.4-P1 <<>> ns.uganc.ac.gn @193.220.182.2 +norec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27723
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;ns.uganc.ac.gn.                        IN      A

;; AUTHORITY SECTION:
gn.                     76456   IN      NS      SUNIC.SUNET.SE.
gn.                     76456   IN      NS      NS1.DNS.AQ.
gn.                     76456   IN      NS      RIP.PSG.COM.
gn.                     76456   IN      NS      HIPPO.RU.AC.ZA.

;; ADDITIONAL SECTION:
RIP.PSG.COM.            76414   IN      A       147.28.0.39

;; Query time: 880 msec
;; SERVER: 193.220.182.2#53(193.220.182.2)
;; WHEN: Thu Jan 10 23:35:52 2008
;; MSG SIZE  rcvd: 153

% 
> zone gn/IN: cerescor.ac.gn/NS 'ns.afripakamsar.net.gn' (out of zone) has no addresses records (A or AAAA)
> zone gn/IN: uganc.ac.gn/NS 'ns.uganc.ac.gn' (out of zone) has no addresses records (A or AAAA)
> zone gn/IN: uganc.ac.gn/NS 'ns.afripakamsar.net.gn' (out of zone) has no addresses records (A or AAAA)
> 
> yet the zone has
> 
> afripakamsar.net.gn.    NS      ns.afripakamsar.net.gn.
>                         NS      ns.afripatelecom.net.gn.
> ns.afripakamsar.net.gn. A       208.52.96.34
> 
> afripatelecom.net.gn.   NS      ns.afripatelecom.net.gn.
>                         NS      ns0.xname.org.
>                         NS      ns1.xname.org.
> ns.afripatelecom.net.gn. A      193.220.182.2
> 
> uganc.ac.gn.            NS      ns.uganc.ac.gn.
>                         NS      ns.afripatelecom.net.gn.
>                         NS      ns.afripakamsar.net.gn.
> ns.uganc.ac.gn.         A       217.146.3.235
> 
> oh, and bind 9.3.4 loads the zone just fine

	BIND 9.4 will load it as well.  named-checkzone does checks
	named doesn't.  Named only checks that the zone is self
	consistent, not that it is externally consistent.
	named-checkzone attempts to do the latter.
 
           Mode "full" checks that delegation NS records refer to A or AAAA
           record (both in-zone and out-of-zone hostnames). It also checks
           that glue addresses records in the zone match those advertised by
           the child. Mode "local" only checks NS records which refer to
           in-zone hostnames or that some required glue exists, that is when
           the nameserver is in a child zone.

	Mark

> randy
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
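
The split between what zone data alone can confirm and what needs a live query, as an added illustration that is not BIND code and not from either poster. The function names (`classify`, `local_check`, `needs_lookup`) and the category labels are hypothetical; the delegations and glue are copied from the zone excerpt quoted in the thread.

```python
# Added illustration (not BIND code): model which delegation NS targets an
# offline check can verify from zone data and which need real DNS lookups.
ZONE = "gn."

# Delegations and glue copied from the zone excerpt quoted in the thread.
DELEGATIONS = {
    "afripakamsar.net.gn.": ["ns.afripakamsar.net.gn.", "ns.afripatelecom.net.gn."],
    "afripatelecom.net.gn.": ["ns.afripatelecom.net.gn.", "ns0.xname.org.", "ns1.xname.org."],
    "uganc.ac.gn.": ["ns.uganc.ac.gn.", "ns.afripatelecom.net.gn.", "ns.afripakamsar.net.gn."],
}
GLUE = {
    "ns.afripakamsar.net.gn.": ["208.52.96.34"],
    "ns.afripatelecom.net.gn.": ["193.220.182.2"],
    "ns.uganc.ac.gn.": ["217.146.3.235"],
}

def is_subdomain(name, parent):
    """True if `name` equals `parent` or lies below it (case-insensitive)."""
    name, parent = name.lower(), parent.lower()
    return name == parent or name.endswith("." + parent)

def classify(child, ns, delegations=DELEGATIONS, zone=ZONE):
    """Say where the address records for NS target `ns` of `child` live."""
    if is_subdomain(ns, child):
        return "required-glue"   # server is inside the zone it serves
    if any(is_subdomain(ns, cut) for cut in delegations):
        return "sibling-glue"    # below another delegation of this zone
    if is_subdomain(ns, zone):
        return "in-zone"         # authoritative data of the parent zone
    return "external"            # outside the parent zone entirely

def local_check(delegations, glue):
    """Offline check: delegations whose required glue is absent."""
    return [(child, ns) for child, servers in delegations.items()
            for ns in servers
            if classify(child, ns, delegations) == "required-glue" and not glue.get(ns)]

def needs_lookup(delegations):
    """NS targets whose real records only a live query can confirm."""
    return sorted({ns for child, servers in delegations.items() for ns in servers
                   if classify(child, ns, delegations) != "in-zone"})

if __name__ == "__main__":
    print("missing required glue:", local_check(DELEGATIONS, GLUE))
    print("need live lookup:", needs_lookup(DELEGATIONS))
```

On the excerpt's data the offline check finds nothing missing, while every NS target still depends on a live answer from the child or an external zone, which is where the lookups in the reply failed.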
