[CLOSED] Domaine Non-authoritative answer

Wed Jul 16 16:57:04 UTC 2008

I've finally solved the problem... a weird one in fact...

Stéphane Repeating that it was a zone not loaded problem, I started
verifying all bind files on the server...
I remembered that bind 8 had installed itself after apt-get, and I had had
to use another repo to apt-get bind 9

Yet /etc/init.d/bind9 never got installed for a reason that escapes me,
leaving only in init.d bind file (version 8 on it)
When loading bind, it could not load the zones as there were no conf files
for it... and I did not search further which version was really running...

After transferring init.d/bind9 from another server using same versions, and
a init.d/bind9 start... all went smoothly...

I knew my conf was not so dumb.... 

All zones are currently active, and I'm now getting dns secure (open
recursive, cache, etc)
AND cardiffusion.fr is currently under transfer...

Thanks a lot Stephane for your help, it saved me precious time this
evening....
(even if a newb would not always have understood you)

-----Message d'origine-----
De : bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] De la part
de [Cardiff] Tugdual de Lassat
Envoyé : mercredi 16 juillet 2008 16:37
À : 'Stephane Bortzmeyer'
Cc : bind-users at isc.org
Objet : RE: Domaine Non-authoritative answer

Well this is the problem, as it is supposed to be installed on
ns6.cardiffdns.fr

It is called in named.conf, and file is physically present on server....

ns2014342:~# named-checkzone cardiffusion.fr /etc/bind/cardiffusion.fr.db
zone cardiffusion.fr/IN: loaded serial 2008071501
OK

Yet, I always have Zonecheck.fr response: 
SOA is not authoritative ns6.cardiffdns.fr./91.121.119.48
I know I have a problem, and am certainly not going to blame afnic for being
restrictive.
And I know the server is open recursive, as I opened it up voluntary, due to
these problems, and will close it down as soon as I'm sure domains are
resolving...

Nevertheless the object of my problem is certainly not the .fr domain, but
bind zones in general on this server...
Why is my bind server responding not-AA when all zones are inserted, that
named-checkzone answers ok on all zones, that named-checkconf -z is ok on
all zones... ??? why are the flags aa absent ???

Now tell me, what would be the normal zone or named.conf I should use that
would respond my needs... ???

Tugdual de Lassat

-----Message d'origine-----
De : bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] De la part
de Stephane Bortzmeyer
Envoyé : mercredi 16 juillet 2008 16:14
À : list-bind at cardiff.fr
Cc : bind-users at isc.org
Objet : Re: Domaine Non-authoritative answer

On Wed, Jul 16, 2008 at 03:07:48PM +0200,
 list-bind at cardiff.fr <list-bind at cardiff.fr> wrote 
 a message of 442 lines which said:

> Cardiffusion.fr resolves to following ns's : ns4.cardiffdns.fr /
> ns2.cardiffdns.fr but is parked and will be transferred to new's dns
> as soon as soa problems are solved (afnic restrictive dns policy)

? In what way is it restrictive? What's the actual problem?

Currently, ns2.cardiffdns.fr gives the following delegation for this
domain:

ns2.cardiffdns.fr.
ns6.cardiffdns.fr.

But Cardiffusion.fr is not even installed on ns6!

% dig @ns6.cardiffdns.fr. ANY Cardiffusion.fr

; <<>> DiG 9.4.2-P1 <<>> @ns6.cardiffdns.fr. ANY Cardiffusion.fr
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21318
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 3

[No "aa" flag]

You can hardly blame AFNIC policy for such a misconfiguration!

BTW, ns6.cardiffdns.fr is an open recursive name server, which is Bad
<http://www.afnic.fr/actu/nouvelles/general/NN20060404_en>.