weird bind cache server behaviour - unexpected root hint delegation on forward only zone
Kevin Darcy
kcd at chrysler.com
Mon Jun 15 20:01:42 UTC 2009
Does it matter? Two of the servers happened to have root NS records
cached. You could verify this with rndc dumpdb -cache. The other two
servers, apparently, had no root NS records cached.
But if the client is just a stub resolver, or set up to forward, it
doesn't care about the NS records in the Authority Section. It only
cares about the Answer, which is the same in both cases.
- Kevin
Paul Sherratt wrote:
>
> I have 4 bind cache servers running with config close to what is
> listed at the bottom of this post.
>
> All 4 servers have identical bind configuration, running the same bind
> version (9.5.1-P1), and almost identical system layouts.
>
> The issue is that on two of the four servers, requests for records in
> the 'dnsbl' zone return root hints if the forwarded request comes back
> positive! If the forwarded request returns NXDOMAIN there are no root
> hints returned, expected as it is configured 'forward only'.
>
>
> Am I missing something obvious or anyone have an idea what might be
> going on? Again, the configs _are_ the same, I don't have any other
> options like minimal-responses etc set on the two servers that are
> working as expected!
>
>
> Regards,
>
> Paul
>
>
>
> $ dig 2.0.0.127.sbl.dnsbl @dns[12]
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31470
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;2.0.0.127.sbl.dnsbl. IN A
>
> ;; ANSWER SECTION:
> 2.0.0.127.sbl.dnsbl. 300 IN A 127.0.0.2
>
> ;; AUTHORITY SECTION:
> . 516796 IN NS J.ROOT-SERVERS.NET.
> . 516796 IN NS K.ROOT-SERVERS.NET.
> ...
>
> ;; ADDITIONAL SECTION:
> J.ROOT-SERVERS.NET. 603196 IN A 192.58.128.30
> J.ROOT-SERVERS.NET. 603196 IN AAAA 2001:503:c27::2:30
>
> ;; Query time: 8 msec
> ;; SERVER: x.x.x.x#53(x.x.x.x)
> ;; WHEN: Mon Jun 15 20:05:44 2009
> ;; MSG SIZE rcvd: 308
>
>
>
> $ dig 2.0.0.127.sbl.dnsbl @dns[34]
>
> ; <<>> DiG 9.4.2 <<>> 2.0.0.127.sbl.dnsbl @tch-cache1.dns
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41117
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;2.0.0.127.sbl.dnsbl. IN A
>
> ;; ANSWER SECTION:
> 2.0.0.127.sbl.dnsbl. 300 IN A 127.0.0.2
>
> ;; Query time: 8 msec
> ;; SERVER: x.x.x.x#53(x.x.x.x)
> ;; WHEN: Mon Jun 15 20:06:56 2009
> ;; MSG SIZE rcvd: 53
>
>
>
> --8<----------------
>
> acl good-mx-nets { 1.1.2.16/29; ... };
> acl good-nets { 1.1.1.0/19; ... };
>
> view good-mx-view {
> match-clients { good-mx-nets; }; // must name the acl declared above
> zone "dnsbl" { type forward; forward only; forwarders { 1.1.1.10; }; };
> };
>
> view good {
> match-clients { good-nets; };
> allow-recursion { good-nets; };
>
> zone "." { type hint; file "/etc/bind/db.root"; };
> zone "com" { type delegation-only; };
> zone "net" { type delegation-only; };
>
> // RFC 1912 zones
> zone "localhost" { type master; file "/etc/bind/db.local"; };
> zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
> zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
> zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
> };
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
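Kevin's point is that the two responses differ only in the Authority and Additional sections, which a stub or forwarding client ignores, and that `rndc dumpdb -cache` will show whether the root NS set happens to be cached. The script below is an added example, not code from the thread or from BIND: it parses dig's text output section by section, checks that the Answer sections agree across resolvers (ignoring TTLs, which differ with cache age), reports whether root NS records appear in the Authority section, and scans a cache dump for cached root NS. The dig outputs embedded in it are constructed, abridged from the two quoted above, and the cache dump is a constructed approximation of the named_dump.db layout, so adjust the last function if your BIND version prints something different.

```python
"""Compare dig responses section by section and check a cache dump for root NS.
Added example, not code from the original thread. All inputs are constructed:
the dig outputs are abridged from those quoted in the post (13 root NS cut to 2,
header counts adjusted); the cache dump only approximates named_dump.db."""
import re

DIG_DNS12 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31470
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.sbl.dnsbl.           IN      A

;; ANSWER SECTION:
2.0.0.127.sbl.dnsbl.    300     IN      A       127.0.0.2

;; AUTHORITY SECTION:
.                       516796  IN      NS      J.ROOT-SERVERS.NET.
.                       516796  IN      NS      K.ROOT-SERVERS.NET.

;; Query time: 8 msec
"""

DIG_DNS34 = """\
; <<>> DiG 9.4.2 <<>> 2.0.0.127.sbl.dnsbl @tch-cache1.dns
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41117
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.sbl.dnsbl.           IN      A

;; ANSWER SECTION:
2.0.0.127.sbl.dnsbl.    300     IN      A       127.0.0.2
"""

# Constructed stand-in for `rndc dumpdb -cache` output; layout is approximate.
CACHE_DUMP = """\
; Cache dump of view 'good'
$DATE 20090615200000
.                       516796  NS      J.ROOT-SERVERS.NET.
.                       516796  NS      K.ROOT-SERVERS.NET.
"""

SECTION_RE = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")


def _rr(line):
    """(owner, class, type, rdata) with the TTL dropped: cache age must not matter."""
    owner, _ttl, rclass, rtype, *rdata = line.split()
    return owner.lower(), rclass, rtype, " ".join(rdata).lower()


def parse_dig(output):
    """Split dig's text output into header fields and the four RR sections."""
    resp = {"status": None, "flags": [], "QUESTION": [],
            "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line closes the current section
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith(";;"):   # dig commentary: header, flags, timings
            s, f = STATUS_RE.search(line), FLAGS_RE.match(line)
            if s:
                resp["status"] = s.group(1)
            if f:
                resp["flags"] = f.group(1).split()
            continue
        if section == "QUESTION":   # question lines carry a leading ';'
            owner, rclass, rtype = line.lstrip(";").split()
            resp["QUESTION"].append((owner.lower(), rclass, rtype))
        elif section:
            resp[section].append(_rr(line))
    return resp


def answers_agree(*outputs):
    """True when every response has the same Answer section (TTLs ignored);
    that section is all a stub or forwarding client acts on."""
    answers = [sorted(parse_dig(o)["ANSWER"]) for o in outputs]
    return all(a == answers[0] for a in answers[1:])


def root_ns_in_authority(output):
    """Does the Authority section carry NS records for the root ('.')?"""
    return any(owner == "." and rtype == "NS"
               for owner, _c, rtype, _r in parse_dig(output)["AUTHORITY"])


def root_ns_in_cache_dump(dump):
    """Scan `rndc dumpdb -cache` text for root NS; assumes: owner TTL [class] type rdata."""
    for raw in dump.splitlines():
        fields = raw.split()
        if fields and fields[0] == "." and "NS" in fields[1:4]:
            return True
    return False
```

To use it against live servers, capture `dig 2.0.0.127.sbl.dnsbl @server` from each resolver into a string and pass the strings to `answers_agree`; if it returns True while `root_ns_in_authority` differs between servers, the clients are getting the same answer and the discrepancy is only the cached root NS set showing up in the Authority section, which is what the reply above describes.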