Odd config problem

Mark Andrews Mark_Andrews at isc.org
Mon May 18 14:17:58 UTC 2009 

In message <61D78605-0CB2-485E-AA75-A49BA3C45625 at vallden.com>, Hans Vallden wri
tes:
> Hello all,
> 
> I use the secure BIND template by Rob Thomas (http://www.cymru.com/Documents/
> secure-bind-template.html 
> ). I have had a peculiar problem with this template conf, which I have  
> not been able to resolve. My problem is that some slave zones return  
> REFUSED when queried from the external view for ANY records while  
> others return the expected values. For example:
> 
> dig @194.86.83.21 ruoka.fi ANY
> 
> returns nothing, but when queried from master zone:
> 
> dig @194.86.83.27 ruoka.fi ANY
> 
> returns expected values.  Furthermore, a seemingly identical zone (see  
> complete zone configs below) for another domain returns expected  
> values from both servers:

What do you have infront of the nameserver?  Firewall? NAT?
Note the reply is to the wrong port.

00:15:38.593884 211.30.172.21.57914 > 194.86.83.21.53:  60775 ANY? ruoka.fi. (26)
00:15:38.935222 194.86.83.21.53 > 211.30.172.21.48599:  60775*- 5/0/0 SOA, NS ns2.kirnauskis.com., NS ns.kirnauskis.com., MX smtp.kirnauskis.com. 0, TXT v=spf1 ~all (167)


 
> dig @194.86.83.21 tri.fi ANY <- slave
> dig @194.86.83.27 tri.fi ANY <- master
> 
> I have so far figured out that changing the external view  
> configuration options 'additional-from-auth' and 'additional-from- 
> cache' both to 'yes' will cure the problem. However, I don't see the  
> logic and I take it that's not really a desirable cure either. :) My  
> BIND version is 9.4.3.
> 
> Cheers,
> 
> 
> $ORIGIN .
> $TTL 38400	; 10 hours 40 minutes
> tri.fi			IN SOA	ns.kirnauskis.com. hostmaster.kirnauski
> s.com. (
> 				1146160445 ; serial
> 				10800      ; refresh (3 hours)
> 				3600       ; retry (1 hour)
> 				604800     ; expire (1 week)
> 				38400      ; minimum (10 hours 40 minutes)
> 				)
> 			NS	ns.kirnauskis.com.
> 			NS	ns2.kirnauskis.com.
> 			MX	0 smtp.kirnauskis.com.
> 			TXT	"v=spf1 mx ip4:194.86.83.27 ip4:194.86.83.28 ip
> 4:194.86.83.30  
> ip4:194.86.83.31 ip4:194.86.83.32 -all"
> $ORIGIN tri.fi.
> www			A	194.86.83.31
> 
> $ORIGIN .
> $TTL 38400	; 10 hours 40 minutes
> ruoka.fi		IN SOA	ns.kirnauskis.com. hostmaster.kirnauskis.com. (
> 				2004090608 ; serial
> 				10800      ; refresh (3 hours)
> 				3600       ; retry (1 hour)
> 				432000     ; expire (5 days)
> 				38400      ; minimum (10 hours 40 minutes)
> 				)
> 			NS	ns.kirnauskis.com.
> 			NS	ns2.kirnauskis.com.
> 			MX	0 smtp.kirnauskis.com.
> 			TXT	"v=spf1 ~all"
> $ORIGIN ruoka.fi.
> www			A	194.86.83.32
> 
> --
> Hans Vallden
> hans at vallden.com
> skype: hans.vallden
> 
> 
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list