Strange Behavior

Kevin Darcy kcd at chrysler.com
Mon Oct 26 19:53:43 UTC 2009


Lawrence MacIntyre wrote:
> Hi:
>
> I have a name server running named on a closed network. The root 
> servers name my node and another node (running DNS on a sidewinder 
> firewall) as authoritative for our domain as well as several 
> subdomains. Two of the subdomains have their own servers, and we 
> configured our (allegedly authoritative) servers as slaves to the 
> subdomain servers. This worked well for several years. Now, these 
> subdomains have decided (for "security" reasons) that they are going 
> to disallow zone transfers to us. So we set our servers to forward 
> requests to the subdomain nameservers. The sidewinder does this, but 
> our server doesn't. It simply reports that it has no information about 
> any node in the subdomain. Remote users report that when they use dig 
> +trace @ourserver node.in.subdomain, they see referrals to the 
> Internet root servers. Our hints file has the correct root servers, 
> and we don't even have a file listing the Internet root servers. I 
> cannot verify their claims, as it doesn't do that when queried from 
> our site, and I have no access to an account on any remote site.
>
> What does named do when it is listed as authoritative for a domain by 
> the root servers, but is configured to forward requests for addresses 
> in that domain? Does anyone know how the remote users could see 
> referrals to the Internet root servers even though we have the correct 
> root servers set in our nameserver?
I started a long tirade about clueless admins who take the mantra "zone 
transfers are insecure" way too far, but I think the more terse and 
level-headed response is
a) BIND will never recurse a non-recursive query, and non-recursive 
queries are what it gets when arbitrary resolvers query yours as a result 
of following the resolution of the query down the delegation chain (e.g. 
what one sees in dig +trace)
b) if you want to recurse a query that wasn't recursive to begin with, I 
think this falls under the generic heading of "proxying DNS". BIND 
doesn't support that, but I'm presuming that's what the Sidewinder is doing,
c) in architectural terms, you simply *cannot* be "authoritative" for a 
zone if you don't replicate the full contents of the zone, either 
in-protocol (AXFR/IXFR) or via some "out-of-band" mechanism (e.g. rsync),
d) are these subdomains being hosted on BIND or something that supports 
TSIG? Perhaps offering to TSIG-authenticate your zone transfers might 
satisfy their security requirements...

- Kevin
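As an added example of the arrangement item d) suggests (not configuration from the list post, the poster's site, or BIND's own documentation), here are named.conf fragments for both sides of a TSIG-authenticated transfer. The key name "xfer-key", the zone "sub.example.com", the primary's address 192.0.2.10 and the secret placeholder are assumptions.

```conf
// On the subdomain's primary (the server that currently refuses AXFR):
// a shared secret used only for zone transfers. Generate the secret with
//   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key
// (or tsig-keygen xfer-key on BIND 9.11+). The value below is a placeholder.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};

zone "sub.example.com" {
    type master;
    file "db.sub.example.com";
    // Refuse AXFR/IXFR unless the request carries a valid TSIG from xfer-key;
    // unsigned requests from any address get REFUSED, but ordinary queries
    // are unaffected.
    allow-transfer { key "xfer-key"; };
};

// On the parent's server (the one the root lists as authoritative for the
// subdomain): the same key, and an instruction to sign everything sent to
// the primary so AXFR/IXFR requests pass its allow-transfer check.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};

server 192.0.2.10 {            // assumed address of the subdomain primary
    keys { "xfer-key"; };
};

zone "sub.example.com" {
    type slave;                // full replica of the zone, as item c) requires
    file "slave/db.sub.example.com";
    masters { 192.0.2.10; };
};
```

Before reloading the parent's server, the transfer can be checked by hand with `dig @192.0.2.10 sub.example.com. AXFR -y hmac-sha256:xfer-key:<secret>`; an unsigned `dig ... AXFR` against the same primary should now come back REFUSED.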