Query denied errors on PTR records for delegated zone

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Feb 23 09:18:56 UTC 2010


On 22.02.10 16:26, Geoff Sweet wrote:
> I have an on-going problem that has totally stumped me.  I have a CentOS
> 5.3 server that I am using the builtin Bind (9.3) to serve our zones.  Our
> ISP has provisioned us a block of IP's and has delegated our name servers
> as authoritative for the reverse zone info for that block.  Name
> resolution for A records works perfect.  What has me totally baffled at
> this point is that I can not get PTR records to work. All queries to my
> reverse zone are answered with denied errors:
> 
> Feb 22 04:10:14 ns1 named[19789]: client 72.247.123.69#52683: query (cache) '14.173.150.66.in-addr.arpa/PTR/IN' denied
> Feb 22 05:15:26 ns1 named[19789]: client 72.247.123.69#61264: query (cache) '50.173.150.66.in-addr.arpa/PTR/IN' denied
> Feb 22 10:12:03 ns1 named[19789]: client 72.246.192.167#52219: query (cache) '39.173.150.66.in-addr.arpa/PTR/IN' denied
> Feb 22 11:05:11 ns1 named[19789]: client 96.17.73.207#61038: query (cache) '24.173.150.66.in-addr.arpa/PTR/IN' denied
> Feb 22 11:33:23 ns1 named[19789]: client 72.247.123.69#61049: query (cache) '55.173.150.66.in-addr.arpa/PTR/IN' denied
> Feb 22 13:41:45 ns1 named[19789]: client 96.17.166.181#60054: query (cache) '31.173.150.66.in-addr.arpa/PTR/IN' denied

> zone "0-59.173.150.66.in-addr.arpa" {

They are not asking for your zone. They are asking for zone
"173.150.66.in-addr.arpa", which I don't see on your nameserver.

All those IPs are from akamai and they should not even go to your server, if
you are looking at ns1.wemadeusa.com. or ns2.wemadeusa.com.

Either akamai has broken DNS clients, or someone (you?) has been asking them
to query your servers directly for a reverse zone you don't provide.

> And here is the 0-59.173.150.66.in-addr.arpa.zone file (I have deleted some of the name information for security):
> 
> 
> $TTL 3600
> @                       IN      SOA     ns1.wemadeusa.com.      hostmaster.wemadeusa.com. (
>                                         2010021501 ; serial
>                                         600             ; refresh after 10 minutes
>                                         3600            ; retry after 1 hour
>                                         604800          ; expire after 1 week
>                                         86400 )         ; minimum TTL of 1 day
> 
>                         IN      NS      ns1.wemadeusa.com
>                         IN      NS      ns2.wemadeusa.com

You are missing trailing dots here. Note that without them the current
$ORIGIN is appended, which results in:

0-59.173.150.66.in-addr.arpa. 3600 IN   NS      ns2.wemadeusa.com.0-59.173.150.66.in-addr.arpa.
0-59.173.150.66.in-addr.arpa. 3600 IN   NS      ns1.wemadeusa.com.0-59.173.150.66.in-addr.arpa.

Try fixing this first, maybe this is your real problem.


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
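The two checks made above (does the queried name fall under the delegated zone at all, and what does named actually publish for NS targets lacking a trailing dot) as an added example; this is not code from the thread, and the embedded zone text is a constructed copy of the quoted file with the same missing dots:

```python
# Constructed from the zone file quoted in the thread; the NS targets
# deliberately lack trailing dots, which is the defect under discussion.
ZONE_ORIGIN = "0-59.173.150.66.in-addr.arpa."
ZONE_TEXT = """\
$TTL 3600
@   IN  SOA  ns1.wemadeusa.com. hostmaster.wemadeusa.com. (
        2010021501 ; serial
        600        ; refresh
        3600       ; retry
        604800     ; expire
        86400 )    ; minimum
    IN  NS  ns1.wemadeusa.com
    IN  NS  ns2.wemadeusa.com
"""

def absolutize(name, origin):
    """Expand a name the way named does: '@' is the origin, and any name
    without a trailing dot gets the current $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def ns_targets(zone_text, origin):
    """Return the fully qualified NS targets named would actually serve."""
    targets = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]              # honour explicit origin changes
            continue
        fields = line.split()
        if "NS" in fields:
            targets.append(absolutize(fields[-1], origin))
    return targets

def relative_ns_targets(zone_text, origin):
    """NS targets that silently had the origin appended: these are the bugs."""
    return [t for t in ns_targets(zone_text, origin) if t.endswith("." + origin)]

def in_zone(qname, origin):
    """Is a query name (as logged, with or without a final dot) at or
    below the zone apex? 14.173.150.66.in-addr.arpa is not under
    0-59.173.150.66.in-addr.arpa, so the 'denied' answers are expected."""
    if not qname.endswith("."):
        qname += "."
    return qname == origin or qname.endswith("." + origin)
```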
