Using an MX record from a different domain

Matthew Pounsett matt at conundrum.com
Tue Mar 30 21:15:19 UTC 2010


On 2010/03/30, at 16:57, Lear, Karen (Evolver) wrote:

>  
> I'm adding a new domain to my existing authoritative name servers, and need to add an MX record for a device residing on an existing domain.  When I run named-checkzone, I get a message about the MX record being out of zone and not having an A record.  However, at the end of my named-checkzone output, I get "OK."  Can I restart named as is without causing problems or do I need to address these messages?
>  
> [klear at dns1 conf]$ sudo named-checkzone -t /dns/chroot/conf -D usptoenews.gov db.usptoenews
> zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge1.uspto.gov' (out of zone) has no addresses records (A or AAAA)
> zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge2.uspto.gov' (out of zone) has no addresses records (A or AAAA)

Ah, I see.  On my previous read I mistook this for complaining that there was a uspto.gov owner name in the usptoenews.gov zone.

named-checkzone doesn't only check the internal consistency of a zone; it also tries to see that it is externally consistent, e.g. that names referred to in other zones also exist.  If for some reason it can't resolve smtpedge1.uspto.gov and smtpedge2.uspto.gov it will give you the above errors.

Since I can resolve those names from here, I suspect there's some problem with the resolver on the host where you're running named-checkzone.  Perhaps the uspto.gov zone is only visible on a view on the outside of the network, and you're inside?

What happens if you try to resolve those two names by hand on that server using 'host' or 'dig'?

I see this:
> host smtpedge1.uspto.gov
smtpedge1.uspto.gov has address 151.207.243.76
smtpedge1.uspto.gov mail is handled by 5 smtpedge1.uspto.gov.

> host smtpedge2.uspto.gov
smtpedge2.uspto.gov has address 151.207.247.81
smtpedge2.uspto.gov mail is handled by 5 smtpedge2.uspto.gov.

If those are the only errors you're seeing, then the zone is internally consistent, and BIND will load it.  However, it's probably worth investigating why named-checkzone can't resolve those names, so that you can make sure that anyone who needs to reach those MX servers will be able to.

Matt
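
The by-hand check suggested in this message, as an added example that is not part of the original post: it pulls the out-of-zone MX targets from named-checkzone warnings and resolves each one with the resolver of the host it runs on. The function names and the injectable `resolve` parameter are assumptions made for illustration; the sample output is copied from the quoted message.

```python
import re
import socket

# Sample named-checkzone output, copied from the quoted message above.
SAMPLE_OUTPUT = """\
zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge1.uspto.gov' (out of zone) has no addresses records (A or AAAA)
zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge2.uspto.gov' (out of zone) has no addresses records (A or AAAA)
"""

# Matches the warning format shown on this page (hypothetical helper pattern).
WARNING = re.compile(
    r"zone (?P<zone>\S+)/IN: (?P<owner>\S+)/MX '(?P<target>[^']+)' "
    r"\(out of zone\) has no addresses? records"
)


def out_of_zone_mx_targets(checkzone_output):
    """Return the unique flagged MX targets, in the order first seen."""
    targets = []
    for line in checkzone_output.splitlines():
        m = WARNING.search(line)
        if m and m.group("target") not in targets:
            targets.append(m.group("target"))
    return targets


def system_resolver(name):
    """Resolve A/AAAA with this host's system resolver; [] if it fails."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_targets(checkzone_output, resolve=system_resolver):
    """Map each flagged MX target to the addresses this host can resolve."""
    return {t: resolve(t) for t in out_of_zone_mx_targets(checkzone_output)}


def unresolvable(results):
    """Names that returned no address, i.e. what named-checkzone warned about."""
    return [name for name, addrs in results.items() if not addrs]


if __name__ == "__main__":
    for name, addrs in check_targets(SAMPLE_OUTPUT).items():
        print(name, "->", ", ".join(addrs) or "NOT RESOLVABLE from this host")
```

Run it on the server where named-checkzone printed the warnings; a name that resolves elsewhere but not there points at that host's resolver or view.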
