BIND 9.4.3-P2 doesn't delegate zone!

Kevin Darcy kcd at chrysler.com
Tue Apr 5 19:27:02 UTC 2011


A. Stop using nslookup. It's a really horrible DNS troubleshooting tool. 
Learn to use dig.
B. Do a zone transfer (via dig) of the united-networks.ru zone from the 
primary master, to verify that the correct delegation record, and 
associated glue, are contained within named's in-core database of the zone.
C. The "domain.united-networks.ru" A record (between the delegation NS 
record and the "srvmain" glue record) in the parent zone is completely 
useless, since it's not required glue and would be "covered up" by any A 
record -- or even the absence of an A record -- at the apex of the child 
zone. I would delete that A record from the parent zone -- its only 
function is to use up space and engender confusion.
D. Your SOA query of the child zone from its master returned no NS 
records in the Authority Section, which is rather odd. How are the NS 
records configured in the child zone? Do they match the delegation 
record from the parent zone?

                                                                         
                                                                         
                                                             - Kevin
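
Checks B and C above can be run mechanically over a saved zone transfer (for example the output of `dig @172.16.77.1 united-networks.ru. axfr`). The following Python is an added example, not part of Kevin's message or of BIND; the function names are hypothetical and the sample records are constructed from the zone file quoted below.

```python
# Added example. AXFR_SAMPLE is constructed from the zone file quoted in this thread.
AXFR_SAMPLE = """\
united-networks.ru. 3600 IN SOA ns1.united-networks.ru. root.united-networks.ru. 2011040213 900 600 86400 3600
united-networks.ru. 3600 IN NS ns1.united-networks.ru.
united-networks.ru. 3600 IN MX 10 mx.united-networks.ru.
united-networks.ru. 3600 IN A 172.16.77.1
c2960.united-networks.ru. 3600 IN A 172.16.77.21
domain.united-networks.ru. 3600 IN NS srvmain.domain.united-networks.ru.
domain.united-networks.ru. 3600 IN A 172.16.77.2
srvmain.domain.united-networks.ru. 3600 IN A 172.16.77.2
mx.united-networks.ru. 3600 IN A 172.16.77.1
ns1.united-networks.ru. 3600 IN A 172.16.77.1
"""

def parse_axfr(text):
    """Yield (owner, type, rdata) from dig's one-record-per-line AXFR output."""
    for line in text.splitlines():
        fields = line.split(None, 4)  # owner, ttl, class, type, rdata
        if len(fields) == 5 and not line.lstrip().startswith(";"):
            yield fields[0].lower(), fields[3].upper(), fields[4].lower()

def under(name, parent):
    """True if name is at or below parent (both fully qualified, dot-terminated)."""
    return name == parent or name.endswith("." + parent)

def audit_delegations(text, apex):
    """Per zone cut: NS targets, required glue that is missing, occluded records."""
    apex = apex.lower()
    records = list(parse_axfr(text))
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    cuts = {}
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner != apex:  # NS below the apex is a delegation
            cuts.setdefault(owner, set()).add(rdata)
    report = {}
    for cut, targets in sorted(cuts.items()):
        glue_names = {t for t in targets if under(t, cut)}  # in-bailiwick servers
        report[cut] = {
            "ns": sorted(targets),
            "missing_glue": sorted(glue_names - has_addr),
            # Anything else at or below the cut is hidden by the child zone.
            "occluded": sorted((o, t) for o, t, _ in records if under(o, cut)
                               and t not in ("NS", "DS") and o not in glue_names),
        }
    return report

if __name__ == "__main__":
    print(audit_delegations(AXFR_SAMPLE, "united-networks.ru."))
```

On the sample, the delegation and its glue are present and the only finding is the A record at domain.united-networks.ru., the record item C recommends deleting.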

On 4/2/2011 1:05 PM, Яцко Эллад Геннадьевич wrote:
> Dear Phil!
>
> What did you mean saying: "Are you sure you've reloaded the zone? " 
> Did you mean do I "rndc reload united-networks.ru in internal" - Yes! 
> I don't remember, did I change serial every time I changed zone-file. 
> But now I did all the things required. I changed serial, I reloaded 
> zone, I even restarted named itself! :-) There is the following 
> effect (from viewpoint of 172.16.77.11):
> C:\Program Files\Far2>nslookup srvmain.domain.united-networks.ru. 
> 172.16.77.1
> Сервер:  srvgate-msk.runoguy.ru
> Address:  172.16.77.1
>
> Имя:     srvmain.domain.united-networks.ru
> Address:  172.16.77.2
>
>
> C:\Program Files\Far2>
>
> NAMED knows its address itself:
> 19611.924018 172.16.77.11 -> 172.16.77.1  DNS Standard query PTR 
> 1.77.16.172.in-addr.arpa
> 19611.924375  172.16.77.1 -> 172.16.77.11 DNS Standard query response 
> PTR srvgate-msk.runoguy.ru
> 19611.926342 172.16.77.11 -> 172.16.77.1  DNS Standard query A 
> srvmain.domain.united-networks.ru
> 19611.926516  172.16.77.1 -> 172.16.77.11 DNS Standard query response 
> A 172.16.77.2
> 19611.927755 172.16.77.11 -> 172.16.77.1  DNS Standard query AAAA 
> srvmain.domain.united-networks.ru
> 19611.927895  172.16.77.1 -> 172.16.77.11 DNS Standard query response
>
> But the next is curious:
> C:\Program Files\Far2>nslookup domain.united-networks.ru. 172.16.77.1
> Сервер:  srvgate-msk.runoguy.ru
> Address:  172.16.77.1
>
> Имя:     domain.united-networks.ru
>
> C:\Program Files\Far2>
>
> And:
> 19664.732793 172.16.77.11 -> 172.16.77.1  DNS Standard query PTR 
> 1.77.16.172.in-addr.arpa
> 19664.733079  172.16.77.1 -> 172.16.77.11 DNS Standard query response 
> PTR srvgate-msk.runoguy.ru
> 19664.739041 172.16.77.11 -> 172.16.77.1  DNS Standard query A 
> domain.united-networks.ru
> 19664.739441  172.16.77.1 -> 172.16.77.11 DNS Standard query response
> 19664.741088 172.16.77.11 -> 172.16.77.1  DNS Standard query AAAA 
> domain.united-networks.ru
> 19664.741265  172.16.77.1 -> 172.16.77.11 DNS Standard query response
>
> And when I tried to look up existing hostname from 
> domain.united-networks.ru:
> C:\Program Files\Far2>nslookup main.domain.united-networks.ru. 
> 172.16.77.1
> Сервер:  srvgate-msk.runoguy.ru
> Address:  172.16.77.1
>
> *** srvgate-msk.runoguy.ru cannot find 
> main.domain.united-networks.ru.: Non-existent domain
>
> C:\Program Files\Far2> 
>
> I see in tshark's output the following:
> 19167.908192 172.16.77.11 -> 172.16.77.1  DNS Standard query PTR 
> 1.77.16.172.in-addr.arpa
> 19167.908505  172.16.77.1 -> 172.16.77.11 DNS Standard query response 
> PTR srvgate-msk.runoguy.ru
> 19167.910291 172.16.77.11 -> 172.16.77.1  DNS Standard query A 
> main.domain.united-networks.ru
> 19167.910439  172.16.77.1 -> 172.16.77.11 DNS Standard query response, 
> No such name
> 19167.911593 172.16.77.11 -> 172.16.77.1  DNS Standard query AAAA 
> main.domain.united-networks.ru
> 19167.911837  172.16.77.1 -> 172.16.77.11 DNS Standard query response, 
> No such name
>
> I couldn't see that 172.16.77.1 (srvgate-msk) asks for "main" 
> 172.16.77.2 (srvmain - recursion allowed)
>
> Here is output of command that you requested:
> /etc/namedb> dig +norec @localhost domain.united-networks.ru. soa
>
> ; <<>> DiG 9.4.3-P2 <<>> +norec @localhost domain.united-networks.ru. soa
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7449
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;domain.united-networks.ru.     IN      SOA
>
> ;; AUTHORITY SECTION:
> united-networks.ru.     3600    IN      SOA    ns1.united-networks.ru. 
> root.united-networks.ru. 2011040213 900 600 86400 3600
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Apr  2 20:32:49 2011
> ;; MSG SIZE  rcvd: 88
>
> /etc/namedb>
>
> At the same time:
> /etc/namedb> dig +norec @172.16.77.2 domain.united-networks.ru. soa
>
> ; <<>> DiG 9.4.3-P2 <<>> +norec @172.16.77.2 
> domain.united-networks.ru. soa
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46262
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;domain.united-networks.ru.     IN      SOA
>
> ;; ANSWER SECTION:
> domain.united-networks.ru. 3600 IN      SOA    
> srvmain.domain.united-networks.ru. hostmaster.domain.runoguy.ru. 28 
> 900 600 86400 3600
>
> ;; ADDITIONAL SECTION:
> srvmain.domain.united-networks.ru. 3600 IN A   172.16.77.2
>
> ;; Query time: 1 msec
> ;; SERVER: 172.16.77.2#53(172.16.77.2)
> ;; WHEN: Sat Apr  2 20:34:12 2011
> ;; MSG SIZE  rcvd: 129
>
> /etc/namedb>
>
> I simplified configuration of Bind:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> // $FreeBSD: src/etc/namedb/named.conf,v 1.21.2.1 2005/09/10 08:27:27 
> dougb Exp $
> //
> // Refer to the named.conf(5) and named(8) man pages, and the 
> documentation
> // in /usr/share/doc/bind9 for more details.
> //
> // If you are going to set up an authoritative server, make sure you
> // understand the hairy details of how DNS works.  Even with
> // simple mistakes, you can break connectivity for affected parties,
> // or cause huge amounts of useless Internet traffic.
>
> options {
>         directory       "/etc/namedb";
>         pid-file        "/var/run/named/pid";
>         dump-file       "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
>
>         listen-on       {
>                 77.37.244.22;
>                 85.21.249.124;
>                 127.0.0.1;
>                 172.16.77.1;
>                 172.17.77.1;
>                 172.31.0.1;
>                 192.168.0.1;
>         };
>
>         forwarders {
>                 77.37.251.33;
>                 85.21.192.3;
>         };
> //        query-source address * port 953;
>
>         recursion yes;
>         allow-recursion {0/0;};
>
> };
>
> logging {
>         channel "default" {
>                 file "/var/log/named.log" versions 2 size 50m;
>                 print-time yes;
>                 print-category yes;
>                 severity debug 90;
>         };
> };
>
>
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "master/0.0.127.in-addr.arpa";
> };
>
> zone "united-networks.ru" {
>         type master;
>         file "master/united-networks.ru";
> };
>
> zone "77.16.172.in-addr.arpa" {
>         type slave;
>         masters {
>                 172.16.77.2;
>         };
>         file "slave/77.16.172.in-addr.arpa";
> };
>
> zone "." {
>         type hint;
>         file "root.hint";
> };
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I removed "views" and left only relevant zones.
>
> And:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> $TTL    3600
>
> @               IN      SOA     ns1.united-networks.ru. 
> root.united-networks.ru.  (
>                                 2011040213      ; Serial
>                                 900             ; Refresh
>                                 600             ; Retry
>                                 86400           ; Expire
>                                 3600 )          ; Minimum
>
>                         IN NS          ns1.united-networks.ru.
>                         IN MX 10        mx
>                         IN A            172.16.77.1
>
> $ORIGIN domain.united-networks.ru.
>                         IN NS          srvmain.domain.united-networks.ru.
>                         IN A            172.16.77.2
> srvmain                 IN A            172.16.77.2
>
> $ORIGIN united-networks.ru.
> ns1                     IN A            172.16.77.1
> mx                      IN A            172.16.77.1
>
> c2960                   IN A            172.16.77.21
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> I successfully ask for "c2960" for example:
> C:\Program Files\Far2>nslookup c2960.united-networks.ru. 172.16.77.1
> Сервер:  srvgate-msk.runoguy.ru
> Address:  172.16.77.1
>
> Имя:     c2960.united-networks.ru
> Address:  172.16.77.21
>
> C:\Program Files\Far2>
>
> What's wrong with me (or with it)? :-) The second whole day is almost 
> over while I struggle..
>
> Kind regards,
> Ellad G. Yatsko
>
>
>
>
>
>> On 04/02/2011 11:44 AM, Яцко Эллад Геннадьевич wrote:
>>
>>> $ORIGIN domain.united-networks.ru.
>>>         IN NS srvmain
>>>         IN A 172.16.77.2
>>> srvmain IN A 172.16.77.2
>>>
>>
>> Huh, delegation looks ok. Are you sure you've reloaded the zone?
>>
>>>
>>> I tried to nslookup from 172.16.77.11:
>>
>> Try a "dig" on the DNS server itself:
>>
>> dig +norec @localhost domain.united-networks.ru soa
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users