Anyway to disable dns_zone_nscheck in 9.8.0?

Mark Andrews marka at isc.org
Fri Apr 8 15:13:12 UTC 2011


In message <BANLkTimic+nDBnj_roVNHQwZAs130bvOmw at mail.gmail.com>, Rodney Hives writes:
> 
> On Fri, Apr 8, 2011 at 1:49 AM, Mark Andrews <marka at isc.org> wrote:
> 
> > Please explain the operating conditions under which when you think
> > this is a sensible thing to do?
> >
> > A nameserver without address records is pointless.
> > A nameserver pointing to a CNAME/DNAME causes resolution problems.
> 
> Here is an example that works in BIND 9.6x:
> $ORIGIN .
> $TTL 86400      ; 1 day
> mydomain.com.au      IN SOA  ns0.mydomain.com.au. admin.mydomain.com.au. (
>                                 2011010104 ; serial
>                                 43200      ; refresh (12 hours)
>                                 7200        ; retry (2 hours)
>                                 1209600   ; expire (2 weeks)
>                                 1800        ; minimum (30 minutes)
>                                 )
> $TTL 1800       ; 30 minutes
>                         NS      ns0.mydomain.com.au.
>                         NS      ns1.mydomain.com.au.
>                         NS      ns2.mydomain.com.au.
>                         A       1.1.1.1
>                         MX      10 mail.mydomain.com.au.
> $ORIGIN mydomain.com.au.
> ftp                     A       1.1.1.1
> mail                    A      2.2.2.2
> pop                     CNAME   mail
> smtp                    CNAME   mail
> ssh                     A       1.1.1.1
> www                     CNAME   mydomain.com.au.
> 
> Is this domain 100% valid?... no... but it still works.  The A records for
> the name servers are actually still resolving since the registrar will
> return them in glue.

Do you realise how incredibly fragile that configuration is?  The
moment the recursive server asks for the addresses of the nameservers
it will fall over.  Yes, the recursive nameserver can get into a
state where it will make that request as part of resolving some
other name in the zone.  You don't need an external query for the
nameserver names.

> But understandably... this domain is not 100% valid.
>
> But to force the domain offline is just preventing many shared hosting
> environments from moving to newer versions of BIND (or switching off of BIND since
> they do not understand the problem).

Nobody is preventing you fixing the zones.

> Give a warning... that is fine... But to prevent the domain from loading is
> just too harsh and an immediate drastic measure during an upgrade.  It would
> be nice if it was a configuration option just like all of the other checks.

People ignore warnings.  We have 2 decades of experience of people
ignoring warnings.  The code was put in because we were sick and
tired of having to contact people with misconfigured zones like
this that were causing resolution failures.  We made it a warning
initially.  It was made a fatal error a couple of releases later.

The version you upgraded from warned about this.  BIND 9.4 warned
about this.  named-checkzone from BIND 9.4 produces the following
on your zone.  It calls exactly the same code named uses.

zone mydomain.com.au/IN: NS 'ns0.mydomain.com.au' has no address records (A or AAAA)
zone mydomain.com.au/IN: NS 'ns1.mydomain.com.au' has no address records (A or AAAA)
zone mydomain.com.au/IN: NS 'ns2.mydomain.com.au' has no address records (A or AAAA)
zone mydomain.com.au/IN: loaded serial 2011010104
OK

Your logs would have been full of complaints.

You could have run "named-checkconf -z" and seen all the errors
before you started named.

> This same function seems also to be called in "update.c"...... also causing
> problems.  I would just like this function to never be called but I have not
> been able to determine if it does other things necessary.

It prevents the zone getting into a state where it won't load on a
restart from this test.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
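Added example, not part of the thread and not BIND's own code: a small Python reimplementation of the in-zone NS address check the thread is arguing about, run over a constructed copy of the zone Rodney posted and over a corrected version with the missing glue added. It reproduces the three "has no address records (A or AAAA)" lines Mark quotes from named-checkzone, and also flags an NS target that is a CNAME, the other failure Mark mentions. The zone parser is deliberately minimal (only the syntax the posted zone uses), and the CNAME message wording is this example's own.

```python
"""Illustrative reimplementation of BIND's in-zone NS address check.
Written for this page; it is NOT BIND's dns_zone_nscheck. The parser
handles only $ORIGIN, $TTL, ';' comments, '(' ... ')' continuations
and blank-owner inheritance, which is all the posted zone needs."""

# Constructed copy of the zone from the thread: the apex NS records point
# at ns0/ns1/ns2 inside the zone, but no A/AAAA records exist for them.
BROKEN_ZONE = """
$ORIGIN .
$TTL 86400      ; 1 day
mydomain.com.au      IN SOA  ns0.mydomain.com.au. admin.mydomain.com.au. (
                                2011010104 ; serial
                                43200      ; refresh (12 hours)
                                7200       ; retry (2 hours)
                                1209600    ; expire (2 weeks)
                                1800       ; minimum (30 minutes)
                                )
$TTL 1800       ; 30 minutes
                        NS      ns0.mydomain.com.au.
                        NS      ns1.mydomain.com.au.
                        NS      ns2.mydomain.com.au.
                        A       1.1.1.1
                        MX      10 mail.mydomain.com.au.
$ORIGIN mydomain.com.au.
ftp                     A       1.1.1.1
mail                    A       2.2.2.2
pop                     CNAME   mail
smtp                    CNAME   mail
ssh                     A       1.1.1.1
www                     CNAME   mydomain.com.au.
"""

# Constructed fix: the same zone plus address records for its nameservers.
FIXED_ZONE = BROKEN_ZONE + """
ns0                     A       1.1.1.1
ns1                     A       1.1.1.1
ns2                     A       2.2.2.2
"""


def _fqdn(name, origin):
    """Qualify a name against the current $ORIGIN; results end in '.'."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def _logical_lines(text):
    """Drop ';' comments and join '(' ... ')' continuations into one line.
    The first physical line keeps its leading whitespace: a blank owner
    field means 'same owner as the previous record'."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]       # strip first: comments hold '(' too
        if depth == 0 and not line.strip():
            continue
        buf = [line] if depth == 0 else buf + [line.strip()]
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")


def parse_zone(text, zone_name):
    """Return (owner, type, rdata_tokens) tuples with names fully qualified."""
    origin = _fqdn(zone_name, ".")
    last_owner, records = origin, []
    for line in _logical_lines(text):
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = _fqdn(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue                      # TTLs are irrelevant to this check
        if tokens[0].startswith("$"):
            raise ValueError("unsupported directive: " + tokens[0])
        if line[0].isspace():
            owner = last_owner
        else:
            owner = last_owner = _fqdn(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():                      # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype in ("NS", "CNAME", "DNAME"):
            tokens = [_fqdn(tokens[0], origin)]
        records.append((owner, rtype, tokens))
    return records


def check_ns_addresses(records, zone_name):
    """Every apex NS whose target is inside the zone must have an A or AAAA
    record and must not be a CNAME. Out-of-zone targets are skipped: their
    addresses live in another zone and cannot be checked at load time."""
    zone = _fqdn(zone_name, ".")
    by_name = {}
    for owner, rtype, rdata in records:
        by_name.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    problems = []
    for rdata in by_name.get(zone, {}).get("NS", []):
        target = rdata[0]
        if target != zone and not target.endswith("." + zone):
            continue
        types = by_name.get(target, {})
        if "CNAME" in types:
            problems.append(f"zone {zone_name}/IN: NS '{target.rstrip('.')}' "
                            "is a CNAME (illegal)")
        elif "A" not in types and "AAAA" not in types:
            problems.append(f"zone {zone_name}/IN: NS '{target.rstrip('.')}' "
                            "has no address records (A or AAAA)")
    return problems


def check_zone_text(text, zone_name):
    return check_ns_addresses(parse_zone(text, zone_name), zone_name)


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        found = check_zone_text(zone, "mydomain.com.au")
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  " + p)
```

Run as a script it prints the three complaints for the posted zone and none for the corrected one. The skip for out-of-zone NS targets mirrors the point Mark makes: named can only verify nameservers whose address records it is itself authoritative for, which is exactly the case where the registrar's glue was masking the hole.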


