Question about some oddities in the logs

Torinthiel torinthiel at data.pl
Tue Feb 22 07:59:51 UTC 2011


On 02/22/11 01:41, Eivind Olsen wrote:
> Hello. I've recently put into production a new recursive nameserver, and
> decided to take a look in the logfiles (the old servers didn't have
> logging enabled so I can't really compare the current logs with whatever
> the old ones would have been).
> I understand most of the entries in the logs + statistics, but there's a
> couple of things I'm not sure about - my hope is that someone here can
> shed some light on these, and perhaps also tell me if it's expected to see
> these in the wild.
> 
> The nameserver is running BIND 9.7.2-P3 btw, and yes I know 9.7.3 is out -
> it will be upgraded soon.
> 
> We're not talking about query logging btw, only a fairly simple logging
> channel:
> 
> channel default_debug {
>     file "logs/named.run" versions 20 size 500m;
>     print-time yes;
>     print-category yes;
>     print-severity yes;
>     severity dynamic;
> };
> 
> Now, to the log entries (I've removed timestamps + IP-addresses):
> 
> 1) notify: notice: client x.x.x.x#n: notify question section contains no SOA
> Should I be seeing these normally? They only seem to make up a small part
> of the full logfiles, still seeing a couple of thousand of these in just a
> few days time.

Hmm, it looks to me as if the box listed as client sends some strange notify
messages. Notify normally should contain SOA, so that the receiving NS can
tell if it has an outdated zone or not. These don't. What (regarding DNS of
course) is on those machines?


> 2) security: info: client x.x.x.x#n: query (cache) './A/CH' denied
> Not many of these either, but they still seemed a bit weird. Could they be
> caused somehow by me running a slave of the root "." defined as:
> zone "." IN {
>     type slave;
>     file "slave/root.zone";
>     masters {
>         ...a couple of the root-servers.net servers
>     };
>     notify no;
> };
> I wouldn't expect that to be the cause though, as it's defined as class IN
> and not CH.

Asking for CH TXT version.bind returns bind's version, unless configured
not to do so. Maybe something also asks for A, but I dunno why. Are
these addresses in your network? Then you can trace them down probably.

Now, the more important part - why would you be running a slave of root?
AFAIK the root servers don't a) allow transfer b) send you notifies, so
you'll be in trouble as soon as anything changes, which means every week
right now, that root is signed. Why is
zone "." in { type hint; }
not enough for you?

Regards,
  Torinthiel
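
One way to answer the "are these addresses in your network?" question from the log itself, as an added example that is not part of the original message: it tallies the two entry types discussed above per client address. The sample lines, addresses and function names are constructed for illustration, and the timestamp layout is an assumption that the parser does not rely on.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the entries quoted in the message
# (timestamp layout assumed; addresses are documentation ranges, not real clients).
SAMPLE_LOG = """\
22-Feb-2011 07:10:01.101 notify: notice: client 192.0.2.10#53211: notify question section contains no SOA
22-Feb-2011 07:10:05.450 security: info: client 198.51.100.7#40112: query (cache) './A/CH' denied
22-Feb-2011 07:11:42.009 notify: notice: client 192.0.2.10#53212: notify question section contains no SOA
22-Feb-2011 07:12:00.500 security: info: client 198.51.100.7#40113: query (cache) './A/CH' denied
22-Feb-2011 07:12:30.250 security: info: client 192.0.2.99#33001: query (cache) 'example.com/A/IN' denied
22-Feb-2011 07:13:10.777 notify: notice: client 203.0.113.5#1025: notify question section contains no SOA
22-Feb-2011 07:13:11.000 general: info: constructed line without a client field
"""

# category: severity: client ADDR#PORT: message  (any timestamp prefix is ignored)
LINE_RE = re.compile(
    r"(?P<cat>[\w-]+): (?P<sev>\w+): client (?P<ip>[0-9A-Fa-f.:]+)#\d+: (?P<msg>.*)$"
)
DENIED_RE = re.compile(r"query \(cache\) '(?P<q>[^']+)' denied")
NO_SOA_MSG = "notify question section contains no SOA"


def summarize(lines):
    """Count no-SOA notifies per client and denied class-CH queries per (client, name/type)."""
    no_soa, ch_denied = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # not a per-client entry
        if m["cat"] == "notify" and m["msg"] == NO_SOA_MSG:
            no_soa[m["ip"]] += 1
        elif m["cat"] == "security":
            d = DENIED_RE.fullmatch(m["msg"])
            parts = d["q"].rsplit("/", 2) if d else []
            # Only CHAOS-class denials are of interest; IN denials are skipped.
            if len(parts) == 3 and parts[2] == "CH":
                ch_denied[(m["ip"], f"{parts[0]}/{parts[1]}")] += 1
    return no_soa, ch_denied


if __name__ == "__main__":
    no_soa, ch_denied = summarize(SAMPLE_LOG.splitlines())
    for ip, n in no_soa.most_common():
        print(f"{n:6d}  no-SOA notify  from {ip}")
    for (ip, q), n in ch_denied.most_common():
        print(f"{n:6d}  CH query {q} denied  from {ip}")
```
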

