nxdomain

Noel Butler noel.butler at ausics.net
Thu Aug 29 01:52:42 UTC 2013


Hey Mark,

Looks like it might be a bug,  *BUT* a client utils bug,  so I think his
server is likely fine, he's panicking over what's reported not what's
actually going on, I'm sure it's not the intended response to display so
I've just added bug rep on it, if you disagree, you can always nuke
it :)

From here, dig answers REFUSED, but host and nslookup answer NXDOMAIN


noel@tardis:~$ dig www.undernet.org @ns1.ausics.net

; <<>> DiG 9.9.4rc1 <<>> www.undernet.org @ns1.ausics.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9347
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.undernet.org.		IN	A

;; Query time: 366 msec
;; SERVER: 62.113.243.167#53(62.113.243.167)
;; WHEN: Thu Aug 29 11:29:35 EST 2013
;; MSG SIZE  rcvd: 45



noel@tardis:~$ host www.undernet.org ns1.ausics.net
Using domain server:
Name: ns1.ausics.net
Address: 62.113.243.167#53
Aliases: 

Host www.undernet.org not found: 3(NXDOMAIN)

noel@tardis:~$ nslookup www.undernet.org ns1.ausics.net
Server:		ns1.ausics.net
Address:	62.113.243.167#53

** server can't find www.undernet.org: NXDOMAIN






On Thu, 2013-08-29 at 10:20 +1000, Mark Andrews wrote:

> In message <CAMD-=VK7MtwDoUv8uRTL5WR=1ouMHbmzKMPp=uK5pqEVO10Hgg at mail.gmail.com>
> , Nick Edwards writes:
> > Mark,
> > 
> > On 8/29/13, Mark Andrews <marka at isc.org> wrote:
> > >
> > > In message
> > > <CAMD-=VKA_dftLRqtJMs=EGMEPZHU82q06+p_J8RmbgzXvVGjGg at mail.gmail.com>
> > > , Nick Edwards writes:
> > >> The typo was more of how I came about my request, forget the typo as
> > >> such, it's the actual answer,  to use a more common well known name, if
> > >> I type
> > >>
> > >> ~$ host www.undernet.org ns1
> > >> Using domain server:
> > >> Name: ns1
> > >>
> > >> Host www.undernet.org not found: 3(NXDOMAIN)
> > >>
> > >> Above should be, and I'm darn sure used to be, REFUSED -  not NXDOMAIN
> > >>
> > >> perhaps I should also include my options in my original post, that was
> > >> remiss of me
> > >>
> > >> acl trust contains localhost and the servers actual IP addresses,
> > >> nowhere does it permit the IP range I tried from
> > >>
> > >> options {
> > >>         directory "/var/named";
> > >>         allow-query { trust; };
> > >>         allow-transfer { localhost; };
> > >>         blackhole { bogon; };
> > >>         recursive-clients 2000;
> > >>         clients-per-query 40;
> > >>         tcp-clients 100;
> > >>         recursion no;
> > >>         additional-from-cache no;
> > >>         transfer-format many-answers;
> > >>         masterfile-format text;
> > >>         interface-interval 0;
> > >>         dnssec-enable yes;
> > >>         dnssec-validation yes;
> > >> };
> > >
> > > Given www.undernet.org exists on the Internet (so you wouldn't be
> > > getting NXDOMAIN if it was recursing to the Internet) and you haven't
> > > shown the entire configuration we can't tell if it is a lack of
> > > understanding about your configuration or a bug.
> > >
> > 
> > The only other components to our pure authoritative only server
> > configuration  are
> > 
> > The bogon acl from team cymru
> > 
> > include "/var/named/root_trusted_key";
> > 
> > logging {
> >         category lame-servers { null; };
> >         category edns-disabled { null; };
> >         category client { null; };
> > };
> > 
> > zone "." {
> >         type hint;
> >         file "root.hints";
> > };
> > 
> > 
> > zone "127.in-addr.arpa" {
> >         type master;
> >         file "localhost.rev";
> >         notify no;
> > };
> > 
> > zone "localhost" {
> >         type master;
> >         file "localhost.zone";
> >         notify no;
> > };
> > 
> > zone "somedomain.org" {
> >         type master;
> >         allow-transfer { slave.ip; };
> >         file "somedomain.org.signed";
> >         allow-query { any; };
> >         allow-update { none; };
> > };
> > 
> > 
> > zone "xxxx.in-addr.arpa" {
> >         type master;
> >         allow-transfer { sec.IP; };
> >         file "00v4.zone";
> >         allow-query { any; };
> >         allow-update { none; };
> > };
> > 
> > zone "xxxxxxx.ip6.arpa" {
> >         type master;
> >         allow-transfer { sec.IP; };
> >         file "00v6.zone";
> >         allow-query { any; };
> >         allow-update { none; };
> > };
> > 
> > zone "xxxx" {
> >         type slave;
> >         masters { x.x.x.x; };
> >         file "xxxxxx.signed";
> >         allow-query { any; };
> > };
> > 
> > 
> > there are 27 more master/slave zones, but they all are in identical
> > format as above and
> > we certainly do not host undernet :-)
> > 
> > and with no customer IP ranges  included in any ACL (since these are
> > not caching servers), and, having friends trying from different ISPs,
> > we get NXDOMAIN, be it undernet, or google  Host www.google.com not
> > found: 3(NXDOMAIN) or whatever else it is not configured for, yes, it
> > does respond correctly to domains it is supposed to
> > 
> > in the end because of this config, I expect to see REFUSED here, like
> > we have in the past, not sure when this changed.
> > 
> > Both our ns1 and ns2 respond in same
> 
> You still haven't provided enough information to work out whether
> there is a bug or not.
> 
> Why don't you post the complete response to the dig request unaltered.
> 
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
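
When client tools disagree about the status of a reply, as dig does with host and nslookup above, the raw message bytes settle it: the RCODE is the low four bits of the header flags word, extended by the top eight bits of the OPT record's TTL field when EDNS is present. The following is an added example, not part of the original post or of BIND; the function names are hypothetical and the sample bytes are constructed to match the shape of the dig output (id 9347, flags qr rd, one OPT record, 45 bytes), not captured from the server.

```python
import struct

# RCODE values from RFC 1035 (3 and 5 are the two the thread is about)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label terminates the name
            return off

def response_status(msg):
    """Decode flags and the full RCODE (including the EDNS extended bits)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):                # question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):      # RR: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                # OPT: top 8 TTL bits extend the RCODE
            rcode |= (ttl >> 24) << 4
        off += 10 + rdlen
    return {"id": msg_id, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": rcode,
            "status": RCODES.get(rcode, "RCODE%d" % rcode), "size": len(msg)}

def encode_name(name):
    """Encode a dotted name as length-prefixed labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def build_sample(rcode):
    """Constructed 45-byte reply shaped like the dig output above."""
    header = struct.pack("!6H", 9347, 0x8100 | rcode, 1, 0, 0, 1)
    question = encode_name("www.undernet.org") + struct.pack("!2H", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)   # root name, OPT, udp 4096
    return header + question + opt

if __name__ == "__main__":
    for rc in (5, 3):                  # REFUSED vs NXDOMAIN, same message otherwise
        print(response_status(build_sample(rc)))
```

Feeding it the UDP payload from a packet capture of the same query shows which status the server actually put on the wire, independent of how any client utility prints it.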

