nxdomain

Nick Edwards nick.z.edwards at gmail.com
Thu Aug 29 12:58:48 UTC 2013


Good Morning,
Wow, all these messages. As other posters have pointed out to me, dig
shows what I wanted to see, REFUSED; only host shows NXDOMAIN, and from
other posts I see why I am getting that result, so in the end it's all
just a false alarm. My servers are doing the right thing, so I can
rest easy.

On 8/29/13, Mark Andrews <marka at isc.org> wrote:
>
> In message
> <CAMD-=VK7MtwDoUv8uRTL5WR=1ouMHbmzKMPp=uK5pqEVO10Hgg at mail.gmail.com>
> , Nick Edwards writes:
>> Mark,
>>
>> On 8/29/13, Mark Andrews <marka at isc.org> wrote:
>> >
>> > In message
>> > <CAMD-=VKA_dftLRqtJMs=EGMEPZHU82q06+p_J8RmbgzXvVGjGg at mail.gmail.com>
>> > , Nick Edwards writes:
>> >> The typos were more of how I came about my request; forget the typo as
>> >> such, it's the actual answer. To use a more common, well-known name, if
>> >> I type
>> >>
>> >> ~$ host www.undernet.org ns1
>> >> Using domain server:
>> >> Name: ns1
>> >>
>> >> Host www.undernet.org not found: 3(NXDOMAIN)
>> >>
>> >> Above should be, and I'm darn sure used to be, REFUSED -  not NXDOMAIN
>> >>
>> >> perhaps I should also include my options in my original post, that was
>> >> remiss of me
>> >>
>> >> acl trust contains localhost and the servers actual IP addresses,
>> >> nowhere does it permit the IP range I tried from
>> >>
>> >> options {
>> >>         directory "/var/named";
>> >>         allow-query { trust; };
>> >>         allow-transfer { localhost; };
>> >>         blackhole { bogon; };
>> >>         recursive-clients 2000;
>> >>         clients-per-query 40;
>> >>         tcp-clients 100;
>> >>         recursion no;
>> >>         additional-from-cache no;
>> >>         transfer-format many-answers;
>> >>         masterfile-format text;
>> >>         interface-interval 0;
>> >>         dnssec-enable yes;
>> >>         dnssec-validation yes;
>> >> };
>> >
>> > Given www.undernet.org exists on the Internet (so you wouldn't be
>> > getting NXDOMAIN if it was recursing to the Internet) and you haven't
>> > shown the entire configuration, we can't tell if it is a lack of
>> > understanding about your configuration or a bug.
>> >
>>
>> The only other components to our pure authoritative-only server
>> configuration are
>>
>> The bogon acl from team cymru
>>
>> include "/var/named/root_trusted_key";
>>
>> logging {
>>         category lame-servers { null; };
>>         category edns-disabled { null; };
>>         category client { null; };
>> };
>>
>> zone "." {
>>         type hint;
>>         file "root.hints";
>> };
>>
>>
>> zone "127.in-addr.arpa" {
>>         type master;
>>         file "localhost.rev";
>>         notify no;
>> };
>>
>> zone "localhost" {
>>         type master;
>>         file "localhost.zone";
>>         notify no;
>> };
>>
>> zone "somedomain.org" {
>>         type master;
>>         allow-transfer { slave.ip; };
>>         file "somedomain.org.signed";
>>         allow-query { any; };
>>         allow-update { none; };
>> };
>>
>>
>> zone "xxxx.in-addr.arpa" {
>>         type master;
>>         allow-transfer { sec.IP; };
>>         file "00v4.zone";
>>         allow-query { any; };
>>         allow-update { none; };
>> };
>>
>> zone "xxxxxxx.ip6.arpa" {
>>         type master;
>>         allow-transfer { sec.IP; };
>>         file "00v6.zone";
>>         allow-query { any; };
>>         allow-update { none; };
>> };
>>
>> zone "xxxx" {
>>         type slave;
>>         masters { x.x.x.x; };
>>         file "xxxxxx.signed";
>>         allow-query { any; };
>> };
>>
>>
>> there are 27 more master/slave zones, but they all are in identical
>> format as above and
>> we certainly do not host undernet :-)
>>
>> and with no customer IP ranges included in any ACL (since these are
>> not caching servers), and having friends trying from different ISPs,
>> we get NXDOMAIN, be it undernet, or google ("Host www.google.com not
>> found: 3(NXDOMAIN)"), or whatever else it is not configured for. Yes, it
>> does respond correctly to domains it is supposed to.
>>
>> In the end, because of this config, I expect to see REFUSED here, like
>> we have in the past; not sure when this changed.
>>
>> Both our ns1 and ns2 respond the same.
>
> You still haven't provided enough information to work out whether
> there is a bug or not.
>
> Why don't you post the complete response to the dig request unaltered.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>

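The distinction the thread turns on is the RCODE and the AA flag in the raw response: a client denied by allow-query on a non-recursive server gets REFUSED (RCODE 5), whereas NXDOMAIN (RCODE 3) with AA set means the server found the name inside a zone it is authoritative for. The following is an added example, not code from the original post or from ISC: a minimal Python client that sends a single query for the exact name given (no search-list processing, which is the behaviour dig has and host does not) and reports RCODE, AA and RA. The server address, the query name and the packed sample responses in the test are all constructed for illustration.

```python
import socket
import struct
import sys

# RCODE values from RFC 1035 / RFC 2136 (only the ones that matter here)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format query with one question, RD=0 and no EDNS.

    RD is deliberately clear: we want to see what an authoritative-only
    server says about a name it does not host, not ask it to recurse.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".") if l) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS IN

def parse_response(data: bytes) -> dict:
    """Pull id, RCODE and the AA/TC/RA flags out of a response header."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "ra": bool(flags & 0x0080),   # recursion available
        "answers": an,
    }

def interpret(resp: dict) -> str:
    """Classify what the response says about the server's policy."""
    if resp["rcode"] == "REFUSED":
        # allow-query / recursion policy denied the query: expected for a
        # client outside the ACL asking a non-recursive server about a name
        # in no hosted zone
        return "refused"
    if resp["rcode"] == "NXDOMAIN" and resp["aa"]:
        # the server is authoritative for a zone that contains this name
        # and the name does not exist there
        return "authoritative-nxdomain"
    if resp["rcode"] == "NXDOMAIN":
        # a non-authoritative NXDOMAIN came from recursion or cache
        return "recursive-nxdomain"
    return resp["rcode"].lower()

def query(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to server:53 and return the parsed header."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != 0x1234:
        raise ValueError("transaction id mismatch")
    return resp

if __name__ == "__main__":
    # usage: python dnscheck.py <server-ip> <name>   (assumed invocation)
    r = query(sys.argv[1], sys.argv[2])
    print(r["rcode"], "AA" if r["aa"] else "", "RA" if r["ra"] else "",
          "->", interpret(r))
```

Run it from an address that is not in the "trust" ACL against a name the server does not host; a REFUSED with AA clear is the result the poster was expecting. An NXDOMAIN with AA set means the name being asked for falls inside one of the hosted zones, which is worth checking before concluding the ACL is being bypassed.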