Problem with "authoritative answer"

Barry Margolin barmar at alum.mit.edu
Wed Sep 11 18:27:44 UTC 2013


In article <mailman.1289.1378912783.20661.bind-users at lists.isc.org>,
 Brian Cuttler <brian at wadsworth.org> wrote:

> Cross posting to both Amanda users and bind users lists.
> 
> We have remapped some of our DNS clients to point to another
> DNS resolver, one that we do not control, but that has "forwarder"
> records in place to point our domain's address resolution requests
> back to an authoritative server in our domain.
> 
> Dig is showing authoritative answer when I query my domain's server
> for an address that I own.
> 
> Dig is NOT showing authoritative when I query the other domain's server.
> 
> I'd have thought that the forwarded request, coming from my server,
> would have resulted in an authoritative reply.

Caching servers cache responses to forwarded requests, so they don't 
forward the same request until the TTL expires.

Also, even if the caching server does need to forward, when it sends the 
response to its client, I think it clears the AA flag. IIRC, BIND 4 
would pass the entire answer back to its client, including flags like 
AA, but I think this changed in BIND 8 -- since the caching server is 
not actually authoritative, it doesn't set the AA flag in its responses.

> 
> What does this have to do with Amanda?
> 
> We have a zmanda client in our citrix cloud that has been changed
> from our domain controller to the DC of the other dept, which has
> its own DNS servers.
> 
> While we can get a DNS result on the client, zmanda is failing to
> authenticate the server. I suspect but do not know for sure that
> this is because the DNS result (as determined by # dig) is not
> authoritative.

No ordinary client application should ever require an authoritative 
answer to DNS requests, since caching servers are never expected to be 
authoritative, and you can't usually depend on pointing directly to the 
authoritative servers.

> 
> Am I right in my guess as to the zmanda client issue?
>  - if so
>     Is there a zmanda work-around or fix? Other than adding the IP
>     information to tables in the client or registering the amanda
>     server by IP?
> 
> Is there a DNS fix? Do I need to update my DNS zone file to make the
> other domain's DNS, which only has forwarder records for us, authoritative
> by adding an NS record for it?
> 
> Am I just barking up the wrong tree?

I don't know anything about Amanda (I don't even know what it is), but I 
suspect so.

-- 
Barry Margolin
Arlington, MA
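
The AA bit discussed in this thread, shown as an added example that is not part of the original post: a Python sketch that decodes the DNS header flags of two constructed responses, one as an authoritative server would send it and one as a forwarding cache would relay it. The name host.example.com, the address 192.0.2.10, the RA settings and all helper names are assumptions made for illustration.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1), in the order dig prints them.
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
             ("rd", 0x0100), ("ra", 0x0080)]

def build_response(txid, name, addr, aa, ra):
    """Build a constructed DNS response carrying one A record."""
    flags = 0x8000 | 0x0100          # QR=1 (response), RD=1 echoed from query
    flags |= 0x0400 if aa else 0     # AA: responder is authoritative for the name
    flags |= 0x0080 if ra else 0     # RA: responder offers recursion
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in addr.split("."))
    answer = (b"\xc0\x0c"                               # pointer back to QNAME
              + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata)
    return header + question + answer

def parse_header(msg):
    """Decode the fixed 12-byte header into flags and counters."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {flag: bool(flags & bit) for flag, bit in FLAG_BITS}
    out.update(id=txid, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF, ancount=an)
    return out

def dig_flags(msg):
    """Render the set flags the way dig's 'flags:' line lists them."""
    hdr = parse_header(msg)
    return " ".join(flag for flag, _ in FLAG_BITS if hdr[flag])

def records(msg):
    """Everything after the header: question and answer sections."""
    return msg[12:]

# Constructed samples: same question and answer, different responder role.
AUTH = build_response(0x1A2B, "host.example.com", "192.0.2.10", aa=True, ra=False)
FWD = build_response(0x1A2B, "host.example.com", "192.0.2.10", aa=False, ra=True)

if __name__ == "__main__":
    for label, msg in (("authoritative", AUTH), ("forwarder", FWD)):
        print(f"{label:14} flags: {dig_flags(msg)}")
    print("same records:", records(AUTH) == records(FWD))
```

The two messages differ only in the header flags; the address record a client application receives is byte-for-byte the same.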

