A tale of two nameservers - resolution problems

Robert Moskowitz rgm at htt-consult.com
Tue Sep 1 13:09:58 UTC 2015 

I have one nameserver running bind 9.8.2 and a new one running 9.9.4.

Both can resolve www.ietf.org

Only the 9.8.2 can resolve 0.centos.pool.ntp.org

I literally rsynced all the of the conf and zone files from the old to 
the new, then changed all of the server name references.  I have done 
this before.  I have another box running the 9.8.2 code that I built the 
same way and it resolves both fqdns just fine.

I am a lost at what is the problem.  Both have the same named.conf:

//
//

     include "/etc/named/named.acl";

options
{
     listen-on port 53 { any; };
     listen-on-v6 port 53 { any; };

     allow-query        { localhost; };
     allow-query-cache    { localhost; };
     recursion no;

     directory     "/var/named";
     dump-file     "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";

//    dnssec-enable yes;
//    dnssec-validation yes;
//    dnssec-lookaside auto;

     dnssec-enable no;
     dnssec-validation no;

     /* Path to ISC DLV key */
//    bindkeys-file "/etc/named.iscdlv.key";

//    managed-keys-directory "/var/named/dynamic";


};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
  *      named will try to write the 'named.run' file in the $directory 
(/var/named).
  *      By default, SELinux policy does not allow named to modify the 
/var/named directory,
  *      so put the default debug log file in data/ :
  */
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
};

view "internal"
{

     include "/etc/named/named.internal";

};
view    "external"
{

     include "/etc/named/named.external";

};

include "/etc/named/rndc.key";

==============
and named.internal has:

/* This view will contain zones you want to serve only to "internal" clients
  * that have addresses that are not on your directly attached LAN 
interface subnets:
  */
     match-clients        { httnets; };
     match-destinations    { httnets; };
     allow-query        { httnets; };
     allow-query-cache    { httnets; };
     allow-recursion        { httnets; };
     recursion yes;
     empty-zones-enable yes;

//    include "/etc/named/named.trusted.key";
         include "/etc/named.rfc1912.zones";

     zone "." IN {
         type hint;
         file "named.root";
     };

     // These are your "authoritative" internal zones:

     zone "htt-consult.com" {
         type master;
         file "httin-consult.com.zone";
     };

etc.


==============


Is the dnssec disabled possibly the problem?  Like required now?

More information about the bind-users mailing list