getting not authoritative with some notifies - Solved

Paul A razor at meganet.net
Thu Jul 28 16:13:13 UTC 2016


Tony,

The zones that are giving me the not auth error are indeed off cache, as I
see the RA flag and the AA is missing.  I never really thought this was
happening because I have all zones configured the same way and some are not
getting the not auth error and have the aa flag present. I was querying the
slave directly and it never occurred to me that the info I was getting back
might be cached info, I should have looked at the flags :(. Well, it turns out
I accidentally commented out a huge portion of the named.conf file by mistake
with the */ /*, I didn't close the commented section correctly and it caused
some zones not to be configured. When using vi to edit/look at named.conf I
was relying on the color and never saw the zones in blue (comment color)
that gave me not auth, so I assumed the config was good. I even ran
named-checkconf, which came back with no errors, which makes sense.  It also
didn't click when using rndc status that the number of zones on the slave was
significantly less than on the master server :(.

I hope this stupid mistake helps someone else, thanks to all who replied.

Now what is everyone using to make sure the zones in named.conf are still
pointing to your NS servers? I have a lot of stale DNS zones I want to
remove. 

Thanks, Paul  


-----Original Message-----
From: Tony Finch [mailto:dot at dotat.at] 
Sent: Thursday, July 28, 2016 10:45 AM
To: Casey Deccio <casey at deccio.net>
Cc: Paul A <razor at meganet.net>; bind-users at isc.org
Subject: Re: getting not authoritative with some notifies

Casey Deccio <casey at deccio.net> wrote:
> On Thu, Jul 28, 2016 at 10:34 AM, Paul A <razor at meganet.net> wrote:
>
> > Yes on both server and the slave and primary are listed on the NS RR.
> > I'm really at a loss here, the zone updates on the slave but I keep 
> > getting that message.
>
> There's a difference between a server being listed in the NS RRset and 
> a server being authoritative for the zone.  Is there a "zone" 
> statement for that zone in your named.conf?

When you query the slave for a problem zone, look at the flags in the
header, e.g.

this answer comes from a recursive query - "ra" is present and "aa" is
missing

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

this answer comes from an authoritative zone - "aa" is present

;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Tony.
--
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
South Thames, Dover: Southwesterly 5 or 6. Slight or moderate. Rain or
showers. Good, occasionally poor.
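
The failure described in this thread (a `/*` comment that runs on to a later `*/`, silently dropping zone statements while the file still parses) can be caught by comparing the zones each server actually has active. The following is an added example, not code from anyone in the thread; the zone names, addresses and function names are constructed for illustration.

```python
import re

def strip_comments(text):
    """Drop /* */, // and # comments from named.conf text; keep quoted strings."""
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':                        # copy a quoted string verbatim
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("/*", i):       # ends at the FIRST */ (BIND does not nest)
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            out.append(" ")
        elif text.startswith("//", i) or ch == "#":   # comment to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(ch)
            i += 1
    return "".join(out)

# zone "name" [class] {   (a response-policy 'zone "x";' entry does not match)
ZONE_RE = re.compile(r'\bzone\s+"?([^"\s{;]+)"?\s*(?:\w+\s*)?\{', re.IGNORECASE)

def active_zones(conf_text):
    """Zone names still configured once comments are removed."""
    found = ZONE_RE.findall(strip_comments(conf_text))
    return {z.lower().rstrip(".") or "." for z in found}

def missing_on_slave(master_conf, slave_conf):
    return sorted(active_zones(master_conf) - active_zones(slave_conf))

# Constructed sample configs. The slave has a stray "/* old zones" that is
# only closed by the next comment's "*/", so bravo.example is swallowed.
MASTER = '''
zone "alpha.example" { type master; file "alpha.db"; };
zone "bravo.example" { type master; file "bravo.db"; };
zone "charlie.example" { type master; file "charlie.db"; };
'''
SLAVE = '''
zone "alpha.example" { type slave; masters { 192.0.2.1; }; file "alpha.db"; };
/* old zones
zone "bravo.example" { type slave; masters { 192.0.2.1; }; file "bravo.db"; };
/* customer zones */
zone "charlie.example" { type slave; masters { 192.0.2.1; }; file "charlie.db"; };
'''

if __name__ == "__main__":
    print("zones on master but not active on slave:", missing_on_slave(MASTER, SLAVE))
```

Each zone it reports can then be queried on the slave to confirm that the "aa" flag is missing, as in Tony's reply.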


