named-checkzone with multiple $ORIGIN

Tony Finch dot at dotat.at
Mon Jun 5 13:18:47 UTC 2017


Bernard Fay <bernard.fay at gmail.com> wrote:
>
> I took control of a DNS based on Bind 9.9.  One of the zone files has
> multiple $ORIGIN for example:

The key thing to understand is that $ORIGIN just controls how unqualified
domain names are expanded into fully-qualified domain names. In
particular, $ORIGIN is completely independent of zone boundaries.

So in the master file you sketched out,

> $ORIGIN example.com
> ...
> $ORIGIN sub1.example.com
> ...
> $ORIGIN sub2.example.com
> ...
> $ORIGIN sub3.example.com
> ...

The person who wrote the file is using $ORIGIN in order to abbreviate
unqualified names in subdomains, but the subdomains are all part of the
same zone.

The other thing to be aware of is that it is possible to write a zone file
without any fully-qualified names, which is why you have to specify the
zone name when loading the file. (This feature is useful for empty zones,
for example, but it's usually not a good idea for normal zones.) The zone
name is used to set the default $ORIGIN and for the zone sanity checks.

So, this works...

> While checking the zone file with:
> named-checkzone example.com example.com.zone
> named-checkzone returns ok for the first $ORIGIN.

...because the zone name you specified on the command line matches the
contents of the master file.

However,

> named-checkzone sub1.example.com example.com.zone
> named-checkzone sub2.example.com example.com.zone
> named-checkzone sub3.example.com example.com.zone
> named-checkzone reports many "ignoring out-of-zone data (....example.com)"

this doesn't make sense. The master file is one single whole complete
zone. The subdomains are not separate zones, and you can't load or check
part of the file.

So the error message is saying that the SOA record and the apex NS records
at example.com and loads of other records are not subdomains of the zone
name that you gave on the command line. I usually encounter this error
when I have accidentally got my zone name and master file name muddled
up, and once you get used to the error message it's a useful consistency
check.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fitzroy: Southwesterly, veering northwesterly, 6 to gale 8, decreasing 5 later
in southwest. Moderate or rough. Rain at first. Moderate or good.
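
Added example, not part of the original message and not BIND's code: a simplified Python reader for master files that expands owner names against each $ORIGIN and then tests them against the zone name given at load time, which is the consistency check described above. The sample zone, its addresses and the function names are constructed for illustration; multi-line records and $INCLUDE are not handled.

```python
# Constructed sample: one zone, three $ORIGIN lines, documentation addresses.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1 hostmaster 1 3600 900 604800 3600
@       IN NS  ns1
ns1     IN A   192.0.2.1
$ORIGIN sub1.example.com.
www     IN A   192.0.2.10
        IN AAAA 2001:db8::10
$ORIGIN sub2.example.com.
mail    IN A   192.0.2.20
"""

def absolute(name, origin):
    """Expand a possibly unqualified name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()

def owners(text, zone):
    """Return the fully-qualified owner name of every record in the file."""
    origin = zone.lower().rstrip(".") + "."  # zone name sets the default $ORIGIN
    last, result = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = absolute(fields[1], origin)  # changes expansion only
        elif fields[0].startswith("$"):
            continue                              # $TTL and friends
        elif line[0].isspace():
            if last is not None:
                result.append(last)               # blank owner repeats the last one
        else:
            last = absolute(fields[0], origin)
            result.append(last)
    return result

def check(text, zone):
    """Split owner names into (in_zone, out_of_zone) for the given zone name."""
    apex = zone.lower().rstrip(".") + "."
    names = owners(text, zone)
    inside = [n for n in names if n == apex or n.endswith("." + apex)]
    return inside, [n for n in names if n not in inside]
```

Calling check(SAMPLE_ZONE, "example.com") puts every record in the zone, while check(SAMPLE_ZONE, "sub1.example.com") leaves only the two www.sub1.example.com. records inside and reports the SOA, NS and all other owners as out of zone.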

