Problem with recursive name server

Eduardo Bonsi beartcom at pacbell.net
Sat Jun 9 22:24:18 UTC 2012


Hello Mike;

Sorry, I forgot to put the list address in my first message. Here it is 
for the list to follow.

Hello Mike;

Upgrade your BIND server to 9.9.1.

Packages for OS X Snow Leopard and others can be found here:

http://support.menandmice.com/download/bind/macosx/10.6-Snow-Leopard/

Administering BIND through the terminal is fun, but you can also use 
Webmin to administer your BIND server.

I would divide your zones into "internal" and "external" and give recursion 
to the internal zones only. I am on the OS X client and I developed two 
BIND server configurations that are working without any problems. It took 
me a little while to tune both servers and understand how to make that 
work with OS X. If you need more information, please drop me a line.


Regards;

Eduardo

======================================================================
======================================================================
Anyway, I hope I can help a little, since I am not on Mac OS X Server 
and I do not configure my server using this type of GUI. I performed 
some tests using dig and here is what I found.

; <<>> term DiG <<>> ns1.hektor.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 491
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.hektor.de.			IN	A

;; ANSWER SECTION:
ns1.hektor.de.		10800	IN	A	213.191.95.4

;; AUTHORITY SECTION:
.			34434	IN	NS	f.root-servers.net.
======================================================================
So your name server is giving an A record IP address of 213.191.95.4.

Performing an nslookup on your first name server returned:
======================================================================
term# nslookup ns1.hansenet.de
Server:		my server
Address:	my address#53

Non-authoritative answer:
Name:	ns1.hansenet.de
Address: 213.191.73.65

As you can see, the A record does not correspond to the reverse record 
returned by your ns1.hansenet.de nslookup. You have to fix that in your 
TTL zone files. You should post them as well so people can comment on them 
and find any errors, if any.

term# dig mailserver.hektor.de

; <<>> term DiG <<>> mailserver.hektor.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24785
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mailserver.hektor.de.		IN	A

;; ANSWER SECTION:
mailserver.hektor.de.	10800	IN	A	213.191.95.3

;; AUTHORITY SECTION:
.			32412	IN	NS	h.root-servers.net.
.			32412	IN	NS	d.root-servers.net.
.			32412	IN	NS	j.root-servers.net.
.			32412	IN	NS	c.root-servers.net.
.			32412	IN	NS	f.root-servers.net.
.			32412	IN	NS	l.root-servers.net.
.			32412	IN	NS	b.root-servers.net.
.			32412	IN	NS	g.root-servers.net.
.			32412	IN	NS	m.root-servers.net.
.			32412	IN	NS	e.root-servers.net.
.			32412	IN	NS	a.root-servers.net.
.			32412	IN	NS	k.root-servers.net.
.			32412	IN	NS	i.root-servers.net.

;; Query time: 205 msec
;; SERVER: my server#53(my ip)
;; WHEN: Sat Jun  9 15:06:47 2012
;; MSG SIZE  rcvd: 276

term# nslookup mailserver.hektor.de
Server:		my server
Address:	my server #53

Non-authoritative answer:
Name:	mailserver.hektor.de
Address: 213.191.95.3

Your mail server is returning the correct IP address, so it is reversing 
OK. One piece of advice is that you should not give recursion to your 
external name server or any of your external IP addresses.
You should tell us whether you configured your intranet LAN and WAN ports 
to work as internal and external zones.

I hope someone here from the list is also running Mac OS X Server and 
can help you. I can see some minor differences in your named file, such as:

// Default controls
controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};

and

key rndc-key {
	algorithm hmac-md5;
	secret "my secret key goes here";
};

On 6/9/12 1:28 PM, Mike Bobkiewicz wrote:
> HI all,
> first Eduardo:
> I did an upgrade with the mentioned package to 9.9.1-P1; it's now up and running but doesn't fix the problem.
> I have to correct one thing: it's not a 10.6 client system, it's a 10.7.4 Server system. This is important because the client running this server configures bind with Apple's Admin Tools. When something doesn't work he calls me and I log in via ssh and try to figure out what's wrong. Telling the truth: I like vi very much...
>
> Am 08.06.2012 um 22:13 schrieb Chuck Swiger:
>
>> Hi--
>>
>> On Jun 8, 2012, at 1:08 PM, Mike Bobkiewicz wrote:
>>> we are running an authoritative name server for some domains. After some time our ISP has now delegated the reverse name lookups to our server. We are running bind 9.7.3 on Mac OS X 10.6 and are not able to bring the reverse name lookups to life. The master db-file is loaded and we  to set the allow-recursive { any; }; option in the named.conf but it still doesn't work. We are getting RFC 1912 2.1 with some mail servers which is the biggest problem. Which additional options must be set in the named.conf to make the reverse name lookups for our domains work?
>>
>> Mailservers doing a double-reverse lookup try to validate that your IP has a PTR record which returns a name that a normal forward lookup finds, and gives back the original IP.
>>
>> Give us an example of a bad hostname or IP, and we can probably tell you what aspect isn't working right...
>>
> Sorry, was late last night for me so here are some parts of the configuration:
> /etc/named.conf
> include "/etc/rndc.key";
> options {
>          directory "/var/named";
>          listen-on-v6 port 53 {
>                  "none";
>          };
>          allow-recursion {
>                  any;
One piece of advice is that you should not give recursion to your 
external name server or any of your external IP addresses. Besides, the 
argument for recursion is "yes" or "no" or specified IP addresses.


>          };
>          allow-transfer {
>                  none;
>          };
> };
> controls {
>          inet 127.0.0.1 port 54 allow {
>                  "any";
>          } keys {
>                  "rndc-key";
>          };
> };
> acl "com.apple.ServerAdmin.DNS.public" {
>          any;
> };
> logging {
>          channel _default_log {
>                  file "/Library/Logs/named.log";
>                  severity info;
>                  print-time yes;
>          };
>          category "default" {
>                  "_default_log";
>          };
> };
> view "com.apple.ServerAdmin.DNS.public" {
>          zone "0.0.127.in-addr.arpa" IN {
>                  type master;
>                  file "named.local";
>                  allow-update {
>                          none;
>                  };
>          };
>
> ... around 15 working master zones
>
>          zone "95.191.213.in-addr.arpa" IN {
>                  type master;
>                  file "db.95.191.213.in-addr.arpa";
>                  allow-transfer {
>                          com.apple.ServerAdmin.DNS.public;
>                  };
>                  allow-update {
>                          none;
>                  };
>          };
>          };
> };
>
> The lines of question in the db-file:
>                                        10800 IN NS       ns1.hektor.de.
>                                        10800 IN NS       ns2.hansenet.de.
> 3.95.191.213.in-addr.arpa.            10800 IN PTR      mailserver.hektor.de.
>
> The name of the server is ns1.hektor.de.
> When trying to send an email to a server that tries to get the PTR record, the sender receives an "Undelivered Mail..." mail with this:
> 550 inconsistent or
>     no DNS PTR record for 213.191.95.3 (see RFC 1912 2.1) (in reply to RCPT TO
>     command)
>
> Hope this helps to clear out the problem
>
> Best regards,
>
>   Mike
>
>> Regards,
>> --
>> -Chuck
>>
>


-- 
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beartcom at pacbell.net
webmaster at beart.com
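The double-reverse lookup Chuck describes (and that produced the "550 inconsistent or no DNS PTR record" bounce above) is easy to reproduce outside a mail server. The script below is an added example, not code from anyone in the thread: it looks up the PTR for an address, then the A records of every name the PTR returns, and passes only if one of them points back at the original address. The in-memory PTR_RECORDS/A_RECORDS tables are constructed for the example; the first two entries mirror the records shown in the dig output (213.191.95.3 -> mailserver.hektor.de, 213.191.95.4 -> ns1.hektor.de), while stale.example.net and the address with no PTR are hypothetical failure cases. The system_ptr/system_addr functions run the same check against the live resolver if you pass them in.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, the test mail servers apply.

Added example, not code from the thread. The lookup functions are pluggable
so the logic can be exercised offline on constructed records.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed resolver data. The first two entries mirror the records shown
# in the thread; the remaining cases are invented to show the failure paths.
PTR_RECORDS: Dict[str, List[str]] = {
    "3.95.191.213.in-addr.arpa": ["mailserver.hektor.de"],
    "4.95.191.213.in-addr.arpa": ["ns1.hektor.de"],
    "5.95.191.213.in-addr.arpa": ["stale.example.net"],  # forward does not point back
    # 213.191.95.6 deliberately has no PTR record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mailserver.hektor.de": ["213.191.95.3"],
    "ns1.hektor.de": ["213.191.95.4"],
    "stale.example.net": ["198.51.100.7"],
}

PtrLookup = Callable[[str], List[str]]   # ip address -> host names
AddrLookup = Callable[[str], List[str]]  # host name  -> ip addresses


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def fake_ptr(ip: str) -> List[str]:
    """PTR lookup against the constructed table."""
    return PTR_RECORDS.get(reverse_name(ip), [])


def fake_addr(name: str) -> List[str]:
    """A lookup against the constructed table (trailing dot tolerated)."""
    return A_RECORDS.get(name.rstrip("."), [])


def system_ptr(ip: str) -> List[str]:
    """Live PTR lookup through the system resolver (needs network access)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return []


def system_addr(name: str) -> List[str]:
    """Live address lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def fcrdns_check(ip: str, ptr_lookup: PtrLookup = fake_ptr,
                 addr_lookup: AddrLookup = fake_addr) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if some PTR target resolves back to ip.

    Addresses are compared as ipaddress objects so textual variants of the
    same address (e.g. IPv6 zero compression) still match.
    """
    target = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return False, f"no DNS PTR record for {ip}"
    for name in names:
        addrs = {ipaddress.ip_address(a) for a in addr_lookup(name)}
        if target in addrs:
            return True, f"{ip} -> {name} -> {ip}: consistent"
    return False, (f"inconsistent DNS PTR record for {ip}: "
                   f"{', '.join(names)} do not resolve back to it")


if __name__ == "__main__":
    for addr in ("213.191.95.3", "213.191.95.4", "213.191.95.5", "213.191.95.6"):
        ok, reason = fcrdns_check(addr)
        print("PASS" if ok else "550 ", reason)
```

To test the real delegation from a machine with network access, call fcrdns_check("213.191.95.3", system_ptr, system_addr); a False result there with the same tables passing offline means the problem is in what ns1.hektor.de publishes (or in the ISP's delegation of 95.191.213.in-addr.arpa), not in the zone data itself.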

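Eduardo's advice to keep recursion away from the external side can be expressed directly in named.conf. The fragment below is an added example, not the configuration of either poster: it replaces the allow-recursion { any; } shown in the thread with an ACL, keeps the rndc control channel on the standard port and loopback only (as in Eduardo's "Default controls"), and leaves authoritative answers open to everyone. The 192.168.1.0/24 range is a placeholder for whatever the internal LAN actually is, and the zone statements from the original named.conf are assumed to remain below it.

```conf
// Added example, not the poster's named.conf. Assumes one private LAN
// (192.168.1.0/24 is a placeholder) behind a server that must answer
// authoritatively for the Internet but recurse for the LAN only.

acl "internal" {
        127.0.0.1;
        192.168.1.0/24;                    // hypothetical LAN range; replace with yours
};

options {
        directory "/var/named";
        recursion yes;                     // recursion enabled...
        allow-recursion { internal; };     // ...but only for clients matching the ACL
        allow-query-cache { internal; };   // cached answers likewise stay internal
        allow-query { any; };              // authoritative zones answer everyone
        allow-transfer { none; };          // list secondaries here if you have any
};

// What the thread's named.conf had instead; this makes the server an open
// resolver for the whole Internet:
//
//      allow-recursion { any; };

// rndc control channel: standard port 953, loopback only, key required
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
```

After editing, named-checkconf /etc/named.conf validates the syntax and named-checkzone 95.191.213.in-addr.arpa db.95.191.213.in-addr.arpa validates the reverse zone before a reload. From an outside host, dig @ns1.hektor.de -x 213.191.95.3 should return the PTR, while dig @ns1.hektor.de +norecurse for a name the server is not authoritative for should come back without an answer, which confirms the recursion split is in effect.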

