Lame Delegation woes

Kevin Darcy kcd at daimlerchrysler.com
Mon Apr 23 23:47:23 UTC 2001


Your ISP is full of it: a nameserver which is configured as master or slave
for a zone should *always* answer authoritatively for the zone unless
something is broken. Authoritative data is logically distinct from cached
data.

Chances are, there is an error in the master zone file which is preventing
the zone from loading properly. And the error has probably been there long
enough that the zone has expired on the slave as well, which would explain
why it is answering non-authoritatively. You should look in the master's
logs at load time to see if there is an error reported. If you're still
having problems, post the named.conf and fisita.com zonefile, and we can see
if there are any obvious errors.


- Kevin


Andrew Green wrote:

> Hi all,
>
> For the past week or so, I've been trying to resolve a lame delegation
> problem affecting a domain I administer: fisita.com.  The domain runs on
> a dedicated server, running the nameserver ns.fisita.com.  However:
>
>    $ nslookup -q=any fisita.com. NS.fisita.com
>    Server:  ns.fisita.com
>    Address:  212.67.198.149
>
>    Non-authoritative answer:
>    fisita.com      internet address = 212.67.198.149
>    fisita.com      preference = 5, mail exchanger = mail.fisita.com
>    fisita.com      nameserver = ns.fisita.com
>    fisita.com      nameserver = ns2.fisita.com
>    fisita.com
>            origin = ns.fisita.com
>            mail addr = hostmaster.fisita.com
>            serial = 10803
>            refresh = 10800 (3 hours)
>            retry   = 3600 (1 hour)
>            expire  = 604800 (7 days)
>            minimum ttl = 86400 (1 day)
>
>    Authoritative answers can be found from:
>    mail.fisita.com internet address = 212.67.198.149
>    ns.fisita.com   internet address = 212.67.198.149
>    ns2.fisita.com  internet address = 212.67.198.150
>
> ns.fisita.com seems to be responding non-authoritatively, but is pointing
> people back to itself for the authoritative answer!
>
> I've been talking with the helpdesk at the ISP which supplied the
> dedicated server to try to get some clues as to why this might be
> happening -- the config files appear to be correct to me, but I'm new at
> this and am evidently missing something.  They have responded to the
> effect that I'm getting the non-authoritative answer merely because "the
> domain is already in your [ns.fisita.com's] cache".
>
> This strikes me as fudging the issue, but I'd be happy to concede that
> I'm wrong, and that DNS for the domain is actually OK.  Any help from the
> good folk on this newsgroup to establish what the situation really is
> would be greatly appreciated (especially any tips on how to fix it if it
> is indeed lame).
>
> I'd be happy to post named.conf, named.fisita.com and named.212.67.198 to
> the newsgroup if they'd help identify the problem (and wouldn't open up
> gaping security holes for me).
>
> Many thanks,
> Andrew.
>
> --
> Andrew Green
> Article Seven: Automatic Internet
> andrew at article7.co.uk -- http://www.article7.co.uk/
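
The check discussed in this thread comes down to the AA (authoritative answer) bit in the header of each listed nameserver's reply. The following is an added example, not part of the original posts: it builds a non-recursive SOA query and classifies a reply from its header. The function names are hypothetical and the sample replies are constructed, not captured traffic.

```python
import socket
import struct

QR, AA = 0x8000, 0x0400  # header flag bits: response, authoritative answer

def build_query(zone, txid=0x1234, qtype=6):
    """Non-recursive (RD=0) query for the zone's SOA (qtype 6), class IN."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify_response(packet, txid=0x1234):
    """Judge one server's reply from its 12-byte header alone."""
    if len(packet) < 12:
        return "lame: truncated response"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & QR:
        return "lame: not a response to our query"
    rcode = flags & 0x000F
    if rcode:
        return f"lame: rcode {rcode}"
    if not flags & AA:
        # The case in the post: data is returned, but not from a loaded zone.
        return "lame: AA bit clear"
    return "authoritative"

def check_server(ip, zone, timeout=3.0):
    """Ask one listed nameserver directly over UDP (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(zone), (ip, 53))
            return classify_response(s.recv(4096))
        except OSError:
            return "no response"

def fake_response(flags, ancount, zone="fisita.com"):
    """Constructed sample reply: header plus echoed question, no records."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + build_query(zone)[12:]

if __name__ == "__main__":
    samples = {"zone loaded": 0x8400, "answering from cache": 0x8080, "SERVFAIL": 0x8002}
    for name, flags in samples.items():
        print(f"{name:22} {classify_response(fake_response(flags, 1))}")
```

Running `check_server` against every address in the zone's NS set shows which delegated servers have actually loaded the zone.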




