How good is BIND?

Brad Knowles brad.knowles at skynet.be
Mon Jun 11 15:14:13 UTC 2001


At 10:05 AM -0400 6/11/01, Von Alt, William wrote:

>  Delegating a new domain to be called gjo.doe.gov.  The organization's
>  current domain is doegjpo.com, and they wish to gradually move to the new
>  one.  Their nameservers are ernest.doegjpo.com and eagle.doegjpo.com, and
>  mine are fulcrum.doe.gov and foxbat.doe.gov.

	On a lark, I ran these two domains through "doc -d", to see if 
there were any delegation problems:

% doc -d doegjpo.com
Doc-2.2.2: doc -d doegjpo.com
Doc-2.2.2: Starting test of doegjpo.com.   parent is com.
Doc-2.2.2: Test date - Mon Jun 11 10:56:20 EDT 2001
DEBUG: digging @a.gtld-servers.net. for soa of com.
soa @a.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @b.gtld-servers.net. for soa of com.
soa @b.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @c.gtld-servers.net. for soa of com.
soa @c.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @d.gtld-servers.net. for soa of com.
soa @d.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @e.gtld-servers.net. for soa of com.
soa @e.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @f.gtld-servers.net. for soa of com.
soa @f.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @g.gtld-servers.net. for soa of com.
soa @g.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @i.gtld-servers.net. for soa of com.
soa @i.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @j.gtld-servers.net. for soa of com.
soa @j.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @k.gtld-servers.net. for soa of com.
soa @k.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @l.gtld-servers.net. for soa of com.
soa @l.gtld-servers.net. for com. has serial: 2001061001
DEBUG: digging @m.gtld-servers.net. for soa of com.
soa @m.gtld-servers.net. for com. has serial: 2001061001
SOA serial #'s agree for com. domain
Found 3 NS and 3 glue records for doegjpo.com. @a.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @b.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @c.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @d.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @e.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @f.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @g.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @i.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @j.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @k.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @l.gtld-servers.net. (non-AUTH)
Found 3 NS and 3 glue records for doegjpo.com. @m.gtld-servers.net. (non-AUTH)
DNServers for com.
    === 0 were also authoritatve for doegjpo.com.
    === 12 were non-authoritative for doegjpo.com.
Servers for com. (not also authoritative for doegjpo.com.)
    === agree on NS records for doegjpo.com.
DEBUG: domserv = dca-ans-01.inet.qwest.net. eagle.doegjpo.com. ernest.doegjpo.com.
NS list summary for doegjpo.com. from parent (com.) servers
   == dca-ans-01.inet.qwest.net. eagle.doegjpo.com. ernest.doegjpo.com.
digging @dca-ans-01.inet.qwest.net. for soa of doegjpo.com.
soa @dca-ans-01.inet.qwest.net. for doegjpo.com. serial: 2001033002
digging @eagle.doegjpo.com. for soa of doegjpo.com.
soa @eagle.doegjpo.com. for doegjpo.com. serial: 2001033002
digging @ernest.doegjpo.com. for soa of doegjpo.com.
soa @ernest.doegjpo.com. for doegjpo.com. serial: 2001033002
SOA serial #'s agree for doegjpo.com.
Authoritative domain (doegjpo.com.) servers agree on NS for doegjpo.com.
ERROR: NS list from doegjpo.com. authoritative servers does not
   === match NS list from parent (com.) servers
NS list summary for doegjpo.com. from authoritative servers
   == doegjpo.com. eagle.doegjpo.com. ernest.doegjpo.com.
ERROR: dca-ans-01.inet.qwest.net. claims to be authoritative, but does not appear in
NS list from authoritative servers
Checking 2 potential addresses for hosts at doegjpo.com.
   == 192.149.55.37 199.117.220.9
in-addr PTR record found for 192.149.55.37
in-addr PTR record found for 199.117.220.9
Summary:
    ERRORS found for doegjpo.com. (count: 2)
Done testing doegjpo.com.  Mon Jun 11 10:56:26 EDT 2001

	According to the .com gTLD servers, the three authoritative 
servers for the doegjpo.com zone are supposed to be 
dca-ans-01.inet.qwest.net, eagle.doegjpo.com, and ernest.doegjpo.com. 
However, when you ask these machines themselves, they say that the 
authoritative nameservers are supposed to be doegjpo.com, 
eagle.doegjpo.com, and ernest.doegjpo.com.  In this case, the server 
with the IP address 199.117.220.9 (with the three names 
"gjpomail.gjo.doe.gov", "gjpomail.doegjpo.com", and "doegjpo.com") is 
what I like to call an "orphan" delegation, while the server on 
dca-ans-01.inet.qwest.net is a classic lame delegation.  Now, this 
domain may be going away soon, but this is an indicator of future 
problems that you are likely to have.

	Also note that you have a single IP address (199.117.220.9) with 
three PTR records.  This is not likely to work well, as most 
applications do not properly handle more than one name for a PTR 
record.  You should decide what the "canonical" (or official) name of 
this machine is, and make the others either aliases (using CNAME 
records), or resolve to the same IP address but do not add entries 
for them as PTR records.


% doc -d doe.gov
Doc-2.2.2: doc -d doe.gov
Doc-2.2.2: Starting test of doe.gov.   parent is gov.
Doc-2.2.2: Test date - Mon Jun 11 10:57:03 EDT 2001
DEBUG: digging @a.root-servers.net. for soa of gov.
soa @a.root-servers.net. for gov. has serial: 2001060700
DEBUG: digging @b.root-servers.net. for soa of gov.
soa @b.root-servers.net. for gov. has serial: 2001060700
DEBUG: digging @c.root-servers.net. for soa of gov.
soa @c.root-servers.net. for gov. has serial:
WARNING: no SOA record for gov. from c.root-servers.net.
DEBUG: digging @d.root-servers.net. for soa of gov.
soa @d.root-servers.net. for gov. has serial: 2001060700
DEBUG: digging @e.root-servers.net. for soa of gov.
soa @e.root-servers.net. for gov. has serial: 2001060700
DEBUG: digging @f.root-servers.net. for soa of gov.
soa @f.root-servers.net. for gov. has serial: 2001060700
DEBUG: digging @g.root-servers.net. for soa of gov.
soa @g.root-servers.net. for gov. has serial: 2001060700
DEBUG: digging @h.root-servers.net. for soa of gov.
soa @h.root-servers.net. for gov. has serial: 2001060700
DEBUG: digging @i.root-servers.net. for soa of gov.
soa @i.root-servers.net. for gov. has serial: 2001060700
SOA serial #'s agree for gov. domain
Found 2 NS and 2 glue records for doe.gov. @a.root-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for doe.gov. @b.root-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for doe.gov. @d.root-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for doe.gov. @e.root-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for doe.gov. @f.root-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for doe.gov. @g.root-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for doe.gov. @h.root-servers.net. (non-AUTH)
Found 2 NS and 2 glue records for doe.gov. @i.root-servers.net. (non-AUTH)
DNServers for gov.
    === 0 were also authoritatve for doe.gov.
    === 8 were non-authoritative for doe.gov.
Servers for gov. (not also authoritative for doe.gov.)
    === agree on NS records for doe.gov.
DEBUG: domserv = foxbat.doe.gov. fulcrum.doe.gov.
NS list summary for doe.gov. from parent (gov.) servers
   == foxbat.doe.gov. fulcrum.doe.gov.
digging @foxbat.doe.gov. for soa of doe.gov.
soa @foxbat.doe.gov. for doe.gov. serial: 19990310
digging @fulcrum.doe.gov. for soa of doe.gov.
soa @fulcrum.doe.gov. for doe.gov. serial: 19990310
SOA serial #'s agree for doe.gov.
Authoritative domain (doe.gov.) servers agree on NS for doe.gov.
ERROR: NS list from doe.gov. authoritative servers does not
   === match NS list from parent (gov.) servers
NS list summary for doe.gov. from authoritative servers
   == foxbat.doe.gov. fulcrum.doe.gov. ns1.es.net.
Checking 2 potential addresses for hosts at doe.gov.
   == 205.254.144.110 205.254.143.110
in-addr PTR record found for 205.254.144.110
in-addr PTR record found for 205.254.143.110
Summary:
    ERRORS found for doe.gov. (count: 1)
    WARNINGS issued for doe.gov. (count: 1)
Done testing doe.gov.  Mon Jun 11 10:57:22 EDT 2001

	According to the .gov gTLD servers, the nameservers for the 
doe.gov zone are supposed to be foxbat.doe.gov and fulcrum.doe.gov. 
However, when you ask these servers themselves, they come back with 
foxbat.doe.gov, fulcrum.doe.gov, and ns1.es.net.  Again, ns1.es.net 
is an "orphan" delegation.

>  On my nameservers, if I delegate the gjo.doe.gov domain to the two
>  doegjpo.com nameservers, everything works fine, but it's not the config. I
>  want.  If I delegate the domain to the two gjo.doe.gov nameservers (same
>  machines, just different A records), my config. doesn't work.  [nslookup and
>  dig "hangs" when queried for anything about the domain, e.g. SOA records for
>  gjo.doe.gov]

	I just checked this child zone:

% doc -d gjo.doe.gov
Doc-2.2.2: doc -d gjo.doe.gov
Doc-2.2.2: Starting test of gjo.doe.gov.   parent is doe.gov.
Doc-2.2.2: Test date - Mon Jun 11 11:04:50 EDT 2001
DEBUG: digging @foxbat.doe.gov. for soa of doe.gov.
soa @foxbat.doe.gov. for doe.gov. has serial: 19990310
DEBUG: digging @fulcrum.doe.gov. for soa of doe.gov.
soa @fulcrum.doe.gov. for doe.gov. has serial: 19990310
DEBUG: digging @ns1.es.net. for soa of doe.gov.
soa @ns1.es.net. for doe.gov. has serial: 19990310
SOA serial #'s agree for doe.gov. domain
Found 2 NS and 1 glue records for gjo.doe.gov. @foxbat.doe.gov. (non-AUTH)
Found 2 NS and 2 glue records for gjo.doe.gov. @fulcrum.doe.gov. (non-AUTH)
Found 2 NS and 2 glue records for gjo.doe.gov. @ns1.es.net. (non-AUTH)
DNServers for doe.gov.
    === 0 were also authoritatve for gjo.doe.gov.
    === 3 were non-authoritative for gjo.doe.gov.
Servers for doe.gov. (not also authoritative for gjo.doe.gov.)
    === agree on NS records for gjo.doe.gov.
DEBUG: domserv = eagle.doegjpo.com. ernest.doegjpo.com.
NS list summary for gjo.doe.gov. from parent (doe.gov.) servers
   == eagle.doegjpo.com. ernest.doegjpo.com.
digging @eagle.doegjpo.com. for soa of gjo.doe.gov.
soa @eagle.doegjpo.com. for gjo.doe.gov. serial: 2001052306
digging @ernest.doegjpo.com. for soa of gjo.doe.gov.
soa @ernest.doegjpo.com. for gjo.doe.gov. serial: 2001052306
SOA serial #'s agree for gjo.doe.gov.
Authoritative domain (gjo.doe.gov.) servers agree on NS for gjo.doe.gov.
ERROR: NS list from gjo.doe.gov. authoritative servers does not
   === match NS list from parent (doe.gov.) servers
NS list summary for gjo.doe.gov. from authoritative servers
   == eagle.gjo.doe.gov. ernest.gjo.doe.gov.
ERROR: eagle.doegjpo.com. claims to be authoritative, but does not appear in
NS list from authoritative servers
ERROR: ernest.doegjpo.com. claims to be authoritative, but does not appear in
NS list from authoritative servers
Checking 1 potential addresses for hosts at gjo.doe.gov.
   == 192.149.55.37
in-addr PTR record found for 192.149.55.37
Summary:
    ERRORS found for gjo.doe.gov. (count: 3)
Done testing gjo.doe.gov.  Mon Jun 11 11:04:51 EDT 2001

	Again, you've got delegation problems.  Here, the parent servers 
for the .doe.gov zone have said that the authoritative servers for 
this child zone are eagle.doegjpo.com and ernest.doegjpo.com; however, 
when you ask them directly, you are told that the servers are instead 
eagle.gjo.doe.gov and ernest.gjo.doe.gov.  Even if the IP addresses 
are the same, this mis-match in the fully qualified domain name (FQDN) 
of the authoritative servers is likely to cause serious problems.

>  I can't figure out what the difference is between using the doegjpo.com and
>  the gjo.doe.gov domains if the IPs are the same in their files.  Any hints
>  on what I'm missing?  Thanks in advance!

	You need to get your delegation problems fixed.  If you want the 
latest version of doc (so that you can do your own debugging), see 
<ftp://ftp.shub-internet.org/pub/shub/brad/dns/> and grab the 2.2 
tarball (for BIND 9).  You may also want to look at doing some 
additional DNS debugging using the "dnswalk" tool (see 
<http://www.sourceforge.net/projects/dnswalk/>).

	I note that you appear to be running BIND 9.1.0 on 
foxbat.doe.gov, and BIND 9.1.1 on fulcrum.doe.gov.  If you are 
actually running these old versions, I would strongly suggest that 
you upgrade to the latest 9.1.2-REL or 9.1.3-rc versions, because of 
bugs that have since been fixed.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
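
The delegation checks that the three doc runs above perform, as an added example (this is not code from Brad's post or from the doc tool): compare the NS set the parent hands out with the NS set the zone's own servers return, and classify each difference the way the post does (a parent-listed server the zone does not name is "lame", a zone-listed server the parent never delegates to is an "orphan"). It also checks for the condition a delegation to in-zone names such as eagle.gjo.doe.gov depends on, glue A records from the parent, since without them a resolver has nowhere to go for the zone's own servers; that is the standard cause of the kind of resolver stall the original poster describes, though the post itself does not confirm it. The input data is transcribed from the doc output above; the glue addresses for eagle and ernest, the second PTR entry, and the GJO_WANTED case (the poster's desired configuration with no glue) are constructed and marked as such. A live version would populate the Delegation records from NS, A and PTR queries, which is left out so the block runs offline.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Added example (not from the post or from the doc tool): the checks that
# "doc -d" performs, run over data transcribed from the three doc runs above.
# Live use would fill Delegation from NS/A/PTR queries; omitted so this runs offline.


def norm(name: str) -> str:
    """Canonical form: lower-case, no trailing dot (eagle.doegjpo.com. == eagle.doegjpo.com)."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name lies inside zone, so it can only be resolved through zone itself."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)


@dataclass
class Delegation:
    zone: str
    parent_ns: set[str]                      # NS names the parent's servers hand out
    parent_glue: dict[str, set[str]]         # NS name -> A records the parent sends as glue
    child_ns: dict[str, Optional[set[str]]]  # server asked -> NS set in its answer, None if not authoritative


def check_delegation(d: Delegation) -> list[tuple[str, str]]:
    """Return (finding, name) pairs in the order doc reports them."""
    zone = norm(d.zone)
    parent = {norm(n) for n in d.parent_ns}
    glue = {norm(k): v for k, v in d.parent_glue.items()}
    findings: list[tuple[str, str]] = []

    # In-bailiwick NS names are unreachable without glue: a resolver would
    # have to ask the zone in order to find the zone's own servers.
    for ns in sorted(parent):
        if in_bailiwick(ns, zone) and not glue.get(ns):
            findings.append(("MISSING_GLUE", ns))

    answers: dict[str, set[str]] = {}
    for server, ns_set in d.child_ns.items():
        if ns_set is None:
            findings.append(("NOT_AUTHORITATIVE", norm(server)))  # classic lame server
        else:
            answers[norm(server)] = {norm(n) for n in ns_set}
    if len({frozenset(s) for s in answers.values()}) > 1:
        findings.append(("CHILD_NS_DISAGREE", zone))

    child = set().union(*answers.values()) if answers else set()
    for ns in sorted(parent - child):      # parent delegates to it, zone does not list it
        findings.append(("LAME", ns))
    for ns in sorted(child - parent):      # zone lists it, parent never delegates to it
        findings.append(("ORPHAN", ns))
    return findings


def check_ptr(ptr: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Flag addresses carrying more than one PTR name; most software only uses one."""
    return [("MULTIPLE_PTR", ip) for ip, names in ptr.items() if len(names) > 1]


# doegjpo.com as doc saw it.  The post does not say which glue address belongs
# to which host, so RFC 5737 documentation addresses stand in (constructed).
_DOEGJPO_CHILD = {"doegjpo.com.", "eagle.doegjpo.com.", "ernest.doegjpo.com."}
DOEGJPO = Delegation(
    zone="doegjpo.com",
    parent_ns={"dca-ans-01.inet.qwest.net.", "eagle.doegjpo.com.", "ernest.doegjpo.com."},
    parent_glue={"eagle.doegjpo.com.": {"192.0.2.1"}, "ernest.doegjpo.com.": {"192.0.2.2"}},
    child_ns={s: set(_DOEGJPO_CHILD) for s in ("dca-ans-01.inet.qwest.net.", "eagle.doegjpo.com.", "ernest.doegjpo.com.")},
)

# gjo.doe.gov as currently delegated (out-of-zone NS names, so no glue is required).
_GJO_CHILD = {"eagle.gjo.doe.gov.", "ernest.gjo.doe.gov."}
GJO_NOW = Delegation(
    zone="gjo.doe.gov",
    parent_ns={"eagle.doegjpo.com.", "ernest.doegjpo.com."},
    parent_glue={},
    child_ns={"eagle.doegjpo.com.": set(_GJO_CHILD), "ernest.doegjpo.com.": set(_GJO_CHILD)},
)

# Hypothetical: the poster's desired delegation to in-zone names, with no glue supplied.
GJO_WANTED = Delegation(
    zone="gjo.doe.gov",
    parent_ns=set(_GJO_CHILD),
    parent_glue={},
    child_ns={"eagle.gjo.doe.gov.": set(_GJO_CHILD), "ernest.gjo.doe.gov.": set(_GJO_CHILD)},
)

# PTR names for 199.117.220.9 are from the post; the 192.0.2.1 entry is constructed.
PTRS = {
    "199.117.220.9": ["gjpomail.gjo.doe.gov", "gjpomail.doegjpo.com", "doegjpo.com"],
    "192.0.2.1": ["eagle.doegjpo.com"],
}

if __name__ == "__main__":
    for d in (DOEGJPO, GJO_NOW, GJO_WANTED):
        print(d.zone, check_delegation(d))
    print("ptr", check_ptr(PTRS))
```

Run as-is it reports the two doegjpo.com findings doc flagged, the four-way name mismatch for gjo.doe.gov, the missing glue that the poster's intended configuration would need, and the three-name PTR. Names are normalised before comparison so that a trailing dot or a case difference never masquerades as a lame or orphan server.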


More information about the bind-users mailing list