need help figuring this MX /A record query problem out

King, John (Greg) (OAO-HOU) jking at houston.oao.com
Thu May 17 12:55:01 UTC 2001


Okay, first, thanks for the input!

Now, to help me find the problem without messing with the production server, I
built a test box this morning and installed the latest BIND version, 8.2.3,
now that the ISC FTP site is up. I compiled it with GCC 2.95.2 for the SPARC
running Solaris 2.6 (both the production and test boxes are running 2.6).

The configs are the same minus a lot of extra zone info (just the basic info
to get it working, although the db.some.dom.ain file is an exact copy from
the production system) and the differences in IP addresses and hostnames.

Everything compiled well and installed normally. Named is running under a
non-privileged account instead of root. All data files are readable by the
non-privileged ID. No errors show up in the logs. There are no caching
nameservers, and all DNS servers run the same build on the same OS and
hardware.


First test, using dig to query the hsc.com MX records:

; <<>> DiG 8.3 <<>> -t hsc.com 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
;; QUERY SECTION:
;;      hsc.com, type = MX, class = IN

;; ANSWER SECTION:
hsc.com.                1H IN MX        10 fw-es09.HAC.com.
hsc.com.                1H IN MX        20 fw-es05.HAC.com.

;; AUTHORITY SECTION:
hsc.com.                1H IN NS        fw-es06.HAC.com.
hsc.com.                1H IN NS        fw-es10.HAC.com.

;; ADDITIONAL SECTION:
fw-es09.HAC.com.        1H IN A         128.152.1.25
fw-es05.HAC.com.        1H IN A         128.152.1.5
fw-es06.HAC.com.        1H IN A         128.152.1.6
fw-es10.HAC.com.        1H IN A         128.152.1.26

;; Total query time: 386 msec
;; FROM: testbox to SERVER: default -- 127.0.0.1
;; WHEN: Thu May 17 07:37:33 2001
;; MSG SIZE  sent: 25  rcvd: 185


Second test, following the first. Note that I get only 2 additional records
instead of 4. Why is this? I think this is where the records are going away.
If I stop and start BIND I can get the first lookup every time; any
subsequent lookups don't return all the info, though.


; <<>> DiG 8.3 <<>> -t debug hsc.com 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      hsc.com, type = MX, class = IN

;; ANSWER SECTION:
hsc.com.                53m20s IN MX    10 fw-es09.HAC.com.
hsc.com.                53m20s IN MX    20 fw-es05.HAC.com.

;; AUTHORITY SECTION:
hsc.com.                1d23h53m20s IN NS  FW-ES06.HAC.com.
hsc.com.                1d23h53m20s IN NS  FW-ES10.HAC.com.

;; ADDITIONAL SECTION:
FW-ES06.HAC.com.        1d23h53m20s IN A  128.152.1.6
FW-ES10.HAC.com.        1d23h53m20s IN A  128.152.1.26

;; Total query time: 3 msec
;; FROM: testbox to SERVER: default -- 127.0.0.1
;; WHEN: Thu May 17 07:34:41 2001
;; MSG SIZE  sent: 25  rcvd: 153


Here's the named.conf
----------------------

logging {
        channel default_log {
                file "/var/log/named/named" versions 5;
                print-time yes;
                print-category yes;
                print-severity yes;
        };
        category default { default_log; };
};
options {
        directory "path_to_dns_area";
        allow-transfer { x.x.x.x; };
        query-source address * port 53 ;
        allow-query { any; };
        statistics-interval 1440; // stats once per day is enough
        version "DNS server"; // every little bit helps
};

zone "." in {
        type hint;
        file "db.cache";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};

zone "some.dom.ain" in {
        type master;
        file "db.some.dom.ain";
        check-names ignore;
        allow-update { none; };
        allow-query { any; };
        allow-transfer { x.x.x.x; };
        notify no;
};



-----Original Message-----
From: Brad Knowles [mailto:brad.knowles at skynet.be]
Sent: Wednesday, May 16, 2001 2:42 PM
To: King, John (Greg) (OAO-HOU); 'bind-users at isc.org'
Subject: Re: need help figuring this MX /A record query problem out


At 2:14 PM -0500 5/16/01, King, John (Greg) (OAO-HOU) wrote:

>  Anyone clue me in here? Could the firewall be doing it or is it local to
>  this nameserver? If so, what and how the heck do I fix it?  Thanks!

	"nslookup" is evil.  If you really want to be able to debug your 
DNS, you need to use a better tool, such as "dig".  You may also want 
to consider more advanced tools, such as "doc".

	Problems such as you mention can result from having caching 
nameservers running different versions of BIND, among other things.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
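The difference between the two dig outputs above is that the first answer carries the `aa` flag and A records for all four HAC.com hosts, while the second, served from cache without `aa`, still lists both MX exchangers but only has glue for the two NS names. The following script, added here as an example and not part of the original thread or of BIND, makes that comparison mechanical: it parses dig 8-style text output into sections and reports every MX exchanger (from ANSWER) and every NS target (from AUTHORITY) that has no IN A record in ADDITIONAL. The two sample responses are constants copied from the post; names are compared case-insensitively because the cached answer returns `FW-ES06.HAC.com` in upper case. Note that additional-section glue is optional in DNS, so a mail or resolver client must be prepared to look up the exchanger's A record itself, and glue in a non-authoritative (no `aa`) answer is only as trustworthy as whatever that cache accepted.

```python
"""Report MX/NS targets in a dig response that lack A-record glue in ADDITIONAL.

Assumes dig 8-style text output as pasted in the bind-users thread. Only IN A
records in the ADDITIONAL section count as glue; names compare case-insensitively.
"""
import re
from collections import namedtuple

RR = namedtuple("RR", "name ttl rclass rtype rdata")

SECTION_RE = re.compile(r"^;; (QUERY|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")


def parse_dig(text):
    """Return (flags, sections): flags is a set like {'qr','aa','rd','ra'},
    sections maps ANSWER/AUTHORITY/ADDITIONAL to lists of RR (names lower-cased)."""
    flags = set()
    sections = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        # Skip ';'-prefixed comment lines and the QUERY section (which is not RR data).
        if line.startswith(";") or current not in sections:
            continue
        fields = line.split()
        if len(fields) < 5:  # name ttl class type rdata...
            continue
        name, ttl, rclass, rtype = fields[:4]
        sections[current].append(RR(name.lower(), ttl, rclass, rtype, fields[4:]))
    return flags, sections


def is_authoritative(text):
    """True if the response header carried the 'aa' flag."""
    flags, _ = parse_dig(text)
    return "aa" in flags


def targets_without_glue(text):
    """Map 'MX' and 'NS' to the target names that have no IN A record in ADDITIONAL.
    MX targets are taken from ANSWER (rdata: preference, exchange); NS from AUTHORITY."""
    _, sections = parse_dig(text)
    glue = {rr.name for rr in sections["ADDITIONAL"]
            if rr.rclass == "IN" and rr.rtype == "A"}
    wanted = {
        "MX": [rr.rdata[1].lower() for rr in sections["ANSWER"] if rr.rtype == "MX"],
        "NS": [rr.rdata[0].lower() for rr in sections["AUTHORITY"] if rr.rtype == "NS"],
    }
    return {rtype: [n for n in names if n not in glue] for rtype, names in wanted.items()}


# Constructed samples: the two responses from the thread, trimmed to header and sections.
FIRST_RESPONSE = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
;; QUERY SECTION:
;;      hsc.com, type = MX, class = IN
;; ANSWER SECTION:
hsc.com.                1H IN MX        10 fw-es09.HAC.com.
hsc.com.                1H IN MX        20 fw-es05.HAC.com.
;; AUTHORITY SECTION:
hsc.com.                1H IN NS        fw-es06.HAC.com.
hsc.com.                1H IN NS        fw-es10.HAC.com.
;; ADDITIONAL SECTION:
fw-es09.HAC.com.        1H IN A         128.152.1.25
fw-es05.HAC.com.        1H IN A         128.152.1.5
fw-es06.HAC.com.        1H IN A         128.152.1.6
fw-es10.HAC.com.        1H IN A         128.152.1.26
"""

SECOND_RESPONSE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
hsc.com.                53m20s IN MX    10 fw-es09.HAC.com.
hsc.com.                53m20s IN MX    20 fw-es05.HAC.com.
;; AUTHORITY SECTION:
hsc.com.                1d23h53m20s IN NS  FW-ES06.HAC.com.
hsc.com.                1d23h53m20s IN NS  FW-ES10.HAC.com.
;; ADDITIONAL SECTION:
FW-ES06.HAC.com.        1d23h53m20s IN A  128.152.1.6
FW-ES10.HAC.com.        1d23h53m20s IN A  128.152.1.26
"""

if __name__ == "__main__":
    for label, resp in (("first", FIRST_RESPONSE), ("second", SECOND_RESPONSE)):
        print(label, "aa=%s" % is_authoritative(resp), "missing glue:", targets_without_glue(resp))
```

Run against the two pasted responses it reports no missing glue for the authoritative answer and, for the cached one, both MX exchangers (fw-es09 and fw-es05) missing while the NS glue is intact, which is exactly the 4-versus-2 difference the post describes. To use it on live output, pipe `dig @server hsc.com mx` into the parser instead of the constants.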

