Problem resolving some domains

Mark_Andrews at isc.org
Thu Oct 18 01:32:09 UTC 2001


> 
> <9qk4ri$qp4 at pub3.rc.vix.com> divulged:
> 
> >> | root at alvarez:/# skill -v /usr/sbin/named
> >> | > sent #23882 a TERM (named executing /usr/sbin/named)
> >> | root at alvarez:/# su - named -c /usr/sbin/named
> >
> >	You really expect us to believe that named started and
> >	bound itself to a reserved port when running as the user
> >	named.
> >
> >	This is a well known limitation of BIND 4 and BIND 8 (<8.3).
> 
> cut and paste error.  the `su - named -c' actually preceded the `skill',
> named was run with ``env - /usr/sbin/named''.
> 
> since i have nothing to gain by claiming it functional in (my) 4.9.8 and
> you are being, umm, terse, i'll go find why it worked myself.  (there are
> no forwarders configured.  i have altered the code to setreuid between
> named and root, and to exclude the version responding code.  i doubt that
> my code, horrible as it might be, could have changed the way resolution
> happens; it's just after the fork, and in getnetconf and opensocket, though
> that's from memory, i'll have to go check the patch file to be sure there
> aren't other spots.)
> 
> -- 
> okay, have a sig then
> 

	Show version.

drugs# what named/named
named/named:
        named 4.9.8-REL Thu Oct 18 10:54:01 EST 2001 marka at drugs.dv.isc.org:/usr/home/marka/cvs/cur/bind4/named
        db_dump.c       4.33 (Berkeley) 3/3/91
        db_load.c       4.38 (Berkeley) 3/2/91
        db_lookup.c     4.18 (Berkeley) 3/21/91
        db_reload.c     4.22 (Berkeley) 3/21/91
        db_save.c       4.16 (Berkeley) 3/21/91
        db_update.c     4.28 (Berkeley) 3/21/91
        db_glue.c       4.4 (Berkeley) 6/1/90
        ns_forw.c       4.32 (Berkeley) 3/3/91
        ns_init.c       4.38 (Berkeley) 3/21/91
        ns_main.c       4.55 (Berkeley) 7/1/91
         Copyright (c) 1986, 1989, 1990 The Regents of the University of California.
        ns_maint.c      4.39 (Berkeley) 3/2/91
        ns_req.c        4.47 (Berkeley) 7/1/91
        ns_resp.c       4.65 (Berkeley) 3/3/91
        ns_sort.c       4.10 (Berkeley) 3/3/91
        ns_stats.c      4.10 (Berkeley) 6/27/90

	Show configuration.

drugs# cat /etc/named.boot
directory /var/named
cache . /var/named/master/rootservers

	Prove named is not running.

drugs# dig www.passau.de @localhost

; <<>> DiG 8.3 <<>> www.passau.de @localhost 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server localhost  127.0.0.1: Connection refused

	Start named.

drugs# named/named

	Demonstrate failure.  ns_resp.c will drop any additional records
	that are returned from the de servers as part of the anti-cache
	poisoning rules.  The nameserver will then attempt to look up
	the addresses of ns.nameserver121.com and ns2.nameserver121.com
	which in turn requires looking up the address of NS2.ONE-2-ONE.DE
	and NS.ONE-2-ONE.NET, this lookup is blocked to prevent infinite
	looping.

drugs# dig www.passau.de @localhost

; <<>> DiG 8.3 <<>> www.passau.de @localhost 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server localhost  127.0.0.1: Operation timed out

	Show that we have the NS record for passau.de and the above
	description was not BS.

drugs# dig www.passau.de @localhost +norec

; <<>> DiG 8.3 <<>> www.passau.de @localhost +norec 
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48080
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.passau.de, type = A, class = IN

;; AUTHORITY SECTION:
passau.de.              23h59m47s IN NS  ns.nameserver121.com.
passau.de.              23h59m47s IN NS  ns2.nameserver121.com.

;; Total query time: 1 msec
;; FROM: drugs.dv.isc.org to SERVER: localhost  127.0.0.1
;; WHEN: Thu Oct 18 11:01:59 2001
;; MSG SIZE  sent: 31  rcvd: 92

	Demonstrate that it still fails.

drugs# dig www.passau.de @localhost

; <<>> DiG 8.3 <<>> www.passau.de @localhost 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server localhost  127.0.0.1: Operation timed out

drugs# dig www.passau.de @localhost +norec

; <<>> DiG 8.3 <<>> www.passau.de @localhost +norec 
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25001
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.passau.de, type = A, class = IN

;; AUTHORITY SECTION:
passau.de.              23h59m13s IN NS  ns.nameserver121.com.
passau.de.              23h59m13s IN NS  ns2.nameserver121.com.

;; Total query time: 0 msec
;; FROM: drugs.dv.isc.org to SERVER: localhost  127.0.0.1
;; WHEN: Thu Oct 18 11:03:31 2001
;; MSG SIZE  sent: 31  rcvd: 92

	Look up the ns records for nameserver121.com which triggers
	additional fetching.  This succeeds which in turn allows the
	lookup of www.passau.de to succeed.

drugs# dig ns nameserver121.com @localhost

; <<>> DiG 8.3 <<>> ns nameserver121.com @localhost 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      nameserver121.com, type = NS, class = IN

;; ANSWER SECTION:
nameserver121.com.      1d21h34m IN NS  NS2.ONE-2-ONE.DE.
nameserver121.com.      1d21h34m IN NS  NS.ONE-2-ONE.NET.

;; Total query time: 0 msec
;; FROM: drugs.dv.isc.org to SERVER: localhost  127.0.0.1
;; WHEN: Thu Oct 18 11:03:51 2001
;; MSG SIZE  sent: 35  rcvd: 95

drugs# dig www.passau.de @localhost

; <<>> DiG 8.3 <<>> www.passau.de @localhost 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      www.passau.de, type = A, class = IN

;; ANSWER SECTION:
www.passau.de.          1D IN A         195.243.207.132

;; AUTHORITY SECTION:
passau.de.              1D IN NS        ns.nameserver121.com.
passau.de.              1D IN NS        ns2.nameserver121.com.

;; ADDITIONAL SECTION:
ns.nameserver121.com.   1D IN A         195.94.80.1
ns2.nameserver121.com.  1D IN A         195.94.83.15

;; Total query time: 5405 msec
;; FROM: drugs.dv.isc.org to SERVER: localhost  127.0.0.1
;; WHEN: Thu Oct 18 11:04:05 2001
;; MSG SIZE  sent: 31  rcvd: 131

drugs# ps ax | grep named
17013  ??  Is     0:00.04 named/named
drugs# kill 17013
drugs# 

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
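
The failure and recovery shown in the transcript above, replayed as a toy model. This is an added example, not part of the original message and not BIND source. The zone and NS names are taken from the dig output; `MAX_NESTED`, the `ToyResolver` class, and the assumption that the ONE-2-ONE zones arrive with usable glue are modelling assumptions.

```python
# Added example: toy model, not BIND source. Names come from the dig output
# above; MAX_NESTED and the glue assumption are modelling assumptions.
DELEGATIONS = {  # zone -> NS host names, as shown in the transcript
    "passau.de": ["ns.nameserver121.com", "ns2.nameserver121.com"],
    "nameserver121.com": ["ns2.one-2-one.de", "ns.one-2-one.net"],
}
MAX_NESTED = 1  # assumed: an NS-address fetch may not start a further one


def in_bailiwick(owner, zone):
    """True if owner is the zone itself or a name below it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def filter_additional(server_zone, additional):
    """Keep only additional records the answering zone may speak for."""
    return {n: a for n, a in additional.items() if in_bailiwick(n, server_zone)}


class ToyResolver:
    def __init__(self):
        self.known = set()  # NS host names whose address is cached

    def reachable(self, zone, nested=0):
        """Can some server for zone be contacted at this nesting level?"""
        if zone not in DELEGATIONS:
            return True  # assumed: delegation arrives with in-bailiwick glue
        ok = False
        for host in DELEGATIONS[zone]:
            if host in self.known:
                ok = True
            elif nested + 1 <= MAX_NESTED:
                host_zone = host.split(".", 1)[1]
                if self.reachable(host_zone, nested + 1):
                    self.known.add(host)
                    ok = True
        return ok


def replay():
    """Replay the three recursive queries from the transcript."""
    r = ToyResolver()
    first = r.reachable("passau.de")           # www.passau.de: times out
    primed = r.reachable("nameserver121.com")  # dig ns nameserver121.com
    second = r.reachable("passau.de")          # www.passau.de: answers
    return first, primed, second


if __name__ == "__main__":
    glue = {"ns.nameserver121.com.": "195.94.80.1"}  # constructed referral glue
    print(filter_additional("de", glue), replay())
```

The out-of-bailiwick glue is discarded, so the first query needs two levels of nested address fetches and is refused; the explicit NS query caches the inner addresses, after which one nested level is enough.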


More information about the bind-users mailing list