Bind 9.1.3 classless delegation problems?

Simon Waters Simon at wretched.demon.co.uk
Wed Mar 20 22:47:09 UTC 2002


Thomas Kiblin wrote:
> 
> That customer is having problems while running his irc bots and servers,
> with A records not being found.
> 
> Talking to our upstream, they seem to think that a problem exist with bind
> doing classless delegation.

Well if BIND can't do it... ;)
 
> If they query our servers, everything is fine.  If they query outside
> servers, errors about no A records being found is very high.

More description of the problem would help, i.e. which servers
can't query this?

IP addresses and queries tried please.....

Copy of error messages?

> One of the example IP's is 205.177.13.231, or .129-254.

Okay the basics seem to be in place fine.... some minor stuff.

Why 900 sec's for leenoox.org default TTL? Seems a tad short,
but should work okay.

The servers (I'm assuming leenox.org is yours or your customers)
allow zone transfer from anywhere. 

I assume "just.hacked.your.leenoox.org" is a joke? If not this
could indicate a problem ;)

The servers allow recursion, which shouldn't be a problem, but
shouldn't be needed, and can make troubleshooting harder.

All your name servers appear to be on the same subnet, so 15
minutes of routing glitch and every zone is toast......


Okay (even more) serious stuff....

CNAMEs - deferring to Barry's comment in another thread, if
CNAMEs are not evil as such, you can certainly use them to make
a mess of a zone. Whilst they have their place in delegating
subnets smaller than a class C, you probably don't want the ones
in the forward zone for leenoox.org....

ftp.leenoox.org.        900     IN      CNAME   leenoox.org.
mail.leenoox.org.       900     IN      CNAME   leenoox.org.
ns1.leenoox.org.        900     IN      CNAME   leenoox.org.
www.leenoox.org.        900     IN      CNAME   leenoox.org.

In particular...

leenoox.org.            900     IN      NS      ns1.leenoox.org.
leenoox.org.            900     IN      MX      10 mail.leenoox.org.

...break the rules by using a CNAME on the right hand side. I
think the dire warnings Cricket gives about doing this for MX's
and sendmail, are less of a problem these days, but it is easier
to turn ns1.leenoox.org and mail.leenoox.org into A records than
figure out if you are getting all the e-mail you expect, or if
you are breaking old versions of BIND.

Nothing I found seems to perturb BIND 9, other name servers
might baulk at some of these issues.

I'm slightly surprised you managed to persuade BIND 9 to load
this zone, and get a working secondary, BIND 9 is obviously more
mellow than I thought.
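The NS/MX-pointing-at-a-CNAME problem Simon describes above can be caught before a zone is loaded. The following lint is an added example, not code from the thread or from BIND: it parses a constructed copy of the quoted leenoox.org records, flags NS and MX targets whose owner has a CNAME, and rewrites them as A records the way the reply suggests. Only one-level CNAMEs and the simple "owner ttl IN type rdata" line form are assumed.

```python
"""Lint a zone for NS/MX targets that are CNAMEs (RFC 2181 s10.3 forbids it)."""
from collections import defaultdict

# Constructed sample, modelled on the leenoox.org records quoted in the reply.
ZONE = """
leenoox.org.            900 IN NS    ns1.leenoox.org.
leenoox.org.            900 IN MX 10 mail.leenoox.org.
leenoox.org.            900 IN A     205.177.13.231
ftp.leenoox.org.        900 IN CNAME leenoox.org.
mail.leenoox.org.       900 IN CNAME leenoox.org.
ns1.leenoox.org.        900 IN CNAME leenoox.org.
www.leenoox.org.        900 IN CNAME leenoox.org.
"""

def parse_zone(text):
    """Return {owner: [(rtype, rdata_tokens)]} from 'owner ttl IN type rdata' lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # blank, comment or a form this simple parser does not handle
        records[parts[0].lower()].append((parts[3].upper(), parts[4:]))
    return records

def cname_targets(records):
    """List (owner, rtype, target) for every NS/MX whose target owns a CNAME."""
    findings = []
    for owner, rrs in records.items():
        for rtype, rdata in rrs:
            if rtype == "NS":
                target = rdata[0].lower()
            elif rtype == "MX":
                target = rdata[1].lower()   # rdata[0] is the preference
            else:
                continue
            # Targets outside the zone are unknown here and are skipped.
            if any(t == "CNAME" for t, _ in records.get(target, [])):
                findings.append((owner, rtype, target))
    return findings

def rewrite_targets_as_a(records, findings):
    """Replace each offending CNAME with the A records of its (one-level) target."""
    fixed = {k: list(v) for k, v in records.items()}
    for _, _, target in findings:
        cname_to = next(r[0].lower() for t, r in fixed[target] if t == "CNAME")
        addrs = [r for t, r in fixed.get(cname_to, []) if t == "A"]
        kept = [(t, r) for t, r in fixed[target] if t != "CNAME"]
        fixed[target] = kept + [("A", a) for a in addrs]
    return fixed

if __name__ == "__main__":
    for f in cname_targets(parse_zone(ZONE)):
        print("%s %s -> %s is a CNAME" % f)
```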

