Problem with forward zone and recursion

David Botham dns at botham.net
Tue Oct 1 19:51:26 UTC 2002


You seem to have some circular delegation going on here (also, see other
inline comments on your assumptions regarding the dns resolution
process, below...):

C:\Documents and Settings\dbotham>dig ns 129.11.200.in-addr.arpa @DNS.CANTV.NET +trace

; <<>> DiG 9.2.1 <<>> ns 129.11.200.in-addr.arpa @DNS.CANTV.NET +trace
;; global options:  printcmd
.                       80172   IN      NS      J.ROOT-SERVERS.NET.
.                       80172   IN      NS      K.ROOT-SERVERS.NET.
.                       80172   IN      NS      L.ROOT-SERVERS.NET.
.                       80172   IN      NS      M.ROOT-SERVERS.NET.
.                       80172   IN      NS      I.ROOT-SERVERS.NET.
.                       80172   IN      NS      E.ROOT-SERVERS.NET.
.                       80172   IN      NS      D.ROOT-SERVERS.NET.
.                       80172   IN      NS      A.ROOT-SERVERS.NET.
.                       80172   IN      NS      H.ROOT-SERVERS.NET.
.                       80172   IN      NS      C.ROOT-SERVERS.NET.
.                       80172   IN      NS      G.ROOT-SERVERS.NET.
.                       80172   IN      NS      F.ROOT-SERVERS.NET.
.                       80172   IN      NS      B.ROOT-SERVERS.NET.
;; Received 436 bytes from 200.44.32.11#53(DNS.CANTV.NET) in 610 ms

arpa.                   518400  IN      NS      A.ROOT-SERVERS.NET.
arpa.                   518400  IN      NS      H.ROOT-SERVERS.NET.
arpa.                   518400  IN      NS      C.ROOT-SERVERS.NET.
arpa.                   518400  IN      NS      G.ROOT-SERVERS.NET.
arpa.                   518400  IN      NS      F.ROOT-SERVERS.NET.
arpa.                   518400  IN      NS      B.ROOT-SERVERS.NET.
arpa.                   518400  IN      NS      I.ROOT-SERVERS.NET.
arpa.                   518400  IN      NS      E.ROOT-SERVERS.NET.
arpa.                   518400  IN      NS      D.ROOT-SERVERS.NET.
;; Received 345 bytes from 198.41.0.10#53(J.ROOT-SERVERS.NET) in 180 ms

200.in-addr.arpa.       86400   IN      NS      ARROWROOT.ARIN.NET.
200.in-addr.arpa.       86400   IN      NS      BUCHU.ARIN.NET.
200.in-addr.arpa.       86400   IN      NS      CHIA.ARIN.NET.
200.in-addr.arpa.       86400   IN      NS      DILL.ARIN.NET.
200.in-addr.arpa.       86400   IN      NS      NS.LACNIC.ORG.
200.in-addr.arpa.       86400   IN      NS      NS.DNS.BR.
200.in-addr.arpa.       86400   IN      NS      NS2.DNS.BR.
;; Received 231 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 160 ms

129.11.200.in-addr.arpa. 86400  IN      NS      DNS1.TRUE.NET.
129.11.200.in-addr.arpa. 86400  IN      NS      DNS.TRUE.NET.
129.11.200.in-addr.arpa. 86400  IN      NS      DNS.CANTV.NET.
;; Received 110 bytes from 192.100.59.110#53(BUCHU.ARIN.NET) in 110 ms

200.in-addr.arpa.       80095   IN      NS      ARROWROOT.ARIN.NET.
200.in-addr.arpa.       80095   IN      NS      BUCHU.ARIN.NET.
200.in-addr.arpa.       80095   IN      NS      CHIA.ARIN.NET.
200.in-addr.arpa.       80095   IN      NS      DILL.ARIN.NET.
200.in-addr.arpa.       80095   IN      NS      NS.LACNIC.ORG.
200.in-addr.arpa.       80095   IN      NS      NS.DNS.BR.
200.in-addr.arpa.       80095   IN      NS      NS2.DNS.BR.
;; Received 311 bytes from 200.11.130.10#53(DNS.TRUE.NET) in 160 ms

129.11.200.in-addr.arpa. 86400  IN      NS      DNS1.TRUE.NET.
129.11.200.in-addr.arpa. 86400  IN      NS      DNS.TRUE.NET.
129.11.200.in-addr.arpa. 86400  IN      NS      DNS.CANTV.NET.
;; Received 110 bytes from 198.133.199.110#53(ARROWROOT.ARIN.NET) in 170 ms

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Luis Muñoz
> Sent: Tuesday, October 01, 2002 3:05 PM
> To: bind-users at isc.org
> Subject: Problem with forward zone and recursion
>
> Hi folks:
>
> In my network, we're running BIND 8.2.4_REL. (I know an upgrade is due, but
> this question is in part to help me decide to which version).
>
> I have a number of zones configured like this at the authoritative
> servers:
>
> zone "129.11.200.in-addr.arpa" {
>         type forward;
>         forward only;
>         forwarders { 200.44.32.89; 200.44.32.88; };
> };
>
> The problem is that the answers are only found when recursion is specified
> in the query. This obviously won't work when said query comes from a name
> server, as in these cases the recursion would not be requested. This is an
> example:

Wrong.  Yes, name servers perform iterative queries by default, however,
they follow the referrals they receive to get the final answer.


>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +norecurse

If 200.44.32.10 is not the authoritative name server this is not
supposed to work. In other words, if you are asking a name server to
answer a question it does not have loaded, and you are telling it not to
ask anyone else, you can't expect it to give you anything else but a
referral (which is what you got).

>
> ; <<>> DiG 8.3 <<>> @200.44.32.10 -x +norecurse
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58582
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7
> ;; QUERY SECTION:
> ;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; AUTHORITY SECTION:
> 200.in-addr.arpa.       2h4m40s IN NS   ARROWROOT.ARIN.NET.
> 200.in-addr.arpa.       2h4m40s IN NS   BUCHU.ARIN.NET.
> 200.in-addr.arpa.       2h4m40s IN NS   CHIA.ARIN.NET.
> 200.in-addr.arpa.       2h4m40s IN NS   DILL.ARIN.NET.
> 200.in-addr.arpa.       2h4m40s IN NS   NS.LACNIC.ORG.
> 200.in-addr.arpa.       2h4m40s IN NS   NS.DNS.BR.
> 200.in-addr.arpa.       2h4m40s IN NS   NS2.DNS.BR.
>
> ;; ADDITIONAL SECTION:
> ARROWROOT.ARIN.NET.     17m46s IN A     198.133.199.110
> BUCHU.ARIN.NET.         1h16m39s IN A   192.100.59.110
> CHIA.ARIN.NET.          19m17s IN A     192.5.6.32
> DILL.ARIN.NET.          19m16s IN A     192.35.51.32
> NS.LACNIC.ORG.          14m57s IN A     200.160.0.7
> NS.DNS.BR.              14h7m24s IN A   200.160.0.5
> NS2.DNS.BR.             10h3m38s IN A   200.19.119.99
>
> ;; Total query time: 19 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
> ;; WHEN: Tue Oct  1 13:46:47 2002
> ;; MSG SIZE  sent: 45  rcvd: 315
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +recurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.10 -x +recurse
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22129
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa.  1H IN PTR dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 72 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
> ;; WHEN: Tue Oct  1 13:46:55 2002
> ;; MSG SIZE  sent: 45  rcvd: 109
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +recurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.10 -x +recurse
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7
> ;; QUERY SECTION:
> ;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa.  59m52s IN PTR dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; AUTHORITY SECTION:
> 200.in-addr.arpa.       2h4m24s IN NS   ARROWROOT.ARIN.net.
> 200.in-addr.arpa.       2h4m24s IN NS   BUCHU.ARIN.net.
> 200.in-addr.arpa.       2h4m24s IN NS   CHIA.ARIN.net.
> 200.in-addr.arpa.       2h4m24s IN NS   DILL.ARIN.net.
> 200.in-addr.arpa.       2h4m24s IN NS   NS.LACNIC.ORG.
> 200.in-addr.arpa.       2h4m24s IN NS   NS.DNS.BR.
> 200.in-addr.arpa.       2h4m24s IN NS   NS2.DNS.BR.
>
> ;; ADDITIONAL SECTION:
> ARROWROOT.ARIN.net.     17m30s IN A     198.133.199.110
> BUCHU.ARIN.net.         1h16m23s IN A   192.100.59.110
> CHIA.ARIN.net.          19m1s IN A      192.5.6.32
> DILL.ARIN.net.          19M IN A        192.35.51.32
> NS.LACNIC.ORG.          14m41s IN A     200.160.0.7
> NS.DNS.BR.              14h7m8s IN A    200.160.0.5
> NS2.DNS.BR.             10h3m22s IN A   200.19.119.99
>
> ;; Total query time: 89 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
> ;; WHEN: Tue Oct  1 13:47:03 2002
> ;; MSG SIZE  sent: 45  rcvd: 376
>
> After this point, and until the RR expires, I can get the expected answers
> from BIND's cache even with recursion turned off.

Yes, you can.  At this point, the server in question now has the answer
and will give it back to you, even without recursion, because recursion
is not necessary to find the answer (that is, the name server in
question has the answer to your question in cache).  And yes, once the
ttl expires, recursion will once again be necessary.


>
> However, when I query the server to which the zones are forwarded, I get an
> answer no matter what the recursion bit is set to:

Yes, this is also normal.  If you ask the server that has the zone
loaded, it will always have the answer and give it to you regardless of
whether you asked for recursion or not.


>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.89 -x 200.11.129.235 +recurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.89 -x +recurse
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14945
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa.  1H IN PTR dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 305 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.89
> ;; WHEN: Tue Oct  1 13:48:11 2002
> ;; MSG SIZE  sent: 45  rcvd: 109
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.89 -x 200.11.129.235 +norecurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.89 -x +norecurse
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53497
> ;; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa.  1H IN PTR dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 260 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.89
> ;; WHEN: Tue Oct  1 13:48:14 2002
> ;; MSG SIZE  sent: 45  rcvd: 109
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.88 -x 200.11.129.235 +recurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.88 -x +recurse
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62878
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa.  1H IN PTR dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 84 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.88
> ;; WHEN: Tue Oct  1 13:48:26 2002
> ;; MSG SIZE  sent: 45  rcvd: 109
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.88 -x 200.11.129.235 +norecurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.88 -x +norecurse
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35029
> ;; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa.  1H IN PTR dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 171 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.88
> ;; WHEN: Tue Oct  1 13:48:29 2002
> ;; MSG SIZE  sent: 45  rcvd: 109
>
> I would like to know if this is a bug or a feature. If it is a bug, does
> anybody know which version of BIND fixes this?
>
> Thanks a lot and please excuse the lengthy post.
>
> Regards.
>
> -lem
>
> --
>  --
> #!/usr/bin/perl -w
> use strict;
> $_[$_]=0 for 0..7;my$i;
> for my$a(grep{s@^00@@}unpack'B8'x28,join'',map{chr}split/\*+/,q{61*31*28*
> 32*20*40*25*63*63*9*52*58*49*18*30*47*20*2*10*4*8*63*63*1*36*2*13*30}){$i
> =0;grep{$_[$i++].=$_}split //,$a;length$_[0]==8&&print pack'B8',$_ for@_;
> length$_[0]==8&&grep{$_=0}@_;}print"\n";
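
Added example, not part of the original thread: a small Python classifier for the dig header lines discussed above, separating a referral, an authoritative answer, and an answer served without authority using the `aa`/`rd` flags and section counts. The sample lines are constructed from the headers quoted in the thread; the function and label names are illustrative assumptions.

```python
import re

# Constructed samples modelled on the dig header lines quoted in the thread.
SAMPLES = {
    "norecurse, cold cache":  ";; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7",
    "recurse, forwarded":     ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0",
    "recurse, warm cache":    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7",
    "norecurse, warm cache":  ";; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7",
    "norecurse, zone loaded": ";; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0",
}

HEADER_RE = re.compile(
    r";; flags:\s*(?P<flags>[a-z ]*);\s*QUERY:\s*\d+,\s*ANSWER:\s*(?P<an>\d+),"
    r"\s*AUTHORITY:\s*(?P<ns>\d+),\s*ADDITIONAL:\s*\d+"
)

def parse_header(line):
    """Return (flag set, answer count, authority count) from a dig flags line."""
    m = HEADER_RE.search(line)  # search() tolerates a leading "> " quote prefix
    if m is None:
        raise ValueError("not a dig flags line: %r" % line)
    return set(m.group("flags").split()), int(m.group("an")), int(m.group("ns"))

def classify(line):
    """Label a response by what its header alone proves."""
    flags, answers, authority = parse_header(line)
    if answers > 0 and "aa" in flags:
        return "authoritative answer"      # zone data, or aa passed through
    if answers > 0 and "rd" not in flags:
        return "cached answer"             # no recursion asked, yet data returned
    if answers > 0:
        return "non-authoritative answer"  # cache or fresh recursion
    if authority > 0:
        return "referral"                  # only NS records: go ask those servers
    return "empty"

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print("%-24s -> %s" % (label, classify(line)))
```
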


