Problem with forward zone and recursion
David Botham
dns at botham.net
Tue Oct 1 19:51:26 UTC 2002
You seem to have some circular delegation going on here (also, see other
inline comments on your assumptions regarding the dns resolution
process, below...):
C:\Documents and Settings\dbotham>dig ns 129.11.200.in-addr.arpa @DNS.CANTV.NET +trace
; <<>> DiG 9.2.1 <<>> ns 129.11.200.in-addr.arpa @DNS.CANTV.NET +trace
;; global options: printcmd
. 80172 IN NS J.ROOT-SERVERS.NET.
. 80172 IN NS K.ROOT-SERVERS.NET.
. 80172 IN NS L.ROOT-SERVERS.NET.
. 80172 IN NS M.ROOT-SERVERS.NET.
. 80172 IN NS I.ROOT-SERVERS.NET.
. 80172 IN NS E.ROOT-SERVERS.NET.
. 80172 IN NS D.ROOT-SERVERS.NET.
. 80172 IN NS A.ROOT-SERVERS.NET.
. 80172 IN NS H.ROOT-SERVERS.NET.
. 80172 IN NS C.ROOT-SERVERS.NET.
. 80172 IN NS G.ROOT-SERVERS.NET.
. 80172 IN NS F.ROOT-SERVERS.NET.
. 80172 IN NS B.ROOT-SERVERS.NET.
;; Received 436 bytes from 200.44.32.11#53(DNS.CANTV.NET) in 610 ms
arpa. 518400 IN NS A.ROOT-SERVERS.NET.
arpa. 518400 IN NS H.ROOT-SERVERS.NET.
arpa. 518400 IN NS C.ROOT-SERVERS.NET.
arpa. 518400 IN NS G.ROOT-SERVERS.NET.
arpa. 518400 IN NS F.ROOT-SERVERS.NET.
arpa. 518400 IN NS B.ROOT-SERVERS.NET.
arpa. 518400 IN NS I.ROOT-SERVERS.NET.
arpa. 518400 IN NS E.ROOT-SERVERS.NET.
arpa. 518400 IN NS D.ROOT-SERVERS.NET.
;; Received 345 bytes from 198.41.0.10#53(J.ROOT-SERVERS.NET) in 180 ms
200.in-addr.arpa. 86400 IN NS ARROWROOT.ARIN.NET.
200.in-addr.arpa. 86400 IN NS BUCHU.ARIN.NET.
200.in-addr.arpa. 86400 IN NS CHIA.ARIN.NET.
200.in-addr.arpa. 86400 IN NS DILL.ARIN.NET.
200.in-addr.arpa. 86400 IN NS NS.LACNIC.ORG.
200.in-addr.arpa. 86400 IN NS NS.DNS.BR.
200.in-addr.arpa. 86400 IN NS NS2.DNS.BR.
;; Received 231 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 160 ms
129.11.200.in-addr.arpa. 86400 IN NS DNS1.TRUE.NET.
129.11.200.in-addr.arpa. 86400 IN NS DNS.TRUE.NET.
129.11.200.in-addr.arpa. 86400 IN NS DNS.CANTV.NET.
;; Received 110 bytes from 192.100.59.110#53(BUCHU.ARIN.NET) in 110 ms
200.in-addr.arpa. 80095 IN NS ARROWROOT.ARIN.NET.
200.in-addr.arpa. 80095 IN NS BUCHU.ARIN.NET.
200.in-addr.arpa. 80095 IN NS CHIA.ARIN.NET.
200.in-addr.arpa. 80095 IN NS DILL.ARIN.NET.
200.in-addr.arpa. 80095 IN NS NS.LACNIC.ORG.
200.in-addr.arpa. 80095 IN NS NS.DNS.BR.
200.in-addr.arpa. 80095 IN NS NS2.DNS.BR.
;; Received 311 bytes from 200.11.130.10#53(DNS.TRUE.NET) in 160 ms
129.11.200.in-addr.arpa. 86400 IN NS DNS1.TRUE.NET.
129.11.200.in-addr.arpa. 86400 IN NS DNS.TRUE.NET.
129.11.200.in-addr.arpa. 86400 IN NS DNS.CANTV.NET.
;; Received 110 bytes from 198.133.199.110#53(ARROWROOT.ARIN.NET) in 170 ms
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Luis Muñoz
> Sent: Tuesday, October 01, 2002 3:05 PM
> To: bind-users at isc.org
> Subject: Problem with forward zone and recursion
>
> Hi folks:
>
> In my network, we're running BIND 8.2.4_REL. (I know an upgrade is due, but
> this question is in part to help me decide to which version).
>
> I have a number of zones configured like this at the authoritative
> servers:
>
> zone "129.11.200.in-addr.arpa" {
>     type forward;
>     forward only;
>     forwarders { 200.44.32.89; 200.44.32.88; };
> };
>
> The problem is that the answers are only found when recursion is specified
> in the query. This obviously won't work when said query comes from a name
> server, as in these cases the recursion would not be requested. This is an
> example:
Wrong. Yes, name servers perform iterative queries by default, however,
they follow the referrals they receive to get the final answer.
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +norecurse
If 200.44.32.10 is not the authoritative name server this is not
supposed to work. In other words, if you are asking a name server to
answer a question it does not have loaded, and you are telling it not to
ask anyone else, you can't expect it to give you anything else but a
referral (which is what you got).
>
> ; <<>> DiG 8.3 <<>> @200.44.32.10 -x +norecurse
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58582
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7
> ;; QUERY SECTION:
> ;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; AUTHORITY SECTION:
> 200.in-addr.arpa. 2h4m40s IN NS ARROWROOT.ARIN.NET.
> 200.in-addr.arpa. 2h4m40s IN NS BUCHU.ARIN.NET.
> 200.in-addr.arpa. 2h4m40s IN NS CHIA.ARIN.NET.
> 200.in-addr.arpa. 2h4m40s IN NS DILL.ARIN.NET.
> 200.in-addr.arpa. 2h4m40s IN NS NS.LACNIC.ORG.
> 200.in-addr.arpa. 2h4m40s IN NS NS.DNS.BR.
> 200.in-addr.arpa. 2h4m40s IN NS NS2.DNS.BR.
>
> ;; ADDITIONAL SECTION:
> ARROWROOT.ARIN.NET. 17m46s IN A 198.133.199.110
> BUCHU.ARIN.NET. 1h16m39s IN A 192.100.59.110
> CHIA.ARIN.NET. 19m17s IN A 192.5.6.32
> DILL.ARIN.NET. 19m16s IN A 192.35.51.32
> NS.LACNIC.ORG. 14m57s IN A 200.160.0.7
> NS.DNS.BR. 14h7m24s IN A 200.160.0.5
> NS2.DNS.BR. 10h3m38s IN A 200.19.119.99
>
> ;; Total query time: 19 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
> ;; WHEN: Tue Oct 1 13:46:47 2002
> ;; MSG SIZE sent: 45 rcvd: 315
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +recurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.10 -x +recurse
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22129
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa. 1H IN PTR
> dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 72 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
> ;; WHEN: Tue Oct 1 13:46:55 2002
> ;; MSG SIZE sent: 45 rcvd: 109
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.10 -x 200.11.129.235 +recurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.10 -x +recurse
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7
> ;; QUERY SECTION:
> ;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa. 59m52s IN PTR
> dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; AUTHORITY SECTION:
> 200.in-addr.arpa. 2h4m24s IN NS ARROWROOT.ARIN.net.
> 200.in-addr.arpa. 2h4m24s IN NS BUCHU.ARIN.net.
> 200.in-addr.arpa. 2h4m24s IN NS CHIA.ARIN.net.
> 200.in-addr.arpa. 2h4m24s IN NS DILL.ARIN.net.
> 200.in-addr.arpa. 2h4m24s IN NS NS.LACNIC.ORG.
> 200.in-addr.arpa. 2h4m24s IN NS NS.DNS.BR.
> 200.in-addr.arpa. 2h4m24s IN NS NS2.DNS.BR.
>
> ;; ADDITIONAL SECTION:
> ARROWROOT.ARIN.net. 17m30s IN A 198.133.199.110
> BUCHU.ARIN.net. 1h16m23s IN A 192.100.59.110
> CHIA.ARIN.net. 19m1s IN A 192.5.6.32
> DILL.ARIN.net. 19M IN A 192.35.51.32
> NS.LACNIC.ORG. 14m41s IN A 200.160.0.7
> NS.DNS.BR. 14h7m8s IN A 200.160.0.5
> NS2.DNS.BR. 10h3m22s IN A 200.19.119.99
>
> ;; Total query time: 89 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.10
> ;; WHEN: Tue Oct 1 13:47:03 2002
> ;; MSG SIZE sent: 45 rcvd: 376
>
> After this point, and until the RR expires, I can get the expected answers
> from BIND's cache even with recursion turned off.
Yes, you can. At this point, the server in question now has the answer
and will give it back to you, even without recursion, because recursion
is not necessary to find the answer (that is, the name server in
question has the answer to your question in cache). And yes, once the
ttl expires, recursion will once again be necessary.
>
> However, when I query the server to which the zones are forwarded, I get an
> answer no matter what the recursion bit is set to:
Yes, this is also normal. If you ask the server that has the zone
loaded, it will Always have the answer and give it to you regardless of
whether you asked for recursion or not.
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.89 -x 200.11.129.235 +recurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.89 -x +recurse
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14945
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa. 1H IN PTR
> dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 305 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.89
> ;; WHEN: Tue Oct 1 13:48:11 2002
> ;; MSG SIZE sent: 45 rcvd: 109
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.89 -x 200.11.129.235 +norecurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.89 -x +norecurse
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53497
> ;; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa. 1H IN PTR
> dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 260 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.89
> ;; WHEN: Tue Oct 1 13:48:14 2002
> ;; MSG SIZE sent: 45 rcvd: 109
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.88 -x 200.11.129.235 +recurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.88 -x +recurse
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62878
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa. 1H IN PTR
> dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 84 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.88
> ;; WHEN: Tue Oct 1 13:48:26 2002
> ;; MSG SIZE sent: 45 rcvd: 109
>
> bash2.05 lem at ws157-46 ~ % dig @200.44.32.88 -x 200.11.129.235 +norecurse
>
> ; <<>> DiG 8.3 <<>> @200.44.32.88 -x +norecurse
> ; (1 server found)
> ;; res options: init defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35029
> ;; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; 235.129.11.200.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> 235.129.11.200.in-addr.arpa. 1H IN PTR
> dC80B81EB.dslam-02-21-3-01-01-02.var.dsl.cantv.net.
>
> ;; Total query time: 171 msec
> ;; FROM: ws157-46.lido.int.cantv.net to SERVER: 200.44.32.88
> ;; WHEN: Tue Oct 1 13:48:29 2002
> ;; MSG SIZE sent: 45 rcvd: 109
>
> I would like to know if this is a bug or a feature. If it is a bug, does
> anybody know which version of BIND fixes this?
>
> Thanks a lot and please excuse the lengthy post.
>
> Regards.
>
> -lem
>
> --
> --
> #!/usr/bin/perl -w
> use strict;
> $_[$_]=0 for 0..7;my$i;
> for my$a(grep{s@^00@@}unpack'B8'x28,join'',map{chr}split/\*+/,q{61*31*28*
> 32*20*40*25*63*63*9*52*58*49*18*30*47*20*2*10*4*8*63*63*1*36*2*13*30}){$i
> =0;grep{$_[$i++].=$_}split //,$a;length$_[0]==8&&print pack'B8',$_ for@_;
> length$_[0]==8&&grep{$_=0}@_;}print"\n";
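
The three kinds of response discussed in this thread (referral, answer with `aa` set, answer served from cache) can be told apart from the dig header line alone. The following Python sketch is an added example, not part of the original messages and not code from BIND or dig; the `classify` helper and the sample labels are hypothetical names introduced here, and the header lines are copied from the quoted output.

```python
import re

# ";; flags: ...; QUERY: n, ANSWER: n, AUTHORITY: n, ADDITIONAL: n" as dig prints it.
HEADER_RE = re.compile(
    r"flags:\s*([a-z ]*);\s*QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),"
    r"\s*AUTHORITY:\s*(\d+),\s*ADDITIONAL:\s*(\d+)"
)

# Header lines copied from the dig output quoted in the thread; the
# dictionary keys are labels made up for this example.
SAMPLES = {
    "200.44.32.10 +norecurse, cold cache":
        ";; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7",
    "200.44.32.10 +recurse, first query":
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0",
    "200.44.32.10 +recurse, second query":
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7",
    "200.44.32.89 +norecurse":
        ";; flags: aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0",
}


def classify(header_line):
    """Return (kind, rd_requested) for one dig flags line (hypothetical helper)."""
    m = HEADER_RE.search(header_line)
    if m is None:
        raise ValueError("not a dig flags line: %r" % header_line)
    flags = set(m.group(1).split())
    answers, authority = int(m.group(3)), int(m.group(4))
    if answers > 0:
        # aa set: the data arrived with the authoritative bit; aa clear:
        # the server answered from what it already held in cache.
        kind = "authoritative" if "aa" in flags else "cached"
    elif authority > 0 and "aa" not in flags:
        # No answer, only records pointing elsewhere. Header-only heuristic:
        # a negative answer would carry an SOA in this section instead.
        kind = "referral"
    else:
        kind = "empty"
    return kind, "rd" in flags


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print("%-40s %s" % (label, classify(line)))
```
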