bind-users Digest V4 #245

Lisa Casey lisa at jellico.net
Mon Sep 9 13:18:14 UTC 2002



----- Original Message -----
From: "BIND Users Mailing List" <bind-users at isc.org>
To: "bind-users digest users" <ecartis at isc.org>
Sent: Friday, September 06, 2002 2:50 AM
Subject: bind-users Digest V4 #245


> bind-users Digest Thu, 05 Sep 2002 Volume: 04  Issue: 245
>
> In This Issue:
> Re: TOOL !
> Re: Large Zone transfer from Bind 8/9 - W2K
> Re: Resolver library question
> specify alternate directory for zone files?
> RE: Resolver library question
> Re: Large Zone transfer from Bind 8/9 - W2K
> Re: specify alternate directory for zone files?
> Re: Integrating BIND with Active Directory
> RE: Integrating BIND with Active Directory
> RE: Integrating BIND with Active Directory
> Local host not working
> Re: Large Zone transfer from Bind 8/9 - W2K
> Re: Delegation problems
> Should I employ Split DNS in this situation?
> Moving DNS server
> Re: TOOL !
> Re: Resolver library question
> RE: Resolver library question
> Ok,..how about $INCLUDE
> Getting more details with Bind 9.2.1 error messages
> Error fetching SOA from ... DNS returned error code 2
> DNS info disapears
> Re: Delegation problems
> Re: Moving DNS server
> Re: Ok,..how about $INCLUDE
> commercial dns vendors
> Re: Integrating BIND with Active Directory
> Re: Resolver library question
> Re: Resolver library question
> Re: Resolver library question
> Re: Resolver library question
> Re: Local host not working
> Re: Should I employ Split DNS in this situation?
> Re: DNS info disapears
>
> ----------------------------------------------------------------------
>
> From: Simon Waters <Simon at wretched.demon.co.uk>
> Subject: Re: TOOL !
> Date:  Thu, 05 Sep 2002 08:40:32 +0100
>
>
> "Lu!s Croker" wrote:
> >
> >    Hi, I'm looking for a tool that lets me see the time that X table or
> > domain is being cached... I mean, how many minutes/seconds I'm going to
> > continue having the table cached... Is there something different to dig
> > or host commands? Thanks...
>
> Records are cached not domains or tables.
>
> What is wrong with using "dig" for this purpose?
>
> ------------------------------
>
> From: "Stanley Liu" <stanley.liu at toyota.com.au>
> Subject: Re: Large Zone transfer from Bind 8/9 - W2K
> Date: Thu, 5 Sep 2002 17:56:27 +1000
>
>
> Danny,
>
> >
> > At 08:47 PM 9/4/02, Jeffery Jones wrote:
> > >     I have since gone back and confirmed that the large zone transfers
> > >properly from a Bind 9 master at T-1 speeds.   I am unable to upgrade
> > >the Bind 8.33 master to a Bind 9.2.0 master because it eventually
> > >stops resolving external zones under Win32.   Does the current beta
> > >release candidate BIND 9.2.2rc1 correct this problem under Win32?
> >
> > I am unaware of any problem that would cause it to stop resolving external
> > zones under Win32.  How do you know that it isn't?  Did you run dig against
> > the box and get timeouts instead of a response? Did you use fully qualified
> > domain names? Are the authoritative nameservers lame? Do you have a
> > firewall problem? Are all queries to external zones timed out or just some of
> > them?
> >
> I do experience the problem Jeffery highlighted above: BIND9.2.1 for NT
> stops resolving external zones after a while.  Sometimes it stops resolving
> even local zones.  If you look at the NT service console, the ISC BIND
> service is still running but it just times out (?) all queries.  I run dig
> against the box using fully qualified domain names (external and local) with
> no firewall in between.  I've posted here before and a couple of guys reported
> that it was a known problem and recommended going back to BIND8.3.3.  It was
> very tempting but I've decided to give BIND 9.2.2rc1 a try and so far (about
> a week) so good.
>
> Judging from your response, Danny, you don't seem to be aware of such a
> problem.  You've got me worried now (about eliminating the problem using
> BIND9.2.2rc1).
>
> Regards,
>
> Stanley Liu
> stanley.liu at toyota.com.au
>
>
> ------------------------------
>
> Date: Thu, 5 Sep 2002 07:45:07 -0400
> From: Joseph S D Yao <jsdy at center.osis.gov>
> Subject: Re: Resolver library question
>
>
> On Wed, Sep 04, 2002 at 07:23:38PM -0600, Chuck Sterling wrote:
> > On Solaris 2.6 I am running BIND 9.1.3, compiled with gcc (2.7.x I
> > think, but not sure) using the provided BIND make files. Recently CERT
> > published a vulnerability in the resolver library that Solaris uses.
> > Question: Is our BIND vulnerable, and if so, is it using the libraries
> > provided with Solaris or something that came with gcc? I'm trying to
> > understand whether or not applying the Solaris patch will fix the
> > vulnerability on my systems. And if not, exactly what I have to do to
> > fix it.
>
> The resolver libraries and your 'named' are two different parts of
> BIND.  The Sun patch will fix your resolver libraries.  It may also
> overwrite your 'named' if you installed it in Solaris' default
> location, and you just do the default patch install.  Be aware of this.
>
> --
> Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao
> OSIS Center Systems Support EMT-B
> -----------------------------------------------------------------------
>    This message is not an official statement of OSIS Center policies.
>
> ------------------------------
>
> Date: Thu, 5 Sep 2002 08:27:17 -0400
> From: jeff donovan <jdonovan at dns.beth.k12.pa.us>
> Subject: specify alternate directory for zone files?
>
>
> Greetings
>
> I was wondering if it was possible to specify an alternate directory
> for my zone files
>
> eg
>
> options {
> directory "/var/namedb";
> };
>
> zone "." {
> type hint;
> file "root.cache";
> };
> zone "my.zone.com" {
> type master;
> file "zone.com.db";
> };
>
> zone "249.249.192.in-addr.arpa" {
> type master;
> file "/var/namedb/otherdir/db.192.249.249";
> };
>
> zone "253.253.192.in-addr.arpa" {
> type master;
> file "/var/namedb/somedir/db.192.253.253";
> };
>
> would this work or, do I have to keep all the files in the
> /var/namedb directory?
>
> --jeff
>
> ------------------------------
>
> From: "Cinense, Mark" <macinen at sandia.gov>
> Subject: RE: Resolver library question
> Date: Thu, 5 Sep 2002 07:15:13 -0600
>
>
> If you are running BIND 9.x.x, and did not compile the resolver libraries,
> then it is not vulnerable.  Is this correct?
>
> Mark Cinense
>
> -----Original Message-----
> From: Joseph S D Yao [mailto:jsdy at center.osis.gov]
> Sent: Thursday, September 05, 2002 5:45 AM
> To: Chuck Sterling
> Cc: comp-protocols-dns-bind at isc.org
> Subject: Re: Resolver library question
>
>
>
> On Wed, Sep 04, 2002 at 07:23:38PM -0600, Chuck Sterling wrote:
> > On Solaris 2.6 I am running BIND 9.1.3, compiled with gcc (2.7.x I
> > think, but not sure) using the provided BIND make files. Recently CERT
> > published a vulnerability in the resolver library that Solaris uses.
> > Question: Is our BIND vulnerable, and if so, is it using the libraries
> > provided with Solaris or something that came with gcc? I'm trying to
> > understand whether or not applying the Solaris patch will fix the
> > vulnerability on my systems. And if not, exactly what I have to do to
> > fix it.
>
> The resolver libraries and your 'named' are two different parts of
> BIND.  The Sun patch will fix your resolver libraries.  It may also
> overwrite your 'named' if you installed it in Solaris' default
> location, and you just do the default patch install.  Be aware of this.
>
> --
> Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao
> OSIS Center Systems Support EMT-B
> -----------------------------------------------------------------------
>    This message is not an official statement of OSIS Center policies.
>
>
>
> ------------------------------
>
> Date: Thu, 05 Sep 2002 08:07:10 -0400
> From: Danny Mayer <mayer at gis.net>
> Subject: Re: Large Zone transfer from Bind 8/9 - W2K
>
>
> At 03:56 AM 9/5/02, Stanley Liu wrote:
>
> >Danny,
> >
> > >
> > > At 08:47 PM 9/4/02, Jeffery Jones wrote:
> > > >     I have since gone back and confirmed that the large zone transfers
> > > >properly from a Bind 9 master at T-1 speeds.   I am unable to upgrade
> > > >the Bind 8.33 master to a Bind 9.2.0 master because it eventually
> > > >stops resolving external zones under Win32.   Does the current beta
> > > >release candidate BIND 9.2.2rc1 correct this problem under Win32?
> > >
> > > I am unaware of any problem that would cause it to stop resolving external
> > > zones under Win32.  How do you know that it isn't?  Did you run dig against
> > > the box and get timeouts instead of a response? Did you use fully qualified
> > > domain names? Are the authoritative nameservers lame? Do you have a
> > > firewall problem? Are all queries to external zones timed out or just some of
> > > them?
> > >
> >I do experience the problem Jeffery highlighted above: BIND9.2.1 for NT
> >stops resolving external zones after a while.  Sometimes it stops resolving
> >even local zones.  If you look at the NT service console, the ISC BIND
> >service is still running but it just times out (?) all queries.  I run dig
> >against the box using fully qualified domain names (external and local) with
> >no firewall in between.  I've posted here before and a couple of guys reported
> >that it was a known problem and recommended going back to BIND8.3.3.  It was
> >very tempting but I've decided to give BIND 9.2.2rc1 a try and so far (about
> >a week) so good.
>
> 9.2.0 did have an occasional problem with timeouts because of a problem
> with the select loop but should only have been seen when there was no
> activity on the machine. 9.2.1 fixed that but at the expense of making the
> select timeout too short and having it become compute bound. 9.2.2rc1
> should be just right. 9.3.0 will totally eliminate these problems as it's a
> rewrite of that piece of code. Unfortunately it's not yet available even in a
> snapshot.
>
> >Judging from your response, Danny, you don't seem to be aware of such a
> >problem.  You've got me worried now (about eliminating the problem using
> >BIND9.2.2rc1).
>
> You need to let us know.
>
> >Regards,
> >
> >Stanley Liu
> >stanley.liu at toyota.com.au
>
> Danny
>
>
> ------------------------------
>
> From: Mark_Andrews at isc.org
> Subject: Re: specify alternate directory for zone files?
> Date: Fri, 06 Sep 2002 00:10:50 +1000
>
>
> >
> > Greetings
> >
> > I was wondering if it was possible to specify an alternate directory
> > for my zone files
>
> Yes.
>
> Mark
> -
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>
> ------------------------------
>
> Date: Thu, 5 Sep 2002 09:14:17 -0500 (CDT)
> From: Barry Finkel <b19141 at achilles.ctd.anl.gov>
> Subject: Re: Integrating BIND with Active Directory
>
> >marion at admin.fsu.edu (Boomer) wrote (in part):
> >
> >I'm trying to do the same.  I have read this article from microsoft:
> >http://research.microsoft.com/programs/up_content/bind.doc
> >To my understanding, there need to be subdomain zones (ie
> >_msdc.domain.edu, _tcp.domain.edu, _sites.domain.edu, _udp.domain.edu)
>
> The first zone should be
>
>      _msdcs.domain.edu
>
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
>
>
> ------------------------------
>
> Date: Thu, 5 Sep 2002 09:19:56 -0500 (CDT)
> From: Barry Finkel <b19141 at achilles.ctd.anl.gov>
> Subject: RE: Integrating BIND with Active Directory
>
> "Cinense, Mark" <macinen at sandia.gov> wrote (in part):
>
> >One question you might want to ask is are you going to be running MS
> >Exchange, or will need to.  If not, these scenarios have been implemented,
> >but if you do, I have not seen or heard from anyone running these scenarios
> >with MS Exchange.  Neither has our highly paid MS consultant that we brought
> >in.  That is as of yet.
>
> Mark, I do not see how MS Exchange Server has anything to do with this.
> The MS-ES obviously needs DNS services, but it does not do any DDNS
> updates.  Please explain.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
>
>
> ------------------------------
>
> From: "Cinense, Mark" <macinen at sandia.gov>
> Subject: RE: Integrating BIND with Active Directory
> Date: Thu, 5 Sep 2002 08:35:13 -0600
>
>
> Barry,
>
> That is what I am trying to find out.  I am not saying this, the MS
> consultant is saying this.  What I am asking is: is there anyone out there that
> is running DDNS on BIND with an AD environment, and MS Exchange?  Most
> companies are delegating a zone to be the forest root, and then letting the
> AD server also run DDNS, so that the security is integrated, and there will
> be less cost.
>
> I personally think that we can run BIND as our service, but if we do run
> BIND for our DDNS service with AD, we would probably want to have more
> backup BIND machines.  Well, with running DDNS on the directory server, it
> would not require any more hardware.  Whereas running the BIND servers on
> UNIX boxes will.
>
> Mark Cinense
>
> -----Original Message-----
> From: Barry Finkel [mailto:b19141 at achilles.ctd.anl.gov]
> Sent: Thursday, September 05, 2002 8:20 AM
> To: bind-users at isc.org
> Cc: macinen at sandia.gov
> Subject: RE: Integrating BIND with Active Directory
>
>
> "Cinense, Mark" <macinen at sandia.gov> wrote (in part):
>
> >One question you might want to ask is are you going to be running MS
> >Exchange, or will need to.  If not, these scenarios have been implemented,
> >but if you do, I have not seen or heard from anyone running these scenarios
> >with MS Exchange.  Neither has our highly paid MS consultant that we brought
> >in.  That is as of yet.
>
> Mark, I do not see how MS Exchange Server has anything to do with this.
> The MS-ES obviously needs DNS services, but it does not do any DDNS
> updates.  Please explain.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
>
>
>
> ------------------------------
>
> Subject: Re: TOOL !
> From: Lu!s Croker <lcroker at megared.net.mx>
> Date: 05 Sep 2002 10:00:47 -0500
>
>
>
>
>     Hi...  I just put the following options in named.conf
>
>
>         max-cache-ttl 259200;
>         max-ncache-ttl 300;
>
>     because I'm having problems with some domains that have just 300
> seconds for TTL and often my DNS servers stop resolving these
> domains... I put these options to retain cached information for more
> time...  if I use dig, I get the records from the nameserver's domain...
> (300 seconds). How can I know or see the other time (259200 seconds)?
>
>     I don't know if I can explain very well.. I hope so, my English isn't
> good.
>
>    Greetings.
>
>
>
>
>
> On Thu, 2002-09-05 at 02:40, Simon Waters wrote:
> >
> > "Lu!s Croker" wrote:
> > >
> > >    Hi, I'm looking for a tool that lets me see the time that X table or
> > > domain is being cached... I mean, how many minutes/seconds I'm going to
> > > continue having the table cached... Is there something different to dig
> > > or host commands? Thanks...
> >
> > Records are cached not domains or tables.
> >
> > What is wrong with using "dig" for this purpose?
> --
> # Forza Ferrari, Forza... che siamo tre volte Campioni del Mondo !
>
>
> ------------------------------
>
> From: syvehc at yahoo.com (Thomas)
> Subject: Local host not working
> Date: 5 Sep 2002 05:09:50 -0700
>
>
>
> I am having a problem with DNS.  I am using bind 9.2 on redhat 7.3.
> Everything is working but I can't resolve local addresses.  Are there
> any ideas of what to check?  I looked in the resolv.conf to make sure
> the 127.0.0.1 was in there.  My named.conf looks ok.  I just can't
> understand why only the local addresses are not found.  I have them in
> the named.local and it is referenced in the named.conf. If you have
> any tips they will be greatly appreciated.
>
> Thanks
> Tom
>
> ------------------------------
>
> From: Jeffery Jones <jefferjones at altavista.net>
> Subject: Re: Large Zone transfer from Bind 8/9 - W2K
> Date: Thu, 05 Sep 2002 08:13:47 -0400
>
>
>
> On 5 Sep 2002 02:06:14 -0000, Danny Mayer <mayer at gis.net> wrote:
>
> >
> >At 08:47 PM 9/4/02, Jeffery Jones wrote:
> >> I am unable to upgrade
> >>the Bind 8.33 master to a Bind 9.2.0 master because it eventually
> >>stops resolving external zones under Win32.   Does the current beta
> >>release candidate BIND 9.2.2rc1 correct this problem under Win32?
> >
> >I am unaware of any problem that would cause it to stop resolving external
> >zones under Win32.  How do you know that it isn't?  Did you run dig against
> >the box and get timeouts instead of a response? Did you use fully qualified
> >domain names? Are the authoritative nameservers lame? Do you have a
> >firewall problem? Are all queries to external zones timed out or just some of
> >them?
>
>
>   The following threads have more info along with at least one other person who has
> seen a similar problem.
>
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=agcl6i%245nvv%241%40isrv4.isc.org&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3D%2522jeffery%2Bjones%2522%2Bbind%2Brecursive%26btnG%3DGoogle%2BSearch
>
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=agf518%2479b7%241%40isrv4.isc.org&rnum=2&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3D%2522jeffery%2Bjones%2522%2Bbind%2Brecursive%26btnG%3DGoogle%2BSearch
>
>   The "No more recursive clients" error is suspicious since Bind 8.33 never misses a beat
> in the same environment.    Increasing the recursive-clients settings caused it to eventually
> just stop resolving external domain names without even logging an error.
>
>  I  was using NSLookup at the time, and it got an immediate reply
> for all external domain names that indicated failure.    I'll set it up again with 9.22 so that I'm paged next
> time it fails and get better diagnostics with DIG, and dump the cache to see if some names are
> present in cache but not returned.
>
>
> ------------------------------
>
> From: darren at birkett.com (Darren Birkett)
> Subject: Re: Delegation problems
> Date: 5 Sep 2002 06:20:53 -0700
>
>
>
> Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<al6bhs$bbnf$1 at isrv4.isc.org>...
> > Darren Birkett wrote:
> >
> > > I've got a couple of DNS servers that are authoritative for two zones,
> > > abc.cheese.com and xyz.cheese.com
> > > I've just been told that there is another subdomain to the
> > > xyz.cheese.com that is called sub.xyz.cheese.com  This is
> > > where all the Win2k servers and hosts sit, and this domain itself is served
> > > by two Win2k active directory DNS servers.  I am trying to delegate authority
> > > for this zone in my zone file for xyz.cheese.com by adding the
> > > following lines:
> > >
> > > --------------------------------------------------------------------------
> > > ;Delegation records for sub.xyz.cheese.com
> > > sub.xyz.cheese.com.  IN      NS            ad01.sub.xyz.cheese.com.
> > > sub.xyz.cheese.com.  IN      NS            ad02.sub.xyz.cheese.com.
> > >
> > > ;Glue records for nameservers in sub.xyz.cheese.com
> > > ad01.sub.xyz.cheese.com.   IN      A       42.149.30.46
> > > ad02.sub.xyz.cheese.com.   IN      A       42.149.30.47
> > > --------------------------------------------------------------------------
> > >
> > > The DNS servers in the sub sub-domain are quite happily forwarding
> > > requests on up to my DNS servers, but delegation isn't working.  When I do
> > > an nslookup for a host in the crmwin subdomain from my DNS servers, I
> > > get: the following:
> > >
> > > --------------------------------------------------------------------------
> > > [c06u1dns01:root:/etc/nameserver:] nslookup
> > > Default Server:  localhost
> > > Address:  127.0.0.1
> > >
> > > > c06p1doc01
> > > Server:  localhost
> > > Address:  127.0.0.1
> > >
> > > *** localhost can't find c06p1doc01:Non-existent host/domain
> > > --------------------------------------------------------------------------
> > >
> > > The same is true if I use the FQDN.  I'm just wondering if there is anything
> > > I am missing to allow delegation to work?  I have looked at the named.run
> > > file after doing the above nslookup and there appears to be no attempt to
> > > contact the sub DNS servers at all.
> > > Any ideas here?
> >
> > Do you have "global" forwarding enabled, i.e. defined in your "options" clause,
> > as opposed to in a zone definition? If so, then what's probably happening is
> > that these queries, being outside of your authoritative zones, are being
> > forwarded instead of sent to the delegated nameservers. Global forwarding
> > applies to *all* queries outside your authoritative zones, regardless of
> > whether the containing zone is "above", "below" or at the same level as an
> > authoritative zone. You can disable forwarding for a whole branch of the
> > namespace by specifying "forwarders { }" in the corresponding zone definition,
> > even if it's a master, slave or stub zone (sometimes folks set up a stub zone
> > solely for the purposes of "hanging" a "forwarders { }" statement from it and
> > thus inhibiting forwarding for that part of the namespace). So, in your case,
> > maybe you want "forwarders { }" in the xyz.cheese.com zone definition, to
> > prevent sub.xyz.cheese.com queries being forwarded.
> >
> > Alternatively, you could "fix" this the old-fashioned way: just make yourself a
> > slave for the sub.xyz.cheese.com zone. Of course, if any subzones of
> > sub.xyz.cheese.com were created, you'd have to deal with those too. The
> > old-fashioned way doesn't exactly scale well...
> >
> >
> > - Kevin
>
> I'm using bind4 at the moment.  I know I should be using bind 8 or 9
> but there were reasons...
> So how do I change the global forwarding option in the named4
> named.boot file to ensure that lookups for hosts in the
> sub.xyz.cheese.com are not forwarded and instead passed to the
> nameservers responsible for that zone?
>
> ------------------------------
>
> From: Ron Creamer <ron at pageworks.com>
> Subject: Should I employ Split DNS in this situation?
> Date: Thu, 05 Sep 2002 10:08:26 -0400
>
>
>
> Hi,
>
> I am designing a firewall router along with trying to determine a new
> network layout to go along with a new T1 for a company who will soon be
> retiring their old T1.
>
> Some Background:
> o We are assigned a full class C 68.100.15.0/24
> o We are not concerned about conserving address space (plenty of IPs)
> o We'd like to split the Class C into two subnets:
> oo 68.100.15.0/25 (for the Perim/dmz net)
> oo 68.100.15.128/25 (for the company's machines Internal net)
> o We want to expose certain services on hosts on the dmz subnet
> oo smtp: Exim running maps before routing approved mail to internal
> mail svrs
> oo anon ftp
> oo web
> oo dns
> o They'd also like a VPN, most likely Freeswan, but we're not yet sure
> where to put it
>
> The proposed layout is below.
>
> We will not be NAT'ing the internal net because we have plenty of IPs
> and I have read that if you have the IPs, the small security benefit of
> NAT'ing does not outweigh the pain in administration.
>
> My Question is does it still make sense to use split DNS as outlined in
> DNS & Bind 4th Edition? Is there still a security benefit there by only
> exposing a very limited number of hosts to the public?
>
> Thanks,
>
> -Ron
>
>
>
>
>                                 The Internet
>                                      |
>                                      |
>                           ISP's Router 65.243.31.1
>                                      |
>                                      |
>                        Firewall's Frame Relay Card 65.243.31.2
>                                      |
>     eth1(68.100.15.1)-------Linux Box Router/FW---------eth0 (68.100.15.129)
>            |                                                       |
> Perimeter net 68.100.15.0/25                     Internal net 68.100.15.129/25
>            |                                                       |
>            |                                                       |
> Perimeter net hub/switch                           local/priv net hub/switch
>     |                  |                                |                 |
> bast-1(.2)   bast-n(.126)                     priv-1(.130)   priv2-n(.254)
>
>
> ------------------------------
>
> From: jl_678 at yahoo.com (JayL)
> Subject: Moving DNS server
> Date: 5 Sep 2002 07:21:26 -0700
>
>
>
> Hi,
>   I am running Bind on a Linux box on my home LAN.  I am using a DSL
> account with 2 fixed IPs.  I am serving as the primary DNS server for
> my multiple domains and secondary.com is serving as secondary.
> Everything is running perfectly.  The problem is that I will be moving
> sometime soon.  This means that I will lose Internet connectivity for
> a bit and thus am trying to figure out to deal with DNS.  I have a
> second Linux box ready to go to take over primary DNS, but
> unfortunately none of my friends broadband accounts have fixed IPs
> thus making DNS hosting impossible.
>
>   One idea is that I could just take down my DNS and let Secondary.com
> handle the load until I am back up.  Is this a reasonable idea?  The
> other idea I have is to move DNS hosting to a web based provider such
> as ZoneEdit or Granite Canyon and just use those guys as primary
> temporarily while I move.  I am certain that this is a better idea,
> but it looks to be a bit of a pain and to be honest, I don't really
> trust any of these services.  Has anyone used any of them and had good
> luck?  (At a reasonable price)  Finally, the ideal solution is to use
> my secondary Linux box to run DNS.  The problem remains about not
> having a fixed IP.  Anyone have any thoughts or suggestions about how
> to make this work?  Are there any other clear options that I have not
> thought of?
>
> TIA
>
> JL
>
> ------------------------------
>
> From: phn at icke-reklam.ipsec.nu
> Subject: Re: TOOL !
> Date: 5 Sep 2002 15:33:24 GMT
>
>
> Lu!s Croker <lcroker at megared.net.mx> wrote:
>
>
>
> >    Hi, I'm looking for a tool that lets me see the time that X table or
> > domain is being cached... I mean, how many minutes/seconds I'm going to
> > continue having the table cached... Is there something different to dig
> > or host commands? Thanks...
>
> nameservers don't cache "tables", they cache "rows" (or Resource Records).
>
> And they may have differing TTL.
>
> Retrieving one record will have its remaining TTL as TTL.
>
>
> > --
> > # Forza Ferrari, Forza... che siamo tre volte Campioni del Mondo !
>
>
>
> --
> Peter Håkanson
>         IPSec  Sverige      ( At Gothenburg Riverside )
>            Sorry about my e-mail address, but i'm trying to keep spam out,
>    remove "icke-reklam" if you feel for mailing me. Thanx.
>
> ------------------------------
>
> Date: Thu, 5 Sep 2002 11:42:56 -0400
> From: Joseph S D Yao <jsdy at center.osis.gov>
> Subject: Re: Resolver library question
>
>
> On Thu, Sep 05, 2002 at 07:15:13AM -0600, Cinense, Mark wrote:
> > If you are running BIND 9.x.x, and did not compile the resolver libraries,
> > then it is not vulnerable.  Is this correct?
>
> I guess I did assume that the original questioner had installed the
> 'named', but not the resolver libraries, since that has in the past
> often been the case for people who did the default install.  If this
> has changed for BIND 9, I may have missed that.
>
> --
> Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao
> OSIS Center Systems Support EMT-B
> -----------------------------------------------------------------------
>    This message is not an official statement of OSIS Center policies.
>
> ------------------------------
>
> From: "Cinense, Mark" <macinen at sandia.gov>
> Subject: RE: Resolver library question
> Date: Thu, 5 Sep 2002 09:55:41 -0600
>
>
> I thought that I read somewhere that BIND 9 does not have libbind
> configured by default...
>
> here...
>
> http://www.isc.org/products/BIND/bind-security.html
>
> under "libbind buffer overflow"
>
> (Disabled by default in BIND 9, enabled if you added --enable-libbind to the
> configure statement)
>
> Mark Cinense
>
>
> -----Original Message-----
> From: Joseph S D Yao [mailto:jsdy at center.osis.gov]
> Sent: Thursday, September 05, 2002 9:43 AM
> To: Cinense, Mark
> Cc: Chuck Sterling; comp-protocols-dns-bind at isc.org
> Subject: Re: Resolver library question
>
>
> On Thu, Sep 05, 2002 at 07:15:13AM -0600, Cinense, Mark wrote:
> > If you are running BIND 9.x.x, and did not compile the resolver libraries,
> > then it is not vulnerable.  Is this correct?
>
> I guess I did assume that the original questioner had installed the
> 'named', but not the resolver libraries, since that has in the past
> often been the case for people who did the default install.  If this
> has changed for BIND 9, I may have missed that.
>
> --
> Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao
> OSIS Center Systems Support EMT-B
> -----------------------------------------------------------------------
>    This message is not an official statement of OSIS Center policies.
>
>
> ------------------------------
>
> Date: Thu, 5 Sep 2002 12:02:04 -0400
> From: jeff donovan <jdonovan at dns.beth.k12.pa.us>
> Subject: Ok,..how about $INCLUDE
>
>
> question,
>
> you had said that the zones can be in different directories, what
> about include statements?
>
> eg
>
> $INCLUDE this.db
> $INCLUDE /var/named/somedir/that.db
>
> I tried this and it didn't work the way I wanted it to. Are there any
> special options to allow this?
>
> TIA
>
> --j
>
> ------------------------------
>
> From: Steph L <Stephane.Lentz at ansf.alcatel.fr>
> Subject: Getting more details with Bind 9.2.1 error messages
> Date: 5 Sep 2002 17:56:19 GMT
> Keywords: Bind9, queries, log
>
> I'm testing some Bind 9.2.1 version and trying to configure it
> in a secure way so that queries are filtered (through acls) and recursion
> gets disabled (through acls too).
> I'm finding Bind 9.x error messages less detailed than Bind 8.x ones :
>
> For instance when using allow-recursion ACL, I get :
> Sep 05 19:16:09.632 client 80.14.93.91#3516: recursion available: denied
> Sep 05 19:16:09.736 client 80.14.93.91#3517: recursion available: denied
> Sep 05 19:16:10.122 client 80.14.93.91#1057: recursion available: denied
>
> I can't see which queries 80.14.93.91 sent (which name was asked to
> be resolved).
>
> Any way to get this information through the logging options ?
> If not will future Bind 9.x offer this feature ?
>
> Same thing when using allow-query ACL & getting some DNS update attempts:
>
> Sep  2 00:58:44 ns0 named[15064]: client 62.20.216.7#43818: query (cache) denied
> Sep  2 00:58:44 ns0 named[15064]: client 65.216.72.15#43818: query (cache) denied
> Sep  2 00:58:44 ns0 named[15064]: client 65.216.72.11#43818: query (cache) denied
>
> Sep  2 01:02:46 ns0 named[15064]: client 217.167.140.188#40224: update
> 'mydomain.com/IN' denied
>
>
> It's useful from a security point of view to know which queries were sent and
> which exact DNS definition someone attempted to update (by default only the
> zone name is logged for DNS updates).
>
> Is this covered in the latest DNS & Bind edition (I don't have the 4th
> edition) ?
>
> If it's not configurable in Bind, has someone written some libpcap
> (tcpdump, ngrep, ...) filters to get this information?
>
> Regards,
>
> SL/
> ---
> Stephane Lentz / Alcanet International
>
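Added example (editor's code, not part of Stephane's post and not a BIND component): a small parser for the three kinds of ACL denial shown above. BIND's denial lines name only the client and the kind of denial (and, for updates, the zone), so the useful thing to do with them is to aggregate per client and flag repeat offenders for a packet-filter rule or a packet capture; the QNAME itself has to come from a capture, as the post suggests. The log lines are constructed from the ones quoted in the post, in both the channel format and the syslog format; the final "zone ... loaded serial" line is made up to show that non-client lines are skipped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, copied from the lines quoted in the post (two
# formats: "Sep 05 19:16:09.632 client ..." from a named log channel and
# "Sep  2 00:58:44 ns0 named[15064]: client ..." via syslog), plus one
# made-up non-client line that the parser must ignore.
SAMPLE_LOG = """\
Sep 05 19:16:09.632 client 80.14.93.91#3516: recursion available: denied
Sep 05 19:16:09.736 client 80.14.93.91#3517: recursion available: denied
Sep 05 19:16:10.122 client 80.14.93.91#1057: recursion available: denied
Sep  2 00:58:44 ns0 named[15064]: client 62.20.216.7#43818: query (cache) denied
Sep  2 00:58:44 ns0 named[15064]: client 65.216.72.15#43818: query (cache) denied
Sep  2 00:58:44 ns0 named[15064]: client 65.216.72.11#43818: query (cache) denied
Sep  2 01:02:46 ns0 named[15064]: client 217.167.140.188#40224: update 'mydomain.com/IN' denied
Sep  2 01:03:00 ns0 named[15064]: zone mydomain.com/IN: loaded serial 2002090201
"""

# Match only the "client addr#port: <event> denied" tail, so the
# timestamp/host/pid prefix of either format is irrelevant.
CLIENT_RE = re.compile(
    r"client (?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<event>.+?) denied\s*$"
)
UPDATE_RE = re.compile(r"^update '(?P<zone>[^']+)'$")


def classify(event):
    """Map the event text to (kind, zone); zone is only known for updates."""
    m = UPDATE_RE.match(event)
    if m:
        return "update", m.group("zone")
    if event.startswith("recursion available"):
        return "recursion", None
    if event.startswith("query"):
        return "query", None
    return "other", None


def parse_denials(text):
    """Return a list of (addr, port, kind, zone) tuples, one per denial line."""
    out = []
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        kind, zone = classify(m.group("event"))
        out.append((m.group("addr"), int(m.group("port")), kind, zone))
    return out


def summarize(denials):
    """Count denials per (client, kind) and collect the zones each client
    tried to update."""
    counts = Counter((addr, kind) for addr, _, kind, _ in denials)
    targets = defaultdict(set)
    for addr, _, kind, zone in denials:
        if kind == "update":
            targets[addr].add(zone)
    return counts, {a: sorted(z) for a, z in targets.items()}


def repeat_offenders(counts, threshold=3):
    """Clients with at least `threshold` denials of a single kind: the
    candidates for a firewall rule or a targeted tcpdump to recover QNAMEs."""
    return sorted(addr for (addr, kind), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    counts, updates = summarize(denials)
    for (addr, kind), n in sorted(counts.items()):
        print(f"{addr:<18} {kind:<10} {n}")
    print("update targets:", updates)
    print("repeat offenders:", repeat_offenders(counts))
```

The threshold of three is arbitrary; on a busy server it would be set from the normal denial rate, and the port numbers are kept because a run of distinct source ports from one address (as in the recursion lines above) distinguishes a real client from a single spoofed packet.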
> ------------------------------
>
> From: sergaobr at yahoo.com (Sergio Pires)
> Subject: Error fetching SOA from ... DNS returned error code 2
> Date: 5 Sep 2002 11:24:33 -0700
>
>
>
> Can someone help me with that? When I try to look up my DNS the
> checkdns returns
>
>  Error fetching SOA from COLSVR.horizontetextil.com.br
> [200.216.240.209], DNS returned error code 2
> Regards,
>
> ------------------------------
>
> From: baffoon68 at hotmail.com (David J)
> Subject: DNS info disapears
> Date: 3 Sep 2002 23:30:33 -0700
>
>
>
> Hi,
>
> I have a weird and annoying problem that I need help on.
>
> From my name server (it's bind 8.3.3) I look up a domain name
>
> with a host -a
>
> # host -a shopcanberra.com
> Trying "shopcanberra.com"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40594
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;shopcanberra.com.              IN      ANY
>
> ;; ANSWER SECTION:
> shopcanberra.com.       172799  IN      NS      NS1.shopcanberra.com.
> shopcanberra.com.       172799  IN      NS      NS2.shopcanberra.com.
>
> ;; AUTHORITY SECTION:
> shopcanberra.com.       172799  IN      NS      NS1.shopcanberra.com.
> shopcanberra.com.       172799  IN      NS      NS2.shopcanberra.com.
>
> ;; ADDITIONAL SECTION:
> NS1.shopcanberra.com.   172799  IN      A       66.250.88.98
> NS2.shopcanberra.com.   172799  IN      A       66.250.88.99
>
>
> But on the 3rd lookup and every one after that, the IP information goes
> missing,
>
> # host -a shopcanberra.com
> Trying "shopcanberra.com"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61644
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;shopcanberra.com.              IN      ANY
>
> ;; ANSWER SECTION:
> shopcanberra.com.       172798  IN      NS      NS1.shopcanberra.com.
> shopcanberra.com.       172798  IN      NS      NS2.shopcanberra.com.
> shopcanberra.com.       14400   IN      SOA     ns1.dnsroyal.com.
> server.dnsroyal.com. 1029804702 28800 7200 3600000 86400
>
> ;; AUTHORITY SECTION:
> shopcanberra.com.       172798  IN      NS      NS1.shopcanberra.com.
> shopcanberra.com.       172798  IN      NS      NS2.shopcanberra.com.
>
>
> Same thing happens when say I ping NS1.shopcanberra.com
>
> it resolves the first 2 times, and then no longer resolves.
>
> Once I restart named, it just happens again with the same thing. I
> query many other name servers; they don't have the problem I am having.
>
> Does anyone have any ideas why this happens and a solution for it ?
>
> Thanks so much.
>
> ------------------------------
>
> From: Mark_Andrews at isc.org
> Subject: Re: Delegation problems
> Date: Fri, 06 Sep 2002 06:53:41 +1000
>
>
> > I'm using bind4 at the moment.  I know I should be using bind 8 or 9
> > but there were reasons...
> > So how do I change the global forwarding option in the named4
> > named.boot file to ensure that lookups for hosts in the
> > sub.xyz.cheese.com are not forwarded and instead passed to the
> > nameservers responsible for that zone?
> >
> You can't.
>
> Mark
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>
> ------------------------------
>
> From: Mark_Andrews at isc.org
> Subject: Re: Moving DNS server
> Date: Fri, 06 Sep 2002 06:59:23 +1000
>
>
> >
> > Hi,
> >   I am running Bind on a Linux box on my home LAN.  I am using a DSL
> > account with 2 fixed IPs.  I am serving as the primary DNS server for
> > my multiple domains and secondary.com is serving as secondary.
> > Everything is running perfectly.  The problem is that I will be moving
> > sometime soon.  This means that I will lose Internet connectivity for
> > a bit and thus am trying to figure out to deal with DNS.  I have a
> > second Linux box ready to go to take over primary DNS, but
> > unfortunately none of my friends broadband accounts have fixed IPs
> > thus making DNS hosting impossible.
> >
> >   One idea is that I could just take down my DNS and let Secondary.com
> > handle the load until I am back up.  Is this a reasonable idea?  The
> > other idea I have is to move DNS hosting to a web based provider such
> > as ZoneEdit or Granite Canyon and just use those guys as primary
> > temporarily while I move.  I am certain that this is a better idea,
> > but it looks to be a bit of a pain and to be honest, I don't really
> > trust any of these services.  Has anyone used any of them and had good
> > luck?  (At a reasonable price)  Finally, the ideal solution is to use
> > my secondary Linux box to run DNS.  The problem remains about not
> > having a fixed IP.  Anyone have any thoughts or suggestions about how
> > to make this work?  Are there any other clear options that I have not
> > thought of?
> >
> > TIA
> >
> > JL
> >
> Just set your expire, refresh and retry fields to a large values and
> let the secondaries keep the zone alive.
>
> refresh/expire 1 day so that the secondaries don't waste resources
> refreshing.
> expire to several months.
>
> Mark
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>
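Added example (editor's code, not from Mark's reply and not BIND code): a simulation of the secondary's SOA timer behaviour from RFC 1035 while the primary is unreachable, to show why the advice above works. The secondary checks the serial every `refresh` seconds, falls back to `retry` after a failed check, and stops serving the zone once `expire` seconds pass without a successful refresh. The timer values and outage windows are constructed; "several months" is taken as 90 days.

```python
DAY = 86400


def secondary_during_outage(refresh, retry, expire, outage_start, outage_end):
    """Simulate one secondary whose last successful refresh was at t=0.

    Times are in seconds. The primary answers SOA queries except during
    [outage_start, outage_end). Returns how many SOA checks were made
    during the outage (each one is wasted traffic), when the zone expired
    (None if it never did), and whether the secondary was still serving
    the zone at the moment the primary came back.
    """
    if not (0 < retry and 0 < refresh <= expire):
        raise ValueError("expected retry > 0 and 0 < refresh <= expire")
    if not (0 <= outage_start < outage_end):
        raise ValueError("expected 0 <= outage_start < outage_end")
    last_good = 0          # time of the last successful refresh
    next_check = refresh   # next scheduled SOA query
    attempts = 0
    expired_at = None
    while True:
        t = next_check
        # Expiry is measured from the last successful refresh, not from
        # the last attempt, so it is fixed at last_good + expire.
        if expired_at is None and t - last_good >= expire:
            expired_at = last_good + expire
        if outage_start <= t < outage_end:
            attempts += 1
            next_check = t + retry      # failed check: back off by retry
            continue
        if t >= outage_end:
            # First check after the primary returns succeeds (and reloads
            # the zone if it had expired); stop the simulation here.
            return {
                "attempts_during_outage": attempts,
                "expired_at": expired_at,
                "serving_when_primary_returned":
                    expired_at is None or expired_at >= outage_end,
            }
        last_good = t                   # successful refresh
        next_check = t + refresh


if __name__ == "__main__":
    # Timers from the SOA quoted elsewhere on this page (28800 7200 ...)
    # with a one-week expire, versus the advice above: refresh/retry 1 day,
    # expire 90 days. Both face a 10-day outage starting at t=30000.
    tight = secondary_during_outage(28800, 7200, 7 * DAY, 30000, 30000 + 10 * DAY)
    loose = secondary_during_outage(DAY, DAY, 90 * DAY, 30000, 30000 + 10 * DAY)
    print("tight timers:", tight)
    print("loose timers:", loose)
```

With the tight timers the secondary burns well over a hundred SOA queries and drops the zone on day 7; with the loose ones it makes one check per day and is still answering when the primary returns. The caveat is that a long expire also keeps stale data alive if the primary is changed without bumping the serial, so the values should be restored once the move is done.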
> ------------------------------
>
> From: Mark_Andrews at isc.org
> Subject: Re: Ok,..how about $INCLUDE
> Date: Fri, 06 Sep 2002 07:11:21 +1000
>
>
> >
> > question,
> >
> > you had said that the zones can be in different directories, what
> > about include statements?
>
> Yes.
>
> > eg
> >
> > $INCLUDE this.db
> > $INCLUDE /var/named/somedir/that.db
> >
> > i tried this and it didn't work the way i wanted it to. Are there any
> > special options to allow this?
>
> No it works.   Don't forget that files are relative to the
> directory option in named.conf/named.boot.  If you are running
> under chroot then that applies to master files as well.
>
> Mark
>
> > TIA
> >
> > --j
> >
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>
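Added example (editor's code, not from Mark's reply and not part of BIND): a helper that computes which host file named will actually open for a given `$INCLUDE`, applying the two rules stated above: a relative path is resolved against the `directory` option, and under chroot the result is taken relative to the chroot root. The `directory` and chroot values are constructed; the point of the third case is the common surprise that chroot `/var/named` with `directory "/var/named"` makes named look for `/var/named/var/named/this.db` on the host.

```python
import posixpath


def named_open_path(include_arg, directory, chroot=None):
    """Host path that named opens for `$INCLUDE include_arg`.

    Relative includes are resolved against the named.conf `directory`
    option, not against the zone file containing the $INCLUDE. If named
    runs chrooted, the resulting (chroot-internal) path is mapped onto
    the host by prefixing the chroot root.
    """
    if posixpath.isabs(include_arg):
        inside = posixpath.normpath(include_arg)
    else:
        inside = posixpath.normpath(posixpath.join(directory, include_arg))
    if chroot is None:
        return inside
    # Strip the leading "/" so join does not discard the chroot prefix.
    return posixpath.normpath(posixpath.join(chroot, inside.lstrip("/")))


def leaves_directory(include_arg, directory):
    """True if the include resolves outside the `directory` tree, via an
    absolute path or '..'. Without a chroot that is any file the named
    user can read, so it is worth flagging in zone files that several
    people edit."""
    target = named_open_path(include_arg, directory)
    root = posixpath.normpath(directory)
    return not (target == root or target.startswith(root.rstrip("/") + "/"))


if __name__ == "__main__":
    # The two includes from the question, with and without a chroot.
    for inc in ("this.db", "/var/named/somedir/that.db", "../../etc/passwd"):
        print(f"{inc:<28} -> {named_open_path(inc, '/var/named')}"
              f"   (chroot /var/named: {named_open_path(inc, '/var/named', '/var/named')})"
              f"   leaves dir: {leaves_directory(inc, '/var/named')}")
```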
> ------------------------------
>
> Date: Thu, 5 Sep 2002 16:44:32 -0600 (MDT)
> From: Farid Hamjavar <hamjavar at unm.edu>
> Subject: commercial dns vendors
>
>
>
> Does anyone know of a compiled list of pros/cons
> about major commercial DNS hardware appliance vendors.
>
> Any opinions particularly  about infoblox ?
>
> Thanks,
> Farid
> UNM
>
>
>
> ------------------------------
>
> From: jmccaig at cobaltgroup.com (John McCaig)
> Subject: Re: Integrating BIND with Active Directory
> Date: 5 Sep 2002 15:57:10 -0700
>
>
>
> Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<al3lln$9mil$1 at isrv4.isc.org>...
> > Marion Bogdanov wrote:
> >
> > > Anyone,
> > > If you have successfully integrated BIND 9.2 with Windows 2000 AD please
> > > respond to this post.  I'd like to talk to you more about it.
> >
> > Well, there's basically two types of BIND/AD integration:
> >
> > 1) give (via delegation) AD a part or parts of your namespace and let it do
> > whatever it wants,
> >
> > or
> >
> > 2) put the SRV records, etc. that AD requires into your existing namespace
> >
> > There are a couple different variations on #2:
> >
> > 2a) Collect the DNS data from the domain controllers and shove it into your
> > zone(s),
> >
> > or
> >
> > 2b) Open up your zone(s) to Dynamic Update and let them write their own
> > records.
> >
> > I've implemented (2b). I understand that others in this forum have
> > implemented (1).
> >
> >
> > - Kevin
>
> I have done 1. I recommend it.  AD tramples and spits out all sorts of
> nastiness; it's best to give it its own subdomain to rule. AD will be
> happy, BIND will be happy, you'll be happy, NT admins will be happy,
> Unix admins will be happy. It's what I suggest.  It's only namespace;
> who cares what computers are called anymore ;)
>
> ------------------------------
>
> Date: Thu, 05 Sep 2002 19:08:18 -0600
> From: Chuck Sterling <csterlin at zianet.com>
> Subject: Re: Resolver library question
>
>
>
> Mark_Andrews at isc.org wrote:
>
> > >
> > > On Solaris 2.6 I am running BIND 9.1.3, compiled with gcc (2.7.x I
> > > think, but not sure) using the provided BIND make files. Recently CERT
> > > published a vulnerability in the resolver library that Solaris uses.
> > > Question: Is our BIND vulnerable, and if so, is it using the libraries
> > > provided with Solaris or something that came with gcc? I'm trying to
> > > understand whether or not applying the Solaris patch will fix the
> > > vulnerability on my systems. And if not, exactly what I have to do to
> > > fix it.
> > >
> > > Thanks,
> > > Chuck Sterling
> >
> >         Did you bother to read the advisory?  It answers your questions.
> >
> >         Mark
>
> Yes, of course I did. I did not understand all the ramifications and was
> asking for clarification.
> I think I now do understand what I need to do. Thanks for the help.
>
> Chuck
>
>
>
> ------------------------------
>
> Date: Thu, 05 Sep 2002 19:12:05 -0600
> From: Chuck Sterling <csterlin at zianet.com>
> Subject: Re: Resolver library question
>
>
>
> "Cinense, Mark" wrote:
>
> > If you are running BIND 9.x.x, and did not compile the resolver libraries,
> > then it is not vulnerable.  Is this correct?
> >
> > Mark Cinense
>
> I have another message that says the same thing, and I did not make any
> changes to the make files other than the install directory.
>
> > <snip>
> > The resolver libraries and your 'named' are two different parts of
> > BIND.  The Sun patch will fix your resolver libraries.  It may also
> > overwrite your 'named' if you installed it in Solaris' default
> > location, and you just do the default patch install.  Be aware of this.
> >
>
> The BIND is installed in a different location, with the original in.named
> renamed and replaced with a soft link to the 9.1.3 version. Just what I
> needed.
>
> Thanks,
> Chuck
>
>
>
> ------------------------------
>
> Date: Thu, 05 Sep 2002 19:15:41 -0600
> From: Chuck Sterling <csterlin at zianet.com>
> Subject: Re: Resolver library question
>
>
>
> Joseph S D Yao wrote:
>
> > On Wed, Sep 04, 2002 at 07:23:38PM -0600, Chuck Sterling wrote:
> > > On Solaris 2.6 I am running BIND 9.1.3, compiled with gcc (2.7.x I
> > > think, but not sure) using the provided BIND make files. Recently CERT
> > > published a vulnerability in the resolver library that Solaris uses.
> > > Question: Is our BIND vulnerable, and if so, is it using the libraries
> > > provided with Solaris or something that came with gcc? I'm trying to
> > > understand whether or not applying the Solaris patch will fix the
> > > vulnerability on my systems. And if not, exactly what I have to do to
> > > fix it.
> >
> > The resolver libraries and your 'named' are two different parts of
> > BIND.  The Sun patch will fix your resolver libraries.  It may also
> > overwrite your 'named' if you installed it in Solaris' default
> > location, and you just do the default patch install.  Be aware of this.
>
> I'll look over the patch before I install it, and will test it offline to be
> sure I'm on the right page.
> In my case, even if it overwrites the current in.named it should not matter
> since the original has been renamed and replaced by a soft link to the 9.1.3
> version. Not a problem to do that again...
>
> Thanks,
> Chuck
>
>
> ------------------------------
>
> Date: Thu, 05 Sep 2002 19:16:29 -0600
> From: Chuck Sterling <csterlin at zianet.com>
> Subject: Re: Resolver library question
>
>
>
> Chuck Sterling wrote:
>
> > On Solaris 2.6 I am running BIND 9.1.3, compiled with gcc (2.7.x I
> > think, but not sure) using the provided BIND make files. Recently CERT
> > published a vulnerability in the resolver library that Solaris uses.
> > Question: Is our BIND vulnerable, and if so, is it using the libraries
> > provided with Solaris or something that came with gcc? I'm trying to
> > understand whether or not applying the Solaris patch will fix the
> > vulnerability on my systems. And if not, exactly what I have to do to
> > fix it.
> >
> > Thanks,
> > Chuck Sterling
>
> Thanks to everyone that replied; just what I needed to get this behind me.
>
> Chuck
>
>
>
> ------------------------------
>
> From: "ªü¸R" <paul at sharetech.com.tw>
> Subject: Re: Local host not working
> Date: Fri, 6 Sep 2002 10:36:08 +0800
>
> You can check whether your named service is working:
> use: service named --status
>
> "Thomas" <syvehc at yahoo.com> wrote in message news:al8qv0$c66c$1 at isrv4.isc.org...
> >
> > I am having a problem with DNS.  I am using bind 9.2 on redhat 7.3.
> > Everything is working but I can't resolve local addresses.  Are there
> > any ideas of what to check?  I looked in the resolv.conf to make sure
> > the 127.0.0.1 was in there.  My named.conf looks ok.  I just can't
> > understand why only the local addresses is not found.  I have them in
> > the named.local and it is referenced in the named.conf. If you have
> > any tips they will be greatly appreciated.
> >
> > Thanks
> > Tom
> >
>
>
>
> ------------------------------
>
> From: "N/A" <reply_in at newsgroup.only>
> Subject: Re: Should I employ Split DNS in this situation?
> Date: Fri, 06 Sep 2002 02:38:45 GMT
>
> Hi  Paul,
>
> Do you mean your actual internal IPs will be visible to people on the
> Internet? You definitely should NAT on the firewall to prevent this. What
> administration hassle is there? We just turned on "hide NAT" with Check
> Point. Or do your people all run through a proxy server so the only IP that
> is seen is the proxy itself?
>
> If you don't run a split DNS, you risk someone on the outside hacking your
> DNS servers and screwing with or screwing up your internal operations. At a
> bare minimum, do not allow zone transfers from outside people unless it is
> limited to your secondaries even if you do run a split DNS.
>
> We run split using four Linux/BIND boxes, two internal and two external. The
> external zones change very rarely and are non-recursive. The two internal
> ones change frequently and also are non-recursive. Everyone points to some
> Windows NT server for their caching DNS server and the same NT boxes are
> secondaries to the two Linux/BIND internal authoritative DNS servers. These
> two only accept lookups from the NT secondaries. The Linux boxes are also
> running iptables as an application firewall to protect themselves.
>
> We are running these four servers on Pentium I 200 MHz desktops and use
> Drive Image Pro v4 from Powerquest for disaster recovery. Once the servers
> are configured we take an image. If one croaks, hardware or software, we
> just restore the image and we're back up in less than thirty minutes. By
> keeping the Linux boxes as non-recursive, we can take them down at our
> leisure and not have to worry about anyone losing name resolution.
>
> FWIW,
>
> Ray
>
> > We will not be NAT'ing the internal net because we have plenty of IPs
> > and I have read that if you have the IPs, the small security benefit of
> > NAT'ing does not outweigh the pain in administration.
> >
> > My Question is does it still make sense to use split DNS as outlined in
> > DNS & Bind 4th Edition? Is there still a security benefit there by only
> > exposing a very limited number of hosts to the public?
> >
> > Thanks,
> >
> > -Ron
> >
> >
> >
> >
> >                                 The Internet
> >                                      |
> >                                      |
> >                           ISP's Router 65.243.31.1
> >                                      |
> >                                      |
> >                        Firewall's Frame Relay Card 65.243.31.2
> >                                      |
> >     eth1(68.100.15.1)-------Linux Box Router/FW---------eth0 (68.100.15.129)
> >            |                                                 |
> > Perimeter net 68.100.15.0/25                     Internal net 68.100.15.129/25
> >            |                                                 |
> >            |                                                 |
> > Perimeter net hub/switch                           local/priv net hub/switch
> > |                  |                                   |              |
> > bast-1(.2)   bast-n(.126)                     priv-1(.130)   priv2-n(.254)
> >
> >
> >
>
>
> ------------------------------
>
> From: Andris Kalnozols <andris at hpl.hp.com>
> Subject: Re: DNS info disapears
> Date: Thu, 05 Sep 2002 23:41:15 PDT
>
> > Hi,
> >
> > I have a weird and annoying problem that I need help on.
> >
> > From my name server (it's bind 8.3.3) I look up a domain name
> >
> > with a host -a
> >
> > # host -a shopcanberra.com
> > Trying "shopcanberra.com"
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40594
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;shopcanberra.com.              IN      ANY
> >
> > ;; ANSWER SECTION:
> > shopcanberra.com.       172799  IN      NS      NS1.shopcanberra.com.
> > shopcanberra.com.       172799  IN      NS      NS2.shopcanberra.com.
> >
> > ;; AUTHORITY SECTION:
> > shopcanberra.com.       172799  IN      NS      NS1.shopcanberra.com.
> > shopcanberra.com.       172799  IN      NS      NS2.shopcanberra.com.
> >
> > ;; ADDITIONAL SECTION:
> > NS1.shopcanberra.com.   172799  IN      A       66.250.88.98
> > NS2.shopcanberra.com.   172799  IN      A       66.250.88.99
> >
> >
> > But on the 3rd lookup and every one after that, the IP information goes
> > missing,
> >
> > # host -a shopcanberra.com
> > Trying "shopcanberra.com"
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61644
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;shopcanberra.com.              IN      ANY
> >
> > ;; ANSWER SECTION:
> > shopcanberra.com.       172798  IN      NS      NS1.shopcanberra.com.
> > shopcanberra.com.       172798  IN      NS      NS2.shopcanberra.com.
> > shopcanberra.com.       14400   IN      SOA     ns1.dnsroyal.com.
> > server.dnsroyal.com. 1029804702 28800 7200 3600000 86400
> >
> > ;; AUTHORITY SECTION:
> > shopcanberra.com.       172798  IN      NS      NS1.shopcanberra.com.
> > shopcanberra.com.       172798  IN      NS      NS2.shopcanberra.com.
> >
> >
> > Same thing happens when say I ping NS1.shopcanberra.com
> >
> > it resolves the first 2 times, and then no longer resolves.
> >
> > Once I restart named, it just happens again with the same thing. I
> > query many other name servers; they don't have the problem I am having.
> >
> > Does anyone have any ideas why this happens and a solution for it ?
> >
> > Thanks so much.
>
> I see two problems here.  One is with the delegation records for the
> `shopcanberra.com' zone while the other is that the problem you are
> seeing happens only when making recursive queries to a name server
> which is running BIND 8.3.2 or 8.3.3.
>
> As for the delegation problem, RFC-1034 requires that the NS records
> be consistent on both sides of the zone cut.  The parent zone (com.)
> reports:
>
>   ; <<>> DiG 8.3 <<>> shopcanberra.com ns +norec @f.gtld-servers.net
>   ; (1 server found)
>   ;; res options: init defnam dnsrch
>   ;; got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54712
>   ;; flags: qr; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>   ;; QUERY SECTION:
>   ;;      shopcanberra.com, type = NS, class = IN
>
>   ;; ANSWER SECTION:
>   shopcanberra.com.       2D IN NS        NS1.shopcanberra.com.
>   shopcanberra.com.       2D IN NS        NS2.shopcanberra.com.
>
>   ;; ADDITIONAL SECTION:
>   NS1.shopcanberra.com.   2D IN A         66.250.88.98
>   NS2.shopcanberra.com.   2D IN A         66.250.88.99
>
> The child zone, however, reports the following NS RRset:
>
>   ; <<>> DiG 8.3 <<>> shopcanberra.com ns +norec @66.250.88.98
>   ; (1 server found)
>   ;; res options: init defnam dnsrch
>   ;; got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48923
>   ;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>   ;; QUERY SECTION:
>   ;;      shopcanberra.com, type = NS, class = IN
>
>   ;; ANSWER SECTION:
>   shopcanberra.com.       4H IN NS        ns1.dnsroyal.com.
>   shopcanberra.com.       4H IN NS        ns2.dnsroyal.com.
>
>   ;; ADDITIONAL SECTION:
>   ns1.dnsroyal.com.       4H IN A         66.250.88.99
>   ns2.dnsroyal.com.       4H IN A         66.250.88.98
>
> Either the zone data should be changed to agree with the parent
> or the domain's registrar needs to be contacted to update their
> delegation information.
>
> I am able to reproduce your resolution problems with BIND 8.3.2
> and 8.3.3.  Prior versions of BIND 8 and BIND 9.2.1 do not pull
> the rug out from under you after two queries.  What seems to be
> happening is this:
>
>   1. With no cached data, the name server resolves the domain
>      name from the GTLD servers:
>
>        ; <<>> DiG 8.3 <<>> NS1.shopcanberra.com
>        ;; res options: init recurs defnam dnsrch
>        ;; got answer:
>        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
>        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>        ;; QUERY SECTION:
>        ;;      NS1.shopcanberra.com, type = A, class = IN
>
>        ;; ANSWER SECTION:
>        NS1.shopcanberra.com.   2D IN A  66.250.88.98
>
>        ;; AUTHORITY SECTION:
>        shopcanberra.com.       2D IN NS  NS1.shopcanberra.com.
>        shopcanberra.com.       2D IN NS  NS2.shopcanberra.com.
>
>        ;; ADDITIONAL SECTION:
>        NS1.shopcanberra.com.   2D IN A  66.250.88.98
>        NS2.shopcanberra.com.   2D IN A  66.250.88.99
>
>      This is non-authoritative data with a TTL of two days.  Unless a
>      subsequent query returns an authoritative answer with a different
>      TTL value, name servers other than 8.3.2 and 8.3.3 will still be
>      able to resolve the above domain name for two days.
>
>   2. A second query for the NS1.shopcanberra.com returns the same
>      answer except that the TTL is now shorter by the elapsed time
>      between the two queries.
>
>   3. A third query, however, all of a sudden reports NXDOMAIN:
>
>      ; <<>> DiG 8.3 <<>> NS1.shopcanberra.com
>      ;; res options: init recurs defnam dnsrch
>      ;; got answer:
>      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
>      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>      ;; QUERY SECTION:
>      ;;      NS1.shopcanberra.com, type = A, class = IN
>
>      ;; AUTHORITY SECTION:
>      shopcanberra.com.  2h59m58s IN SOA  ns1.dnsroyal.com. server.dnsroyal.com. (
>                                         1029804702      ; serial
>                                         8H              ; refresh
>                                         2H              ; retry
>                                         5w6d16h         ; expiry
>                                         1D )            ; minimum
>
> Perhaps Mark Andrews, the acknowledged BIND expert, could offer his
> expertise with the following questions regarding 8.3.2 and 8.3.3:
>
>   1.  The default value of the `auth-nxdomain' option seems to have
>       changed from "yes" to "no".  Only when I explicitly configure
>       "auth-nxdomain yes" will the AA bit appear in query #3.
>
>   2.  There seems to be some bad TTL arithmetic going on.  If a query
>       for the SOA record is made directly to an authoritative name
>       server, the TTL shows up as 4 hours.  In this case, the answer to
>       the recursive query is reporting a TTL that is short by one hour.
>
>   3.  The glue records (NS[12].shopcanberra.com) do not exist as
>       authoritative data.  Are the new rules in the credibility
>       pecking order such that an authoritative NXDOMAIN will
>       displace non-authoritative glue?
>
>   4.  A month ago, I posted another observed anomaly with BIND
>       8.3.3 and 8.3.2 (Expect NOERROR/NODATA, get SERVFAIL)
>
>         http://marc.theaimsgroup.com/?l=bind-users&m=102860974705016&w=2
>
>       but saw no response.  Perhaps these observed glitches are
>       related?
>
> Andris
>
>
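Added example (editor's code, not from Andris's reply): a delegation consistency check over the two NS RRsets quoted above, which is the test a practitioner would run before blaming the resolver. The data is transcribed from the dig output in the reply, not fetched live. Beyond the plain "parent NS set equals child NS set" rule from RFC 1034, it also reports two things visible in this case: the same two addresses are reachable under different names on each side of the cut (the .98/.99 assignments are swapped), and the parent's NS names fall inside the child zone but the child does not define them, which is exactly the situation in which an authoritative NXDOMAIN can displace the non-authoritative glue.

```python
# Transcribed from the dig output quoted in the reply (constructed input,
# not a live query).
ZONE = "shopcanberra.com."
PARENT_NS = ["NS1.shopcanberra.com.", "NS2.shopcanberra.com."]
PARENT_GLUE = {"NS1.shopcanberra.com.": "66.250.88.98",
               "NS2.shopcanberra.com.": "66.250.88.99"}
CHILD_NS = ["ns1.dnsroyal.com.", "ns2.dnsroyal.com."]
CHILD_GLUE = {"ns1.dnsroyal.com.": "66.250.88.99",
              "ns2.dnsroyal.com.": "66.250.88.98"}


def canon(name):
    """DNS names compare case-insensitively; normalise to lower case with
    a single trailing dot so NS1.x. and ns1.x compare equal."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name, zone):
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


def check_delegation(zone, parent_ns, parent_glue, child_ns, child_glue):
    """Compare the NS RRsets on both sides of the zone cut.

    Returns the names only one side lists, hosts that appear under a
    different name on each side (same address, different owner), and
    parent NS names inside the child zone that the child's own data does
    not define (orphaned glue). `consistent` is True only when the two
    NS sets match and no host is renamed across the cut.
    """
    p = {canon(n) for n in parent_ns}
    c = {canon(n) for n in child_ns}
    pg = {canon(n): a for n, a in parent_glue.items()}
    cg = {canon(n): a for n, a in child_glue.items()}

    # Index both glue sets by address to spot the same host under two names.
    by_addr = {}
    for side, glue in (("parent", pg), ("child", cg)):
        for name, addr in glue.items():
            by_addr.setdefault(addr, {})[side] = name
    renamed = {a: s for a, s in by_addr.items()
               if len(s) == 2 and s["parent"] != s["child"]}

    # Names the child must own (they are below the zone apex) but does not
    # publish; resolvers that believe the child's authoritative answer will
    # see NXDOMAIN for them.
    child_names = c | set(cg)
    orphaned = sorted(n for n in p
                      if in_bailiwick(n, zone) and n not in child_names)

    return {
        "only_in_parent": sorted(p - c),
        "only_in_child": sorted(c - p),
        "same_host_renamed": renamed,
        "orphaned_parent_glue": orphaned,
        "consistent": p == c and not renamed,
    }


if __name__ == "__main__":
    report = check_delegation(ZONE, PARENT_NS, PARENT_GLUE, CHILD_NS, CHILD_GLUE)
    for key, value in report.items():
        print(f"{key:<22} {value}")
```

Either fix named in the reply (changing the child zone's NS records to match the parent, or having the registrar update the delegation) makes `only_in_parent` and `only_in_child` empty; the `orphaned_parent_glue` entries disappear only when the child zone also publishes A records for whatever names end up in the delegation.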
> ------------------------------
>
> End of bind-users Digest V4 #245
> ********************************
>
