Bind 9.2.4 slaving problem [bind 9.2.1 and bind 8.3.3]

Kevin Darcy kcd at daimlerchrysler.com
Tue Oct 4 22:23:31 UTC 2005 

Jeff Wark wrote:

>Greetings.
>
>I have a master name server running BIND 9.2.1 [Debian Woody - server not available on the
>Internet] and a slave server running bind 9.2.4 [Debian Sarge - not currently
>available on  the Internet] and two others running bind 8.3.3 [Debian Woody - on the
>Internet].
>
>The 9.2.1 is a master for all the others to slave from.  I have an entry in a zone
>defined  on the master as the following:
>  
>
>>$ORIGIN example.com.
>>spamhaus-datafeed      IN   NS   local-rbl-a
>>spamhaus-datafeed      IN   NS   local-rbl-b
>>    
>>
>
>When I issue the following command:
>#> host -t nx spamhaus-datafeed.example.com 127.0.0.1
>on the master server OR the BIND 8.3.3 servers I get an answer pointing me in the
>right  direction.  On the Sarge 9.2.4 however I get a:
>"Host spamhaus-datafeed.example.com not found: 2(SERVFAIL)"
>error.
>
>I can see the records in the local db file on all machines.  The 8.3.3 machines are a
>little  more verbose in that they list the TTL for each record, the 'IN' record
>qualifier and a  fully qualified hostname at the end of the record [ex.
>local-rbl-a.example.com.].  The 9.2.4  machine simply lists a record without the TTL,
>without the 'IN' qualifier, and without the  $ORIGIN on the hostname at the end of
>the record [ex. local-rbl-a].
>
>I have looked through the DNS and BIND book from O'Reilly but it has not led me to
>anything  helpful.  The closest I've come to finding something referring to this
>issue is the 'Top 9  gotchas' for Bind 9.  The sixth gotcha refers to the following:
>  
>
>>6.  BIND 9 strictly enforces zone boundaries.
>>Older BIND name servers would let you get away with configurations like this:
>>
>>subdomain     IN     NS      ns1
>>subdomain     IN     TXT     "Delegated subdomain"
>>
>>Technically, that TXT record belongs in the zone data file for subdomain, not in
>>the >parent zone. Older versions of BIND, however, would allow it. Not BIND 9,
>>though; it >ignores the TXT record as "out-of-zone data."
>>    
>>
>
>I am only listing NS records in the 'example.com' domain and no others so this
>doesn't  really seem to apply.
>
I think you're getting hung up on irrelevant details of the zonefile 
format, and missing the fact that your NS query is getting a SERVFAIL 
from local-rbl-a.example.com and/or local-rbl-b.example.com, *not* from 
the example.com nameserver. If you do a non-recursive query (-r in 
"host") from the example.com nameserver, I expect you'll see the 
delegation records just fine. And if you point your query at 
local-rbl-a.example.com and/or local-rbl-b.example.com, I expect you'll 
see them answer with SERVFAIL. Your nameserver is just passing that 
SERVFAIL through.

BIND 8 handled zone cuts a little differently (with less integrity between zones), so it "covers up" the problem. BIND 9 exposes it to you.

										- Kevin

More information about the bind-users mailing list