Does BIND 9.3.2 have problems related to forwarding?

Eivind Olsen eivind at aminor.no
Wed May 24 09:11:14 UTC 2006


Hello.

Does anyone know if BIND 9.3.2 has any bugs/issues related to forwarding?
I have a DNS server where some zones are deliberately "hijacked" and 
told to query another server through the use of a per-zone forwarder. 
This is done by declaring the zone to be of type forward, like this:

zone "some.zone" {
   type forward;
   forwarders { 192.168.1.10; };
};

There is no forwarder-configuration set in the generic options-section, 
only on specific zones (pretty much like the example on p269 in "DNS and 
BIND, 4th edition", Chapter 10, Forwarding).

The options section looks like this:
options {
         directory "/opt/named";
         pid-file "named.pid";
         allow-query { any; };
         allow-transfer { my_net; trusted_parties; };
         allow-recursion { my_net; };
         query-source  address 213.187.177.3;
         tcp-clients 200;
         recursive-clients 2000;
         version "Semi-secret";
};

(The named.conf file begins by defining some ACLs, then TSIG-key + 
controls statement, then this options section, followed by definition 
for zone "." and "0.0.127.in-addr.arpa", and finally it uses INCLUDE to 
get the list of the zones which should be forwarded.)

So, to sum it up, the server is a recursive server doing normal DNS 
lookups on behalf of DNS clients, and on some zones it forwards the 
request to another server which gives a distinct answer back.

Now, on to the problem. I've seen that some queries have been given 
incorrect replies - a zone which is NOT defined in the configuration has 
ended up with a reply as if it has been forwarded, which it should not.
It just happens to some queries, but once it has happened, that 
information is cached.

Has anyone seen any problems like this? Any suggestions on what the 
problem might be? I've given this a lot of thought and can't see where 
it could go wrong, except if there are bugs in BIND related to this. But 
I would very much like to be proven wrong on that.

Oh, another thing. I've looked on the changes-file for BIND 9.4.0a5 and 
searched for forward-related things. I see the following entry, but 
I'm not really sure what the entry is about or if it could be related. 
Could someone perhaps shed some light on what this entry is about?

"1961.   [bug]           Check the port and address of responses 
forwarded to dispatch. [RT #15474]"

-- 
Regards / Hilsen
Eivind Olsen
<eivind at aminor.no>
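When chasing the kind of mismatch described in the post, it helps to have the expected forwarding decision for every query name derived straight from named.conf, so that observed answers can be compared against it. The following is an added example, not code from the post or from BIND: the named.conf excerpt is constructed, and the matching rule assumed is BIND's selection of the closest enclosing configured zone for a query name.

```python
import re

# Constructed named.conf excerpt modelled on the post: one per-zone forwarder,
# one forward-only zone with two forwarders, and a master zone nested below a
# forward zone (which takes precedence for names under it).
SAMPLE_NAMED_CONF = """
options {
         directory "/opt/named";
         allow-recursion { my_net; };
};
zone "some.zone" {
   type forward;
   forwarders { 192.168.1.10; };
};
zone "other.example" {
   type forward;
   forward only;
   forwarders { 192.168.1.11; 192.168.1.12; };
};
zone "sub.some.zone" {
   type master;
   file "sub.some.zone.db";
};
"""

def parse_zones(conf):
    """Return {zone_name: {"type": str|None, "forwarders": [ip, ...]}} for every
    zone statement, matching braces so nested '{ };' blocks are handled."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        fwd = re.search(r'\bforwarders\s*\{([^}]*)\}', body)
        zones[m.group(1).lower().rstrip(".")] = {
            "type": ztype.group(1) if ztype else None,
            "forwarders": re.findall(r'[\d.]+', fwd.group(1)) if fwd else [],
        }
    return zones

def expected_forwarders(zones, qname):
    """Longest label-aligned suffix match: the most specific configured zone
    decides. Returns its forwarder list if it is a forward zone, otherwise []
    (normal recursion or local authoritative data). A name under no configured
    zone, like the one in the post, should therefore never map to a forwarder."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        z = zones.get(".".join(labels[i:]))
        if z is not None:
            return z["forwarders"] if z["type"] == "forward" else []
    return []
```

Feed the real named.conf (with its INCLUDE files concatenated) and the names from the suspect queries; any name that maps to [] yet returned the forwarder's distinct answer is a candidate for the cached-answer problem described.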
