Does BIND 9.3.2 have problems related to forwarding?
Eivind Olsen
eivind at aminor.no
Wed May 24 09:11:14 UTC 2006
Hello.
Does anyone know if BIND 9.3.2 has any bugs/issues related to forwarding?
I have a DNS server where some zones are deliberately "hijacked" and
told to query another server through the use of a per-zone forwarder.
This is done by declaring the zone to be of type forward, like this:
zone "some.zone" {
    type forward;
    forwarders { 192.168.1.10; };
};
There is no forwarder-configuration set in the generic options-section,
only on specific zones (pretty much like the example on p269 in "DNS and
BIND, 4th edition" (Chapter 10, Forwarding)).
The options section looks like this:
options {
    directory "/opt/named";
    pid-file "named.pid";
    allow-query { any; };
    allow-transfer { my_net; trusted_parties; };
    allow-recursion { my_net; };
    query-source address 213.187.177.3;
    tcp-clients 200;
    recursive-clients 2000;
    version "Semi-secret";
};
(The named.conf file begins by defining some ACLs, then TSIG-key +
controls statement, then this options section, followed by definition
for zone "." and "0.0.127.in-addr.arpa", and finally it uses INCLUDE to
get the list of the zones which should be forwarded.)
So, to sum it up, the server is a recursive server doing normal DNS
lookups on behalf of DNS clients, and on some zones it forwards the
request to another server which gives a distinct answer back.
Now, on to the problem. I've seen that some queries have been given
incorrect replies - a zone which is NOT defined in the configuration has
ended up with a reply as if it has been forwarded, which it should not.
It just happens to some queries, but once it has happened, that
information is cached.
Has anyone seen any problems like this? Any suggestions on what the
problem might be? I've given this a lot of thought and can't see where
it could go wrong, except if there are bugs in BIND related to this. But
I would very much like to be proven wrong on that.
Oh, another thing. I've looked at the changes-file for BIND 9.4.0a5 and
searched for forward-related things. I see the following entry, but
I'm not really sure what the entry is about or if it could be related.
Could someone perhaps shed some light on what this entry is about?
"1961. [bug] Check the port and address of responses
forwarded to dispatch. [RT #15474]"
--
Regards / Hilsen
Eivind Olsen
<eivind at aminor.no>
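
A triage aid for the symptom described in the message above, as an added example that is not part of the original post and is not BIND code: it lists the zones declared "type forward" in a configuration and flags observed answers that carry the internal server's data although no forward zone covers the queried name. The sample configuration, the observations and the 10.0.0.0/8 range used to recognise the internal server's answers are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of the zone statement quoted in the post.
SAMPLE_CONF = '''
zone "." { type hint; file "root.hints"; };
zone "some.zone" {
    type forward;
    forwarders { 192.168.1.10; };
};
zone "Other.Example." IN { type forward; forwarders { 192.168.1.10; 192.168.1.11; }; };
'''
# Constructed observations: (queried name, address found in the cached answer).
OBSERVED = [("www.some.zone.", "10.1.2.3"), ("awesome.zone", "10.1.2.4"),
            ("www.example.org", "203.0.113.7"), ("Host.Other.Example", "10.9.9.9")]

def normalize(name):
    return name.strip().rstrip('.').lower()

def forward_zones(conf):
    # Returns {zone: [forwarders]} for every zone statement of type forward.
    conf = re.sub(r'/\*.*?\*/|(//|#)[^\n]*', '', conf, flags=re.S)  # drop comments
    zones = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf, re.I):
        depth, i = 1, m.end()
        while i < len(conf) and depth:  # walk to the brace closing this zone
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        if re.search(r'\btype\s+forward\s*;', body, re.I):
            fw = re.search(r'\bforwarders\s*\{([^}]*)\}', body, re.I)
            addrs = fw.group(1).split(';') if fw else []
            zones[normalize(m.group(1))] = [a.strip() for a in addrs if a.strip()]
    return zones

def enclosing_forward_zone(qname, zones):
    # Match on whole labels only, so "awesome.zone" is not under "some.zone".
    labels = normalize(qname).split('.')
    suffixes = ('.'.join(labels[i:]) for i in range(len(labels)))
    return next((s for s in suffixes if s in zones), None)

def misforwarded(observed, zones, internal_net):
    # Names answered with internal data although no forward zone covers them.
    net = ipaddress.ip_network(internal_net)
    return [q for q, addr in observed
            if ipaddress.ip_address(addr) in net
            and enclosing_forward_zone(q, zones) is None]
```
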
More information about the bind-users
mailing list