Trouble creating slave zones

Eric B. ebenze at hotmail.com
Tue Apr 1 13:21:28 UTC 2008


Thanks Mark.

I tried a dig soa command and got the following output.  I am hoping that 
someone can help me determine what is missing.  The one thing I noticed is 
that I don't have the "AUTHORITY" section.  Could that be triggering the 
problem?  If so, any ideas how I can ensure that it is present?  What do I 
need to make sure is in my Master conf file to have that appear?

# dig soa mydomain.biz @198.20.1.1 +norec

; <<>> DiG 9.2.4 <<>> soa mydomain.biz @198.20.1.1 +norec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42824
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.biz.                     IN      SOA

;; ANSWER SECTION:
mydomain.biz.              3600    IN      SOA     ns1.mydomain.com. 
administrator.mydomain.com. 610 3600 600 86400 3600

;; ADDITIONAL SECTION:
ns1.mydomain.com.          3600    IN      A       198.20.1.1

;; Query time: 20 msec
;; SERVER: 198.20.1.1#53(198.20.1.1)
;; WHEN: Tue Apr  1 09:17:40 2008
;; MSG SIZE  rcvd: 106


Thanks!

Eric

"Mark Andrews" <Mark_Andrews at isc.org> wrote in message 
news:200803312114.m2VLExtZ065992 at drugs.dv.isc.org...
>
>
> A refresh query is equivalent to "dig soa <zone> @<server> +norec".
>
> You should get only the SOA record for the zone in the
> answer section and "aa" should be set in the flags field.
> If you don't then there is an error on the master.
>
> Mark
>
> e.g.
>
> ; <<>> DiG 9.3.4-P1 <<>> soa +norec dv.isc.org @::1
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18464
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
>
> ;; QUESTION SECTION:
> ;dv.isc.org. IN SOA
>
> ;; ANSWER SECTION:
> dv.isc.org. 3600 IN SOA bsdi.dv.isc.org. marka.isc.org. 2007103051 86400 
> 21600 2419200 86400
>
> ;; AUTHORITY SECTION:
> dv.isc.org. 86400 IN NS drugs.dv.isc.org.
> dv.isc.org. 86400 IN NS bsdi1.dv.isc.org.
>
> ;; ADDITIONAL SECTION:
> bsdi1.dv.isc.org. 86400 IN A 192.168.191.233
> drugs.dv.isc.org. 86400 IN A 192.168.191.236
> drugs.dv.isc.org. 86400 IN AAAA 2001:470:1f00:820:214:22ff:fed9:fbdc
> drugs.dv.isc.org. 86400 IN AAAA fd92:7065:b8e:0:214:22ff:fed9:fbdc
> drugs.dv.isc.org. 86400 IN AAAA fe80::214:22ff:fed9:fbdc
>
> ;; Query time: 29 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Tue Apr  1 08:13:01 2008
> ;; MSG SIZE  rcvd: 231
>
>> Sorry - good point.  Yes, the slave is also behind the firewall.
>>
>> If I set the master address to 192.168.1.1, I get the same result.  If I
>> check my master logs, I do see that my Master dns server is being queried
>> for the records and responding to bind's requests.
>>
>> Is there a way I can have bind log more detailed info to try to
>> understand why it thinks the response is non-authoritative?
>>
>> Thanks!
>>
>> Eric
>>
>> "Chris Buxton" <cbuxton at menandmice.com> wrote in message
>> news:B93F8A8D-F72E-47AF-8074-BCBEF1132075 at menandmice.com...
>> You didn't say whether the slave server is also behind the firewall.
>> If it is, I would guess that the non-authoritative answer is coming
>> from the firewall, not from the actual master server. What happens if
>> you set the master server address in your zone statement to 192.168.1.1?
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>>
>> On Mar 31, 2008, at 9:57 AM, Eric B. wrote:
>> > Hi,
>> >
>> > I'm trying to set up bind 9.2.4 to create slave zones on my machine
>> > for a bunch of dns zones.  The master is a Win2K Server running its
>> > built-in DNS (not Active Directory).
>> >
>> > My named.conf file lists the following:
>> > options {
>> >        directory "/var/named";
>> >        dump-file "/var/named/data/cache_dump.db";
>> >        statistics-file "/var/named/data/named_stats.txt";
>> >        zone-statistics yes;
>> >        notify yes; // notify the above IP's when a zone is updated
>> >        pid-file "/var/run/named/named.pid";
>> >        transfer-format many-answers; // Generates more efficient zone transfers
>> >        listen-on { any; };
>> > };
>> >
>> > include "/etc/rndc.key";
>> >
>> > zone "mydomain.biz.dns" IN { type slave; file "slaves/mydomain.biz.dns";
>> > masters { 198.20.1.1; }; };
>> >
>> >
>> > // Include logging config file
>> > include "/var/named/conf/logging.conf";
>> >
>> >
>> >
>> > However, if I look at /var/log/named/general.log, I see the
>> > following error messages:
>> > Mar 31 12:26:25.902 zone mydomain.biz.dns/IN: refresh: non-authoritative
>> > answer from master 198.20.1.1#53
>> >
>> > This is confusing me extremely.  If I check the configuration on the
>> > master server, the zone is configured as the primary server.  If it is
>> > of any help, I can also post the actual dns conf file for the zone on
>> > the W2K server.
>> >
>> > The only thing I can think of is that my zone's NS records point to
>> > my DNS server's public address, even though my DNS server is actually
>> > behind a firewall and has an internal address:
>> >
>> > ;    Zone NS records
>> > @                             NS    ns1.mydomain.biz
>> > ns1.mydomain.biz.    A        198.20.1.1
>> >
>> > But my primary server's address is actually 192.168.1.1 (and mapped to
>> > 198.20.1.1 through my firewall rules).
>> >
>> >
>> > Is this a configuration problem of bind, the Win2K server, or the
>> > actual zone information within the DNS server?
>> >
>> > Any help, ideas, suggestions would be greatly appreciated.
>> >
>> > Thanks,
>> >
>> > Eric
>> >
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>
> 
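An added check, written for this archive page and not part of the thread or of BIND, that performs the refresh test Mark describes: it sends a non-recursive SOA query (the equivalent of "dig soa <zone> @<server> +norec") and reports whether the reply is NOERROR, has "aa" set and carries exactly one SOA in the answer section. It uses only the Python standard library; pass the zone name exactly as it is written in the slave's zone statement, because that is the name named queries on refresh. The sample_response helper builds a constructed reply for offline testing, not captured traffic.

```python
import socket
import struct

TYPE_SOA, CLASS_IN, AA_FLAG = 6, 1, 0x0400   # SOA type, IN class, header "aa" bit

def encode_name(name):  # wire-encode a domain name as length-prefixed labels
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_soa_query(zone, qid=0x1234):  # RD clear, like "dig soa <zone> +norec"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)

def skip_name(msg, off):  # return the offset just past a (possibly compressed) name
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk plain labels until root or pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # pointer is two bytes, root label one

def check_refresh_response(msg, qid=0x1234):
    """Mark's test: NOERROR, "aa" set, and exactly one SOA in the answer section."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    problems = []
    if rid != qid: problems.append("response id does not match the query")
    if flags & 0x000F: problems.append("rcode %d is not NOERROR" % (flags & 0x000F))
    if not flags & AA_FLAG: problems.append("aa not set: master answered non-authoritatively")
    off, soa = 12, 0
    for _ in range(qd):                      # step over the question section
        off = skip_name(msg, off) + 4
    for _ in range(an):                      # count SOA records in the answer section
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        soa += 1 if rtype == TYPE_SOA else 0
    if soa != 1: problems.append("expected exactly one SOA in the answer, got %d" % soa)
    return problems

def refresh_check(zone, server, port=53, timeout=5.0):  # query the master over UDP
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(zone), (server, port))
        data, _ = sock.recvfrom(4096)
    return check_refresh_response(data)      # empty list means the master looks healthy

def sample_response(zone, aa=True, answers=1, qid=0x1234):
    """Constructed reply (not captured traffic) so the checker can be exercised offline."""
    msg = struct.pack("!HHHHHH", qid, 0x8000 | (AA_FLAG if aa else 0), 1, answers, 0, 0)
    msg += encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = encode_name("ns1." + zone) + encode_name("admin." + zone) + struct.pack("!5I", 610, 3600, 600, 86400, 3600)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return msg + rr * answers
```

A call such as refresh_check("mydomain.biz", "198.20.1.1") reproduces the dig test from the master's point of view; any string in the returned list is a reason named would log the refresh as failed.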
