problem with ORIGIN definition.

Barry Margolin barmar at alum.mit.edu
Thu Feb 28 04:18:19 UTC 2008


In article <fq449b$u1m$1 at sf1.isc.org>, <vincent.blondel at ing.be> wrote:

> Hello,
> 
> Just this mail to ask you about a problem I just discovered with my dns
> infra. I get a dns zone running on a local bind 9.2.3 with a definition
> like this
> 
> $ORIGIN mydomain.be.
> $TTL 3600
> @ IN SOA ns.mydomain.be. dnsmaster.mydomain.be. (
>                 1 ; serial
>                 21600      ; refresh (6 hours)
>                 3600       ; retry (1 hour)
>                 691200     ; expire (1 week 1 day)
>                 7200       ; minimum (2 hours)
>                 )
> 
>         IN NS   ns1.mydomain.be.
>         IN NS   ns2.mydomain.be.
> 
> ...
> ...
> ...
> 
> $ORIGIN example.mydomain.be.
> @ IN NS ns1.mydomain.be.
> @ IN NS ns2.mydomain.be.
> 
> $ORIGIN docpay.mydomain.be.
> @ IN NS ns1.adomain.nl.
> @ IN NS ns2.adomain.nl.
> 
> This server is in fact the local master for our public dns area and is
> syncing with another bind running 9.4.1-P1 in dmz area. This last server
> is really connected on the internet. Synchronization is done simply with
> a NOTIFY from internal to dmz server.
> 
> This is running well except I discovered a strange behaviour this
> afternoon.
> 
> When I query from local server NS records for docpay.mydomain.be I do
> not get any answer, but I do for example.mydomain.be :
> 
>  dig @localhost docpay.mydomain.be in ns
>  dig @localhost example.mydomain.be in ns
> 
> But when I run these same queries to my dmz server directly from the
> internet I do not get any problems. So I receive ns1.adomain.nl and
> ns2.adomain.nl as NS records for docpay.mydomain.be. On the other side
> when I query NS records for example.mydomain.be I do receive
> ns1.mydomain.be and ns2.mydomain.be.
> 
> My question is: why do I not get any answer for docpay.mydomain.be when
> I query from the internal server? Is this related to a bug corrected a
> long time ago, or is this simply due to another behaviour I have not
> thought about?

Does it work if you do:

dig @localhost docpay.mydomain.be ns +norec

If so, I think your firewall is preventing your local machine from 
querying on the Internet.  Your server wants to get the authoritative NS 
records from the server on the Internet, not the delegation records in 
the parent zone.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
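To see why a recursive query for docpay.mydomain.be behaves differently from one for example.mydomain.be, here is an added example (not from the thread and not BIND code) that expands $ORIGIN and @ in a constructed copy of the posted zone and lists which delegation points hand off to name servers outside the zone. Those are the lookups the internal server must complete across the firewall when recursion is on; with `+norec` it simply returns the delegation from its own zone file.

```python
# Constructed sample zone, modelled on the one posted in the thread.
SAMPLE_ZONE = """\
$ORIGIN mydomain.be.
$TTL 3600
@ IN SOA ns.mydomain.be. dnsmaster.mydomain.be. (
                1 ; serial
                )
        IN NS   ns1.mydomain.be.
        IN NS   ns2.mydomain.be.
$ORIGIN example.mydomain.be.
@ IN NS ns1.mydomain.be.
@ IN NS ns2.mydomain.be.
$ORIGIN docpay.mydomain.be.
@ IN NS ns1.adomain.nl.
@ IN NS ns2.adomain.nl.
"""

def fqdn(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def ns_records(zone_text):
    """{owner: [NS targets]} for every NS record, with $ORIGIN and @ expanded."""
    origin, owner, in_paren, out = ".", None, False, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop ';' comments
        if in_paren:                                  # still inside SOA ( ... )
            in_paren = ")" not in line
            continue
        if not line.strip():
            continue
        if line.startswith("$"):                      # $ORIGIN / $TTL directives
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = line.split()
        if not raw[0].isspace():                      # leading blank = previous owner
            owner = fqdn(fields.pop(0), origin)
        if "(" in line:                               # SOA opens a multi-line block
            in_paren = ")" not in line
        elif "NS" in fields[:-1]:
            out.setdefault(owner, []).append(fqdn(fields[-1], origin))
    return out

def delegations(zone_text, apex):
    """Delegation points below apex -> their NS targets that lie outside the zone."""
    suffix = "." + apex
    return {owner: [t for t in targets if not t.endswith(suffix)]
            for owner, targets in ns_records(zone_text).items() if owner != apex}
```

For the sample zone, `delegations(SAMPLE_ZONE, "mydomain.be.")` reports docpay.mydomain.be. as delegated to ns1.adomain.nl. and ns2.adomain.nl., while example.mydomain.be. stays within the zone.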