bind 9 problem with delegation

bsfinkel at anl.gov
Fri Jul 24 16:17:04 UTC 2009


gui <gcoine at gmail.com> wrote:

>hello,
>
>I have a strange problem with my BIND server, and I hope someone
>could point out the problem. Here is the description:
>
>I have two BIND servers (replication, multi-master), BIND 9.3.4, same
>version, same configuration (normally).
>I tried to do some PTR delegation; for example, I have a
>104.10.in-addr.arpa zone. The master of the zone is my BIND server,
>and in this zone file I have this:
>
>0.104.10.in-addr.arpa.    IN    NS         otherDNSserver.fqdn
>
>On the first server, when I check with dig, I get nothing:
>
>dig 0.104.10.in-addr.arpa :
>
>; <<>> DiG 9.3.4-P1.1 <<>> 0.104.10.in-addr.arpa
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60811
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;0.104.10.in-addr.arpa.         IN      A
>
>;; Query time: 108 msec
>;; SERVER: 10.x.x.x#53(10.x.x.x)
>;; WHEN: Fri Jul 10 17:17:52 2009
>;; MSG SIZE  rcvd: 39
>
>
>On the other one, it works:
>
>
>; <<>> DiG 9.3.4-P1.1 <<>> 0.104.10.in-addr.arpa
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58295
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;0.104.10.in-addr.arpa.         IN      A
>
>;; AUTHORITY SECTION:
>0.104.10.in-addr.arpa.  3600    IN      SOA     myotherdnsserver.fqdn.
>hostmaster.myotherserver.fqdn. 310 900 600 86400 3600
>
>;; Query time: 4005 msec
>;; SERVER: 10.2.129.9#53(10.2.129.9)
>;; WHEN: Thu Jul 23 09:03:51 2009
>;; MSG SIZE  rcvd: 113
>
>
>And I can't find what to do to make this work correctly on the first
>server....
>
>I hope you'll have more ideas than me :-))
>
>Thank you!

The first query does not produce "nothing"; it tells you via these lines:

     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60811
     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

     ;; QUESTION SECTION:
     ;0.104.10.in-addr.arpa.         IN      A

The return code is NXDOMAIN.  There is no "aa" in the flags, so the
response is not authoritative.  The server knows nothing about this
domain.  Note that you are querying for the address of a class-c
subnet, and that subnet has no address.

The second query "works"; it gives you more information than the first
query:

     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58295
     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

     ;; QUESTION SECTION:
     ;0.104.10.in-addr.arpa.         IN      A

     ;; AUTHORITY SECTION:
     0.104.10.in-addr.arpa.  3600    IN      SOA     myotherdnsserver.fqdn.

The return code is NOERROR.  There are 0 answer sections in the
response.  The response is not authoritative.  But the server knows
(and gives) the SOA for the zone.  I am assuming that this server had
the SOA record in its cache.

As to why these two DNS servers do not know about the zone, I cannot
tell.  This is a 10-subnet, so we would not be able to query it.
We would have to see the config files from the two servers to see
how they define the zone.

Here is a query I made for the address of one of our Class-B subnets:

solaris% dig 139.146.in-addr.arpa

; <<>> DiG 8.3 <<>> 139.146.in-addr.arpa 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      139.146.in-addr.arpa, type = A, class = IN

;; AUTHORITY SECTION:
139.146.in-addr.arpa.   2H IN SOA       dns0.anl.gov. hostmaster.anl.gov. (
                                        2009072402      ; serial
                                        2H              ; refresh
                                        1H              ; retry
                                        2W              ; expiry
                                        2H )            ; minimum
...
solaris%

Note that the answer has NOERROR, aa, and 0 answer sections.
The response is authoritative, as the server I queried is a slave for
this zone.  The query was for an "A" record that does not exist.
A query for NS records might give you the NS record set for the zone,
depending upon your BIND configuration.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
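The reply above reads each dig response by its status code, its flags (especially "aa") and whether an SOA shows up in the AUTHORITY section. As an added example, not part of this thread, here is a small Python parser that applies that reading to the three responses quoted above; the sample texts are constructed from the headers in the messages, and the function names are mine.

```python
import re

# Added example: classify a dig response the way the reply reads it.
# The three samples are constructed from the dig output quoted in this thread.
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60811
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
DIG_NODATA_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58295
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
0.104.10.in-addr.arpa.  3600    IN      SOA     myotherdnsserver.fqdn. hostmaster.myotherserver.fqdn. 310 900 600 86400 3600
"""
DIG_NODATA_AA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
139.146.in-addr.arpa.   2H IN SOA       dns0.anl.gov. hostmaster.anl.gov. (
"""

STATUS_RE = re.compile(r"status: (\w+),")
FLAGS_RE = re.compile(r"flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SOA_RE = re.compile(r"^\S+\s+\S+\s+IN\s+SOA\b", re.M)  # an SOA RR line in the output

def parse_dig(text):
    """Pull rcode, flags, section counts and SOA presence out of dig output."""
    m = FLAGS_RE.search(text)
    counts = dict(zip(("query", "answer", "authority", "additional"),
                      map(int, m.groups()[1:])))
    return {"status": STATUS_RE.search(text).group(1),
            "flags": set(m.group(1).split()),
            "soa_in_authority": SOA_RE.search(text) is not None, **counts}

def classify(r):
    """Explain an empty response: NXDOMAIN vs NODATA, and whether it is authoritative."""
    auth = "authoritative" if "aa" in r["flags"] else "non-authoritative"
    if r["status"] == "NXDOMAIN":
        return f"NXDOMAIN ({auth}): the name does not exist as far as this server knows"
    if r["status"] == "NOERROR" and r["answer"] == 0:
        src = "SOA in AUTHORITY" if r["soa_in_authority"] else "no SOA returned"
        return f"NODATA ({auth}): the name exists but has no record of that type; {src}"
    return f"{r['status']} ({auth}): {r['answer']} answer record(s)"

if __name__ == "__main__":
    for name in ("DIG_NXDOMAIN", "DIG_NODATA_CACHED", "DIG_NODATA_AA"):
        print(name, "->", classify(parse_dig(globals()[name])))
```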