proving a server doesn't have a zone

Matthew Pounsett matt at conundrum.com
Mon Jun 1 19:48:54 UTC 2009



On 01-Jun-2009, at 15:42, Todd Snyder wrote:

> I'm sure I'm just having a dumb moment, and that the return codes from
> dig can give me what I need, but I can't figure it out.

Indeed, dig can help you here.  Send the server a non-recursive query  
for something in the zone in question (doesn't matter if what you  
query for actually exists or not).  The server will either respond  
with the AA bit set, or not, and that's how you know.

Note the absence of an 'aa' entry in the flags field, on the 6th line  
of the output, below.

% dig +norec @a.gtld-servers.net foo.rim.com

; <<>> DiG 9.4.3-P1 <<>> +norec @a.gtld-servers.net foo.rim.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44151
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;foo.rim.com.			IN	A

;; AUTHORITY SECTION:
rim.com.		172800	IN	NS	xns01lhr.rim.net.
rim.com.		172800	IN	NS	xns01ykf.rim.net.

;; ADDITIONAL SECTION:
xns01lhr.rim.net.	172800	IN	A	193.109.81.21
xns01ykf.rim.net.	172800	IN	A	206.51.26.10

;; Query time: 80 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Mon Jun  1 15:46:55 2009
;; MSG SIZE  rcvd: 114


In this second example, the server is authoritative for rim.com, and  
answers with the aa bit set:

% dig +norec @xns01lhr.rim.net foo.rim.com

; <<>> DiG 9.4.3-P1 <<>> +norec @xns01lhr.rim.net foo.rim.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51004
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.rim.com.			IN	A

;; AUTHORITY SECTION:
rim.com.		600	IN	SOA	xns01ykf.rim.net. dnsadmin.rim.net. 2009052301 7200 3600 1209600 600

;; Query time: 138 msec
;; SERVER: 193.109.81.21#53(193.109.81.21)
;; WHEN: Mon Jun  1 15:48:17 2009
;; MSG SIZE  rcvd: 90



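The check described in the message above, scripted so it can be run against a list of servers (an added example, not part of the original post). The function names and the `+time`/`+tries` limits are assumptions of this example; the two sample functions reuse header lines from the dig runs in the post so the parser can be exercised offline.

```shell
#!/bin/sh
# aa_state: read dig output on stdin and print one of
#   authoritative      header flags include "aa"
#   not-authoritative  header present, "aa" absent (e.g. a referral)
#   no-response        no ";; flags:" line at all (timeout, unreachable)
aa_state() {
    awk '
        /^;; flags:/ {
            seen = 1
            sub(/^;; flags:/, "")   # drop the label
            sub(/;.*/, "")          # keep only the flag words before ";"
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aa") aa = 1
            exit                    # only the first header matters
        }
        END {
            if (!seen)   print "no-response"
            else if (aa) print "authoritative"
            else         print "not-authoritative"
        }'
}

# audit_zone NAME SERVER...: send the post's non-recursive query to each server.
# +time/+tries only bound the wait; they are an addition to the post's command.
audit_zone() {
    name=$1; shift
    for server in "$@"; do
        state=$(dig +norec +time=3 +tries=1 "@$server" "$name" 2>/dev/null | aa_state)
        printf '%s\t%s\t%s\n' "$server" "$name" "$state"
    done
}

# Offline samples: header lines copied from the two dig runs in the post.
sample_referral() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44151' \
        ';; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2'
}
sample_authoritative() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51004' \
        ';; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
}
```

Calling `audit_zone foo.rim.com a.gtld-servers.net xns01lhr.rim.net` prints one tab-separated line per server with its state.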



More information about the bind-users mailing list