Trouble With One Domain

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Jun 26 21:13:35 UTC 2009


On Fri, Jun 26, 2009 at 01:16:32PM -0500,
 bsfinkel at anl.gov <bsfinkel at anl.gov> wrote 
 a message of 32 lines which said:

> If the zonecheck code is able to determine what the reason is, then
> it should give the reason. 

If you give only the domain name (not the name servers' names and
addresses), Zonecheck depends on the local resolver to find out the
name servers. If the resolver returns SERVFAIL, Zonecheck cannot do
anything.

If you run Zonecheck on a machine where the resolver is Unbound, it
works:

% zonecheck IllinoisAcceleratorInstitute.org
ZONE  : illinoisacceleratorinstitute.org.
NS <= : t1dns2.anl.gov. [130.202.101.37]
NS    : t1dns2.aps.anl.gov. [164.54.56.140]
NS    : ns-lvk.es.net. [198.129.252.34, 2001:400:910:1::2]
NS    : ns-aoa.es.net. [198.124.252.22, 2001:400:6000::22]
NS    : t1dns1.aps.anl.gov. [164.54.56.139]
NS    : nsx.lbl.gov. [131.243.64.3]
NS    : t1dns1.anl.gov. [130.202.101.6]
NS    : ns1.es.net. [198.128.2.10, 2001:400:14:2::10]

       _______________
     ,---------------.|
~~~~ |    warning    || ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     `---------------'
w> The format of the serial number is not YYYYMMDDnn
 | Ref: RFC1912 (p.3)
 |   The recommended syntax is YYYYMMDDnn (YYYY=year, MM=month, DD=day,
 | nn=revision number).
 `----- -- -- - -  -
 :   The serial 1001 doesn't seem to be in the YYYYMMDDnn format.
...


If you run it on a machine where the resolver is BIND, it fails (and
rightly so):

% zonecheck IllinoisAcceleratorInstitute.org
ERROR: Unable to find primary nameserver (SOA)

A workaround is to specify explicitly the name and addresses of the
name servers.
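
Added example, not part of the original message and not Zonecheck's own code: a sketch of how a checking tool could read the RCODE in the local resolver's reply to its SOA query and report SERVFAIL as the reason instead of a generic failure. The function names, the reason strings and the reply bytes are constructed for illustration.

```python
import struct

# RCODE values from RFC 1035, section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPE_SOA = 6

def build_query(name, qtype=TYPE_SOA, qid=0x1234):
    """Encode a recursive (RD=1) query for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def fake_reply(query, rcode):
    """Constructed resolver reply: QR, RD and RA set, question echoed, no answers."""
    return query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 0, 0, 0) + query[12:]

def diagnose(query, response):
    """Return (status, reason) describing the resolver's reply to query."""
    if len(response) < 12:
        return ("MALFORMED", "reply shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    # The reply must carry the query's ID and have the QR (response) bit set.
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return ("MISMATCH", "reply does not match the query")
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode == "SERVFAIL":
        return (rcode, "local resolver failed; give the name servers "
                       "and their addresses explicitly")
    if rcode == "NXDOMAIN":
        return (rcode, "the domain does not exist")
    if rcode == "NOERROR" and ancount == 0:
        return ("NODATA", "the name exists but the reply has no SOA record")
    if rcode == "NOERROR":
        return (rcode, "the resolver returned an answer")
    return (rcode, "the resolver answered with an error")

if __name__ == "__main__":
    q = build_query("illinoisacceleratorinstitute.org")
    for code in (0, 2, 3, 5):
        print("%s: %s" % diagnose(q, fake_reply(q, code)))
```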


