nxdomain

Nick Edwards nick.z.edwards at gmail.com
Wed Aug 28 23:43:21 UTC 2013


Mark,

On 8/29/13, Mark Andrews <marka at isc.org> wrote:
>
> In message
> <CAMD-=VKA_dftLRqtJMs=EGMEPZHU82q06+p_J8RmbgzXvVGjGg at mail.gmail.com>
> , Nick Edwards writes:
>> The typo was more of how I came about my request; forget the typo as
>> such, it's the actual answer. To use a more common, well-known name, if
>> I type
>>
>> ~$ host www.undernet.org ns1
>> Using domain server:
>> Name: ns1
>>
>> Host www.undernet.org not found: 3(NXDOMAIN)
>>
>> Above should be, and I'm darn sure used to be, REFUSED -  not NXDOMAIN
>>
>> perhaps I should also include my options in my original post, that was
>> remiss of me
>>
>> acl trust contains localhost and the servers actual IP addresses,
>> nowhere does it permit the IP range I tried from
>>
>> options {
>>         directory "/var/named";
>>         allow-query { trust; };
>>         allow-transfer { localhost; };
>>         blackhole { bogon; };
>>         recursive-clients 2000;
>>         clients-per-query 40;
>>         tcp-clients 100;
>>         recursion no;
>>         additional-from-cache no;
>>         transfer-format many-answers;
>>         masterfile-format text;
>>         interface-interval 0;
>>         dnssec-enable yes;
>>         dnssec-validation yes;
>> };
>
> Given www.undernet.org exists on the Internet (so you wouldn't be
> getting NXDOMAIN if it was recursing to the Internet) and you haven't
> shown the entire configuration, we can't tell if it is a lack of
> understanding about your configuration or a bug.
>

The only other components of our purely authoritative-only server
configuration are:

The bogon ACL from Team Cymru

include "/var/named/root_trusted_key";

logging {
        category lame-servers { null; };
        category edns-disabled { null; };
        category client { null; };
};

zone "." {
        type hint;
        file "root.hints";
};


zone "127.in-addr.arpa" {
        type master;
        file "localhost.rev";
        notify no;
};

zone "localhost" {
        type master;
        file "localhost.zone";
        notify no;
};

zone "somedomain.org" {
        type master;
        allow-transfer { slave.ip; };
        file "somedomain.org.signed";
        allow-query { any; };
        allow-update { none; };
};


zone "xxxx.in-addr.arpa" {
        type master;
        allow-transfer { sec.IP; };
        file "00v4.zone";
        allow-query { any; };
        allow-update { none; };
};

zone "xxxxxxx.ip6.arpa" {
        type master;
        allow-transfer { sec.IP; };
        file "00v6.zone";
        allow-query { any; };
        allow-update { none; };
};

zone "xxxx" {
        type slave;
        masters { x.x.x.x; };
        file "xxxxxx.signed";
        allow-query { any; };
};


There are 27 more master/slave zones, but they are all in the identical
format as above, and
we certainly do not host undernet :-)

And with no customer IP ranges included in any ACL (since these are
not caching servers), and having friends try from different ISPs,
we get NXDOMAIN, be it undernet or google ("Host www.google.com not
found: 3(NXDOMAIN)") or whatever else it is not configured for; yes, it
does respond correctly to domains it is supposed to.

In the end, because of this config, I expect to see REFUSED here, like
we have in the past; not sure when this changed.

Both our ns1 and ns2 respond the same.
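
As an added example (not part of the original post, nor BIND's own tooling), a small POSIX shell checker that tells the three outcomes discussed above apart from dig's text output: a REFUSED rcode, an NXDOMAIN with the aa flag set (the server is claiming authority for the name), and a non-authoritative referral (NOERROR, no answer, only authority records). The function names `classify_dig` and `check_rcode`, the server name `ns1` and the embedded sample responses are assumptions constructed for illustration; `check_rcode` needs dig and network access, the classification itself runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies the outcome of a
# dig query so that REFUSED, an authoritative NXDOMAIN and a root referral can
# be told apart. Names and sample responses below are constructed for illustration.

# Read dig text output on stdin and print one of:
#   REFUSED, AUTH-NXDOMAIN, NONAUTH-NXDOMAIN, REFERRAL, ANSWER, OTHER
classify_dig() {
    out=$(cat)
    # rcode from the ";; ->>HEADER<<- ... status: X" line
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n1)
    # header flags (qr, aa, rd, ra, ...) from the ";; flags: ..." line
    flags=$(printf '%s\n' "$out" | sed -n 's/.*;; flags: \([^;]*\);.*/\1/p' | head -n1)
    answer=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n1)
    authority=$(printf '%s\n' "$out" | sed -n 's/.*AUTHORITY: \([0-9]*\),.*/\1/p' | head -n1)

    case "$status" in
        REFUSED) echo REFUSED ;;
        NXDOMAIN)
            # "aa" set means the server asserts the name does not exist;
            # an authoritative-only server should never say that for a zone
            # it does not host.
            case " $flags " in
                *" aa "*) echo AUTH-NXDOMAIN ;;
                *)        echo NONAUTH-NXDOMAIN ;;
            esac ;;
        NOERROR)
            if [ "${answer:-0}" -gt 0 ]; then
                echo ANSWER
            elif [ "${authority:-0}" -gt 0 ]; then
                echo REFERRAL
            else
                echo OTHER
            fi ;;
        *) echo OTHER ;;
    esac
}

# Live check (assumed helper): query SERVER for NAME and classify the reply.
# Like host(1) in the post, this leaves RD set; a server with "recursion no"
# simply ignores it. Requires dig and network access.
check_rcode() {
    dig @"$1" "$2" A +time=3 +tries=1 | classify_dig
}

# Constructed sample responses (not captured from any real server).
sample_refused() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

sample_auth_nxdomain() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
EOF
}

sample_referral() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
EOF
}

# Offline demonstration on the constructed samples.
for s in sample_refused sample_auth_nxdomain sample_referral; do
    printf '%s -> %s\n' "$s" "$($s | classify_dig)"
done
```

For the situation in the post, `check_rcode ns1 www.undernet.org` run from an address outside the `trust` ACL is what should print REFUSED; AUTH-NXDOMAIN from such a server is the result worth investigating, because it means the server answered with authority for a name in a zone it does not host.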

