nxdomain
Mark Andrews
marka at isc.org
Thu Aug 29 00:20:16 UTC 2013
In message <CAMD-=VK7MtwDoUv8uRTL5WR=1ouMHbmzKMPp=uK5pqEVO10Hgg at mail.gmail.com>
, Nick Edwards writes:
> Mark,
>
> On 8/29/13, Mark Andrews <marka at isc.org> wrote:
> >
> > In message
> > <CAMD-=VKA_dftLRqtJMs=EGMEPZHU82q06+p_J8RmbgzXvVGjGg at mail.gmail.com>
> > , Nick Edwards writes:
> >> The typo was more of how I came about my request, forget the typo as
> >> such, it's the actual answer, to use a more common well known name, if
> >> I type
> >>
> >> ~$ host www.undernet.org ns1
> >> Using domain server:
> >> Name: ns1
> >>
> >> Host www.undernet.org not found: 3(NXDOMAIN)
> >>
> >> Above should be, and I'm darn sure used to be, REFUSED - not NXDOMAIN
> >>
> >> perhaps I should also include my options in my original post, that was
> >> remiss of me
> >>
> >> acl trust contains localhost and the servers actual IP addresses,
> >> nowhere does it permit the IP range I tried from
> >>
> >> options {
> >> directory "/var/named";
> >> allow-query { trust; };
> >> allow-transfer { localhost; };
> >> blackhole { bogon; };
> >> recursive-clients 2000;
> >> clients-per-query 40;
> >> tcp-clients 100;
> >> recursion no;
> >> additional-from-cache no;
> >> transfer-format many-answers;
> >> masterfile-format text;
> >> interface-interval 0;
> >> dnssec-enable yes;
> >> dnssec-validation yes;
> >> };
> >
> > Given www.undernet.org exists on the Internet (so you wouldn't be
> > getting NXDOMAIN if it was recursing to the Internet) and you haven't
> > shown the entire configuration we can't tell if it is a lack of
> > understanding about your configuration or a bug.
> >
>
> The only other components to our pure authoritative only server
> configuration are
>
> The bogon acl from team cymru
>
> include "/var/named/root_trusted_key";
>
> logging {
> category lame-servers { null; };
> category edns-disabled { null; };
> category client { null; };
> };
>
> zone "." {
> type hint;
> file "root.hints";
> };
>
>
> zone "127.in-addr.arpa" {
> type master;
> file "localhost.rev";
> notify no;
> };
>
> zone "localhost" {
> type master;
> file "localhost.zone";
> notify no;
> };
>
> zone "somedomain.org" {
> type master;
> allow-transfer { slave.ip; };
> file "somedomain.org.signed";
> allow-query { any; };
> allow-update { none; };
> };
>
>
> zone "xxxx.in-addr.arpa" {
> type master;
> allow-transfer { sec.IP; };
> file "00v4.zone";
> allow-query { any; };
> allow-update { none; };
> };
>
> zone "xxxxxxx.ip6.arpa" {
> type master;
> allow-transfer { sec.IP; };
> file "00v6.zone";
> allow-query { any; };
> allow-update { none; };
> };
>
> zone "xxxx" {
> type slave;
> masters { x.x.x.x; };
> file "xxxxxx.signed";
> allow-query { any; };
> };
>
>
> there are 27 more master/slave zones, but they all are in identical
> format as above and
> we certainly do not host undernet :-)
>
> and with no customer IP ranges included in any ACL (since these are
> not caching servers), and, having friends trying from different ISPs,
> we get NXDOMAIN, be it undernet, or google Host www.google.com not
> found: 3(NXDOMAIN) or whatever else it is not configured for, yes, it
> does respond correctly to domains it is supposed to
>
> in the end because of this config, I expect to see REFUSED here, like
> we have in the past, not sure when this changed.
>
> Both our ns1 and ns2 respond in same

You still haven't provided enough information to work out whether
there is a bug or not.
Why don't you post the complete response to the dig request unaltered?
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
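
Added example, not part of the original message and not ISC code: a decoder for the 12-byte DNS header, showing the fields of a full dig response (status, flags, section counts) that separate a REFUSED reply from an NXDOMAIN one. The two sample replies are constructed here from a query for www.undernet.org; they are not captures from any server in this thread, and the function names are this example's own.

```python
import struct

# RCODE values from RFC 1035; 3 and 5 are the two this thread is about.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
# Header flag bits, in the order dig prints them.
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
             ("rd", 0x0100), ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]


def build_query(name, qid=0x1234, qtype=1):
    """Wire-format query (qtype 1 = A) with RD set, as host and dig send by default."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": qid, "status": RCODES.get(rcode, "RCODE%d" % rcode),
            "flags": [name for name, bit in FLAG_BITS if flags & bit],
            "answer": an, "authority": ns, "additional": ar}


def describe(msg):
    """One-line summary in the spirit of dig's header lines."""
    h = parse_header(msg)
    return "status: %s, flags: %s; ANSWER: %d, AUTHORITY: %d, ADDITIONAL: %d" % (
        h["status"], " ".join(h["flags"]),
        h["answer"], h["authority"], h["additional"])


def with_flags(query, flags):
    """Constructed reply: the query echoed back with a different flags word."""
    return query[:2] + struct.pack("!H", flags) + query[4:]


# Constructed samples, not captured from any server in the thread.
QUERY = build_query("www.undernet.org")
REFUSED = with_flags(QUERY, 0x8105)      # qr rd, rcode 5
NXDOMAIN_AA = with_flags(QUERY, 0x8503)  # qr aa rd, rcode 3

if __name__ == "__main__":
    print(describe(REFUSED))
    print(describe(NXDOMAIN_AA))
```

The aa bit is the one to read alongside the status: it marks a reply the server gave as authoritative data rather than as a policy refusal.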