A tale of two nameservers - resolution problems

John Miller johnmill at brandeis.edu
Tue Sep 1 13:20:12 UTC 2015


If you check a pcap, the logs, etc., is the server following the delegation
for 0.centos.pool.ntp.org? Where do the outbound packets stop?

John

On Tue, Sep 1, 2015 at 9:09 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> I have one nameserver running bind 9.8.2 and a new one running 9.9.4.
>
> Both can resolve www.ietf.org
>
> Only the 9.8.2 can resolve 0.centos.pool.ntp.org
>
> I literally rsynced all of the conf and zone files from the old to the
> new, then changed all of the server name references.  I have done this
> before.  I have another box running the 9.8.2 code that I built the same way
> and it resolves both FQDNs just fine.
>
> I am at a loss as to what the problem is.  Both have the same named.conf:
>
> //
> //
>
>     include "/etc/named/named.acl";
>
> options
> {
>     listen-on port 53 { any; };
>     listen-on-v6 port 53 { any; };
>
>     allow-query        { localhost; };
>     allow-query-cache    { localhost; };
>     recursion no;
>
>     directory     "/var/named";
>     dump-file     "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>
> //    dnssec-enable yes;
> //    dnssec-validation yes;
> //    dnssec-lookaside auto;
>
>     dnssec-enable no;
>     dnssec-validation no;
>
>     /* Path to ISC DLV key */
> //    bindkeys-file "/etc/named.iscdlv.key";
>
> //    managed-keys-directory "/var/named/dynamic";
>
>
> };
> logging
> {
> /*      If you want to enable debugging, eg. using the 'rndc trace' command,
>  *      named will try to write the 'named.run' file in the $directory
> (/var/named).
>  *      By default, SELinux policy does not allow named to modify the
> /var/named directory,
>  *      so put the default debug log file in data/ :
>  */
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
>
> view "internal"
> {
>
>     include "/etc/named/named.internal";
>
> };
> view    "external"
> {
>
>     include "/etc/named/named.external";
>
> };
>
> include "/etc/named/rndc.key";
>
> ==============
> and named.internal has:
>
> /* This view will contain zones you want to serve only to "internal" clients
>  * that have addresses that are not on your directly attached LAN interface
> subnets:
>  */
>     match-clients        { httnets; };
>     match-destinations    { httnets; };
>     allow-query        { httnets; };
>     allow-query-cache    { httnets; };
>     allow-recursion        { httnets; };
>     recursion yes;
>     empty-zones-enable yes;
>
> //    include "/etc/named/named.trusted.key";
>         include "/etc/named.rfc1912.zones";
>
>     zone "." IN {
>         type hint;
>         file "named.root";
>     };
>
>     // These are your "authoritative" internal zones:
>
>     zone "htt-consult.com" {
>         type master;
>         file "httin-consult.com.zone";
>     };
>
> etc.
>
>
> ==============
>
>
> Is DNSSEC being disabled possibly the problem?  Is it required now?

