dig +trace = Bad Referral or Bad Horizontal referral

Matthew Pounsett matt at conundrum.com
Tue Sep 20 18:05:53 UTC 2016


On 20 September 2016 at 12:50, project722 <project722 at gmail.com> wrote:

> I've reverted my configuration back to before we started using views. But,
> if this was a delegation issue, wouldn't we expect to see it regardless of
> using views or not? Works fine without views.
>

It's entirely possible you introduced some error in your zone structure
when you changed configurations for views. Again, it's impossible to tell
since you've (poorly) substituted all of the zone names and file names in
your configuration. If you want help from someone in the list, you're
going to have to share details of your configuration.


>
> On Tue, Sep 20, 2016 at 8:58 AM, Matthew Pounsett <matt at conundrum.com>
> wrote:
>
>>
>>
>> On 16 September 2016 at 11:12, project722 <project722 at gmail.com> wrote:
>>
>>> I have an interesting problem. I started noticing that when I do a dig
>>> +trace against one of the domains we are authoritative for, we get errors
>>> from our nameservers for "Bad Referral" and you can see where it forwarded
>>> the request back up the namespace tree instead of giving the answer.
>>> Unfortunately I am unable to reproduce this problem at the moment. However
>>> I can reproduce the Bad (HORIZONTAL) referral. Basically once the query is
>>> referred to our name server I see this:
>>>
>>> ;; BAD (HORIZONTAL) REFERRAL
>>> ;; Received 187 bytes from x.x.x.x#53(ns.example.com in 2 ms
>>>
>>
>> A horizontal referral is when one authoritative zone (the parent)
>> delegates a subdomain to a server that responds out of the same parent
>> zone, rather than a subzone.  The DNS is an inverted tree structure, and
>> delegations are always supposed to be "down" the tree toward the leaves.
>> If a delegation ends up being across, then you get a horizontal referral
>> error.
>>
>> Since you obfuscated your configuration nobody is going to be able to
>> provide you with specific advice on where the problem is.  If you can find
>> the error in your authoritative data (or share which zone is giving you
>> problems so that someone here can point it out) that should clear up your
>> issue.
>>
>
>
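
The referral rule explained in the quoted reply above, as an added example that is not part of the original messages and is not dig's own code: each referral's NS owner name is compared with the zone that led to the responding server and classified as downward, horizontal, or bad. The function names and the sample trace for `www.example.com` are constructed for illustration.

```python
# Added example: classify referrals by their direction in the DNS tree.
# Hypothetical helper names; sample data below is constructed.

def labels(name):
    """Return a name's labels root-first, lowercased; the root is []."""
    name = name.rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []

def is_subdomain(child, parent, strict=False):
    """True if child is at or below parent (strictly below when strict)."""
    c, p = labels(child), labels(parent)
    if c[:len(p)] != p:
        return False
    return len(c) > len(p) if strict else True

def classify_referral(queried_zone, ns_owner, qname):
    """
    queried_zone: zone cut that led to this server (previous NS owner name)
    ns_owner:     owner of the NS RRset in this response's authority section
    qname:        the name being resolved
    """
    if not is_subdomain(qname, ns_owner):
        return "bad"          # refers to a zone that cannot hold qname
    if labels(ns_owner) == labels(queried_zone):
        return "horizontal"   # same zone again: across, not down
    if is_subdomain(ns_owner, queried_zone, strict=True):
        return "downward"     # normal delegation toward the leaves
    return "bad"              # back up the tree

def audit_trace(qname, steps):
    """steps: list of (queried_zone, ns_owner) pairs in trace order."""
    return [(z, o, classify_referral(z, o, qname)) for z, o in steps]

# Constructed trace: the last two steps show the failure modes in the thread.
SAMPLE_STEPS = [
    (".", "com."),
    ("com.", "example.com."),
    ("example.com.", "Example.COM."),   # server refers to its own zone
    ("example.com.", "com."),           # server refers back up the tree
]

if __name__ == "__main__":
    for zone, owner, verdict in audit_trace("www.example.com.", SAMPLE_STEPS):
        print(f"{zone:14} -> {owner:14} {verdict}")
```
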