bind resolver zone delegation

Mark Andrews marka at isc.org
Wed May 15 14:08:46 UTC 2019


The servers for vpn.smiths.com are misconfigured. The zone vpn.smiths.com
is delegated to them but they are configured to serve smiths.com.  Just
because Google ignores the delegation error, it doesn’t make the configuration
correct.

Mark

smiths.com.		172800	IN	NS	ns-east.cerf.net.
smiths.com.		172800	IN	NS	ns-west.cerf.net.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190519044441 20190512033441 3800 com. UJTuCBjwehBYdQKMgLo6SxdAh/FU4WTYNgzupGJmnQsZGe7py+NRotht wgTN9V0A8RqzUBsgdxvK6h4R+e+K7ISgBK/Bb65N07BnnSyFQxowIXi2 lnhEEpDiIDDx/Ca1aA9kVK+2Tn51tR7ZVZeMtkIesqZTOANCfmec9wea V9s=
L9MECSI4V5NQE1C3N2DNCJ6USFQA1C4H.com. 86400 IN NSEC3 1 1 0 - L9MGE0KHV110F24LIONHR6F2508ITI97 NS DS RRSIG
L9MECSI4V5NQE1C3N2DNCJ6USFQA1C4H.com. 86400 IN RRSIG NSEC3 8 2 86400 20190521045234 20190514034234 3800 com. fWfPYqFE88diYC8Pil3ZDm38TaCS7i4o7qLXRZ6dLUF8daWX3cfjm7iq ueuIW4b1k4jtjfwpLCxvWRHcVrheFDtw9ED7g2tIbmj9Fxdq1bML1YYS D+yZceUk/JYN7wv5M3CCeroKfwS0/1LjldXVUvvjG95vczoRVDYOrE8F 8Pg=
;; Received 580 bytes from 192.5.6.30#53(a.gtld-servers.net) in 13 ms

vpn.smiths.com.		86400	IN	NS	resolve02.sslra.com.
vpn.smiths.com.		86400	IN	NS	resolve01.sslra.com.
;; Received 97 bytes from 2001:1890:1ff:9f1:99:99:99:136#53(ns-east.cerf.net) in 320 ms

smiths.com.		60	IN	SOA	resolve01.sslvpndemo.com. hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60
;; Received 111 bytes from 216.132.83.124#53(resolve01.sslra.com) in 174 ms


> On 15 May 2019, at 11:27 pm, Frank Patzig <fp at mdlink.de> wrote:
> 
> Hi,
> 
> My BIND is 9.14-1.
> 
> I check the zone
> 
> dig @NS-EAST.CERF.NET any  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @NS-EAST.CERF.NET any vpn.smiths.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47937
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;vpn.smiths.com.                        IN      ANY
> 
> ;; AUTHORITY SECTION:
> vpn.smiths.com.         86400   IN      NS      resolve01.sslra.com.
> vpn.smiths.com.         86400   IN      NS      resolve02.sslra.com.
> 
> ;; Query time: 119 msec
> ;; SERVER: 2001:1890:1ff:9f1:99:99:99:136#53(2001:1890:1ff:9f1:99:99:99:136)
> ;; WHEN: Mi Mai 15 13:42:26 CEST 2019
> ;; MSG SIZE  rcvd: 97
> 
> this is fine
> 
> 
> dig @resolve01.sslra.com any  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @resolve01.sslra.com any vpn.smiths.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22398
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;vpn.smiths.com.                        IN      ANY
> 
> ;; ANSWER SECTION:
> vpn.smiths.com.         30      IN      A       194.105.113.242
> 
> ;; AUTHORITY SECTION:
> smiths.com.             500     IN      NS      resolve01.sslvpndemo.com.
> 
> ;; Query time: 171 msec
> ;; SERVER: 216.132.83.124#53(216.132.83.124)
> ;; WHEN: Mi Mai 15 13:43:04 CEST 2019
> ;; MSG SIZE  rcvd: 94
> 
> OK
> 
> dig @resolve01.sslra.com MX  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @resolve01.sslra.com MX vpn.smiths.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21258
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;vpn.smiths.com.                        IN      MX
> 
> ;; AUTHORITY SECTION:
> smiths.com.             60      IN      SOA     resolve01.sslvpndemo.com. hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60
> 
> ;; Query time: 169 msec
> ;; SERVER: 216.132.83.124#53(216.132.83.124)
> ;; WHEN: Mi Mai 15 13:44:04 CEST 2019
> ;; MSG SIZE  rcvd: 111
> 
> -----------------------------------------------------------------------
> 
> 
> I check my bind:
> 
> dig @localhost  any  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @localhost any vpn.smiths.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27551
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;vpn.smiths.com.                        IN      ANY
> 
> ;; ANSWER SECTION:
> vpn.smiths.com.         30      IN      A       194.105.113.242
> vpn.smiths.com.         1583    IN      NS      resolve01.sslra.com.
> vpn.smiths.com.         1583    IN      NS      resolve02.sslra.com.
> 
> ;; AUTHORITY SECTION:
> vpn.smiths.com.         1583    IN      NS      resolve01.sslra.com.
> vpn.smiths.com.         1583    IN      NS      resolve02.sslra.com.
> 
> ;; ADDITIONAL SECTION:
> resolve01.sslra.com.    506     IN      A       216.132.83.124
> resolve02.sslra.com.    258     IN      A       64.7.11.138
> 
> ;; Query time: 172 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mi Mai 15 13:44:38 CEST 2019
> ;; MSG SIZE  rcvd: 173
> 
> 
> dig @localhost  MX  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @localhost MX vpn.smiths.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8396
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;vpn.smiths.com.                        IN      MX
> 
> ;; Query time: 272 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mi Mai 15 13:45:34 CEST 2019
> ;; MSG SIZE  rcvd: 43
> 
> 
> The status is SERVFAIL
> 
> In my log
> 
> DNS format error from 64.7.11.138#53 resolving vpn.smiths.com/MX for client 127.0.0.1#47512: Name smiths.com (SOA) not subdomain of zone vpn.smiths.com -- invalid response
> 
> What is the problem?
> 
> 
> Test with Google is OK:
> 
> dig @8.8.8.8  MX  vpn.smiths.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @8.8.8.8 MX vpn.smiths.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21066
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;vpn.smiths.com.                        IN      MX
> 
> ;; AUTHORITY SECTION:
> smiths.com.             59      IN      SOA resolve01.sslvpndemo.com. hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60
> 
> ;; Query time: 180 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mi Mai 15 15:26:28 CEST 2019
> ;; MSG SIZE  rcvd: 111
> 
> 
> Can I help you.
> 
> Regards
> -- 
> Frank
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
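
Added example, not part of the original message and not BIND's own code: a small check for the condition named in the log line quoted above ("Name smiths.com (SOA) not subdomain of zone vpn.smiths.com"), run over the authority section resolve01.sslra.com returned in this thread. The function names and the "fixed" sample response are assumptions made for illustration.

```python
# Added example: flags SOA/NS owner names in an authority section that lie
# outside the zone the parent delegated. Function names are hypothetical.

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, zone):
    """True if name equals zone or sits below it, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def parse_records(dig_text):
    """Yield (owner, rtype) from dig-style record lines; skip ';' comments."""
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # Expected layout: owner TTL class type rdata...
        if len(fields) >= 5 and fields[1].isdigit() and fields[2].upper() == "IN":
            yield fields[0], fields[3].upper()

def authority_violations(delegated_zone, authority_text):
    """Return SOA/NS owners in the authority section outside the delegated zone."""
    return [
        (owner, rtype)
        for owner, rtype in parse_records(authority_text)
        if rtype in ("SOA", "NS") and not is_subdomain(owner, delegated_zone)
    ]

# Zone cut handed out by ns-east.cerf.net (from the thread).
DELEGATED_ZONE = "vpn.smiths.com."

# Authority section resolve01.sslra.com returned for the MX query (from the thread).
BROKEN = """
smiths.com.  60  IN  SOA  resolve01.sslvpndemo.com. hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60
"""

# Constructed: the same negative answer if the server were configured to
# serve the zone that was actually delegated to it.
FIXED = """
vpn.smiths.com.  60  IN  SOA  resolve01.sslvpndemo.com. hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60
"""

if __name__ == "__main__":
    print("broken:", authority_violations(DELEGATED_ZONE, BROKEN))
    print("fixed: ", authority_violations(DELEGATED_ZONE, FIXED))
```

The comparison is done on labels rather than on a string suffix, so a name such as notvpn.smiths.com is not mistaken for something inside vpn.smiths.com.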


