> Does it matter?<br><br>Not really, I was just being too picky - wasn't expecting bind to look for authority for forward zones and then got into a red herring with root NS' cached on just two servers when all four are heavily utilised (but turns out our mail servers are only using the first two).<br>
<br>Thanks anyway :-)<br><br> - Paul<br><br><br><br><div class="gmail_quote">On Mon, Jun 15, 2009 at 9:01 PM, Kevin Darcy <span dir="ltr"><<a href="mailto:kcd@chrysler.com">kcd@chrysler.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Does it matter? Two of the servers happened to have root NS records cached. You could verify this with rndc dumpdb -cache. The other two servers, apparently, had no root NS records cached.<br>
<br>
But if the client is just a stub resolver, or set up to forward, it doesn't care about the NS records in the Authority Section. It only cares about the Answer, which is the same in both cases.<br>
<br>
- Kevin<br>
<br>
Paul Sherratt wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">
<br>
I have 4 bind cache servers running with config close to what is listed at the bottom of this post.<br>
<br>
All 4 servers have identical bind configuration, running same bind version (9.5.1-P1), almost identical system layouts.<br>
<br>
The issue is that on two of the four servers, requests for records in the 'dnsbl' zone return root hints if the forwarded request comes back positive! If the forwarded request returns NXDOMAIN there are no root hints returned, expected as it is configured 'forward only'.<br>
<br>
<br>
Am I missing something obvious or anyone have an idea what might be going on? Again, the configs _are_ the same, I don't have any other options like minimal-responses etc set on the two servers that are working as expected!<br>
<br>
<br>
Regards,<br>
<br>
Paul<br>
<br>
<br>
<br>
*$ dig 2.0.0.127.sbl.dnsbl @dns[12]*<br>
<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31470<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2<br>
<br>
;; QUESTION SECTION:<br>
;2.0.0.127.sbl.dnsbl. IN A<br>
<br>
;; ANSWER SECTION:<br>
2.0.0.127.sbl.dnsbl. 300 IN A 127.0.0.2<br>
<br>
;; AUTHORITY SECTION:<br></div>
. 516796 IN NS <a href="http://J.ROOT-SERVERS.NET" target="_blank">J.ROOT-SERVERS.NET</a> <<a href="http://J.ROOT-SERVERS.NET" target="_blank">http://J.ROOT-SERVERS.NET</a>>.<br>
. 516796 IN NS <a href="http://K.ROOT-SERVERS.NET" target="_blank">K.ROOT-SERVERS.NET</a> <<a href="http://K.ROOT-SERVERS.NET" target="_blank">http://K.ROOT-SERVERS.NET</a>>.<br>
...<br>
<br>
;; ADDITIONAL SECTION:<br>
<a href="http://J.ROOT-SERVERS.NET" target="_blank">J.ROOT-SERVERS.NET</a> <<a href="http://J.ROOT-SERVERS.NET" target="_blank">http://J.ROOT-SERVERS.NET</a>>. 603196 IN A 192.58.128.30<br>
<a href="http://J.ROOT-SERVERS.NET" target="_blank">J.ROOT-SERVERS.NET</a> <<a href="http://J.ROOT-SERVERS.NET" target="_blank">http://J.ROOT-SERVERS.NET</a>>. 603196 IN AAAA 2001:503:c27::2:30<div class="im">
<br>
<br>
;; Query time: 8 msec<br>
;; SERVER: x.x.x.x#53(x.x.x.x)<br>
;; WHEN: Mon Jun 15 20:05:44 2009<br>
;; MSG SIZE rcvd: 308<br>
<br>
<br>
<br>
*$ dig 2.0.0.127.sbl.dnsbl @dns[34]*<br>
<br>
; <<>> DiG 9.4.2 <<>> 2.0.0.127.sbl.dnsbl @tch-cache1.dns<br>
;; global options: printcmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41117<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0<br>
<br>
;; QUESTION SECTION:<br>
;2.0.0.127.sbl.dnsbl. IN A<br>
<br>
;; ANSWER SECTION:<br>
2.0.0.127.sbl.dnsbl. 300 IN A 127.0.0.2<br>
<br>
;; Query time: 8 msec<br>
;; SERVER: x.x.x.x#53(x.x.x.x)<br>
;; WHEN: Mon Jun 15 20:06:56 2009<br>
;; MSG SIZE rcvd: 53<br>
<br>
<br>
<br>
--8<----------------<br>
<br></div>
acl good-mx-nets { <a href="http://1.1.2.16/29" target="_blank">1.1.2.16/29</a> <<a href="http://1.1.2.16/29" target="_blank">http://1.1.2.16/29</a>>; ... };<br>
acl good-nets { <a href="http://1.1.1.0/19" target="_blank">1.1.1.0/19</a> <<a href="http://1.1.1.0/19" target="_blank">http://1.1.1.0/19</a>>; ... };<div class="im"><br>
<br>
view good-mx-view {<br>
match-clients { good-mail-servers; };<br>
zone "dnsbl" { type forward; forward only; forwarders { 1.1.1.10; }; };<br>
};<br>
<br>
view good {<br>
match-clients { good-nets; };<br>
allow-recursion { good-nets; };<br>
<br>
zone "." { type hint; file "/etc/bind/db.root"; };<br>
zone "com" { type delegation-only; };<br>
zone "net" { type delegation-only; };<br>
<br>
// RFC 1912 zones<br>
zone "localhost" { type master; file "/etc/bind/db.local"; };<br>
zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };<br>
zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };<br>
zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };<br>
};<br></div>
------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote>
<br>
_______________________________________________<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div><br>