<div dir="ltr"><div class="gmail_extra"><div><div class="gmail_signature"><br></div></div><div class="gmail_quote">On Thu, Dec 8, 2016 at 11:09 PM, blrmaani <span dir="ltr">&lt;<a href="mailto:blrmaani@gmail.com" target="_blank">blrmaani@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I migrated our BIND resolvers to a new config (new named.conf) and I see delegation broken. How do I troubleshoot?<br>
<br>
- The resolvers (are slaves) and are authoritative for <a href="http://zone1.example.com" rel="noreferrer" target="_blank">zone1.example.com</a> and <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
- The resolvers forward queries to our company's DNS to resolve external names like <a href="http://microsoft.com" rel="noreferrer" target="_blank">microsoft.com</a>, <a href="http://isc.com" rel="noreferrer" target="_blank">isc.com</a>, etc.<br>
- The resolver has views and matches the same destinations in both the old and new config.<br>
<br>
<br>
<br>
The zone is <a href="http://zone1.example.com" rel="noreferrer" target="_blank">zone1.example.com</a>, which contains a record <a href="http://name1.zone1.example.com" rel="noreferrer" target="_blank">name1.zone1.example.com</a> as below:<br>
<a href="http://name1.zone1.example.com" rel="noreferrer" target="_blank">name1.zone1.example.com</a>. NS <a href="http://othername1.example.com" rel="noreferrer" target="_blank">othername1.example.com</a>.<br>
<a href="http://othername1.example.com" rel="noreferrer" target="_blank">othername1.example.com</a>. A 1.2.3.4<br>
<br>
<br>
dig @localhost <a href="http://name1.zone1.example.com" rel="noreferrer" target="_blank">name1.zone1.example.com</a>. # this doesn't give any hint.<br>
<br>
Here are the steps I tried and still no luck:<br>
<br>
1. Compared zone transfer output of <a href="http://zone1.example.com" rel="noreferrer" target="_blank">zone1.example.com</a> before and after migration; both look similar and contain the delegation entry.<br>
<br>
2. I tried this and it works OK (before and after migration) in both cases, indicating that the NS<br>
is still reachable and responds to DNS queries before and after migration.<br>
<br>
dig @<a href="http://othername1.example.com" rel="noreferrer" target="_blank">othername1.example.com</a>. <a href="http://name1.zone1.example.com" rel="noreferrer" target="_blank">name1.zone1.example.com</a>.<br>
## Returns 5.6.7.8 as expected ACLs broken<br>
<br>
<br>
3. Checked the cache dump file (db file) - I see the following entry when it works (pre-migration):<br>
cache_dump.db:; 1.2.3.4 [srtt 0] [flags 00000000] [ttl 1797]<br>
<br>
However, the above entry is missing after I migrate to the new BIND config.<br>
<br>
<br>
I compared the BIND configs before and after migration and I don't see any significant difference which might cause this issue. Wondering what I missed?<br>
<br>
Thanks<br>
Blr<br></blockquote><div><br></div><div>Looks to me like "<a href="http://othername1.example.com/" rel="noreferrer" target="_blank">othername1.example.com</a>" is not in the zone "<a href="http://zone1.example.com/" rel="noreferrer" target="_blank">zone1.example.com</a>" and is not below that zone, so it is not proper glue, and should not be in that zone at all. The name server should ignore it. It is in zone "<a href="http://othername1.example.com/" rel="noreferrer" target="_blank">example.com</a>" and that zone should be queried to find it.</div><div><br></div><div>-- </div><div>Bob Harold</div><div><br></div></div><br></div></div>
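<div>The bailiwick rule described in the reply above, as an added example that is not part of the original thread: it classifies each zone-file record as out-of-zone, a delegation, glue, or authoritative data. The function names and the records marked "constructed" are assumptions made for illustration.</div>

```python
# Added example: classify zone records by bailiwick, the way an authoritative
# server decides what belongs to the zone, what is a zone cut, and what is glue.

def labels(name):
    """Lowercase labels of a domain name, trailing dot ignored."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def at_or_below(name, ancestor):
    """True if name equals ancestor or is a subdomain of it (label-wise)."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def classify(origin, records):
    """Map (owner, type) -> out-of-zone | delegation | glue | occluded | authoritative."""
    # A zone cut is an NS RRset at a name strictly below the zone apex.
    cuts = [o for o, t, _ in records
            if t == "NS" and at_or_below(o, origin) and labels(o) != labels(origin)]
    result = {}
    for owner, rtype, _ in records:
        key = (".".join(labels(owner)), rtype)
        if not at_or_below(owner, origin):
            result[key] = "out-of-zone"    # not part of this zone at all
        elif rtype == "NS" and owner in cuts:
            result[key] = "delegation"
        elif any(at_or_below(owner, c) for c in cuts):
            # Address records at or below a cut are glue; anything else is hidden.
            result[key] = "glue" if rtype in ("A", "AAAA") else "occluded"
        else:
            result[key] = "authoritative"
    return result

def needs_glue(cut, ns_target):
    """Glue is required only when the NS target sits at or below the cut itself."""
    return at_or_below(ns_target, cut)

# Records from the post, plus constructed ones for contrast.
ZONE1 = [
    ("zone1.example.com.", "NS", "ns.example.com."),                # constructed apex NS
    ("name1.zone1.example.com.", "NS", "othername1.example.com."),  # from the post
    ("othername1.example.com.", "A", "1.2.3.4"),                    # from the post
    ("sub.zone1.example.com.", "NS", "ns.sub.zone1.example.com."),  # constructed
    ("ns.sub.zone1.example.com.", "A", "192.0.2.53"),               # constructed
]

if __name__ == "__main__":
    for key, verdict in classify("zone1.example.com.", ZONE1).items():
        print(key, verdict)
```

<div>For the delegation in the post, <code>needs_glue</code> returns False, so the resolver has to find the name server's address by querying the example.com zone.</div>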