Justin Shore wrote: > I wasn't going to post all of this to the full list but I'm hurting for > a solution right now so I will. > > Unfortunately I can't hand it out unmodified. I don't want the acls > known for one thing. Here's what I'm using on the master. The slave is > a near mirror copy only it includes files that loads slave versions of > the config for each zone. > > // > // named.conf for Red Hat caching-nameserver > // > > options { > directory "/var/named"; > dump-file "/var/named/data/cache_dump.db"; > pid-file "/var/run/named/named.pid"; > statistics-file "/var/named/data/named_stats.txt"; > memstatistics-file "/var/named/data/named.memstats"; > zone-statistics yes; > > allow-transfer { > // The hosts in the "xfer" ACL are permitted to perform zone > transfers > xfer; > }; > > allow-query { > // This change prevents non-SKT IPs from making recursibe queries. > // Queries from our zones are permitted in the views below. > skt; > }; > > blackhole { > none; > }; > > version "SKT DNS"; > > notify no; > transfer-format many-answers; > max-transfer-time-in 60; > interface-interval 0; > > /* > * If there is a firewall between you and nameservers you want > * to talk to, you might need to uncomment the query-source > * directive below. Previous versions of BIND always asked > * questions using port 53, but BIND 8.1 uses an unprivileged > * port by default. > */ > // query-source address * port 53; > }; > > // ### ACLs ### > acl "xfer" { > // "xfer" contains the hosts that are allowed to do zone transfers > // Must be in full CIDR notation. > 127.0.0.1/32; > //MUNGED > }; > > acl "skt" { > // "skt" contains all public and private hosts that may make > DNS queries > 127.0.0.1/32; > //MUNGED > }; > > acl "skt-ns" { > // "skt-ns" contains the IPs of the name servers allowed to > request zone transfers > 127.0.0.1/32; > //MUNGED > }; > > // > // a caching only nameserver config > // > controls { > inet 127.0.0.1 allow { localhost; } keys { rndckey; }; > }; > > include "/etc/named/rndc.key"; > > logging { > category lame-servers { null; }; > category edns-disabled { null; }; > }; > > > > // ### VIEWS ### > // BEGIN "trusted" view > view "trusted" in { > // Our internal (trusted) view. We permit the internal networks > // to freely access this view. We perform recursion for our > // internal hosts, and retrieve data from the cache for them. > > match-clients { skt; }; > recursion yes; > additional-from-auth yes; > additional-from-cache yes; > provide-ixfr yes; > allow-transfer { skt-ns; }; > > ixfr-from-differences yes; > notify yes; > > // Provide root hints > zone "." IN { > type hint; > file "named.ca"; > }; > > // default-zones.conf contains all default zones with transfers > // and updates disabled and queries enabled from "any". > include "/etc/named/default-zones.conf"; > > include "/etc/named/skt-forward-master.conf"; > include "/etc/named/skt-reverse-master.conf"; > > include "/etc/named/customer-forward-master.conf"; > > }; > // END "trusted" view > > // BEGIN "non-trusted" view > view "non-trusted" in { > // Our internal (non-trusted) view. We permit the internal networks > // to freely access this view. We perform recursion for our > // internal hosts, and retrieve data from the cache for them. > > match-clients { any; }; > recursion no; > additional-from-auth no; > additional-from-cache no; > > allow-query { any; }; > allow-transfer { skt-ns; }; > ixfr-from-differences yes; > provide-ixfr yes; > > // Provide root hints > zone "." IN { > type hint; > file "named.ca"; > }; > > // default-zones.conf contains all default zones with transfers > // and updates disabled and queries enabled from "any". > //include "/etc/named/default-zones.conf"; > > include "/etc/named/skt-forward-master.conf"; > include "/etc/named/skt-reverse-master.conf"; > > include "/etc/named/customer-forward-master.conf"; > > //include "/etc/named/spyware-domains.conf"; > }; > // END "non-trusted" view > > // BEGIN "non-trusted-chaos" view > view "non-trusted-chaos" chaos { > // Our internal (non-trusted-chaos) view. We permit the > internal networks > // to freely access this view. We perform recursion for our > // internal hosts, and retrieve data from the cache for them. > > match-clients { any; }; > recursion no; > > // Provide root hints > zone "." { > type hint; > file "/dev/null"; > }; > > zone "bind" { > type master; > file "db.bind"; > > allow-query { skt; }; > allow-transfer { none; }; > }; > > // include "/etc/named/skt-forward-master.conf"; > // include "/etc/named/skt-reverse-master.conf"; > > // include "/etc/named/customer-forward-master.conf"; > > }; > // END "non-trusted-chaos" view > > > > > I include a number of additional conf files in the config. > default-zones.conf has localhost, localdomains, 127/8 in-addr.arpa, etc. > skt-forward-master.conf has the forward lookup zones and reverse has > the rDNS zones. Here's a snapshot of the forward (which appears to be > working ok at this time): > > zone "brdadsl.sktc.net" { > type master; > allow-transfer { skt-ns; }; > file "skt/skt-zones/brdadsl.sktc.net.master"; > }; > > zone "brdcable.sktc.net" { > type master; > allow-transfer { skt-ns; }; > file "skt/skt-zones/brdcable.sktc.net.master"; > }; > > > It's just a long list of zones being loaded like that. Here's a small > snapshot of the rDNS zones' config: > > zone "64.71.96" { > type master; > allow-transfer { skt-ns; }; > file "skt/skt-zones/in-addr.arpa/64.71.96.master"; > }; > > zone "64.71.97" { > type master; > allow-transfer { skt-ns; }; > file "skt/skt-zones/in-addr.arpa/64.71.97.master"; > }; > > zone "64.71.98" { > type master; > allow-transfer { skt-ns; }; > file "skt/skt-zones/in-addr.arpa/64.71.98.master"; > }; > > It's basically the same too. I don't see any glaring mistakes in my > in-addr.arpa zones either. I found and fixed a few typos this morning > but nothing severe enough to keep bind from loading. Here's the zone > that contains the servers I'm doing the testing from: > > > ; @(#)97.rev 5.1 (Berkeley) 6/30/90 > $TTL 6h > @ IN SOA ns3.sktc.net. ip-admin.sktice.com. ( > > 2008110702 ; Serial > 7200 ; Refresh (2 hours) > 300 ; Retry (5 minutes) > 360000 ; Expire (100 hours) > 900 ) ; Minumum (15 minutes) > > > ;;97.71.64.in-addr.arpa. IN NS ns1.sktc.net. > ;; IN NS ns2.sktc.net. > > IN NS ns3.sktc.net. > IN NS ns4.sktc.net. > > 1 IN PTR 3750-1.clr.sktc.net. > > 6 IN PTR ns3.sktc.net. > > ;;12 IN PTR maple.sktc.net. > 10 IN PTR maple.sktc.net. > 12 IN PTR oak1.sktc.net. > 13 IN PTR oak2.sktc.net. > 14 IN PTR oak-old.sktc.net. > ;15 IN PTR spruce.sktc.net. > 15 IN PTR smtpout1.sktc.net. > 16 IN PTR poplar.sktc.net. > 17 IN PTR oak-1.sktc.net. > 18 IN PTR noc.sktc.net. > > 22 IN PTR server1.daxolomix.com. > > 25 IN PTR smtpout1.sktc.net. > 26 IN PTR smtpout1.sktc.net. > 27 IN PTR smtpout1.sktc.net. > 28 IN PTR smtpout1.sktc.net. > > 50 IN PTR 7206-1.clr.sktc.net. > 51 IN PTR 3660-1.clr.sktc.net. > > 66 IN PTR 7206-2.clr.sktc.net. > ;67 IN PTR 3660-2.clr.sktc.net. > > 68 IN PTR 5300-1.clr.sktc.net. > 69 IN PTR 5300-2.clr.sktc.net. > > > Pretty basic stuff. The MTA in question is a Barracuda spam filter so I > don't have much of any details on it (other than that it's a POS). It's > not a Cuda problem though. That Nagios SMTP check on the Cuda was just > the thing that clued me in that there was a problem. rDNS is affecting > everything, not just this one box. We have a Hosted Exchange > environment that is affected plus all our customer-run MTAs. If it > wouldn't take so long to process I'd have ARIN switch the records back. > I didn't anticipate a problem with rDNS since all the forward lookups > were working so well for all these months on the same servers. rDNS > never appeared be having any problems. > > I also gathered some debugging info. Here's the pertinent output of a > query from the NS itself to the NS for 64.71.97.18: > > 07-Nov-2008 08:58:18.547 client 127.0.0.1#33324: UDP request > 07-Nov-2008 08:58:18.547 client 127.0.0.1#33324: view trusted: using > view 'trusted' > 07-Nov-2008 08:58:18.547 client 127.0.0.1#33324: view trusted: request > is not signed > 07-Nov-2008 08:58:18.547 client 127.0.0.1#33324: view trusted: recursion > available > 07-Nov-2008 08:58:18.547 client 127.0.0.1#33324: view trusted: query > 07-Nov-2008 08:58:18.547 client 127.0.0.1#33324: view trusted: query > (cache) '18.97.71.64.in-addr.arpa/PTR/IN' approved > 07-Nov-2008 08:58:18.547 client 127.0.0.1#33324: view trusted: replace > 07-Nov-2008 08:58:18.547 clientmgr @0xb7f5a1e0: createclients > 07-Nov-2008 08:58:18.547 clientmgr @0xb7f5a1e0: recycle > 07-Nov-2008 08:58:18.547 createfetch: 18.97.71.64.in-addr.arpa PTR > 07-Nov-2008 08:58:18.547 client @0xb5644008: udprecv > 07-Nov-2008 08:58:18.547 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > create > 07-Nov-2008 08:58:18.547 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > join > 07-Nov-2008 08:58:18.547 fetch 0xb4d18000 (fctx > 0xb4c42008(18.97.71.64.in-addr.arpa/PTR)): created > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > start > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): try > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > cancelqueries > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > getaddresses > 07-Nov-2008 08:58:18.548 dns_adb_destroyfind on find 0xb546a6f0 > 07-Nov-2008 08:58:18.548 dns_adb_destroyfind on find 0xb546a6f0 > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > no addresses > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > done > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > stopeverything > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > cancelqueries > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > sendevents > 07-Nov-2008 08:58:18.548 fetch 0xb4d18000 (fctx > 0xb4c42008(18.97.71.64.in-addr.arpa/PTR)): destroyfetch > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > shutdown > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > doshutdown > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > stopeverything > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > cancelqueries > 07-Nov-2008 08:58:18.548 client 127.0.0.1#33324: view trusted: error > 07-Nov-2008 08:58:18.548 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > destroy > 07-Nov-2008 08:58:18.548 client 127.0.0.1#33324: view trusted: send > 07-Nov-2008 08:58:18.548 client 127.0.0.1#33324: view trusted: sendto > 07-Nov-2008 08:58:18.549 client 127.0.0.1#33324: view trusted: senddone > 07-Nov-2008 08:58:18.549 client 127.0.0.1#33324: view trusted: next > 07-Nov-2008 08:58:18.549 client 127.0.0.1#33324: view trusted: endrequest > 07-Nov-2008 08:58:18.549 client 127.0.0.1#33324: UDP request > 07-Nov-2008 08:58:18.549 client 127.0.0.1#33324: view trusted: using > view 'trusted' > 07-Nov-2008 08:58:18.549 client 127.0.0.1#33324: view trusted: request > is not signed > 07-Nov-2008 08:58:18.549 client 127.0.0.1#33324: view trusted: recursion > available > 07-Nov-2008 08:58:18.549 client 127.0.0.1#33324: view trusted: query > 07-Nov-2008 08:58:18.549 client 127.0.0.1#33324: view trusted: query > (cache) '18.97.71.64.in-addr.arpa/PTR/IN' approved > 07-Nov-2008 08:58:18.550 client 127.0.0.1#33324: view trusted: replace > 07-Nov-2008 08:58:18.550 clientmgr @0xb7f5a1e0: createclients > 07-Nov-2008 08:58:18.550 clientmgr @0xb7f5a1e0: recycle > 07-Nov-2008 08:58:18.550 createfetch: 18.97.71.64.in-addr.arpa PTR > 07-Nov-2008 08:58:18.550 client @0xb429b008: udprecv > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > create > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > join > 07-Nov-2008 08:58:18.550 fetch 0xb4d18000 (fctx > 0xb4c42008(18.97.71.64.in-addr.arpa/PTR)): created > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > start > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): try > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > cancelqueries > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > getaddresses > 07-Nov-2008 08:58:18.550 dns_adb_destroyfind on find 0xb546a6f0 > 07-Nov-2008 08:58:18.550 dns_adb_destroyfind on find 0xb546a6f0 > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > no addresses > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > done > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > stopeverything > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > cancelqueries > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > sendevents > 07-Nov-2008 08:58:18.550 fetch 0xb4d18000 (fctx > 0xb4c42008(18.97.71.64.in-addr.arpa/PTR)): destroyfetch > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > shutdown > 07-Nov-2008 08:58:18.550 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > doshutdown > 07-Nov-2008 08:58:18.551 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > stopeverything > 07-Nov-2008 08:58:18.551 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > cancelqueries > 07-Nov-2008 08:58:18.551 fctx 0xb4c42008(18.97.71.64.in-addr.arpa/PTR'): > destroy > 07-Nov-2008 08:58:18.551 client 127.0.0.1#33324: view trusted: error > 07-Nov-2008 08:58:18.551 client 127.0.0.1#33324: view trusted: send > 07-Nov-2008 08:58:18.551 client 127.0.0.1#33324: view trusted: sendto > 07-Nov-2008 08:58:18.551 client 127.0.0.1#33324: view trusted: senddone > 07-Nov-2008 08:58:18.551 client 127.0.0.1#33324: view trusted: next > 07-Nov-2008 08:58:18.551 client 127.0.0.1#33324: view trusted: endrequest > > To be honest I'm not exactly sure what most of this means. I'm not > familiar with the innards of bind. > > > Any ideas? I can't find anything wrong in my zone files or my config. > I must be missing something though. All rDNS queries result in a > SERVFAIL error. > >
You can't just load these zones with arbitrary origins, e.g."64.71.97". If the reverse lookups you want to serve are for addresses in the 64.71.97.* range, you'll need to load the reverse zone as 97.71.64.in-addr.arpa, otherwise it won't match the last 5 labels of the reverse queries you're receiving. - Kevin