In message <CAMD-=VK7MtwDoUv8uRTL5WR=1ouMHbmzKMPp=uk5pqevo10...@mail.gmail.com>
, Nick Edwards writes:
> Mark,
>
> On 8/29/13, Mark Andrews <ma...@isc.org> wrote:
> >
> > In message
> > <CAMD-=VKA_dftLRqtJMs=egmepzhu82q06+p_j8rmbgzxvvg...@mail.gmail.com>
> > , Nick Edwards writes:
> >> The typo was more of how I came about my request, forget the typo as
> >> such, it's the actual answer, to use a more common well known name, if
> >> I type
> >>
> >> ~$ host www.undernet.org ns1
> >> Using domain server:
> >> Name: ns1
> >>
> >> Host www.undernet.org not found: 3(NXDOMAIN)
> >>
> >> Above should be, and I'm darn sure used to be, REFUSED - not NXDOMAIN
> >>
> >> perhaps I should also include my options in my original post, that was
> >> remiss of me
> >>
> >> acl trust contains localhost and the server's actual IP addresses,
> >> nowhere does it permit the IP range I tried from
> >>
> >> options {
> >>         directory "/var/named";
> >>         allow-query { trust; };
> >>         allow-transfer { localhost; };
> >>         blackhole { bogon; };
> >>         recursive-clients 2000;
> >>         clients-per-query 40;
> >>         tcp-clients 100;
> >>         recursion no;
> >>         additional-from-cache no;
> >>         transfer-format many-answers;
> >>         masterfile-format text;
> >>         interface-interval 0;
> >>         dnssec-enable yes;
> >>         dnssec-validation yes;
> >> };
> >
> > Given www.undernet.org exists on the Internet (so you wouldn't be
> > getting NXDOMAIN if it was recursing to the Internet) and you haven't
> > shown the entire configuration we can't tell if it is a lack of
> > understanding about your configuration or a bug.
> >
>
> The only other components to our pure authoritative only server
> configuration are
>
> The bogon acl from team cymru
>
> include "/var/named/root_trusted_key";
>
> logging {
>         category lame-servers { null; };
>         category edns-disabled { null; };
>         category client { null; };
> };
>
> zone "." {
>         type hint;
>         file "root.hints";
> };
>
>
> zone "127.in-addr.arpa" {
>         type master;
>         file "localhost.rev";
>         notify no;
> };
>
> zone "localhost" {
>         type master;
>         file "localhost.zone";
>         notify no;
> };
>
> zone "somedomain.org" {
>         type master;
>         allow-transfer { slave.ip; };
>         file "somedomain.org.signed";
>         allow-query { any; };
>         allow-update { none; };
> };
>
>
> zone "xxxx.in-addr.arpa" {
>         type master;
>         allow-transfer { sec.IP; };
>         file "00v4.zone";
>         allow-query { any; };
>         allow-update { none; };
> };
>
> zone "xxxxxxx.ip6.arpa" {
>         type master;
>         allow-transfer { sec.IP; };
>         file "00v6.zone";
>         allow-query { any; };
>         allow-update { none; };
> };
>
> zone "xxxx" {
>         type slave;
>         masters { x.x.x.x; };
>         file "xxxxxx.signed";
>         allow-query { any; };
> };
>
>
> there are 27 more master/slave zones, but they all are in identical
> format as above and
> we certainly do not host undernet :-)
>
> and with no customer IP ranges included in any ACL (since these are
> not caching servers), and, having friends trying from different ISPs,
> we get NXDOMAIN, be it undernet, or google Host www.google.com not
> found: 3(NXDOMAIN) or whatever else it is not configured for, yes, it
> does respond correctly to domains it is supposed to
>
> in the end because of this config, I expect to see REFUSED here, like
> we have in the past, not sure when this changed.
>
> Both our ns1 and ns2 respond in same

You still haven't provided enough information to work out whether
there is a bug or not.  Why don't you post the complete response
to the dig request unaltered?

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
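
Added example, not part of the original thread and not ISC or BIND code: the REFUSED the poster expects and the NXDOMAIN he reports differ in the RCODE field of the reply header, which the complete dig response requested above would show alongside the aa and ra flags. The Python below decodes that header; the helper names `ask` and `fake_reply` and the sample replies are constructed for illustration, and only the two RCODEs come from the thread.

```python
import socket
import struct

# RCODE names from RFC 1035 (values 0-5)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qid=0x1234, rd=False):
    """Build an A/IN query. rd=False is what `dig +norec` sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields dig prints."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": qid,
            "qr": bool(flags & 0x8000),   # message is a response
            "aa": bool(flags & 0x0400),   # server claims authority
            "rd": bool(flags & 0x0100),   # client asked for recursion
            "ra": bool(flags & 0x0080),   # server offers recursion
            "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
            "counts": (qd, an, ns, ar)}

def ask(server, name, timeout=3.0):
    """Send one non-recursive UDP query and return the parsed reply header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        reply, _ = s.recvfrom(4096)
    hdr = parse_header(reply)
    if hdr["id"] != 0x1234 or not hdr["qr"]:
        raise ValueError("reply does not match the query")
    return hdr

def fake_reply(query, rcode, aa=False, ra=False):
    """Constructed sample: echo the question with chosen flags, no records."""
    qid, flags = struct.unpack("!HH", query[:4])
    flags |= 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    return struct.pack("!HH", qid, flags) + query[4:]

if __name__ == "__main__":
    q = build_query("www.undernet.org")
    for label, reply in [("expected by the poster", fake_reply(q, 5)),
                         ("reported by the poster", fake_reply(q, 3))]:
        print(label, parse_header(reply))
```

Calling `ask("192.0.2.53", "www.undernet.org")` with the server's real address in place of the documentation address queries a live server from an untrusted source address.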