Hello, For the Devuan project we use a DNS round robin for mirrors - deb.devuan.org. Mostly for cleanliness and separation which part is maintained by humans and which by tools, there is a separate zone rr.devuan.org fully maintained by tools. deb.devuan.org is CNAME of deb.rr.devuan.org, which in turn is the list of all up-to-date mirrors' A and AAAA. The master DNS server is not publicly visible and the only visible ones are authoritative slaves (for both zones).
The weird part is that bind is replying with CNAME and AAAA records only (using host, because it has shorter output, result is same with other tools): # host deb.devuan.org ns4.devuan.dev Using domain server: Name: ns4.devuan.dev Address: 2a01:9e40::108#53 Aliases: deb.devuan.org is an alias for deb.rr.devuan.org. deb.rr.devuan.org has IPv6 address 2801:82:80ff:8000::2 deb.rr.devuan.org has IPv6 address 2001:4190:801c:1::150 deb.rr.devuan.org has IPv6 address 2a0a:e5c0:2:2:400:c8ff:fe68:bef3 deb.rr.devuan.org has IPv6 address 2a01:4f9:2a:fa9::2 deb.rr.devuan.org has IPv6 address 2a01:9e40::180 deb.rr.devuan.org has IPv6 address 2a01:4f8:162:7293::14 deb.rr.devuan.org has IPv6 address 2001:e42:102:1704:160:16:137:156 deb.rr.devuan.org has IPv6 address 2a01:4f8:140:1102:2b76:955d:b48f:bdf3 deb.rr.devuan.org has IPv6 address 2607:5300:61:95f:7283:11d9:f86:e691 deb.rr.devuan.org has IPv6 address 2001:638:a000:1021:21::1 deb.rr.devuan.org has IPv6 address 2001:4ca0:4300::1:19 deb.rr.devuan.org has IPv6 address 2a02:2a38:1:400:422a:422a:422a:422a # nslookup -class=CHAOS -type=txt version.bind ns4.devuan.dev Server: ns4.devuan.dev Address: 2a01:9e40::108#53 version.bind text = "9.16.27-Debian" I did check with RFC 1034 and the above does not look like a proper reply as per my understanding. If bind does not see itself as auth for rr.devuan.org, it should reply only with the CNAME, else it should include the A records too. I have tried various options - enabling recursion makes it behave correctly but that is not an option for a public DNS. Replacing bind with nsd also fixes the behavior. As a side note knot behaves exactly like bind. I would prefer to run different software across the slaves. The next thing was to try with the most recent Debian package from the testing distribution: The only related option in named.conf.options is "recursion no;" # host deb.devuan.org 127.0.0.1 Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: deb.devuan.org is an alias for deb.rr.devuan.org. deb.rr.devuan.org has IPv6 address 2001:638:a000:1021:21::1 deb.rr.devuan.org has IPv6 address 2a0a:e5c0:2:2:400:c8ff:fe68:bef3 deb.rr.devuan.org has IPv6 address 2801:82:80ff:8000::2 deb.rr.devuan.org has IPv6 address 2001:4ca0:4300::1:19 deb.rr.devuan.org has IPv6 address 2001:e42:102:1704:160:16:137:156 deb.rr.devuan.org has IPv6 address 2a01:4f8:162:7293::14 deb.rr.devuan.org has IPv6 address 2001:878:346::116 deb.rr.devuan.org has IPv6 address 2001:4190:801c:1::150 deb.rr.devuan.org has IPv6 address 2a01:4f9:2a:fa9::2 deb.rr.devuan.org has IPv6 address 2a01:4f8:140:1102:2b76:955d:b48f:bdf3 deb.rr.devuan.org has IPv6 address 2607:5300:61:95f:7283:11d9:f86:e691 deb.rr.devuan.org has IPv6 address 2a01:9e40::180 deb.rr.devuan.org has IPv6 address 2a02:2a38:1:400:422a:422a:422a:422a # nslookup -class=CHAOS -type=txt version.bind 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53 version.bind text = "9.18.4-2-Debian" Please advise what is happening - is that expected behavior, a configuration option is missing or there is a bug in bind? With best regards, b. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users