Re: nxdomain

2013-08-29 Thread Noel Butler
Barry,

On Thu, 2013-08-29 at 16:16 -0400, Barry Margolin wrote:

> In article ,
>  Noel Butler  wrote:
> 
> > replying to oneself a few times in one day or a sign I need a break..
> > but...
> > 
> > I think the issue is this
> > 
> > Trying "www.undernet.org"
> > Received 34 bytes from 198.147.21.12#53 in 348 ms
> > Trying "www.undernet.org.ausics.net"
> > Using domain server:
> > 
> > Host www.undernet.org not found: 3(NXDOMAIN)
> > 
> > it comes down to host etc. once again needing the period after the
> > domain - this was a reported and fixed bug a few years ago; it seems
> > that sometime between then and now it has become broken again. 
> > 
> > So I guess those 3rd party servers I've tested still use the older and
> > "fixed" version.
> 
> What does your /etc/resolv.conf look like? This looks like it might be 
> an "ndots" issue, causing host (and other applications that use the 
> default search option) to try adding the default domain to names that it 
> shouldn't.
> 

domain and 2x nameservers, nothing special is defined

From memory, this bug was confirmed and fixed but, if my summary proves
correct, that was back in ... March 2007

ndots appears to be where the bug is: since nothing is defined, it
should be 1, so it should have seen, in our example, www.undernet.org as
www.undernet.org and nothing more, and returned REFUSED, not carried on.

"  The default value is that defined using the ndots statement in /etc/resolv.conf,
   or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative
   names and will be searched for in the domains listed in the search or domain directive in
   /etc/resolv.conf.
"

proving the point...
 ~$ host -v -N1 www.undernet.org ns1.ausics.net
Trying "www.undernet.org"
Received 34 bytes from 62.113.243.167#53 in 365 ms
Trying "www.undernet.org.ausics.net"
Using domain server:
Name: ns1.ausics.net
Address: 62.113.243.167#53
Aliases: 

Host www.undernet.org not found: 3(NXDOMAIN)

(even -N0 reports same as above)

Cheers



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind configuration/setup question

2013-08-29 Thread mm half
Alan,

None of the files you listed (bind.keys, managed-keys.bind and 
managed-keys.bind.jnl) are in the bind installation directory, or the chroot 
that named is run in.   I did add the following line in the named.conf file:

managed-keys-directory "/var/log";   


where /var/log is a writable directory for the userid named is run as.  Re-hit 
the process with a kill -1 name.pid and the same errors are in the log file.


Also touched blank managed-keys.bind and managed-keys.bind.jnl files in 
/var/log then re-hit the process with the same results. 


When I change the database directory to an OS writable directory in named.conf 
with this line in the options block:

directory       "/var/log/namedb";          // Directory where data files are stored


the errors do not show up in the logs, but the database files are now writable 
to the OS.  Note user permissions are set so the database files in 
/var/log/namedb and the /var/log/namedb directory are read-only for the userid 
named is run as.


Did I use the correct syntax for the managed-keys-directory options line, or is 
the problem that there is no bind.keys file with the managed-keys statements?   


 
*The content of this message is my personal opinion only, and should not be 
construed as anything that has been through rigorous scrutiny of the 
professional groups who devote their life and work to the topics being 
discussed



 From: Alan Clegg 
To: mm half  
Cc: "bind-users@lists.isc.org"  
Sent: Wednesday, August 28, 2013 1:34 PM
Subject: Re: bind configuration/setup question
 


On Aug 28, 2013, at 1:29 PM, Alan Clegg  wrote:
> 
> I believe that what you are seeing is the result of BIND 9.9 doing more 
> things "automatically", including bringing in a set of DNSSEC trust anchors 
> (root and DLV) and not being able to create the file.
> 
> You should be able to use the option "bindkeys-file" to set a location that 
> is writable for this file.

And as soon as I sent this I realized that I'd goofed.  bind.keys is created on 
install (it is part of the problem, however).

This file contains "managed-keys" statements that I refer to below (and it was 
supposed to be "keystore" not "keystone" -- spellcheck will be the death of the 
computer industry).

> It's also going to happen if you use managed-keys, as there is a "keystone" 
> created that needs to be updated.  See the "managed-keys-directory" option.

This is where the problem lies.  The fact that you have managed-keys requires 
BIND to create a journal of updates made to the trust-anchor material.  Set 
"managed-keys-directory" to a writable directory and copy the managed-keys.bind 
and managed-keys.bind.jnl files there.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com
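An added example, not the poster's configuration and not taken from Alan's reply: an options block that keeps the zone-data directory read-only to the named user while giving the managed-keys files a writable directory of their own, rather than pointing them at /var/log. The paths and the `named` account name are assumptions; adjust them to your layout (inside a chroot, both paths are relative to the chroot root).

```conf
// Added example (not from the thread). Paths and the "named" account are assumed.
options {
    // Zone files and the named.conf itself: owned by root, readable but not
    // writable by the named user. Keeping this read-only is the part the
    // poster got right; named does not need to write here.
    directory "/var/named";

    // managed-keys.bind and managed-keys.bind.jnl live here. named must be
    // able to create and rewrite both, because it journals every change to
    // the trust-anchor material (RFC 5011 rollovers). Give this directory to
    // the named user alone instead of sharing /var/log with the logging daemon.
    managed-keys-directory "/var/named/dynamic";

    // Loads the built-in root trust anchor from bind.keys (BIND 9.8+), which
    // is what makes the managed-keys store necessary in the first place.
    dnssec-validation auto;
};
```

Create the directory before reloading, writable only by the named user (for example `install -d -o named -g named -m 0750 /var/named/dynamic`, with the account name assumed), move any existing managed-keys.bind and managed-keys.bind.jnl into it, run `named-checkconf` to confirm the syntax, then reload. A zero-length managed-keys.bind created with touch does not help on its own if named still cannot write the journal beside it.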

Re: SERVFAIL when two SOA in the domain

2013-08-29 Thread Mark Andrews

In message <20130829182253.ga13...@laperouse.bortzmeyer.org>, Stephane Bortzmeyer writes:
> One of my contacts noticed that you cannot query 42.fr's SOA with
> BIND: SERVFAIL. Querying other types, or using Unbound (or Google
> Public DNS) instead of BIND works.
> 
> The only thing special he sees is the double SOA:
> 
> % dig SOA 42.fr
> 
> ; <<>> DiG 9.9.2-P1 <<>> SOA 42.fr
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9894
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;42.fr.   IN  SOA
> 
> ;; ANSWER SECTION:
> 42.fr.    2907    IN  SOA ns1.42.fr. postmaster.42.fr. 2013032901 300 300 604800 86400
> 42.fr.    2907    IN  SOA ns2.42.fr. postmaster.42.fr. 2013032901 300 300 604800 86400
> 
> ;; AUTHORITY SECTION:
> 42.fr.2897IN  NS  ns1.42.fr.
> 42.fr.2897IN  NS  ns2.42.fr.
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)<- Unbound
> ;; WHEN: Thu Aug 29 20:21:51 2013
> ;; MSG SIZE  rcvd: 153
> 
> I'm not sure what the RFCs say about that...
> 

Named will reject answers which contain multiple non-identical
records at the same name and type that should be singletons.  The
list of types with that attribute is below.

% grep SINGL lib/dns/rdata/*/*.c
lib/dns/rdata/generic/cname_5.c:(DNS_RDATATYPEATTR_EXCLUSIVE | DNS_RDATATYPEATTR_SINGLETON)
lib/dns/rdata/generic/dname_39.c:#define RRTYPE_DNAME_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
lib/dns/rdata/generic/opt_41.c:#define RRTYPE_OPT_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON | \
lib/dns/rdata/generic/soa_6.c:#define RRTYPE_SOA_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
% 

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
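An added example, not code from the thread or from BIND: the singleton rule Mark states, applied in Python to records in zone-file presentation format, which also covers the "exactly one SOA" reading of RFC 1035 that Steven and Kevin discuss below. It collapses exact duplicates first (the rule is about non-identical records, so the same SOA seen twice passes) and flags any owner/type pair where a singleton type carries more than one distinct rdata. The 42.fr records are a constructed copy of the answer section posted above; comparing rdata as text stands in for BIND's wire-format comparison and is an approximation (it does not fold the case of names inside rdata).

```python
# Added example, not code from the thread or from BIND: apply the singleton
# rule Mark Andrews describes (named rejects an answer carrying two or more
# non-identical records of a singleton type at one owner name) to records in
# zone-file presentation format.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Types BIND marks DNS_RDATATYPEATTR_SINGLETON, per the grep output above.
SINGLETON_TYPES = frozenset({"CNAME", "DNAME", "OPT", "SOA"})


def parse_rr(line: str) -> Tuple[str, str, str]:
    """Split 'owner ttl class type rdata...' into (owner, type, rdata).
    Owner names are lower-cased and made absolute; rdata is kept as text,
    which approximates BIND's wire-format comparison (it does not fold the
    case of names inside rdata)."""
    owner, _ttl, _class, rtype, *rdata = line.split()
    return owner.lower().rstrip(".") + ".", rtype.upper(), " ".join(rdata)


def singleton_violations(lines: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Return {(owner, type): [distinct rdata...]} for every singleton RRset
    with more than one distinct record. Exact duplicates collapse first, so
    the same SOA appearing twice is not a violation; two different ones are."""
    rrsets: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):   # dig/zone-file comments
            continue
        owner, rtype, rdata = parse_rr(line)
        rrsets[(owner, rtype)].add(rdata)
    return {
        key: sorted(rdatas)
        for key, rdatas in rrsets.items()
        if key[1] in SINGLETON_TYPES and len(rdatas) > 1
    }


def would_servfail(lines: List[str]) -> bool:
    """True if named would reject this answer section under the singleton rule."""
    return bool(singleton_violations(lines))


# Constructed copy of the 42.fr answer section posted in the thread.
ANSWER_42FR = [
    "; ANSWER SECTION (constructed copy)",
    "42.fr. 2907 IN SOA ns1.42.fr. postmaster.42.fr. 2013032901 300 300 604800 86400",
    "42.fr. 2907 IN SOA ns2.42.fr. postmaster.42.fr. 2013032901 300 300 604800 86400",
    "42.fr. 2897 IN NS ns1.42.fr.",
    "42.fr. 2897 IN NS ns2.42.fr.",
]

if __name__ == "__main__":
    for (owner, rtype), rdatas in singleton_violations(ANSWER_42FR).items():
        print(f"{owner} {rtype}: {len(rdatas)} distinct records in a singleton RRset")
        for r in rdatas:
            print("   ", r)
```

The two 42.fr SOA records differ only in MNAME (ns1 versus ns2), which is enough: named compares the whole rdata, not just the serial. NS is not a singleton type, so the two NS records in the same answer are fine. Unbound and Google Public DNS returned the answer because they do not enforce this check, which is why the failure looked BIND-specific.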


Re: nxdomain

2013-08-29 Thread Barry Margolin
In article ,
 Noel Butler  wrote:

> replying to oneself a few times in one day or a sign I need a break..
> but...
> 
> I think the issue is this
> 
> Trying "www.undernet.org"
> Received 34 bytes from 198.147.21.12#53 in 348 ms
> Trying "www.undernet.org.ausics.net"
> Using domain server:
> 
> Host www.undernet.org not found: 3(NXDOMAIN)
> 
> it comes down to host etc. once again needing the period after the
> domain - this was a reported and fixed bug a few years ago; it seems
> that sometime between then and now it has become broken again. 
> 
> So I guess those 3rd party servers I've tested still use the older and
> "fixed" version.

What does your /etc/resolv.conf look like? This looks like it might be 
an "ndots" issue, causing host (and other applications that use the 
default search option) to try adding the default domain to names that it 
shouldn't.

-- 
Barry Margolin
Arlington, MA


Re: SERVFAIL when two SOA in the domain

2013-08-29 Thread Kevin Darcy
When RFC 1035 was written, the strict rules between SHOULD/MUST didn't 
yet exist.


That "should" is to be considered a MUST from the standpoint of modern RFCs.

- Kevin

On 8/29/2013 2:31 PM, Steven Carr wrote:
> On 29 August 2013 19:22, Stephane Bortzmeyer  wrote:
>> I'm not sure what the RFCs say about that...
>
> While RFC 1035 doesn't seem to explicitly say that multiple are
> forbidden, or how to handle the case of multiple records, it does
> state under section 5.2. (Use of master files to define zones):
>
>  2. Exactly one SOA RR should be present at the top of the zone.
>
> Steve


Re: SERVFAIL when two SOA in the domain

2013-08-29 Thread Steven Carr
On 29 August 2013 19:22, Stephane Bortzmeyer  wrote:
> I'm not sure what the RFCs say about that...

While RFC 1035 doesn't seem to explicitly say that multiple are
forbidden, or how to handle the case of multiple records, it does
state under section 5.2. (Use of master files to define zones):

2. Exactly one SOA RR should be present at the top of the zone.

Steve


SERVFAIL when two SOA in the domain

2013-08-29 Thread Stephane Bortzmeyer
One of my contacts noticed that you cannot query 42.fr's SOA with
BIND: SERVFAIL. Querying other types, or using Unbound (or Google
Public DNS) instead of BIND works.

The only thing special he sees is the double SOA:

% dig SOA 42.fr

; <<>> DiG 9.9.2-P1 <<>> SOA 42.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9894
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;42.fr. IN  SOA

;; ANSWER SECTION:
42.fr.      2907    IN  SOA ns1.42.fr. postmaster.42.fr. 2013032901 300 300 604800 86400
42.fr.      2907    IN  SOA ns2.42.fr. postmaster.42.fr. 2013032901 300 300 604800 86400

;; AUTHORITY SECTION:
42.fr.  2897IN  NS  ns1.42.fr.
42.fr.  2897IN  NS  ns2.42.fr.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)<- Unbound
;; WHEN: Thu Aug 29 20:21:51 2013
;; MSG SIZE  rcvd: 153

I'm not sure what the RFCs say about that...



Re: How BIND works ?

2013-08-29 Thread Alan Clegg

On Aug 29, 2013, at 8:48 AM, Nidal Shater  wrote:

> Hi , can anybody explain the process that bind9 do When we press dig 
> www.example.com.
> 
> What the files which is opened ?
> 
> What the functions and classes which is used?

I would recommend that you read some of the documents presented 
earlier:

 Pro DNS and BIND by Ron Aitchison - 
http://www.amazon.com/Pro-DNS-BIND-Ron-Aitchison/dp/1590594940

and

 DNS and BIND by Cricket Liu - 
http://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574

When you have anything that looks like a specific question, please feel free to 
post it to the list.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com




Re: nxdomain

2013-08-29 Thread Nick Edwards
Good Morning,
Wow, all these messages. As other posters have pointed out to me, dig
shows what I wanted to see, REFUSED; only host shows NXDOMAIN, and from
other posts I see why I am getting that result. So in the end it's all
just a false alarm; my servers are doing the right thing, so I can
rest easy.

On 8/29/13, Mark Andrews  wrote:
>
> In message
> 
> , Nick Edwards writes:
>> Mark,
>>
>> On 8/29/13, Mark Andrews  wrote:
>> >
>> > In message
>> > 
>> > , Nick Edwards writes:
>> >> The typo was more of how I came about my request; forget the typo as
>> >> such, it's the actual answer. To use a more common, well-known name, if
>> >> I type
>> >>
>> >> ~$ host www.undernet.org ns1
>> >> Using domain server:
>> >> Name: ns1
>> >>
>> >> Host www.undernet.org not found: 3(NXDOMAIN)
>> >>
>> >> Above should be, and I'm darn sure used to be, REFUSED -  not NXDOMAIN
>> >>
>> >> perhaps I should also include my options in my original post, that was
>> >> remiss of me
>> >>
>> >> acl trust contains localhost and the servers actual IP addresses,
>> >> nowhere does it permit the IP range I tried from
>> >>
>> >> options {
>> >> directory "/var/named";
>> >> allow-query { trust; };
>> >> allow-transfer { localhost; };
>> >> blackhole { bogon; };
>> >> recursive-clients 2000;
>> >> clients-per-query 40;
>> >> tcp-clients 100;
>> >> recursion no;
>> >> additional-from-cache no;
>> >> transfer-format many-answers;
>> >> masterfile-format text;
>> >> interface-interval 0;
>> >> dnssec-enable yes;
>> >> dnssec-validation yes;
>> >> };
>> >
>> > Given www.undernet.org exists on the Internet (so you wouldn't be
>> > getting NXDOMAIN if it was recursing to the Internet) and you haven't
>> > shown the entire configuration we can't tell if it is a lack of
>> > understanding about your configuration or a bug.
>> >
>>
>> The only other components to our pure authoritative-only server
>> configuration are
>>
>> The bogon acl from team cymru
>>
>> include "/var/named/root_trusted_key";
>>
>> logging {
>> category lame-servers { null; };
>> category edns-disabled { null; };
>> category client { null; };
>> };
>>
>> zone "." {
>> type hint;
>> file "root.hints";
>> };
>>
>>
>> zone "127.in-addr.arpa" {
>> type master;
>> file "localhost.rev";
>> notify no;
>> };
>>
>> zone "localhost" {
>> type master;
>> file "localhost.zone";
>> notify no;
>> };
>>
>> zone "somedomain.org" {
>> type master;
>> allow-transfer { slave.ip; };
>> file "somedomain.org.signed";
>> allow-query { any; };
>> allow-update { none; };
>> };
>>
>>
>> zone ".in-addr.arpa" {
>> type master;
>> allow-transfer { sec.IP; };
>> file "00v4.zone";
>> allow-query { any; };
>> allow-update { none; };
>> }
>>
>> zone "xxx.ip6.arpa" {
>> type master;
>> allow-transfer { sec.IP; };
>> file "00v6.zone";
>> allow-query { any; };
>> allow-update { none; };
>> };
>>
>> zone "" {
>> type slave;
>> masters { x.x.x.x; };
>> file "xx.signed";
>> allow-query { any; };
>> };
>>
>>
>> there are 27 more master/slave zones, but they all are in identical
>> format as above and
>> we certainly do not host undernet :-)
>>
>> and with no customer IP ranges included in any ACL (since these are
>> not caching servers), and having friends trying from different ISPs,
>> we get NXDOMAIN, be it undernet or google (Host www.google.com not
>> found: 3(NXDOMAIN)) or whatever else it is not configured for; yes, it
>> does respond correctly to domains it is supposed to.
>>
>> in the end because of this config, I expect to see REFUSED here, like
>> we have in the past, not sure when this changed.
>>
>> Both our ns1 and ns2 respond the same.
>
> You still haven't provided enough information to work out whether
> there is a bug or not.
>
> Why don't you post the complete response to the dig request unaltered.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>


How BIND works ?

2013-08-29 Thread Nidal Shater
Hi, can anybody explain the process that bind9 goes through when we run dig 
www.example.com?

What files are opened?

What functions and classes are used?

and Thanks

Re: nxdomain

2013-08-29 Thread Chris Thompson

On Aug 29 2013, Mark Andrews wrote:

> The fix will be to only go onto the next element of the search list
> on nxdomain.  Searches really should stop on REFUSED, SERVFAIL,
> NOERROR, NOTIMP.


Regardless of the stopping rule, host and nslookup ought to display
the FQDN they are claiming to get (say) an NXDOMAIN for, rather than
the unqualified one. The OP would probably have been a lot less
mystified if the message had been

Host www.undernet.org.my-domain.example not found: 3(NXDOMAIN)

rather than

Host www.undernet.org not found: 3(NXDOMAIN)

--
Chris Thompson
Email: c...@cam.ac.uk


Re: nxdomain

2013-08-29 Thread Mark Andrews

The fix will be to only go onto the next element of the search list
on nxdomain.  Searches really should stop on REFUSED, SERVFAIL,
NOERROR, NOTIMP.

You move onto the next nameserver on REFUSED, SERVFAIL, NOTIMP.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
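An added example, not code from the thread and not BIND's host(1) implementation: a small Python model of a stub resolver's search-list walk, using the resolv.conf(5) ndots rule Noel quoted and a constructed response table standing in for ns1.ausics.net. Under the old "move on after any failure" behaviour it reproduces the trace Noel posted (the absolute name is REFUSED, the search-suffixed name is NXDOMAIN, and NXDOMAIN is what gets reported); under the stopping rule Mark proposes (continue only on NXDOMAIN) the same query ends at REFUSED. It also returns the fully qualified name that was actually sent, which is the message Chris asks host and nslookup to print. Server names, responses and the hypothetical `candidates`/`resolve` functions are all assumptions made for the example.

```python
# Added example, not from the thread or from BIND's own code: a minimal model
# of a stub resolver's search-list walk. Server names and their answers below
# are a constructed table, not real DNS traffic.
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed: ns1.ausics.net is authoritative-only for ausics.net. It refuses
# out-of-zone names and answers NXDOMAIN for in-zone names that do not exist.
RESPONSES: Dict[Tuple[str, str], str] = {
    ("ns1.ausics.net", "www.undernet.org."): "REFUSED",
    ("ns1.ausics.net", "www.undernet.org.ausics.net."): "NXDOMAIN",
    ("ns1.ausics.net", "www.ausics.net."): "NOERROR",
}

# Old behaviour, reconstructed from the posted trace: any failure moves on to
# the next search-list element. Mark's proposed rule: only NXDOMAIN does.
CONTINUE_ON_ANY_FAILURE: FrozenSet[str] = frozenset(
    {"NXDOMAIN", "REFUSED", "SERVFAIL", "NOTIMP"})
CONTINUE_ON_NXDOMAIN_ONLY: FrozenSet[str] = frozenset({"NXDOMAIN"})


def query(server: str, fqdn: str) -> str:
    """Constructed lookup; anything not in the table is refused by this server."""
    return RESPONSES.get((server, fqdn), "REFUSED")


def candidates(name: str, search: List[str], ndots: int) -> List[str]:
    """Order the absolute names to try, following resolv.conf(5) ndots semantics:
    a name with at least `ndots` dots is tried as given first, then with each
    search suffix; a name with fewer dots is tried with the suffixes first."""
    if name.endswith("."):
        return [name]                      # already fully qualified: no search
    absolute = name + "."
    suffixed = [f"{name}.{d.strip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def resolve(name: str, search: List[str], ndots: int, server: str,
            continue_on: FrozenSet[str]) -> Optional[Tuple[str, str]]:
    """Walk the candidates against one server. Returns (fqdn_actually_tried,
    rcode) for the final answer, so the caller can report the qualified name
    rather than the bare one the user typed."""
    last: Optional[Tuple[str, str]] = None
    for fqdn in candidates(name, search, ndots):
        rcode = query(server, fqdn)
        last = (fqdn, rcode)
        if rcode not in continue_on:       # stop here; do not try more suffixes
            break
    return last


def report(result: Tuple[str, str]) -> str:
    """host(1)-style line, but naming the FQDN that was really queried."""
    fqdn, rcode = result
    if rcode == "NOERROR":
        return f"Host {fqdn} found"
    code = {"SERVFAIL": 2, "NXDOMAIN": 3, "NOTIMP": 4, "REFUSED": 5}[rcode]
    return f"Host {fqdn} not found: {code}({rcode})"


if __name__ == "__main__":
    # -N1 in the posted command is ndots=1; "ausics.net" is the search domain.
    for label, rule in (("old", CONTINUE_ON_ANY_FAILURE),
                        ("nxdomain-only", CONTINUE_ON_NXDOMAIN_ONLY)):
        r = resolve("www.undernet.org", ["ausics.net"], 1, "ns1.ausics.net", rule)
        print(f"{label:14s} {report(r)}")
```

With ndots=1 the two-dot name www.undernet.org is tried as-is first, exactly as Noel expected; the difference is what happens after the REFUSED. A trailing dot short-circuits the search entirely, which is why adding the period "fixed" it. dig does not apply the search list unless given +search, so it reports the rcode for the literal name asked, which is why dig showed REFUSED while host showed NXDOMAIN.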