Re: forward name resolution OK, but reverse doesn't work ...

2011-06-18 Thread Mark Andrews

The root servers no longer serve arpa or in-addr.arpa.

See the following for where to transfer these zones from
now.  http://seclists.org/nanog/2011/Feb/1453

Mark

In message 4dfb848a.1080...@vr-web.de, Thomas Schweikle writes:
 Hi!
 
 I am having some problem with my nameserver:
 
 It resolves forward:
 !user@ks1:~$ host google.com
 !google.com has address 74.125.79.147
 !google.com has address 74.125.79.99
 !google.com has address 74.125.79.104
 !google.com mail is handled by 50 alt4.aspmx.l.google.com.
 !google.com mail is handled by 10 aspmx.l.google.com.
 !google.com mail is handled by 20 alt1.aspmx.l.google.com.
 !google.com mail is handled by 30 alt2.aspmx.l.google.com.
 !google.com mail is handled by 40 alt3.aspmx.l.google.com.
 
 But not reverse:
 !user@ks1:~$ host 74.125.79.99
 !Host 99.79.125.74.in-addr.arpa not found: 2(SERVFAIL)
 
 Main configuration (partly shortened):
 !options {
 !directory   /var/tmp/named;
 !pid-file/var/run/named/named.pid;
 !dump-file   /var/run/named/named_dump.db;
 !statistics-file /var/run/named/named.stats;
 !listen-on   { any; };
 !#listen-on-v6   { any; };
 !recursion yes;
 !auth-nxdomain no;
 !};
 !
 !// slave to root name servers
 !zone . {
 !  type slave;
 !  file /var/cache/named/root/root.slave;
 !  masters { 192.5.5.241; };
 !  notify no;
 !};
 !
 !zone arpa {
 !  type slave;
 !  file /var/cache/named/root/arpa.slave;
 !  masters { 192.5.5.241; };
 !  notify no;
 !};
 !
 !zone in-addr.arpa {
 !  type slave;
 !  file /var/cache/named/root/in-addr.arpa.slave;
 !  masters { 192.5.5.241; };
 !  notify no;
 !};
 !
 !// RFC 1912 (and BCP 32 for localhost)
 !zone localhost {
 !  type master;
 !  file /etc/named/master/localhost-forward.db;
 !};
 !
 !zone 127.in-addr.arpa {
 !  type master;
 !  file /etc/named/master/localhost-reverse.db;
 !};
 
 localhost-forward.db:
 !$TTL 3h
 !localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
 !; Serial, Refresh, Retry, Expire, Neg. cache TTL
 !
 !NS  localhost.
 !
 !A   127.0.0.1
 !::1
 
 localhost-reverse.db:
 !$TTL 3h
 !@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
 !; Serial, Refresh, Retry, Expire, Neg. cache TTL
 !
 !NS  localhost.
 !
 !1.0.0   PTR localhost.
 !
 !1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0\
 ! PTR localhost.
 
 The server has AFAIS all root servers available:
 !$ORIGIN .
 !$TTL 86400  ; 1 day
 !@ IN SOA  a.root-servers.net.\
 ! nstld.verisign-grs.com. (
 !2011061700 ; serial
 !1800   ; refresh (30 minutes)
 !900; retry (15 minutes)
 !604800 ; expire (1 week)
 !86400  ; minimum (1 day)
 !)
 !RRSIG   SOA 8 0 86400 2011062400 (
 !2011061623 34525 .
 !kKIgiv5epNOi/mWtHYtH/Zwj6O6pV+wB09rnMiaTrYRk
 !HKqH7CCBdnIei6Kc1ghTRgdPwzrpgxzB3VHH/IfjEGbM
 !3sNGzMOYFtykMD1xjE93hBUU08yd1ojchWW2AXayGEJZ
 !5UOkaiA7cN3txThTtd1/r+k1zR5pvL+S6Pt7TTE= )
 !$TTL 518400 ; 6 days
 !NS  a.root-servers.net.
 !NS  b.root-servers.net.
 !NS  c.root-servers.net.
 !NS  d.root-servers.net.
 !NS  e.root-servers.net.
 !NS  f.root-servers.net.
 !NS  g.root-servers.net.
 !NS  h.root-servers.net.
 !NS  i.root-servers.net.
 !NS  j.root-servers.net.
 !NS  k.root-servers.net.
 !NS  l.root-servers.net.
 !NS  m.root-servers.net.
 !RRSIG   NS 8 0 518400 2011062400 (
 !2011061623 34525 .
 ! KgMPA/Ucp/cFQHQ36kFe8lhVV6ckJx8Zk8Mm2aiKIxOB
 ! v9fsM3qYyGOOqnNUGPr7V0X604r5xaePysUNy0iET+Ga
 ! 9WPmPeEX9438srt54qEDCBeCqn5Zbjo1lOVTrykAvtBI
 ! 

Re: forward name resolution OK, but reverse doesn't work ...

2011-06-18 Thread Thomas Schweikle
Am 18.06.2011 02:54, schrieb Mark Andrews:
 The root servers no longer serve arpa or in-addr.arpa.
 
 See the following for where to transfer these zones from
 now.  http://seclists.org/nanog/2011/Feb/1453

Arr! Seems I'd overlooked that ... :-(

I've corrected my config file. Now it works again!
Thanks for directing me to the right paper!

-- 
Thomas
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: forward name resolution OK, but reverse doesn't work ...

2011-06-18 Thread David Sparro

On 6/17/2011 12:44 PM, Thomas Schweikle wrote:

!zone in-addr.arpa {
!  type slave;
!  file /var/cache/named/root/in-addr.arpa.slave;
!  masters { 192.5.5.241; };
!  notify no;
!};


You're configuring your server to be authoritative for the reverse DNS 
zone.  It's only going to have the reverse records that it gets in the 
master zone from 192.5.5.241.  Since your server thinks it knows 
everything, it won't bother to check with google for their records.


--
Dave


Re: forward name resolution OK, but reverse doesn't work ...

2011-06-18 Thread Thomas Schweikle
Am 17.06.2011 23:29, schrieb Eivind Olsen:
 Thomas Schweikle wrote:
 
 But not reverse:
 !user@ks1:~$ host 74.125.79.99
 !Host 99.79.125.74.in-addr.arpa not found: 2(SERVFAIL)
 
 ...
 
 !zone in-addr.arpa {
 !  type slave;
 !  file /var/cache/named/root/in-addr.arpa.slave;
 !  masters { 192.5.5.241; };
 !  notify no;
 !};
 
 You seem to have set up slaving of the in-addr.arpa from 192.5.5.241
 (f.root-servers.net), but that's not one of the authoritative servers for
 in-addr.arpa.
 
 Remove the slaving of in-addr.arpa from your configuration. Or check if
 it's possible / allowed to slave it from any of the 6 in-addr.arpa
 nameservers: [a-f].in-addr-servers.arpa
 
 I'm guessing your logs also have entries about being unable to do zone
 transfers of in-addr.arpa.

This was one of the problems --- no errors within logs at all. But I
could fix the whole thing now with given servers in the announcement
letter. All OK again. Hopefully next time I do not miss such an
announcement!

-- 
Thomas


Re: forward name resolution OK, but reverse doesn't work ...

2011-06-18 Thread Anand Buddhdev
On 18/06/2011 02:54, Mark Andrews wrote:

Actually, the root name servers still serve ARPA. They only dropped
IN-ADDR.ARPA earlier this year.

However, anyone who runs the kind of configuration that Thomas has
should be more vigilant. I would even recommend against slaving the root
zone and the arpa zone. Such configurations are best left to experts.

Regards,

Anand Buddhdev
RIPE NCC

 The root servers no longer serve arpa or in-addr.arpa.
 
 See the following for where to transfer these zones from
 now.  http://seclists.org/nanog/2011/Feb/1453
 
 Mark


forward name resolution OK, but reverse doesn't work ...

2011-06-17 Thread Thomas Schweikle
Hi!

I am having some problem with my nameserver:

It resolves forward:
!user@ks1:~$ host google.com
!google.com has address 74.125.79.147
!google.com has address 74.125.79.99
!google.com has address 74.125.79.104
!google.com mail is handled by 50 alt4.aspmx.l.google.com.
!google.com mail is handled by 10 aspmx.l.google.com.
!google.com mail is handled by 20 alt1.aspmx.l.google.com.
!google.com mail is handled by 30 alt2.aspmx.l.google.com.
!google.com mail is handled by 40 alt3.aspmx.l.google.com.

But not reverse:
!user@ks1:~$ host 74.125.79.99
!Host 99.79.125.74.in-addr.arpa not found: 2(SERVFAIL)

Main configuration (partly shortened):
!options {
!directory   /var/tmp/named;
!pid-file/var/run/named/named.pid;
!dump-file   /var/run/named/named_dump.db;
!statistics-file /var/run/named/named.stats;
!listen-on   { any; };
!#listen-on-v6   { any; };
!recursion yes;
!auth-nxdomain no;
!};
!
!// slave to root name servers
!zone . {
!  type slave;
!  file /var/cache/named/root/root.slave;
!  masters { 192.5.5.241; };
!  notify no;
!};
!
!zone arpa {
!  type slave;
!  file /var/cache/named/root/arpa.slave;
!  masters { 192.5.5.241; };
!  notify no;
!};
!
!zone in-addr.arpa {
!  type slave;
!  file /var/cache/named/root/in-addr.arpa.slave;
!  masters { 192.5.5.241; };
!  notify no;
!};
!
!// RFC 1912 (and BCP 32 for localhost)
!zone localhost {
!  type master;
!  file /etc/named/master/localhost-forward.db;
!};
!
!zone 127.in-addr.arpa {
!  type master;
!  file /etc/named/master/localhost-reverse.db;
!};

localhost-forward.db:
!$TTL 3h
!localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
!; Serial, Refresh, Retry, Expire, Neg. cache TTL
!
!NS  localhost.
!
!A   127.0.0.1
!::1

localhost-reverse.db:
!$TTL 3h
!@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
!; Serial, Refresh, Retry, Expire, Neg. cache TTL
!
!NS  localhost.
!
!1.0.0   PTR localhost.
!
!1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0\
! PTR localhost.

The server has AFAIS all root servers available:
!$ORIGIN .
!$TTL 86400  ; 1 day
!@ IN SOA  a.root-servers.net.\
! nstld.verisign-grs.com. (
!2011061700 ; serial
!1800   ; refresh (30 minutes)
!900; retry (15 minutes)
!604800 ; expire (1 week)
!86400  ; minimum (1 day)
!)
!RRSIG   SOA 8 0 86400 2011062400 (
!2011061623 34525 .
!kKIgiv5epNOi/mWtHYtH/Zwj6O6pV+wB09rnMiaTrYRk
!HKqH7CCBdnIei6Kc1ghTRgdPwzrpgxzB3VHH/IfjEGbM
!3sNGzMOYFtykMD1xjE93hBUU08yd1ojchWW2AXayGEJZ
!5UOkaiA7cN3txThTtd1/r+k1zR5pvL+S6Pt7TTE= )
!$TTL 518400 ; 6 days
!NS  a.root-servers.net.
!NS  b.root-servers.net.
!NS  c.root-servers.net.
!NS  d.root-servers.net.
!NS  e.root-servers.net.
!NS  f.root-servers.net.
!NS  g.root-servers.net.
!NS  h.root-servers.net.
!NS  i.root-servers.net.
!NS  j.root-servers.net.
!NS  k.root-servers.net.
!NS  l.root-servers.net.
!NS  m.root-servers.net.
!RRSIG   NS 8 0 518400 2011062400 (
!2011061623 34525 .
! KgMPA/Ucp/cFQHQ36kFe8lhVV6ckJx8Zk8Mm2aiKIxOB
! v9fsM3qYyGOOqnNUGPr7V0X604r5xaePysUNy0iET+Ga
! 9WPmPeEX9438srt54qEDCBeCqn5Zbjo1lOVTrykAvtBI
! Y8ONwpp0DcDw9D7mTyBzp+ARLVG56jaZ5AucyGQ= )
[... heavily shortened -- the file is about 211k long ...]

Any idea what is wrong here and where to change the configuration to
make reverse DNS lookups happen?

-- 
Thomas




Re: forward name resolution OK, but reverse doesn't work ...

2011-06-17 Thread Lyle Giese

On 06/17/11 11:44, Thomas Schweikle wrote:

Hi!

I am having some problem with my nameserver:

It resolves forward:
!user@ks1:~$ host google.com
!google.com has address 74.125.79.147
!google.com has address 74.125.79.99
!google.com has address 74.125.79.104
!google.com mail is handled by 50 alt4.aspmx.l.google.com.
!google.com mail is handled by 10 aspmx.l.google.com.
!google.com mail is handled by 20 alt1.aspmx.l.google.com.
!google.com mail is handled by 30 alt2.aspmx.l.google.com.
!google.com mail is handled by 40 alt3.aspmx.l.google.com.

But not reverse:
!user@ks1:~$ host 74.125.79.99
!Host 99.79.125.74.in-addr.arpa not found: 2(SERVFAIL)

Main configuration (partly shortened):
!options {
!directory   /var/tmp/named;
!pid-file/var/run/named/named.pid;
!dump-file   /var/run/named/named_dump.db;
!statistics-file /var/run/named/named.stats;
!listen-on   { any; };
!#listen-on-v6   { any; };
!recursion yes;
!auth-nxdomain no;
!};
!
!// slave to root name servers
!zone . {
!  type slave;
!  file /var/cache/named/root/root.slave;
!  masters { 192.5.5.241; };
!  notify no;
!};
!
!zone arpa {
!  type slave;
!  file /var/cache/named/root/arpa.slave;
!  masters { 192.5.5.241; };
!  notify no;
!};
!
!zone in-addr.arpa {
!  type slave;
!  file /var/cache/named/root/in-addr.arpa.slave;
!  masters { 192.5.5.241; };
!  notify no;
!};
!
!// RFC 1912 (and BCP 32 for localhost)
!zone localhost {
!  type master;
!  file /etc/named/master/localhost-forward.db;
!};
!
!zone 127.in-addr.arpa {
!  type master;
!  file /etc/named/master/localhost-reverse.db;
!};

localhost-forward.db:
!$TTL 3h
!localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
!; Serial, Refresh, Retry, Expire, Neg. cache TTL
!
!NS  localhost.
!
!A   127.0.0.1
!::1

localhost-reverse.db:
!$TTL 3h
!@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
!; Serial, Refresh, Retry, Expire, Neg. cache TTL
!
!NS  localhost.
!
!1.0.0   PTR localhost.
!
!1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0\
! PTR localhost.

The server has AFAIS all root servers available:
!$ORIGIN .
!$TTL 86400  ; 1 day
!@ IN SOA  a.root-servers.net.\
! nstld.verisign-grs.com. (
!2011061700 ; serial
!1800   ; refresh (30 minutes)
!900; retry (15 minutes)
!604800 ; expire (1 week)
!86400  ; minimum (1 day)
!)
!RRSIG   SOA 8 0 86400 2011062400 (
!2011061623 34525 .
!kKIgiv5epNOi/mWtHYtH/Zwj6O6pV+wB09rnMiaTrYRk
!HKqH7CCBdnIei6Kc1ghTRgdPwzrpgxzB3VHH/IfjEGbM
!3sNGzMOYFtykMD1xjE93hBUU08yd1ojchWW2AXayGEJZ
!5UOkaiA7cN3txThTtd1/r+k1zR5pvL+S6Pt7TTE= )
!$TTL 518400 ; 6 days
!NS  a.root-servers.net.
!NS  b.root-servers.net.
!NS  c.root-servers.net.
!NS  d.root-servers.net.
!NS  e.root-servers.net.
!NS  f.root-servers.net.
!NS  g.root-servers.net.
!NS  h.root-servers.net.
!NS  i.root-servers.net.
!NS  j.root-servers.net.
!NS  k.root-servers.net.
!NS  l.root-servers.net.
!NS  m.root-servers.net.
!RRSIG   NS 8 0 518400 2011062400 (
!2011061623 34525 .
! KgMPA/Ucp/cFQHQ36kFe8lhVV6ckJx8Zk8Mm2aiKIxOB
! v9fsM3qYyGOOqnNUGPr7V0X604r5xaePysUNy0iET+Ga
! 9WPmPeEX9438srt54qEDCBeCqn5Zbjo1lOVTrykAvtBI
! Y8ONwpp0DcDw9D7mTyBzp+ARLVG56jaZ5AucyGQ= )
[... heavily shortened -- the file is about 211k long ...]

Any idea what is wrong here and where to change the configuration to
make reverse DNS lookups happen?




First of all, stop using host or nslookup.  Use dig.

Dig tells you a lot more about what it did and even who gave it the 
answer it is trying to display.


Also try:

dig +trace -x 74.125.79.99

This tries to do a reverse lookup on this IP address and trace it as 
it travels through the various DNS servers to get to the right answer.


I noticed that you have three zones defined ('.', 'arpa' and 
'in-addr.arpa') showing 192.5.5.241 (f.root-servers.net) as the master. 
Are you getting zone transfers from there?


I question the need or a desire to have a copy of that zone on your dns 
server, let alone if you are getting a full zone from the F root.


Lyle Giese

Re: forward name resolution OK, but reverse doesn't work ...

2011-06-17 Thread Eivind Olsen
Thomas Schweikle wrote:

 But not reverse:
 !user@ks1:~$ host 74.125.79.99
 !Host 99.79.125.74.in-addr.arpa not found: 2(SERVFAIL)

...

 !zone in-addr.arpa {
 !  type slave;
 !  file /var/cache/named/root/in-addr.arpa.slave;
 !  masters { 192.5.5.241; };
 !  notify no;
 !};

You seem to have set up slaving of the in-addr.arpa from 192.5.5.241
(f.root-servers.net), but that's not one of the authoritative servers for
in-addr.arpa.

Remove the slaving of in-addr.arpa from your configuration. Or check if
it's possible / allowed to slave it from any of the 6 in-addr.arpa
nameservers: [a-f].in-addr-servers.arpa

I'm guessing your logs also have entries about being unable to do zone
transfers of in-addr.arpa.

Regards
Eivind Olsen
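The two explanations in this thread (David Sparro's point that the server is configured to be authoritative for in-addr.arpa, and Eivind's point that 192.5.5.241 is f.root-servers.net, which is not one of the in-addr.arpa servers) can be turned into a configuration check. The Python script below is an added example written for this page; it is not code from the list, from Thomas's setup or from ISC BIND. It parses the zone stanzas Thomas posted (embedded as a constructed sample), works out which configured zone will answer the PTR query for 74.125.79.99, and flags a slave in-addr.arpa zone whose only masters are root-server addresses. The root-server address set and the list of zones the roots no longer serve are assumptions limited to what the thread states (F-root's address, and in-addr.arpa having moved to [a-f].in-addr-servers.arpa while arpa itself stays on the roots).

```python
"""Check a BIND named.conf for reverse zones slaved from servers that no
longer carry them, and show which configured zone answers a PTR query.
Added example for this thread; not code from the list or from ISC BIND."""
import ipaddress
import re

# Constructed sample: the zone stanzas posted in the thread, quoted BIND-style.
SAMPLE_NAMED_CONF = """
zone "." {
  type slave;
  file "/var/cache/named/root/root.slave";
  masters { 192.5.5.241; };
  notify no;
};
zone "arpa" {
  type slave;
  file "/var/cache/named/root/arpa.slave";
  masters { 192.5.5.241; };
  notify no;
};
zone "in-addr.arpa" {
  type slave;
  file "/var/cache/named/root/in-addr.arpa.slave";
  masters { 192.5.5.241; };
  notify no;
};
zone "localhost" {
  type master;
  file "/etc/named/master/localhost-forward.db";
};
zone "127.in-addr.arpa" {
  type master;
  file "/etc/named/master/localhost-reverse.db";
};
"""

# 192.5.5.241 is f.root-servers.net (as identified in the thread).  Assumption:
# only that one root-server address is listed; a real audit would load all hints.
ROOT_SERVER_ADDRS = {"192.5.5.241"}
# Zones the root servers stopped serving; in-addr.arpa is now served by
# [a-f].in-addr-servers.arpa (per the thread).  arpa itself is still on the roots.
ZONES_NOT_ON_ROOT = {"in-addr.arpa"}

ZONE_START = re.compile(r'\bzone\s+"?([^\s"{]+)"?\s*\{')
MASTERS_RE = re.compile(r'\bmasters\s*\{([^}]*)\}')
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;')


def _zone_blocks(conf):
    """Yield (name, body) for each zone stanza, matching nested braces so an
    inner 'masters { ... };' block does not end the stanza early."""
    pos = 0
    while True:
        m = ZONE_START.search(conf, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]
        pos = i


def parse_zones(conf):
    """Map zone name -> {'type': ..., 'masters': [...]} from named.conf text."""
    zones = {}
    for name, body in _zone_blocks(conf):
        name = name.rstrip(".") or "."          # "in-addr.arpa." -> "in-addr.arpa"; "." stays
        t = TYPE_RE.search(body)
        m = MASTERS_RE.search(body)
        masters = [x.strip() for x in m.group(1).split(";") if x.strip()] if m else []
        zones[name] = {"type": t.group(1) if t else "unknown", "masters": masters}
    return zones


def reverse_name(ip):
    """Owner name that `host <ip>` / `dig -x <ip>` actually query."""
    return ipaddress.ip_address(ip).reverse_pointer


def covering_zone(qname, zones):
    """Longest configured zone containing qname ('.' covers everything)."""
    qname = qname.rstrip(".")
    best, best_len = None, -1
    for name in zones:
        n = 0 if name == "." else len(name)
        if (name == "." or qname == name or qname.endswith("." + name)) and n > best_len:
            best, best_len = name, n
    return best


def audit(zones):
    """Flag slave zones whose only masters are root servers that no longer serve them."""
    findings = []
    for name, z in zones.items():
        if (z["type"] == "slave" and name in ZONES_NOT_ON_ROOT
                and z["masters"] and set(z["masters"]) <= ROOT_SERVER_ADDRS):
            findings.append(
                f"zone {name}: slaved from {', '.join(z['masters'])}, which does not serve "
                f"it; the transfer fails, the zone never loads, and named answers every "
                f"name under {name} with SERVFAIL instead of recursing")
    return findings


def explain_lookup(ip, zones):
    """Which locally configured zone will answer the PTR query for ip."""
    qname = reverse_name(ip)
    zone = covering_zone(qname, zones)
    return {"query": qname, "zone": zone, "type": zones[zone]["type"],
            "masters": zones[zone]["masters"]}


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_NAMED_CONF)
    print(explain_lookup("74.125.79.99", zones))
    for finding in audit(zones):
        print("WARNING:", finding)
```

Run against the sample, the lookup for 74.125.79.99 lands in the slave in-addr.arpa zone rather than being recursed from the root, and the audit reports that zone. Deleting the in-addr.arpa stanza (Eivind's first suggestion) makes the query fall under the arpa zone, which the roots still serve, and the audit comes back clean.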

