Re: [Dnsmasq-discuss] wrong response code for no SRV record

2010-05-04 Thread /dev/rob0
[ top-posting fixed ]

 Simon Kelley wrote:
  I think you have mis-interpreted the way this works. NXDOMAIN 
  means that there is no data in the DNS for the given domain. That 
  is not what's happening here. The example line returns a valid 
  SRV record for _ldap._tcp.example.com which happens to be empty. 
  The domain refers to _ldap._tcp.example.com and not the domain 
  which may be returned as part of the reply.
 
  Have you encountered real-world problems with the existing 
  behaviour?

On Sat, May 01, 2010 at 02:59:25PM +0530, Rahul Amaram wrote:
 Well yes. I have encountered some problems with this. I am using 
 Kerberos in my company LAN. While performing kinit on my system, 
 the SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up. 

Show the dig(1) results to demonstrate this. Is EXAMPLE.COM your 
company LAN domain? Does _kerberos-master.udp.EXAMPLE.COM exist in 
the form of any RR type, SRV or otherwise?

Show what Kerberos is actually looking up. Is it as you said, 
_kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the 
documented LDAP example, _kerberos-master._udp.EXAMPLE.COM?

 Now if an NXDOMAIN is not returned but instead the default port 1 
 with empty host is returned, the kinit command tries to further 
 resolve that empty host (which I think is replaced with ROOT 
 somehow) and this causes an extreme slowdown of kinit.
 
 I think there should be some configuration option to say that an 
 NXDOMAIN should be returned for a particular SRV record. This
 would be really helpful. What are your thoughts about this?

Useless. NXDOMAIN, as Simon explained, means that there is no record 
of any RR type for the given name. If you want NXDOMAIN, define 
yourself as authoritative for any level of the parent domain[s] in 
question.
local=/EXAMPLE.COM/
or, if you only want the SRV subdomains:
local=/_tcp.EXAMPLE.COM/
local=/_udp.EXAMPLE.COM/

Then, any name NOT defined under those domains will be NXDOMAIN. I 
suspect you have misdiagnosed your original issue.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] wrong response code for no SRV record

2010-05-04 Thread Rahul Amaram


Hi Rob,
Thanks a lot for your response. Please find my responses inline. Btw, 
your last suggestion has helped me achieve the desired result though I 
still feel it would be great to have dnsmasq return NXDOMAIN only for a 
particular domain and forward the remaining domain queries to upstream 
servers. For example, dnsmasq should be configurable such that query for 
_kerberos-master._udp.example.com is returned as NXDOMAIN whereas 
queries for _kerberos._udp.example.com and _kpasswd._udp.example.com are 
forwarded to upstream server.


Thanks and Regards,
Rahul.

On Tuesday 04 May 2010 01:43 PM, /dev/rob0 wrote:

Simon Kelley wrote:
 

I think you have mis-interpreted the way this works. NXDOMAIN
means that there is no data in the DNS for the given domain. That
is not what's happening here. The example line returns a valid
SRV record for _ldap._tcp.example.com which happens to be empty.
The domain refers to _ldap._tcp.example.com and not the domain
which may be returned as part of the reply.

Have you encountered real-world problems with the existing
behaviour?

On Sat, May 01, 2010 at 02:59:25PM +0530, Rahul Amaram wrote:

Well yes. I have encountered some problems with this. I am using
Kerberos in my company LAN. While performing kinit on my system,
the SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up.
 

Show the dig(1) results to demonstrate this.
# dig +short _kerberos-master._udp.example.com SRV
[Request forwarded to upstream server]

# echo 'srv-host=_kerberos-master._udp.example.com' >> /etc/dnsmasq.conf
# /etc/init.d/dnsmasq restart
Restarting DNS forwarder and DHCP server: dnsmasq.
# dig +short _kerberos-master._udp.example.com SRV
0 0 1 .
[Response from dnsmasq. I want this response to be NXDOMAIN]
#

Is EXAMPLE.COM your
company LAN domain? Does _kerberos-master.udp.EXAMPLE.COM exist in
the form of any RR type, SRV or otherwise?
EXAMPLE.COM is the kerberos realm. I could even have SYNOVEL.COM as the 
realm.

Show what Kerberos is actually looking up. Is it as you said,
_kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the
documented LDAP example, _kerberos-master._udp.EXAMPLE.COM?
I do not understand the difference. If the kerberos realm is 
EXAMPLE.COM it looks up _kerberos-master._udp.example.com. If the 
kerberos realm is SYNOVEL.COM, it looks up 
_kerberos-master._udp.synovel.com.

Now if an NXDOMAIN is not returned but instead the default port 1
with empty host is returned, the kinit command tries to further
resolve that empty host (which I think is replaced with ROOT
somehow) and this causes an extreme slowdown of kinit.

I think there should be some configuration option to say that an
NXDOMAIN should be returned for a particular SRV record. This
would be really helpful. What are your thoughts about this?
 

Useless. NXDOMAIN, as Simon explained, means that there is no record
of any RR type for the given name. If you want NXDOMAIN, define
yourself as authoritative for any level of the parent domain[s] in
question.
 local=/EXAMPLE.COM/
or, if you only want the SRV subdomains:
 local=/_tcp.EXAMPLE.COM/
 local=/_udp.EXAMPLE.COM/

Then, any name NOT defined under those domains will be NXDOMAIN. I
suspect you have misdiagnosed your original issue.
Thanks. This solution works perfectly. I have added 
local=/_tcp.EXAMPLE.COM/ to dnsmasq.conf and now I am able to get the 
desired result.
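As an added illustration (not code from this thread or from dnsmasq), the following Python builds the replies a resolver can give to the SRV query above and classifies them the way a careful client should: the NXDOMAIN that `local=` produces (rcode 3), a NOERROR reply with no records, and the `0 0 1 .` answer that `srv-host=` without a target produces, whose `.` target RFC 2782 defines as "service decidedly not available". The messages are constructed inline, so nothing is sent over the network.

```python
import struct
NXDOMAIN, TYPE_SRV, CLASS_IN = 3, 33, 1

def encode_name(name):                            # '.' becomes the lone root label
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return (".".join(labels) or "."), (off if end is None else end)

def build_response(qname, rcode, srv_rrs):
    """Constructed reply to an SRV query: rcode plus (prio, weight, port, target) RRs."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(srv_rrs), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    for prio, weight, port, target in srv_rrs:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 60, len(rdata)) + rdata
    return msg                                    # owner name = pointer to the question name

def classify_srv_response(msg):                   # what a careful SRV client would conclude
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x0F == NXDOMAIN:
        return "NXDOMAIN"                         # the name does not exist at all
    off, targets = decode_name(msg, 12)[1] + 4, []  # skip question name, type, class
    for _ in range(ancount):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_SRV:                     # rdata: prio, weight, port, target
            targets.append(decode_name(msg, off + 16)[0])
        off += 10 + rdlen
    if not targets:
        return "NODATA"                           # name exists but carries no SRV RRs
    if all(t == "." for t in targets):
        return "NOT-AVAILABLE"                    # RFC 2782: a '.' target means no such service
    return "SRV:" + ",".join(targets)
```

A client that only looks at the rcode sees NOERROR for the `srv-host=` case and may go on to resolve the `.` target, which is the slowdown described in the thread; checking the target first avoids that.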




Re: [Dnsmasq-discuss] wrong response code for no SRV record

2010-05-04 Thread /dev/rob0
On Tue, May 04, 2010 at 03:29:27PM +0530, Rahul Amaram wrote:
 Thanks a lot for your response. Please find my responses inline. 
 Btw, your last suggestion has helped me achieve the desired result

That's good, glad to hear it.

 though I still feel it would be great to have dnsmasq return 
 NXDOMAIN only for a particular domain and forward the remaining 
 domain queries to upstream servers. For example, dnsmasq should be 
 configurable such that query for _kerberos-master._udp.example.com 
 is returned as NXDOMAIN whereas queries for 
 _kerberos._udp.example.com and _kpasswd._udp.example.com are 
 forwarded to upstream server.

Something like
address=/_kerberos-master._udp.example.com/nxdomain

Actually I think this would work, but I'm not able to try it now:
local=/_kerberos-master._udp.example.com/
With no listings in /etc/hosts that should return NXDOMAIN, not 
consulting upstream servers.

 On Tuesday 04 May 2010 01:43 PM, /dev/rob0 wrote:
  Show what Kerberos is actually looking up. Is it as you said,
  _kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the
  documented LDAP example, _kerberos-master._udp.EXAMPLE.COM?
 
 I do not understand the difference. If the kerberos realm is 

The difference is the leading underscore on the second segment, 
._udp. versus .udp.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] wrong response code for no SRV record

2010-05-04 Thread Rahul Amaram

Hi Rob,

local=/_kerberos-master._udp.example.com/

works like a charm. Really appreciate all the help.

Thanks and Regards,
Rahul.
