Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-03 Thread Sten Carlsen


On 03/07/2019 22.14, Grant Taylor via bind-users wrote:
> On 7/3/19 2:04 PM, Lightner, Jeffrey wrote:
>> You have to use separate IPs for the separate views on the master and
>> the slave.
>
> I thought you could use different TSIG keys to identify different
> zones with a single IP at each end.
>
> Is that not the case?
As far as I am aware, the two views must use different keys; with the
same IP, the key (or the view's ACL) is the only thing to distinguish
between the views.

You can use the same IP for both views, at least on the master. I have
that setup and have for a very long time seen it running without any
problem. I do not use keys but let the view ACL do the work.


Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-03 Thread Grant Taylor via bind-users

On 7/3/19 2:04 PM, Lightner, Jeffrey wrote:
> You have to use separate IPs for the separate views on the master and
> the slave.


I thought you could use different TSIG keys to identify different zones 
with a single IP at each end.


Is that not the case?



--
Grant. . . .
unix || die





RE: Bind 9 with Views: zone transfer refused from master to slave

2019-07-03 Thread Lightner, Jeffrey
You have to use separate IPs for the separate views on the master and the slave.

Here we just put alias IPs on the primary interfaces and use those for the 
second view.




Bind 9 with Views: zone transfer refused from master to slave

2019-07-03 Thread Roberto Carna
Hi people, I have master/slave Bind 9.10.3 servers configured with views
and TSIG keys on a Debian 9 host. But the transfer from master to slave is
refused on the slave side, and there is no descriptive error.

In both views I have delegated the same two zones: black.com and white.com,
with different records according to the view.

Please, if I send my configuration, can you help me to detect the failure in
the zone transfer from master to slave? Thanks a lot in advance.

MASTER

named.conf:

key "rndc-key" {
algorithm hmac-md5;
secret "+PGWO1r5rrT8hcA47Anu0w==";
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
directory "/var/cache/bind";
also-notify { 10.0.0.2; };
dnssec-validation no;
dnssec-enable yes;
auth-nxdomain no;
allow-query { any; };
notify explicit;
recursion no;
version "none";
};


named.conf.local:

key one {
 algorithm HMAC-MD5;
 secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
 algorithm HMAC-MD5;
 secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
 algorithm HMAC-MD5;
 secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
   match-clients { one; };
   server 10.0.0.2 { keys one; };
   recursion yes;
   allow-transfer { key one; };

zone "black.com." {
type master;
file "/etc/bind/zones/black.com.one.db";
also-notify { 10.0.0.2 key one; };
};

zone "white.com" {
type master;
file "/etc/bind/zones/white.com.one.db";
also-notify { 10.0.0.2 key one; };
};
};

view "two" {
match-clients { two; };
server 10.0.0.2 { keys two; };
recursion yes;
allow-transfer { key two; };

zone "black.com." {
type master;
file "/etc/bind/zones/black.com.two.db";
also-notify { 10.0.0.2 key one; };
};

zone "white.com" {
type master;
file "/etc/bind/zones/white.com.two.db";
also-notify { 10.0.0.2 key one; };
};
};


SLAVE

named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
directory "/var/cache/bind";
allow-transfer {"none";};
dnssec-validation no;
dnssec-enable yes;
auth-nxdomain no;
allow-query { any; };
notify explicit;
recursion no;
version "none";
};


named.conf.local:

key one {
 algorithm HMAC-MD5;
 secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
 algorithm HMAC-MD5;
 secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
 algorithm HMAC-MD5;
 secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
   match-clients { one; };
   server 10.0.0.1 { keys one; };
   recursion yes;

zone "black.com" {
type slave;
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/black.com.one.db";
};

zone "white.com" {
type slave;
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/white.com.one.db";
};

};

view "two" {
match-clients { two; };
server 10.0.0.1 { keys two; };
recursion yes;

zone "black.com" {
type slave;
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/black.com.two.db";
};

zone "white.com" {
type slave;
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/white.com.two.db";
};

};
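
Sten's reply above says that when both views share one IP, the TSIG key (or the view's ACL) is the only thing that tells the views apart. The Python check below is an added example, not code from any poster or from ISC: it reads a named.conf of the shape posted here and reports every `masters` or `also-notify` key that the enclosing view's own `match-clients` would not accept. The function names, the regex-based parsing (no comment or `include` handling) and the `SAMPLE` text, reduced from the slave configuration in the post, are assumptions of the example.

```python
import re

# Constructed sample, reduced from the slave named.conf.local in the post.
SAMPLE = """
acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };

view "one" {
    match-clients { one; };
    zone "black.com" { type slave; masters { 10.0.0.1 key one; }; };
};

view "two" {
    match-clients { two; };
    zone "black.com" { type slave; masters { 10.0.0.1 key one; }; };
};
"""


def blocks(text, keyword):
    """Yield (name, body) for each `keyword name { ... }`, matching braces."""
    for m in re.finditer(r'\b%s\s+"?([\w.-]+)"?\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def accepted_keys(address_match_list, acls):
    """TSIG key names a match list admits: positive `key X` elements,
    following references to named ACLs. Negated (`!key X`) elements are skipped."""
    keys = set()
    for elem in (e.strip() for e in address_match_list.split(";")):
        if elem.startswith("key "):
            keys.add(elem.split()[1])
        elif elem in acls:
            keys |= accepted_keys(acls[elem], acls)
    return keys


def lint(conf):
    """Return (view, zone, statement, key) for each key that the enclosing
    view's own match-clients would not accept."""
    acls = dict(blocks(conf, "acl"))
    findings = []
    for view, vbody in blocks(conf, "view"):
        mc = re.search(r"match-clients\s*\{([^}]*)\}", vbody)
        allowed = accepted_keys(mc.group(1) if mc else "", acls)
        for zone, zbody in blocks(vbody, "zone"):
            for stmt, inner in re.findall(
                    r"\b(masters|also-notify)\s*\{([^}]*)\}", zbody):
                for key in re.findall(r"\bkey\s+([\w.-]+)", inner):
                    if key not in allowed:
                        findings.append((view, zone.rstrip("."), stmt, key))
    return findings


if __name__ == "__main__":
    for view, zone, stmt, key in lint(SAMPLE):
        print(f'view "{view}" zone {zone}: {stmt} uses key "{key}", '
              f"which this view's match-clients does not accept")
```

With ACLs written like the ones in the post, a request signed with key "one" is rejected by `acl two` and accepted by `acl one`, so a finding here means the zone's traffic is matched by a different view on the peer than the one it is configured in.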


Query CNAME failed

2019-07-03 Thread Wilfred Sarmiento via bind-users
Hi Mark,

It also happens to all domain records with a CNAME on an external domain. It
doesn't only happen in the cebupacificair.com domain.
Also, I notice the issue happens after an hour of server reboot. From the
1st hour after reboot, the issue didn't happen. So I am thinking this might
be a session limit?

Wil


On Wed, Jul 3, 2019 at 4:19 PM Mark Andrews  wrote:

> Try just diagnosing why the lookup of book.cebupacair.cust.lldns.net
> and/or cebupacair-dd.lldns.net is failing which are the target in the
> CNAME chain.  You know the lookup of book.cebupacificair.com returns a
> CNAME record so the next step to a lookup of book.cebupacificair.com and
> book.cebupacificair.com/CNAME.
>
> ; <<>> DiG 9.15.1 <<>> book.cebupacair.cust.lldns.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5908
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: cbdd8bcfcc962e6a9e1b6a5e5d1c63554cdb8ed4c7c121da (good)
> ;; QUESTION SECTION:
> ;book.cebupacair.cust.lldns.net.IN  A
>
> ;; ANSWER SECTION:
> book.cebupacair.cust.lldns.net. 300 IN  CNAME   cebupacair-dd.lldns.net.
> cebupacair-dd.lldns.net. 60 IN  A   68.142.70.27
> cebupacair-dd.lldns.net. 60 IN  A   68.142.68.27
>
> Mark

Re: Query CNAME failed

2019-07-03 Thread Mark Andrews
Try just diagnosing why the lookup of book.cebupacair.cust.lldns.net and/or 
cebupacair-dd.lldns.net is failing which are the target in the CNAME chain.  
You know the lookup of book.cebupacificair.com returns a CNAME record so the 
next step to a lookup of book.cebupacificair.com and 
book.cebupacificair.com/CNAME.

; <<>> DiG 9.15.1 <<>> book.cebupacair.cust.lldns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5908
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cbdd8bcfcc962e6a9e1b6a5e5d1c63554cdb8ed4c7c121da (good)
;; QUESTION SECTION:
;book.cebupacair.cust.lldns.net.IN  A

;; ANSWER SECTION:
book.cebupacair.cust.lldns.net. 300 IN  CNAME   cebupacair-dd.lldns.net.
cebupacair-dd.lldns.net. 60 IN  A   68.142.70.27
cebupacair-dd.lldns.net. 60 IN  A   68.142.68.27

Mark

> On 3 Jul 2019, at 5:48 pm, Wilfred Sarmiento via bind-users wrote:
> 
> Hi Bind Users,
> 
> Currently drained my brain troubleshooting where could be the cause of my 
> issue on one of our Authoritative DNS server.
> When querying a CNAME directly to the server, where a CNAME is pointed to an 
> external domain, results failed with timeout error and no server could be 
> reached.
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> book.cebupacificair.com 
> @dns1.globenet.com.ph
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> Server logs produce 3 query log then show a query failed (timed out);
> 
> client @0x7fd9ac0908d0 x.x.x.x#51579 (book.cebupacificair.com): query: 
> book.cebupacificair.com IN A +E(0) (203.177.255.10)
> client @0x7fd9a4484080 x.x.x.x#51579 (book.cebupacificair.com): query: 
> book.cebupacificair.com IN A +E(0) (203.177.255.10)
> client @0x7fd9a4481cb0 x.x.x.x#51579 (book.cebupacificair.com): query: 
> book.cebupacificair.com IN A +E(0) (203.177.255.10)
> client @0x7fd9ac0908d0 x.x.x.x#51579 (book.cebupacificair.com): query failed 
> (timed out) for book.cebupacificair.com/IN/A at query.c:6786
> 
> But when i send a query with +norecurse option, results is successful.
> 
> dig +norecurse book.cebupacificair.com @dns1.globenet.com.ph
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> +norecurse 
> book.cebupacificair.com @dns1.globenet.com.ph
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19755
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;book.cebupacificair.com.   IN  A
> 
> ;; ANSWER SECTION:
> book.cebupacificair.com. 1200   IN  CNAME   
> book.cebupacair.cust.lldns.net.
> 
> ;; AUTHORITY SECTION:
> lldns.net.  171335  IN  NS  ns1.lldns.net.
> lldns.net.  171335  IN  NS  ns2.lldns.net.
> 
> ;; ADDITIONAL SECTION:
> ns1.lldns.net.  149880  IN  A   208.111.184.11
> ns2.lldns.net.  93416   IN  A   208.111.184.12
> ns1.lldns.net.  93416   IN  2607:f4e8:ac:1::11
> ns2.lldns.net.  93416   IN  2607:f4e8:ac:1::12
> 
> ;; Query time: 1 msec
> ;; SERVER: 203.177.255.10#53(203.177.255.10)
> ;; WHEN: Wed Jul 03 03:36:21 EDT 2019
> ;; MSG SIZE  rcvd: 229
> 
> This is the named.conf options;
> 
> options {
> directory "/var/namedb";
> version "Query Not Allowed.";
> allow-recursion { globenet; };
> recursive-clients 100;
> allow-query-cache { globenet; };
> allow-query { any; };
> tcp-clients 5000;
> 
> blackhole { bogusnet; };
> 
> pid-file "/var/local/bind/var/run/named.pid";
> zone-statistics yes;
> statistics-file "/var/namedb/named.stats";
> };
> 
> Bind version is 9.14.2
> 
> The "globenet" group are the list of IPs we allowed for recursion. And this 
> issue happens only on the CNAME record with external domain.
> 
> Thank you in advance.
> 
> Regards,
> Wil Sarmiento

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 

Query CNAME failed

2019-07-03 Thread Wilfred Sarmiento via bind-users
Hi Bind Users,

Currently drained my brain troubleshooting where could be the cause of my
issue on one of our authoritative DNS servers.
When querying a CNAME directly to the server, where the CNAME points to
an external domain, the result fails with a timeout error and no server could
be reached.



; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> book.cebupacificair.com @dns1.globenet.com.ph
;; global options: +cmd
;; connection timed out; no servers could be reached

Server logs produce 3 query logs, then show a query failed (timed out):

client @0x7fd9ac0908d0 x.x.x.x#51579 (book.cebupacificair.com): query: book.cebupacificair.com IN A +E(0) (203.177.255.10)
client @0x7fd9a4484080 x.x.x.x#51579 (book.cebupacificair.com): query: book.cebupacificair.com IN A +E(0) (203.177.255.10)
client @0x7fd9a4481cb0 x.x.x.x#51579 (book.cebupacificair.com): query: book.cebupacificair.com IN A +E(0) (203.177.255.10)
client @0x7fd9ac0908d0 x.x.x.x#51579 (book.cebupacificair.com): query failed (timed out) for book.cebupacificair.com/IN/A at query.c:6786

But when I send a query with the +norecurse option, the result is successful.

dig +norecurse book.cebupacificair.com @dns1.globenet.com.ph

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> +norecurse book.cebupacificair.com @dns1.globenet.com.ph
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19755
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;book.cebupacificair.com.   IN  A

;; ANSWER SECTION:
book.cebupacificair.com. 1200   IN  CNAME   book.cebupacair.cust.lldns.net.

;; AUTHORITY SECTION:
lldns.net.  171335  IN  NS  ns1.lldns.net.
lldns.net.  171335  IN  NS  ns2.lldns.net.

;; ADDITIONAL SECTION:
ns1.lldns.net.  149880  IN  A   208.111.184.11
ns2.lldns.net.  93416   IN  A   208.111.184.12
ns1.lldns.net.  93416   IN  2607:f4e8:ac:1::11
ns2.lldns.net.  93416   IN  2607:f4e8:ac:1::12

;; Query time: 1 msec
;; SERVER: 203.177.255.10#53(203.177.255.10)
;; WHEN: Wed Jul 03 03:36:21 EDT 2019
;; MSG SIZE  rcvd: 229

This is the named.conf options;

options {
    directory "/var/namedb";
    version "Query Not Allowed.";
    allow-recursion { globenet; };
    recursive-clients 100;
    allow-query-cache { globenet; };
    allow-query { any; };
    tcp-clients 5000;

    blackhole { bogusnet; };

    pid-file "/var/local/bind/var/run/named.pid";
    zone-statistics yes;
    statistics-file "/var/namedb/named.stats";
};

Bind version is 9.14.2

The "globenet" group are the list of IPs we allowed for recursion. And this
issue happens only on the CNAME record with external domain.

Thank you in advance.

Regards,
Wil Sarmiento
