Re: Problem with subdomain delegation - NS RR ignored?

2023-05-10 Thread Nick Tait via bind-users

Hi TG.

I just wanted to check:

1. Your "hub" zone contains the NS delegation for "fish.hub." to
   "ns1.fish.hub." with glue record "4.4.4.4". Is 4.4.4.4 the correct
   IP address of the server you are delegating to?
2. You haven't included the sub zone configuration (i.e. from 4.4.4.4)
   below. What do the zone stanza in the config file, and the zone file
   itself look like?
3. What answer do you get if you try: *dig @4.4.4.4 fish.hub soa
   +norecurse*

Nick.

On 10/05/23 16:07, bindu...@thegeezer.net wrote:

Howdy

I'm struggling with subdomain creation; for some reason the delegation 
glue records are being ignored, and I was wondering if someone could 
help me identify what I've done wrong, please.  I know I need to set up 
another server for the subdomain, but I've been trying to get this 
going at work and getting the same issue, so thought to try on my test 
bed.  Can't even get the NS record returned for the subdomain.


Given the domain ".hub", I can verify the domain-level NS:
# host -t NS hub localhost
> hub name server localhost.

I can create an A record  for "salmon.hub."  and this resolves as 
expected:

# host -t a salmon.hub localhost
> salmon.hub has address 8.8.8.8

I want to delegate to a different domain server the subdomain 
"fish.hub" and have created glue records as below in the config 
snippet, but get NXDOMAIN for both the A record and the NS record

# host -t a ns1.fish.hub localhost
> Host ns1.fish.hub not found: 3(NXDOMAIN)

# host -t NS fish.hub localhost
> Host fish.hub not found: 3(NXDOMAIN)

Any suggestions gratefully received.  Pertinent parts of named.conf 
and zone file are shown below. If you need more info, please don't 
hesitate to ask.


Thanks in advance!

TG

/etc/bind/named.conf
acl "trusted" {
    10.0.0.0/8;
    192.168.0.0/16;
    127.0.0.0/8;
    ::1/128;
};
allow-recursion {
    trusted;
   };
forwarders {
    208.67.220.220;
    208.67.222.222;
    };
zone "hub" IN {
   type master;
   file "pri/hub.zone";
   notify no;
    };

/etc/bind/pri/hub.zone
$TTL 1W
@   IN  SOA hub. root.hub.  (
  2008122601 ; Serial
  28800  ; Refresh
  14400  ; Retry
  604800 ; Expire - 1 week
  86400 )    ; Minimum
@   IN  NS  localhost.
@   IN  A   127.0.0.1

@   IN      ::1

salmon.hub. IN  A   8.8.8.8
fish.hub.   IN  NS  ns1.fish.hub.
ns1.fish.hub.   IN  A   4.4.4.4


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
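
A way to read the replies to the `+norecurse` checks discussed in the message above, as an added example that is not part of any poster's message or of BIND itself: it classifies what the parent server returns for the child zone as a referral, a referral lacking glue, or an authoritative NXDOMAIN. It assumes dig's default text output; the two sample replies are constructed, using the names and addresses from the thread.

```python
import re

# Constructed dig replies (trimmed) from the parent server for "fish.hub NS"
# with +norecurse; names and addresses follow the thread.
REFERRAL = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
fish.hub.      604800 IN NS ns1.fish.hub.
;; ADDITIONAL SECTION:
ns1.fish.hub.  604800 IN A  4.4.4.4
"""
NXDOMAIN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
hub.  86400 IN SOA hub. root.hub. 2008122601 28800 14400 604800 86400
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)")

def parse_dig(text):
    """Extract rcode, header flags and per-section records from dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]*);", text).group(1).split()
    sections, current = {}, None
    for line in text.splitlines():
        head = re.match(r";; (\w+) SECTION:", line)
        if head:
            current = sections.setdefault(head.group(1), [])
        elif current is not None and (rr := RR.match(line)):
            current.append(tuple(f.lower() for f in rr.groups()))
    return status, flags, sections

def classify(text, child):
    """Classify a +norecurse reply from the parent server for `child`."""
    status, flags, sec = parse_dig(text)
    aa = "aa" in flags
    if status == "NXDOMAIN" and aa:
        return "nxdomain: delegation absent from the zone as loaded"
    ns = [r[2] for r in sec.get("AUTHORITY", []) if r[:2] == (child, "ns")]
    if status == "NOERROR" and not aa and ns and not sec.get("ANSWER"):
        glue = {r[0] for r in sec.get("ADDITIONAL", []) if r[1] in ("a", "aaaa")}
        # Only name servers inside the child zone need glue from the parent.
        missing = [n for n in ns if n.endswith("." + child) and n not in glue]
        return "referral without glue" if missing else "referral"
    return "authoritative answer" if aa else "other"

if __name__ == "__main__":
    for name, reply in (("referral", REFERRAL), ("nxdomain", NXDOMAIN)):
        print(name, "->", classify(reply, "fish.hub."))
```

A working delegation shows up as a non-authoritative NOERROR reply with the NS set in the authority section; an authoritative NXDOMAIN means the zone the server currently has loaded contains no such name.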


Re: rpz_rewrite(): failure

2023-05-10 Thread Darren Ankney
Hi Wilfred,

You might want to consider updating your BIND server.  The latest
9.18.x is 9.18.14.  There have been many fixes between 9.18.2 and
9.18.14 as can be seen here:
https://bind9.readthedocs.io/en/v9.18.14/notes.html  Also, when
testing, you may want to consider using dig as it provides far more
detail.  nslookup usage is no longer recommended as it has been
deprecated.

As to this specific issue, I'm not sure.  You might get more help from
others, however, if you share your configuration.  You can get a
configuration scrubbed of keys using `named-checkconf -px`.

Thank you,

Darren Ankney

On Tue, May 9, 2023 at 9:39 AM Wilfred Sarmiento via bind-users wrote:
>
> Hi Bind Users,
>
> Anyone familiar with the error we encountered on DNS BIND 9.18.2 Ubuntu for 
> DNS caching, below?
>
> We are using RPZ for redirecting domains (porn sites) where we already have 
> 20k+ entries.
> The domain (globem2m.com.ph) from the logs below is not in the RPZ list but was 
> processed for RPZ QNAME rewrite, based on the logs, and a query to that domain 
> results in SERVFAIL.
> The issue is isolated to several domains only, including globem2m.com.ph; all 
> other queries to different domains are successful.
>
> To resolve this issue, we have to flush cache or restart the BIND service.
>
> root@bind# nslookup globem2m.com.ph 
>
>
> ** server can't find globem2m.com.ph: SERVFAIL
>
>
> Trace logs:
>
> : query (cache) 'globem2m.com.ph/A/IN' approved
>
> : rpz QNAME rewrite globem2m.com.ph stop on qresult in rpz_rewrite(): failure
>
> : query failed (failure) for globem2m.com.ph/IN/A at query.c:7657
>
> fetch completed at resolver.c:4053 for globem2m.com.ph/A in 0.00: 
> failure/success 
> [domain:com.ph,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
>
> : reset client
>
> : servfail cache hit globem2m.com.ph/A (CD=0)
>
> : query failed (SERVFAIL) for globem2m.com.ph/IN/A at query.c:6949
>
> : reset client
>
>
> Thank you,
> Wil
>