Re: [SOLVED] Problem with recursive name server
Dear Mark, thanks for the help, now we are up and running. Because of some very bad things the Apple Admin Interface did to the PTR-file preventing it from being loaded AND not reporting this somewhere the times of OS X Server are over. But there is one last thing that puzzles me: to my understanding our nameserver is now master for the ip addresses 213.191.95.0 - 27. Shouldn´t it be responsible for our complete subnet which is from 0-32? It´s no problem at this point because all the mail servers are in the lower region, but did we have to contact our isp about that? Best regards, Mike P.S. If you ever make it to Hamburg I owe you a beer... Mike Am 10.06.2012 um 06:58 schrieb Mark Andrews: In message f98496e3-ca16-4c5c-8f04-18ee49d20...@commobil.de, Mike Bobkiewicz writes: HI all, first Eduardo: I did an upgrade with the mentioned package to 9.9.1 P1, it=B4s now up and = running but doesn=B4t fix the problem. I have to correct one thing: It=B4s not a 10.6 client system it=B4s a 10.7.= 4 Server system, this is important because the client running this server d= oes configure bind with Apple=B4s Admin Tools. When something doesn=B4t wor= k he calls me and I log in via ssh and try to figure out what=B4s wrong. Te= lling the truth: I like vi very much... Am 08.06.2012 um 22:13 schrieb Chuck Swiger: Hi-- = On Jun 8, 2012, at 1:08 PM, Mike Bobkiewicz wrote: we are running an authorative name server for some domains. After some t= ime our ISP has now delegated the reverse name lookups to our server. We ar= e running bind 9.7.3 on Mac OS X 10.6 and are not able to bring the reverse= name lookups to life. The master db-file is loaded and we to set the allo= w-recursive { any; }; option in the named.conf but it still doesn=B4t work.= We are getting RFC 1912 2.1 with some mail servers which is the biggest pr= oblem. Which additional options must be set in the named.conf to make the r= everse name lookups for our domains work? = Mailservers doing a double-reverse lookup try to validate that your IP ha= s a PTR record which returns a name that a normal forward lookup finds, and= gives back the original IP. = Give us an example of a bad hostname or IP, and we can probably tell you = what aspect isn't working right... = Sorry, was late last night for me so here are some parts of the configurati= on: /etc/named.conf include /etc/rndc.key; options { directory /var/named; listen-on-v6 port 53 { none; }; allow-recursion { any; }; allow-transfer { none; }; }; controls { inet 127.0.0.1 port 54 allow { any; } keys { rndc-key; }; }; acl com.apple.ServerAdmin.DNS.public { any; }; logging { channel _default_log { file /Library/Logs/named.log; severity info; print-time yes; }; category default { _default_log; }; }; view com.apple.ServerAdmin.DNS.public { zone 0.0.127.in-addr.arpa IN { type master; file named.local; allow-update { none; }; }; ... around 15 working master zones zone 95.191.213.in-addr.arpa IN { type master; file db.95.191.213.in-addr.arpa; allow-transfer { com.apple.ServerAdmin.DNS.public; }; allow-update { none; }; }; }; }; The ISP has delegated 0/27.95.191.213.in-addr.arpa not 95.191.213.in-addr.arpa to you. You need to be serving 0/27.95.191.213.in-addr.arpa. You should be slaving 95.191.213.in-addr.arpa so that you have the CNAME records available locally for when the external link is down and have 0/27.95.191.213.in-addr.arpa as a master. zone 95.191.213.in-addr.arpa { type slave; file db.95.191.213.in-addr.arpa; masters { 213.191.73.65; 213.191.74.20; }; }; zone 0/27.95.191.213.in-addr.arpa { type master; file db.0.95.191.213.in-addr.arpa; }; The lines of question in the db-file: 10800 IN NS ns1.hektor.de. 10800 IN NS ns2.hansenet.de. 3.95.191.213.in-addr.arpa.10800 IN PTR mailserver.hektor.d= e. The name of the server is ns1.hektor.de. Trying to send an email to a server trying to get the PTR record the sender= receives an Undelivered Mail... mail with this: 550 inconsistent or no DNS PTR record for 213.191.95.3 (see RFC 1912 2.1) (in reply to RCPT = TO command) Hope this helps to clear out the problem Best regards, Mike = Regards, -- = -Chuck = ___ Please visit
Re: [SOLVED] Problem with recursive name server
glad you got this resolved -- rfc2317 delegation usually always trips folks up the first time around. it's almost always good to ask your isp for the exact zone definitions they delegate so you can match things up. your server is in fact responsible for the full subnet that was delegated to you by your isp. 213.191.95.0/27 is a cidr subnet containing 32 (30 usable) addresses. http://www.oav.net/mirrors/cidr.html ipv4 provides 32-bit network addresses, 27 bits reserved for the network, 32-27=5, 2^5=32. :-) -Original Message- From: Mike Bobkiewicz bind-l...@commobil.de Date: Sunday, June 10, 2012 5:37 AM To: bind-users@lists.isc.org Subject: Re: [SOLVED] Problem with recursive name server Dear Mark, thanks for the help, now we are up and running. Because of some very bad things the Apple Admin Interface did to the PTR-file preventing it from being loaded AND not reporting this somewhere the times of OS X Server are over. But there is one last thing that puzzles me: to my understanding our nameserver is now master for the ip addresses 213.191.95.0 - 27. Shouldn´t it be responsible for our complete subnet which is from 0-32? It´s no problem at this point because all the mail servers are in the lower region, but did we have to contact our isp about that? Best regards, Mike P.S. If you ever make it to Hamburg I owe you a beer... Mike Am 10.06.2012 um 06:58 schrieb Mark Andrews: In message f98496e3-ca16-4c5c-8f04-18ee49d20...@commobil.de, Mike Bobkiewicz writes: HI all, first Eduardo: I did an upgrade with the mentioned package to 9.9.1 P1, it=B4s now up and = running but doesn=B4t fix the problem. I have to correct one thing: It=B4s not a 10.6 client system it=B4s a 10.7.= 4 Server system, this is important because the client running this server d= oes configure bind with Apple=B4s Admin Tools. When something doesn=B4t wor= k he calls me and I log in via ssh and try to figure out what=B4s wrong. Te= lling the truth: I like vi very much... Am 08.06.2012 um 22:13 schrieb Chuck Swiger: Hi-- = On Jun 8, 2012, at 1:08 PM, Mike Bobkiewicz wrote: we are running an authorative name server for some domains. After some t= ime our ISP has now delegated the reverse name lookups to our server. We ar= e running bind 9.7.3 on Mac OS X 10.6 and are not able to bring the reverse= name lookups to life. The master db-file is loaded and we to set the allo= w-recursive { any; }; option in the named.conf but it still doesn=B4t work.= We are getting RFC 1912 2.1 with some mail servers which is the biggest pr= oblem. Which additional options must be set in the named.conf to make the r= everse name lookups for our domains work? = Mailservers doing a double-reverse lookup try to validate that your IP ha= s a PTR record which returns a name that a normal forward lookup finds, and= gives back the original IP. = Give us an example of a bad hostname or IP, and we can probably tell you = what aspect isn't working right... = Sorry, was late last night for me so here are some parts of the configurati= on: /etc/named.conf include /etc/rndc.key; options { directory /var/named; listen-on-v6 port 53 { none; }; allow-recursion { any; }; allow-transfer { none; }; }; controls { inet 127.0.0.1 port 54 allow { any; } keys { rndc-key; }; }; acl com.apple.ServerAdmin.DNS.public { any; }; logging { channel _default_log { file /Library/Logs/named.log; severity info; print-time yes; }; category default { _default_log; }; }; view com.apple.ServerAdmin.DNS.public { zone 0.0.127.in-addr.arpa IN { type master; file named.local; allow-update { none; }; }; ... around 15 working master zones zone 95.191.213.in-addr.arpa IN { type master; file db.95.191.213.in-addr.arpa; allow-transfer { com.apple.ServerAdmin.DNS.public; }; allow-update { none; }; }; }; }; The ISP has delegated 0/27.95.191.213.in-addr.arpa not 95.191.213.in-addr.arpa to you. You need to be serving 0/27.95.191.213.in-addr.arpa. You should be slaving 95.191.213.in-addr.arpa so that you have the CNAME records available locally for when the external link is down and have 0/27.95.191.213.in-addr.arpa as a master. zone 95.191.213.in-addr.arpa { type slave; file db.95.191.213.in-addr.arpa; masters { 213.191.73.65; 213.191.74.20; }; }; zone 0/27.95.191.213.in-addr.arpa { type master; file db.0.95.191.213.in-addr.arpa; }; The lines of question
Re: Problem with recursive name server
HI all, first Eduardo: I did an upgrade with the mentioned package to 9.9.1 P1, it´s now up and running but doesn´t fix the problem. I have to correct one thing: It´s not a 10.6 client system it´s a 10.7.4 Server system, this is important because the client running this server does configure bind with Apple´s Admin Tools. When something doesn´t work he calls me and I log in via ssh and try to figure out what´s wrong. Telling the truth: I like vi very much... Am 08.06.2012 um 22:13 schrieb Chuck Swiger: Hi-- On Jun 8, 2012, at 1:08 PM, Mike Bobkiewicz wrote: we are running an authorative name server for some domains. After some time our ISP has now delegated the reverse name lookups to our server. We are running bind 9.7.3 on Mac OS X 10.6 and are not able to bring the reverse name lookups to life. The master db-file is loaded and we to set the allow-recursive { any; }; option in the named.conf but it still doesn´t work. We are getting RFC 1912 2.1 with some mail servers which is the biggest problem. Which additional options must be set in the named.conf to make the reverse name lookups for our domains work? Mailservers doing a double-reverse lookup try to validate that your IP has a PTR record which returns a name that a normal forward lookup finds, and gives back the original IP. Give us an example of a bad hostname or IP, and we can probably tell you what aspect isn't working right... Sorry, was late last night for me so here are some parts of the configuration: /etc/named.conf include /etc/rndc.key; options { directory /var/named; listen-on-v6 port 53 { none; }; allow-recursion { any; }; allow-transfer { none; }; }; controls { inet 127.0.0.1 port 54 allow { any; } keys { rndc-key; }; }; acl com.apple.ServerAdmin.DNS.public { any; }; logging { channel _default_log { file /Library/Logs/named.log; severity info; print-time yes; }; category default { _default_log; }; }; view com.apple.ServerAdmin.DNS.public { zone 0.0.127.in-addr.arpa IN { type master; file named.local; allow-update { none; }; }; ... around 15 working master zones zone 95.191.213.in-addr.arpa IN { type master; file db.95.191.213.in-addr.arpa; allow-transfer { com.apple.ServerAdmin.DNS.public; }; allow-update { none; }; }; }; }; The lines of question in the db-file: 10800 IN NS ns1.hektor.de. 10800 IN NS ns2.hansenet.de. 3.95.191.213.in-addr.arpa.10800 IN PTR mailserver.hektor.de. The name of the server is ns1.hektor.de. Trying to send an email to a server trying to get the PTR record the sender receives an Undelivered Mail... mail with this: 550 inconsistent or no DNS PTR record for 213.191.95.3 (see RFC 1912 2.1) (in reply to RCPT TO command) Hope this helps to clear out the problem Best regards, Mike Regards, -- -Chuck ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with recursive name server
Hello Mike; Sorry I forgot to put the list address from my first message. Here is for the list to follow. Hello Mike; Upgrade your Bind Server to 9.9.1 Packages for the OS X Snow Leopard and others can be found here; http://support.menandmice.com/download/bind/macosx/10.6-Snow-Leopard/ Administrating Bind thru the terminal is fun but you also can use a combination of webmin to admin your Bind Server. I would divide your zones in internal and external and give recursion to the internal zones only. I am in the OSX Client and I developed 2 Bind Servers configuration that is working without any problems. It took me a little a while to tune both servers and understand how make that work with the OSX. If you need more information, please drop me a line. Regards; Eduardo == == Anyway I hope I can help a little since I am not in the Mac OSX Server and I do not configure my Server using this type of gui. I performed some tests using dig and here is what I found. ; term DiG ns1.hektor.de ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 491 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ns1.hektor.de. IN A ;; ANSWER SECTION: ns1.hektor.de. 10800 IN A 213.191.95.4 ;; AUTHORITY SECTION: . 34434 IN NS f.root-servers.net. == So your name server is giving an A record ip address of 213.191.95.4 Performing a nslookup on your first name server returned; == term# nslookup ns1.hansenet.de Server: my server Address:my address#53 Non-authoritative answer: Name: ns1.hansenet.de Address: 213.191.73.65 As you can see, the A record does not correspond to the reverse record returned by your ns1.hansenet.de nslookup. You have to fix that in your TTL Zone files. You should post them as well so people can comment on it and find any errors, if any. term# dig mailserver.hektor.de ; term DiG mailserver.hektor.de ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 24785 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;mailserver.hektor.de. IN A ;; ANSWER SECTION: mailserver.hektor.de. 10800 IN A 213.191.95.3 ;; AUTHORITY SECTION: . 32412 IN NS h.root-servers.net. . 32412 IN NS d.root-servers.net. . 32412 IN NS j.root-servers.net. . 32412 IN NS c.root-servers.net. . 32412 IN NS f.root-servers.net. . 32412 IN NS l.root-servers.net. . 32412 IN NS b.root-servers.net. . 32412 IN NS g.root-servers.net. . 32412 IN NS m.root-servers.net. . 32412 IN NS e.root-servers.net. . 32412 IN NS a.root-servers.net. . 32412 IN NS k.root-servers.net. . 32412 IN NS i.root-servers.net. ;; Query time: 205 msec ;; SERVER: my server#53(my ip) ;; WHEN: Sat Jun 9 15:06:47 2012 ;; MSG SIZE rcvd: 276 term# nslookup mailserver.hektor.de Server: my server Address:my server #53 Non-authoritative answer: Name: mailserver.hektor.de Address: 213.191.95.3 Your mail server is returning the correct ip address so it is reversing ok. One of the advises is that you should not give recursion to your external name server or any of your external ip addresses. You should tell us if you configure your intranet LAN and WAN ports to work as internal and external zones. I hope someone here from the list is also running a Mac OSX server and could help you. I can see some minor differences in your named file as: // Default controls controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; }; and key rndc-key { algorithm hmac-md5; secret my secret key goes here; }; On 6/9/12 1:28 PM, Mike Bobkiewicz wrote: HI all, first Eduardo: I did an upgrade with the mentioned package to 9.9.1 P1, it´s now up and running but doesn´t fix the problem. I have to correct one thing: It´s not a 10.6 client system it´s a 10.7.4 Server system, this is important because the client running this server does configure bind with Apple´s Admin Tools. When something doesn´t work he calls
Re: Problem with recursive name server
In message f98496e3-ca16-4c5c-8f04-18ee49d20...@commobil.de, Mike Bobkiewicz writes: HI all, first Eduardo: I did an upgrade with the mentioned package to 9.9.1 P1, it=B4s now up and = running but doesn=B4t fix the problem. I have to correct one thing: It=B4s not a 10.6 client system it=B4s a 10.7.= 4 Server system, this is important because the client running this server d= oes configure bind with Apple=B4s Admin Tools. When something doesn=B4t wor= k he calls me and I log in via ssh and try to figure out what=B4s wrong. Te= lling the truth: I like vi very much... Am 08.06.2012 um 22:13 schrieb Chuck Swiger: Hi-- = On Jun 8, 2012, at 1:08 PM, Mike Bobkiewicz wrote: we are running an authorative name server for some domains. After some t= ime our ISP has now delegated the reverse name lookups to our server. We ar= e running bind 9.7.3 on Mac OS X 10.6 and are not able to bring the reverse= name lookups to life. The master db-file is loaded and we to set the allo= w-recursive { any; }; option in the named.conf but it still doesn=B4t work.= We are getting RFC 1912 2.1 with some mail servers which is the biggest pr= oblem. Which additional options must be set in the named.conf to make the r= everse name lookups for our domains work? = Mailservers doing a double-reverse lookup try to validate that your IP ha= s a PTR record which returns a name that a normal forward lookup finds, and= gives back the original IP. = Give us an example of a bad hostname or IP, and we can probably tell you = what aspect isn't working right... = Sorry, was late last night for me so here are some parts of the configurati= on: /etc/named.conf include /etc/rndc.key; options { directory /var/named; listen-on-v6 port 53 { none; }; allow-recursion { any; }; allow-transfer { none; }; }; controls { inet 127.0.0.1 port 54 allow { any; } keys { rndc-key; }; }; acl com.apple.ServerAdmin.DNS.public { any; }; logging { channel _default_log { file /Library/Logs/named.log; severity info; print-time yes; }; category default { _default_log; }; }; view com.apple.ServerAdmin.DNS.public { zone 0.0.127.in-addr.arpa IN { type master; file named.local; allow-update { none; }; }; ... around 15 working master zones zone 95.191.213.in-addr.arpa IN { type master; file db.95.191.213.in-addr.arpa; allow-transfer { com.apple.ServerAdmin.DNS.public; }; allow-update { none; }; }; }; }; The ISP has delegated 0/27.95.191.213.in-addr.arpa not 95.191.213.in-addr.arpa to you. You need to be serving 0/27.95.191.213.in-addr.arpa. You should be slaving 95.191.213.in-addr.arpa so that you have the CNAME records available locally for when the external link is down and have 0/27.95.191.213.in-addr.arpa as a master. zone 95.191.213.in-addr.arpa { type slave; file db.95.191.213.in-addr.arpa; masters { 213.191.73.65; 213.191.74.20; }; }; zone 0/27.95.191.213.in-addr.arpa { type master; file db.0.95.191.213.in-addr.arpa; }; The lines of question in the db-file: 10800 IN NS ns1.hektor.de. 10800 IN NS ns2.hansenet.de. 3.95.191.213.in-addr.arpa.10800 IN PTR mailserver.hektor.d= e. The name of the server is ns1.hektor.de. Trying to send an email to a server trying to get the PTR record the sender= receives an Undelivered Mail... mail with this: 550 inconsistent or no DNS PTR record for 213.191.95.3 (see RFC 1912 2.1) (in reply to RCPT = TO command) Hope this helps to clear out the problem Best regards, Mike = Regards, -- = -Chuck = ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscri= be from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Problem with recursive name server
Dear list, we are running an authorative name server for some domains. After some time our ISP has now delegated the reverse name lookups to our server. We are running bind 9.7.3 on Mac OS X 10.6 and are not able to bring the reverse name lookups to life. The master db-file is loaded and we to set the allow-recursive { any; }; option in the named.conf but it still doesn´t work. We are getting RFC 1912 2.1 with some mail servers which is the biggest problem. Which additional options must be set in the named.conf to make the reverse name lookups for our domains work? Best regards, Mike ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with recursive name server
Hi-- On Jun 8, 2012, at 1:08 PM, Mike Bobkiewicz wrote: we are running an authorative name server for some domains. After some time our ISP has now delegated the reverse name lookups to our server. We are running bind 9.7.3 on Mac OS X 10.6 and are not able to bring the reverse name lookups to life. The master db-file is loaded and we to set the allow-recursive { any; }; option in the named.conf but it still doesn´t work. We are getting RFC 1912 2.1 with some mail servers which is the biggest problem. Which additional options must be set in the named.conf to make the reverse name lookups for our domains work? Mailservers doing a double-reverse lookup try to validate that your IP has a PTR record which returns a name that a normal forward lookup finds, and gives back the original IP. Give us an example of a bad hostname or IP, and we can probably tell you what aspect isn't working right... Regards, -- -Chuck ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with recursive name server
please share configuration and possibly zone file(s) so we can help... if your isp has done rfc2317 style delegation, your servers are actually authoritative so i don't think it has anything to do with allow-recursion (and i doubt you want to set that to any, unless you have network acls in place to prevent abuse). http://www.ietf.org/rfc/rfc2317.txt -Original Message- From: Mike Bobkiewicz bind-l...@commobil.de Date: Friday, June 8, 2012 1:08 PM To: bind-users@lists.isc.org Subject: Problem with recursive name server Dear list, we are running an authorative name server for some domains. After some time our ISP has now delegated the reverse name lookups to our server. We are running bind 9.7.3 on Mac OS X 10.6 and are not able to bring the reverse name lookups to life. The master db-file is loaded and we to set the allow-recursive { any; }; option in the named.conf but it still doesn´t work. We are getting RFC 1912 2.1 with some mail servers which is the biggest problem. Which additional options must be set in the named.conf to make the reverse name lookups for our domains work? Best regards, Mike ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users