Re: wildcard not working after record deleted
On Tue, Jun 20, 2017 at 11:29:27PM +0100, Cathy Almond wrote:
> On 20/06/2017 14:17, Maria Iano wrote:
>
> As has been explained already, no answer, no error means that the name
> exists, but not an RRset of the type you queried for.
>
> Since the ANY query also comes back empty, you've probably got a
> situation something like this in the zone:
>
> sample        7200 IN A 192.0.2.53
> child.sample  7200 IN A 192.0.2.54
> *             7200 IN A 192.0.2.101
>
> If you delete the 'sample' RR, the wildcard will still not match any
> queries for sample. This is because the existence of 'child.sample'
> means that 'sample' also exists, even though it has no RRsets of any type.
>
> 'sample' in this case is what's called an 'Empty Non-Terminal'.
>
> Does this scenario explain what you are seeing?
>
> Cathy

Yes it does, that is exactly what was happening and we are in good shape now. I was able to explain to the users and they plan to delete the child records. I did recommend to them that they not use wildcard records, but they continue to need them.

Thank you for the detailed explanation!

Maria
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: wildcard not working after record deleted
On 20/06/2017 14:17, Maria Iano wrote:
> On Mon, Jun 19, 2017 at 09:08:33PM -0500, /dev/rob0 wrote:
>> On Mon, Jun 19, 2017 at 06:19:31PM -0400, Maria Iano wrote:
>>> We have a group of users that need to use a wildcard record in
>>> their zone. Their wildcard works in general, but they have a
>>> situation where it isn't working. They had some records that they
>>> deleted, and expected the wildcard to take over, but it hasn't. If
>>> we query a record that doesn't exist and never has in the zone,
>>> then we get the answer from the wildcard. If we query a record that
>>> used to exist but was deleted and now doesn't exist, then we get no
>>> answer. We don't get NXDOMAIN, we get

As has been explained already, no answer, no error means that the name exists, but not an RRset of the type you queried for.

Since the ANY query also comes back empty, you've probably got a situation something like this in the zone:

sample        7200 IN A 192.0.2.53
child.sample  7200 IN A 192.0.2.54
*             7200 IN A 192.0.2.101

If you delete the 'sample' RR, the wildcard will still not match any queries for sample. This is because the existence of 'child.sample' means that 'sample' also exists, even though it has no RRsets of any type.

'sample' in this case is what's called an 'Empty Non-Terminal'.

Does this scenario explain what you are seeing?

Cathy
Re: wildcard not working after record deleted
On Tue, Jun 20, 2017 at 12:22:42PM -0400, wbr...@e1b.org wrote:
> Can you post a copy of the zone file, changing any server names that
> absolutely must be obscure?
>

Thank you for your help with this, and you are right, if I had sent you the edited zone file that would have revealed the cause - i.e. the subdomain records of the deleted records. I had searched for records beginning with the deleted names, and not records that were subdomains of the deleted names. Also, our secondary DNS providers hand out the wildcard record even though the subdomain records exist.

Thanks!
Maria
Re: wildcard not working after record deleted
Can you post a copy of the zone file, changing any server names that absolutely must be obscure?
Re: wildcard not working after record deleted
On Tue, Jun 20, 2017 at 05:39:46PM +0200, Matus UHLAR - fantomas wrote:
>
> note that existence of "something.sample" subdomain also means that
> "sample" exists and is empty.
>

That's it! They have www.deletedrecord in the zone! I missed it because I was searching for deletedrecord* and not *.deletedrecord*.

It didn't help that both of our secondary dns providers do hand back the wildcard answer to the query. I take it that means they are not using bind, and their implementations follow different rules for wildcards.

Thank you all for your time!
Maria
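Added example, not part of any message in the thread: a small Python model of the wildcard rule Cathy Almond describes (empty non-terminals) and of the search Maria Iano says she needed (records below the deleted name, not records beginning with it). The zone data is constructed from the placeholder names used in the thread, and the parser assumes one record per line with the owner name always present.

```python
# Added example: which names can a wildcard answer for under RFC 4592 rules?
# ORIGIN and ZONE_TEXT are constructed sample data, not the poster's zone.
ORIGIN = "example.com."
ZONE_TEXT = """\
@                300 IN SOA   ns1.domain.com. dnsadmin.example.com. 2017062002 1200 600 604800 300
*                300 IN CNAME name.cname.points.to.
host             300 IN A     192.0.2.53
www.deletedname  300 IN A     192.0.2.54
"""


def labels(name):
    """'www.Example.com.' -> ('www', 'example', 'com')"""
    return tuple(p for p in name.lower().rstrip(".").split(".") if p)


def parse_owners(zone_text, origin):
    """Map owner name -> set of RR types. Assumes one record per line in
    'owner ttl class type rdata' order (a simplification of zone syntax)."""
    apex, owners = labels(origin), {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) < 4:
            continue
        owner, rrtype = fields[0], fields[3].upper()
        if owner == "@":
            name = apex
        elif owner.endswith("."):
            name = labels(owner)
        else:
            name = labels(owner) + apex
        owners.setdefault(name, set()).add(rrtype)
    return owners


def existing_names(owners, origin):
    """Owners plus every ancestor up to the apex. An ancestor that owns no
    records is an empty non-terminal, but it still exists."""
    apex, exists = labels(origin), set()
    for name in owners:
        while len(name) >= len(apex):
            exists.add(name)
            name = name[1:]
    return exists


def classify(qname, owners, origin):
    """Return exact, empty-non-terminal, wildcard, nxdomain or out-of-zone."""
    apex, q = labels(origin), labels(qname)
    if q[len(q) - len(apex):] != apex:
        return "out-of-zone"
    exists = existing_names(owners, origin)
    if q in owners:
        return "exact"
    if q in exists:
        return "empty-non-terminal"  # NOERROR with an empty answer section
    # Closest encloser: the longest existing ancestor of the query name.
    encloser = next((q[i:] for i in range(1, len(q)) if q[i:] in exists), apex)
    # Only the wildcard directly below the closest encloser is consulted.
    return "wildcard" if ("*",) + encloser in owners else "nxdomain"


def blockers(qname, owners):
    """Owner names below qname: the records that keep qname in existence."""
    q = labels(qname)
    return sorted(".".join(n) + "." for n in owners
                  if len(n) > len(q) and n[len(n) - len(q):] == q)


if __name__ == "__main__":
    zone = parse_owners(ZONE_TEXT, ORIGIN)
    for qname in ("deletedname.example.com.", "nonexistentname.example.com.",
                  "foo.deletedname.example.com."):
        print(qname, classify(qname, zone, ORIGIN), blockers(qname, zone))
```

Names under an empty non-terminal that have no wildcard of their own classify as nxdomain, because the zone-level wildcard is no longer their closest encloser's child.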
Re: wildcard not working after record deleted
On Tue, Jun 20, 2017 at 10:08:44AM -0500, Bryan Bradsby wrote:
> On Tue, 2017-06-20 at 10:51 -0400, Maria Iano wrote:
> >
> > The queries are being directed at an authoritative server, exactly as
> > you describe above.
> >
> > We also pay for a secondary dns provider who pulls our zones from the
> > same authoritative servers of ours which have this issue.
> > The wildcard works when we send the query to one of our secondary
> > provider's name servers.
> >
> > Here is the answer from one of the secondary provider's servers:
> >
> > ; <<>> DiG 9.10.2-P3 <<>> @ any
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ; IN ANY
> >
> > ;; ANSWER SECTION:
> > 300 IN CNAME
>
> BIND does not allow a CNAME at the apex of the zone, some other flavors
> of DNS servers allow this.

At first I was really hopeful that we had our explanation, but then I realized you are talking about a CNAME for the zone itself, which we don't have. I think this was a misunderstanding because of my sloppy editing of the dig results. Replacing our zone name with example.com, our wildcard record looks like this:

*.example.com. 300 IN CNAME name.cname.points.to.

Here are the results of a dig query for a record that was deleted, and a dig query for a record that never existed, this time with the names again replaced (sorry) with something more helpful.

$ dig @ns1.domain.com. deletedname.example.com. any

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.12 <<>> @ns1.domain.com. deletedname.example.com. any
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4107
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;deletedname.example.com. IN ANY

;; AUTHORITY SECTION:
example.com. 300 IN SOA ns1.domain.com. dnsadmin.example.com. 2017062002 1200 600 604800 300

;; Query time: 6 msec
;; SERVER: IPofns1#53(IPofns1)
;; WHEN: Tue Jun 20 11:27:17 2017
;; MSG SIZE rcvd: 96

$ dig @ns1.domain.com. nonexistentname.example.com. any

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.12 <<>> @ns1.domain.com. nonexistentname.example.com. any
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8568
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 16, ADDITIONAL: 4

;; QUESTION SECTION:
;nonexistentname.example.com. IN ANY

;; ANSWER SECTION:
nonexistentname.example.com. 300 IN CNAME name.cname.points.to.

;; AUTHORITY SECTION:
list of all of our NS records

;; ADDITIONAL SECTION:
list of IPs of our name servers

;; Query time: 1 msec
;; SERVER: IPofns1#53(IPofns1)
;; WHEN: Tue Jun 20 11:27:26 2017
;; MSG SIZE rcvd: 462

>
> Was the wildcard changed to a CNAME in the last edit?
>

I just checked, and the wildcard record hasn't been changed since 2015.

Thanks,
Maria
[Fwd: Re: wildcard not working after record deleted]
On Tue, 2017-06-20 at 10:51 -0400, Maria Iano wrote:

BIND does not allow a CNAME at the apex of the zone, some other flavors of DNS servers allow this.

Was the wildcard changed to a CNAME in the last edit?
Re: wildcard not working after record deleted
On Mon, Jun 19, 2017 at 09:08:33PM -0500, /dev/rob0 wrote:

sample  7200 IN A   192.0.2.53
sample  7200 IN TXT "This is a sample."
*       7200 IN A   192.0.2.101

If you delete the A record, the TXT is still there, and your wildcard A record in the zone would not be used for that name.

On 20.06.17 09:17, Maria Iano wrote:

Thanks for your answer. There are no other records with that name in the zone, and an ANY query comes back empty but still with status of NOERROR. Unfortunately, I can't provide the query and zone data, and I do understand that prevents you from helping. I was hoping someone else had come across this at some point.

note that existence of "something.sample" subdomain also means that "sample" exists and is empty.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: wildcard not working after record deleted
--
At your service,
Bryan Bradsby
512.936.2248
DIR/CTS/NOC-IT

On Tue, 2017-06-20 at 10:51 -0400, Maria Iano wrote:
>
> The queries are being directed at an authoritative server, exactly as
> you describe above.
>
> We also pay for a secondary dns provider who pulls our zones from the
> same authoritative servers of ours which have this issue.
> The wildcard works when we send the query to one of our secondary
> provider's name servers.
>
> Here is the answer from one of the secondary provider's servers:
>
> ; <<>> DiG 9.10.2-P3 <<>> @ any
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ; IN ANY
>
> ;; ANSWER SECTION:
> 300 IN CNAME

BIND does not allow a CNAME at the apex of the zone, some other flavors of DNS servers allow this.

Was the wildcard changed to a CNAME in the last edit?
Re: wildcard not working after record deleted
On Tue, Jun 20, 2017 at 09:37:04AM -0500, /dev/rob0 wrote:
> On Tue, Jun 20, 2017 at 09:29:59AM -0500, /dev/rob0 wrote:
> > On Tue, Jun 20, 2017 at 09:17:58AM -0400, Maria Iano wrote:
> > > Thanks for your answer. There are no other records with that name
> > > in the zone, and an ANY query comes back empty but still with
> > > status of NOERROR. Unfortunately, I can't provide the query and
> > > zone data, and I do understand that prevents you from helping.
> > >
> > > I was hoping someone else had come across this at some point.
> >
> > I can continue to waste our time with guesses, however. :)
> >
> > Have you tried directed queries to an authoritative nameserver?
> > Today's guess is that you might be seeing some kind of caching
> > issue.
>
> Today's guess retracted, I just saw your followup. :)
>
> > Is the authoritative nameserver BIND?
>
> If so, what version? You might need to file a bug report (and as of
> now the bug database is entirely private; that will be changing soon,
> but if you ask them, ISC will keep your bug report private.)
>

Good to know, we may go ahead and file a report if we can't figure this out.

Thanks!
Maria
Re: wildcard not working after record deleted
On Tue, Jun 20, 2017 at 09:29:59AM -0500, /dev/rob0 wrote:
> On Tue, Jun 20, 2017 at 09:17:58AM -0400, Maria Iano wrote:
> > Thanks for your answer. There are no other records with that name
> > in the zone, and an ANY query comes back empty but still with
> > status of NOERROR. Unfortunately, I can't provide the query and
> > zone data, and I do understand that prevents you from helping.
> >
> > I was hoping someone else had come across this at some point.
>
> I can continue to waste our time with guesses, however. :)
>

I really appreciate that! :)

> Have you tried directed queries to an authoritative nameserver?
> Today's guess is that you might be seeing some kind of caching issue.
> A directed query like this:
>
> $ dig sample.example.com. any @
>
> should return the wildcard if all records at "sample.example.com"
> have been removed.

The queries are being directed at an authoritative server, exactly as you describe above.

This issue applies to some records that were deleted on June 18th. I can't recreate it. I have deleted other records and found that the wildcard immediately takes over. As far as I can tell this only applies to the particular set of records deleted on the 18th. I'm told they were deleted in the same way we always do.

We also pay for a secondary dns provider who pulls our zones from the same authoritative servers of ours which have this issue. The wildcard works when we send the query to one of our secondary provider's name servers.

Here is the answer from one of the secondary provider's servers:

; <<>> DiG 9.10.2-P3 <<>> @ any
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13930
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
; IN ANY

;; ANSWER SECTION:
300 IN CNAME

;; Query time: 29 msec
;; SERVER:
;; WHEN: Tue Jun 20 10:40:18 EDT 2017
;; MSG SIZE rcvd: 82

>
> If in fact you were querying a caching resolver, is that BIND? Is
> the authoritative nameserver BIND?

Our servers are running bind.

Thanks,
Maria
Re: wildcard not working after record deleted
On Tue, Jun 20, 2017 at 09:29:59AM -0500, /dev/rob0 wrote:
> On Tue, Jun 20, 2017 at 09:17:58AM -0400, Maria Iano wrote:
> > Thanks for your answer. There are no other records with that name
> > in the zone, and an ANY query comes back empty but still with
> > status of NOERROR. Unfortunately, I can't provide the query and
> > zone data, and I do understand that prevents you from helping.
> >
> > I was hoping someone else had come across this at some point.
>
> I can continue to waste our time with guesses, however. :)
>
> Have you tried directed queries to an authoritative nameserver?
> Today's guess is that you might be seeing some kind of caching
> issue.

Today's guess retracted, I just saw your followup. :)

> Is the authoritative nameserver BIND?

If so, what version? You might need to file a bug report (and as of now the bug database is entirely private; that will be changing soon, but if you ask them, ISC will keep your bug report private.)

Of course, if the server in question is *not* BIND, you're in the wrong place to ask. :)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: wildcard not working after record deleted
On Tue, Jun 20, 2017 at 09:17:58AM -0400, Maria Iano wrote:
> Thanks for your answer. There are no other records with that name
> in the zone, and an ANY query comes back empty but still with
> status of NOERROR. Unfortunately, I can't provide the query and
> zone data, and I do understand that prevents you from helping.
>
> I was hoping someone else had come across this at some point.

I can continue to waste our time with guesses, however. :)

Have you tried directed queries to an authoritative nameserver? Today's guess is that you might be seeing some kind of caching issue. A directed query like this:

$ dig sample.example.com. any @

should return the wildcard if all records at "sample.example.com" have been removed.

If in fact you were querying a caching resolver, is that BIND? Is the authoritative nameserver BIND?
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: wildcard not working after record deleted
On Tue, Jun 20, 2017 at 10:02:04AM -0400, wbr...@e1b.org wrote:
> > Thanks for your answer. There are no other records with that name in the
> > zone, and an ANY query comes back empty but still with status of
> > NOERROR. Unfortunately, I can't provide the query and zone data, and I
> > do understand that prevents you from helping.
>
> Not even an SOA record?
>

There is an SOA record under the AUTHORITY SECTION. There is no ANSWER SECTION. Here is what comes back from a dig command, and I apologize for having to remove the names:

; <<>> DiG 9.10.2-P3 <<>> @ any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19780
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
; IN ANY

;; AUTHORITY SECTION:
300 IN SOA 2017062002 1200 600 604800 300

;; Query time: 59 msec
;; SERVER:
;; WHEN: Tue Jun 20 10:14:58 EDT 2017
;; MSG SIZE rcvd: 108

That is the entire output from the dig command!

Thanks,
Maria
Re: wildcard not working after record deleted
> Thanks for your answer. There are no other records with that name in the
> zone, and an ANY query comes back empty but still with status of
> NOERROR. Unfortunately, I can't provide the query and zone data, and I
> do understand that prevents you from helping.

Not even an SOA record?
Re: wildcard not working after record deleted
On Mon, Jun 19, 2017 at 09:08:33PM -0500, /dev/rob0 wrote:
> On Mon, Jun 19, 2017 at 06:19:31PM -0400, Maria Iano wrote:
> > We have a group of users that need to use a wildcard record in
> > their zone. Their wildcard works in general, but they have a
> > situation where it isn't working. They had some records that they
> > deleted, and expected the wildcard to take over, but it hasn't. If
> > we query a record that doesn't exist and never has in the zone,
> > then we get the answer from the wildcard. If we query a record that
> > used to exist but was deleted and now doesn't exist, then we get no
> > answer. We don't get NXDOMAIN, we get
>
> NXDOMAIN means there is no data of any type for the queried owner
> name.
>
> > status: NOERROR
> >
> > and no answer.
>
> NOERROR means the query completed successfully, with no error. It
> might mean in your case that there is other data with that owner
> name, but no RRset of the requested type.
>
> IOW, when you have a TXT and A record with the same owner:
>
> sample  7200 IN A   192.0.2.53
> sample  7200 IN TXT "This is a sample."
> *       7200 IN A   192.0.2.101
>
> If you delete the A record, the TXT is still there, and your wildcard
> A record in the zone would not be used for that name.
>
> > Has anyone else come across this?
>
> That's the best guess I can come up with without seeing the query and
> the zone data. If you need more help you will have to share that
> information.

Thanks for your answer. There are no other records with that name in the zone, and an ANY query comes back empty but still with status of NOERROR. Unfortunately, I can't provide the query and zone data, and I do understand that prevents you from helping.

I was hoping someone else had come across this at some point.

Thanks again,
Maria
Re: wildcard not working after record deleted
On Mon, Jun 19, 2017 at 06:19:31PM -0400, Maria Iano wrote:
> We have a group of users that need to use a wildcard record in
> their zone. Their wildcard works in general, but they have a
> situation where it isn't working. They had some records that they
> deleted, and expected the wildcard to take over, but it hasn't. If
> we query a record that doesn't exist and never has in the zone,
> then we get the answer from the wildcard. If we query a record that
> used to exist but was deleted and now doesn't exist, then we get no
> answer. We don't get NXDOMAIN, we get

NXDOMAIN means there is no data of any type for the queried owner name.

> status: NOERROR
>
> and no answer.

NOERROR means the query completed successfully, with no error. It might mean in your case that there is other data with that owner name, but no RRset of the requested type.

IOW, when you have a TXT and A record with the same owner:

sample  7200 IN A   192.0.2.53
sample  7200 IN TXT "This is a sample."
*       7200 IN A   192.0.2.101

If you delete the A record, the TXT is still there, and your wildcard A record in the zone would not be used for that name.

> Has anyone else come across this?

That's the best guess I can come up with without seeing the query and the zone data. If you need more help you will have to share that information.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
wildcard not working after record deleted
We have a group of users that need to use a wildcard record in their zone. Their wildcard works in general, but they have a situation where it isn't working. They had some records that they deleted, and expected the wildcard to take over, but it hasn't. If we query a record that doesn't exist and never has in the zone, then we get the answer from the wildcard. If we query a record that used to exist but was deleted and now doesn't exist, then we get no answer. We don't get NXDOMAIN, we get

status: NOERROR

and no answer.

Has anyone else come across this?

Thanks,
Maria