[dns-operations] CNAME into a delegated zone goes wrong.... any ideas?
Steven Carr
sjcarr at gmail.com
Sun Jun 12 22:31:02 UTC 2011
On 12 June 2011 23:15, Jeroen Massar <jeroen at unfix.org> wrote:
> I agree, but why does 'dig' not go forward and ask nsX.sixxs.net for the
> final answer then? Authoritive servers (eg the root ones) are not
> recursive either, they also, just like the nsX.paphosting.net ones just
> return a referral to the NS that does have the answer. the paphosting
> NS's don't claim authority for ntp.sixxs.net thus it is not a final...
Because dig is a lookup tool, not a recursive nameserver.
>> Querying 8.8.8.8 normally returns the correct list...
>
> Yep, and I assume that that is because the google DNS servers are
> non-BIND, as with unbound recursors it also works, but if I use anything
> which builds upon BIND-based tech it fails...
Because there is an error in the zone configuration, the logs on my
BIND server show:
12-Jun-2011 23:23:07.419 DNS format error from 62.220.146.194#53
resolving ntp.us.sixxs.net/A for client 172.16.0.20#62548: multiple NS
RRsets in authority section
12-Jun-2011 23:23:07.502 DNS format error from 94.142.245.3#53
resolving ntp.us.sixxs.net/A for client 172.16.0.20#62548: multiple NS
RRsets in authority section
The authority records that come back from a "dig @ns.paphosting.net
ntp.us.sixxs.net" show...
;; AUTHORITY SECTION:
ntp.sixxs.net. 3600 IN NS ns1.sixxs.net.
ntp.sixxs.net. 3600 IN NS ns2.sixxs.net.
ntp.sixxs.net. 3600 IN NS ns3.sixxs.net.
sixxs.net. 3600 IN NS ns.paphosting.net.
sixxs.net. 3600 IN NS ns.paphosting.nl.
sixxs.net. 3600 IN NS ns.paphosting.eu.
...therefore BIND doesn't know who to query and drops it - the
sixxs.net. servers should not be being returned in the Authority,
there is no real need to return them at all, but if it does then they
should be in the Additional section.
Steve
--
Indigo Solutions Europe Limited
www.indigo-solutions.eu
More information about the dns-operations
mailing list