bind resolver zone delegation


bind resolver zone delegation

Frank Patzig
Hi,

My bind is 9.14-1.

I check the zone

dig @NS-EAST.CERF.NET any  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @NS-EAST.CERF.NET any
vpn.smiths.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47937
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.                        IN      ANY

;; AUTHORITY SECTION:
vpn.smiths.com.         86400   IN      NS      resolve01.sslra.com.
vpn.smiths.com.         86400   IN      NS      resolve02.sslra.com.

;; Query time: 119 msec
;; SERVER: 2001:1890:1ff:9f1:99:99:99:136#53(2001:1890:1ff:9f1:99:99:99:136)
;; WHEN: Mi Mai 15 13:42:26 CEST 2019
;; MSG SIZE  rcvd: 97

This is fine.


dig @resolve01.sslra.com any  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @resolve01.sslra.com any
vpn.smiths.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22398
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.                        IN      ANY

;; ANSWER SECTION:
vpn.smiths.com.         30      IN      A       194.105.113.242

;; AUTHORITY SECTION:
smiths.com.             500     IN      NS      resolve01.sslvpndemo.com.

;; Query time: 171 msec
;; SERVER: 216.132.83.124#53(216.132.83.124)
;; WHEN: Mi Mai 15 13:43:04 CEST 2019
;; MSG SIZE  rcvd: 94

OK

dig @resolve01.sslra.com MX  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @resolve01.sslra.com MX
vpn.smiths.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21258
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.                        IN      MX

;; AUTHORITY SECTION:
smiths.com.             60      IN      SOA     resolve01.sslvpndemo.com. hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60

;; Query time: 169 msec
;; SERVER: 216.132.83.124#53(216.132.83.124)
;; WHEN: Mi Mai 15 13:44:04 CEST 2019
;; MSG SIZE  rcvd: 111

-----------------------------------------------------------------------


I check my bind:

dig @localhost  any  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @localhost any vpn.smiths.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27551
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.                        IN      ANY

;; ANSWER SECTION:
vpn.smiths.com.         30      IN      A       194.105.113.242
vpn.smiths.com.         1583    IN      NS      resolve01.sslra.com.
vpn.smiths.com.         1583    IN      NS      resolve02.sslra.com.

;; AUTHORITY SECTION:
vpn.smiths.com.         1583    IN      NS      resolve01.sslra.com.
vpn.smiths.com.         1583    IN      NS      resolve02.sslra.com.

;; ADDITIONAL SECTION:
resolve01.sslra.com.    506     IN      A       216.132.83.124
resolve02.sslra.com.    258     IN      A       64.7.11.138

;; Query time: 172 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mi Mai 15 13:44:38 CEST 2019
;; MSG SIZE  rcvd: 173


dig @localhost  MX  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @localhost MX vpn.smiths.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8396
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vpn.smiths.com.                        IN      MX

;; Query time: 272 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mi Mai 15 13:45:34 CEST 2019
;; MSG SIZE  rcvd: 43


The status is SERVFAIL.

In my log

DNS format error from 64.7.11.138#53 resolving vpn.smiths.com/MX for
client 127.0.0.1#47512: Name smiths.com (SOA) not subdomain of zone
vpn.smiths.com -- invalid response

What is the problem?


Test with Google is OK:

dig @8.8.8.8  MX  vpn.smiths.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @8.8.8.8 MX vpn.smiths.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21066
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vpn.smiths.com.                        IN      MX

;; AUTHORITY SECTION:
smiths.com.             59      IN      SOA     resolve01.sslvpndemo.com. hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60

;; Query time: 180 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mi Mai 15 15:26:28 CEST 2019
;; MSG SIZE  rcvd: 111


Can I help you?

Regards
--
Frank

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind resolver zone delegation

Mukund Sivaraman-2
On Wed, May 15, 2019 at 03:27:14PM +0200, Frank Patzig wrote:
> In my log
>
> DNS format error from 64.7.11.138#53 resolving vpn.smiths.com/MX for client
> 127.0.0.1#47512: Name smiths.com (SOA) not subdomain of zone vpn.smiths.com
> -- invalid response
>
> What is the problem.

> ;; AUTHORITY SECTION:
> smiths.com.             59      IN      SOA resolve01.sslvpndemo.com.
> hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60

SOA belongs to smiths.com, whereas the resolver is expecting an answer
from zone vpn.smiths.com following the delegation for it. Instead, from
your own paste, vpn.smiths.com/A looks to be an address record in zone
smiths.com (in any case, vpn.smiths.com/MX is missing and the resolver
will reject the negative answer because it has an unexpected SOA owner
name from the smiths.com zone).

Have you set up the "vpn.smiths.com" zone on resolve01.sslra.com and
resolve02.sslra.com?

                Mukund

Re: bind resolver zone delegation

Mark Andrews
The servers for vpn.smiths.com are misconfigured. The zone vpn.smiths.com
is delegated to them but they are configured to serve smiths.com.  Just
because Google ignores the delegation error, it doesn’t make the configuration
correct.

Mark

smiths.com. 172800 IN NS ns-east.cerf.net.
smiths.com. 172800 IN NS ns-west.cerf.net.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190519044441 20190512033441 3800 com. UJTuCBjwehBYdQKMgLo6SxdAh/FU4WTYNgzupGJmnQsZGe7py+NRotht wgTN9V0A8RqzUBsgdxvK6h4R+e+K7ISgBK/Bb65N07BnnSyFQxowIXi2 lnhEEpDiIDDx/Ca1aA9kVK+2Tn51tR7ZVZeMtkIesqZTOANCfmec9wea V9s=
L9MECSI4V5NQE1C3N2DNCJ6USFQA1C4H.com. 86400 IN NSEC3 1 1 0 - L9MGE0KHV110F24LIONHR6F2508ITI97 NS DS RRSIG
L9MECSI4V5NQE1C3N2DNCJ6USFQA1C4H.com. 86400 IN RRSIG NSEC3 8 2 86400 20190521045234 20190514034234 3800 com. fWfPYqFE88diYC8Pil3ZDm38TaCS7i4o7qLXRZ6dLUF8daWX3cfjm7iq ueuIW4b1k4jtjfwpLCxvWRHcVrheFDtw9ED7g2tIbmj9Fxdq1bML1YYS D+yZceUk/JYN7wv5M3CCeroKfwS0/1LjldXVUvvjG95vczoRVDYOrE8F 8Pg=
;; Received 580 bytes from 192.5.6.30#53(a.gtld-servers.net) in 13 ms

vpn.smiths.com. 86400 IN NS resolve02.sslra.com.
vpn.smiths.com. 86400 IN NS resolve01.sslra.com.
;; Received 97 bytes from 2001:1890:1ff:9f1:99:99:99:136#53(ns-east.cerf.net) in 320 ms

smiths.com. 60 IN SOA resolve01.sslvpndemo.com. hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60
;; Received 111 bytes from 216.132.83.124#53(resolve01.sslra.com) in 174 ms



--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]
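
The check both replies describe, as an added example that is not part of the thread and is not BIND's own code: take the zone cut from the parent's referral, then flag any SOA or NS record in a child server's AUTHORITY section whose owner name is not at or below that cut. The two sample inputs are trimmed copies of the dig output posted above; the function names are hypothetical.

```python
# Added example: out-of-zone authority check over dig output (offline).
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
vpn.smiths.com.         86400   IN      NS      resolve01.sslra.com.
vpn.smiths.com.         86400   IN      NS      resolve02.sslra.com.
"""
CHILD_MX_ANSWER = """\
;; QUESTION SECTION:
;vpn.smiths.com.                        IN      MX

;; AUTHORITY SECTION:
smiths.com.             60      IN      SOA     resolve01.sslvpndemo.com.
hostmaster.resolve01.sslvpndemo.com. 5 10800 3600 604800 60

;; Query time: 169 msec
"""

def labels(name):
    """Lowercase labels of a DNS name, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, zone):
    """True if name equals zone or lies below it (label-wise, not substring)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def parse_section(dig_text, section):
    """Return (owner, rrtype) pairs from one section of dig output."""
    records, active = [], False
    for line in (l.strip() for l in dig_text.splitlines()):
        if line.startswith(";;"):
            active = line.startswith(f";; {section} SECTION")
        elif active and line and not line.startswith(";"):
            f = line.split()  # owner TTL class type rdata...
            if len(f) >= 4 and f[2] == "IN":  # skips wrapped rdata lines
                records.append((f[0], f[3]))
    return records

def zone_cut(referral_text):
    """Zone the parent delegates: the owner of the NS set in its referral."""
    owners = {o.rstrip(".").lower()
              for o, t in parse_section(referral_text, "AUTHORITY") if t == "NS"}
    if len(owners) != 1:
        raise ValueError(f"expected one delegated zone, got {sorted(owners)}")
    return owners.pop()

def check_authority(dig_text, delegated_zone):
    """List SOA/NS authority records that fall outside the delegated zone."""
    return [f"{o.rstrip('.')} ({t}) not subdomain of zone {delegated_zone}"
            for o, t in parse_section(dig_text, "AUTHORITY")
            if t in ("SOA", "NS") and not is_subdomain(o, delegated_zone)]
```

Running `check_authority(CHILD_MX_ANSWER, zone_cut(PARENT_REFERRAL))` reports the same mismatch as the log line in the original post, while the parent's referral checked against its own cut reports nothing.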
