
9.2.3rc2 NS lookups failing


Dave Lugo

Sep 17, 2003, 8:52:57 PM
(reposting into a new thread)

I've built and installed 9.2.3rc2 to work around the Verisign issue.

Wildcards in the root are no longer a problem; however, I'm seeing what
seems (IMVHO) to be incorrect behaviour.

The announcement of the new release states:

"...Briefly, a zone which has been declared "delegation-only" will be
effectively limited to containing NS RRs for subdomains, but no actual
data outside its apex (for example, its SOA RR and apex NS RRset)..."

By my reading of the above, I _should_ be able to do something like:

dig ns $domain_that_exists.[com|net]

...and get an answer. What I am instead seeing is:


root@severe# dig ns grape.com

; <<>> DiG 9.2.2rc1 <<>> ns grape.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44941
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;grape.com. IN NS

;; Query time: 252 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 17 20:48:12 2003
;; MSG SIZE rcvd: 27


...and I see a corresponding "no!" in the logs:

Sep 17 20:48:12 severe named[5167]: enforced delegation-only for 'com'
(grape.com


It seems that the only way to get around this new issue, and get the
entire NS set for a domain from the root, is to do a `dig any $domain`
instead:

root@severe# dig any grape.com

; <<>> DiG 9.2.2rc1 <<>> any grape.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13192
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;grape.com. IN ANY

;; ANSWER SECTION:
grape.com. 172800 IN NS gold.sbcidc.com.
grape.com. 172800 IN NS ns.savaii.com.

;; AUTHORITY SECTION:
grape.com. 172800 IN NS gold.sbcidc.com.
grape.com. 172800 IN NS ns.savaii.com.

;; ADDITIONAL SECTION:
ns.savaii.com. 172800 IN A 216.154.253.185
gold.sbcidc.com. 172800 IN A 216.65.209.34

;; Query time: 1270 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 17 20:49:32 2003
;; MSG SIZE rcvd: 137

Is this the desired behaviour of `delegation-only`? I'm very pleased
that the new zonetype stops wildcards, but I'm somewhat concerned that
something else may have been broken.

Thanks,

Dave

--
--------------------------------------------------------
Dave Lugo dl...@etherboy.com LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.

