named-checkzone ignoring flags?

Alexei Tenitski

Dec 2, 2007, 9:47:31 PM
Hi

I have a strange problem with named-checkzone & named-compilezone
ignoring the value of some of the flags.

Given this zone:

example.com. 3600 IN SOA example.net. root.example.net. 1196631861 3600 3600 3600 3600
@ 3600 IN NS ns1.example.net.
@ 3600 IN NS ns3
@ 3600 IN MX 10 www
www 3600 IN CNAME @

and this bind version:

# /usr/local/sbin/named-checkzone -v
9.4.1-P1


When I run the check with flag "-M fail" (MX -> CNAME) it picks it up and
does FAIL as I asked:

# /usr/local/sbin/named-checkzone -M fail example.com. example.com.zone
example.com.zone:3: using RFC1035 TTL semantics
zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)


However, if I try to make it fail on things like -n or -m (no A record
for NS or MX) it just ignores those flags and uses mode WARN as usual:

# /usr/local/sbin/named-checkzone -n fail -m fail example.com. example.com.zone
example.com.zone:3: using RFC1035 TTL semantics
zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)
zone example.com/IN: loaded serial 1196631861
OK


Also, it seems that flag -i does not change anything in check/compile
behavior at all...

Does anyone have any idea? I've tried all I could think of, googled and
googled and googled but still have no idea what is going on here... :(

Regards,
Alexei


Alexander Ottl

Dec 3, 2007, 2:50:39 AM
Alexei Tenitski wrote, On 12/03/2007 03:47 AM:
> Hi
>
> I have a strange problem with named-checkzone & named-compilezone
> ignoring the value of some of the flags.
>
> Given this zone:
>
> example.com. 3600 IN SOA example.net. root.example.net. 1196631861 3600 3600 3600 3600
> @ 3600 IN NS ns1.example.net.
> @ 3600 IN NS ns3
> @ 3600 IN MX 10 www
> www 3600 IN CNAME @
>
> and this bind version:
>
> # /usr/local/sbin/named-checkzone -v
> 9.4.1-P1
>
>
> When I run the check with flag "-M fail" (MX -> CNAME) it picks it up and
> does FAIL as I asked:
>
> # /usr/local/sbin/named-checkzone -M fail example.com. example.com.zone
> example.com.zone:3: using RFC1035 TTL semantics
> zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
> zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)
>
>
> However, if I try to make it fail on things like -n or -m (no A record
> for NS or MX) it just ignores those flags and uses mode WARN as usual:

Those flags do not influence the check for missing A record. They check for an NS or MX
record that looks like an IP address instead of a hostname. The man page says so.
Try "@ IN NS 10.10.10.10." in your zone file and you'll see. The check for missing A
record on the other hand is special. It is always performed and is always only a
warning. (OK, with one exception: If you turn off integrity checks you don't get MX with
missing A warnings)

>
> # /usr/local/sbin/named-checkzone -n fail -m fail example.com. example.com.zone
> example.com.zone:3: using RFC1035 TTL semantics
> zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
> zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)
> zone example.com/IN: loaded serial 1196631861
> OK
>
>
> Also, it seems that flag -i does not change anything in check/compile
> behavior at all...

The -i flag determines if and how the integrity checks (see -M and -S) are performed.
Illegal CNAMEs and missing A records will either be found only in-zone (mode local) or
out-of-zone (mode full). The man page might not make that entirely clear. The sibling
options are a bit harder to explain :-)

>
> Does anyone have any idea? I've tried all I could think of, googled and
> googled and googled but still have no idea what is going on here... :(
>
> Regards,
> Alexei

Regards,
Alexander Ottl


Alexei Tenitski

Dec 3, 2007, 10:50:12 PM
Hi Alexander

Thanks for your response.

I'm sort of disappointed those flags are not as useful as I hoped,
looks like I'll have to do more checks in my code rather than leveraging
it to bind.

Alexei
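
Added example, not part of the original thread and not BIND's own code: one way to do the extra check outside named-checkzone is to treat its warning lines as failures. The function names and sample variables are hypothetical, and the message patterns are the ones quoted above from 9.4.1-P1; other versions may word them differently.

```sh
#!/bin/sh
# Promote named-checkzone findings that are "always only a warning"
# (missing A/AAAA for NS or MX targets) to hard failures.

# strict_verdict: read named-checkzone output on stdin.
# Prints each offending line prefixed with "FAIL: " and returns 1 if a
# finding is present or if the final "OK" line is missing (load failed).
strict_verdict() {
    out=$(cat)
    findings=$(printf '%s\n' "$out" |
        grep -E 'has no address records \(A or AAAA\)|is a CNAME \(illegal\)' || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed 's/^/FAIL: /'
        return 1
    fi
    # No findings: still require the "OK" line that a successful load prints.
    printf '%s\n' "$out" | grep -qx 'OK' || return 1
    return 0
}

# check_zone_strict ZONE FILE: hypothetical wrapper around the real tool.
# Requires named-checkzone in PATH; flags are the ones used in the thread.
check_zone_strict() {
    named-checkzone -n fail -m fail -M fail "$1" "$2" 2>&1 | strict_verdict
}

# Constructed sample outputs modelled on the session quoted in the thread.
SAMPLE_WARN="example.com.zone:3: using RFC1035 TTL semantics
zone example.com/IN: NS 'ns3.example.com' has no address records (A or AAAA)
zone example.com/IN: loaded serial 1196631861
OK"

SAMPLE_CLEAN="zone example.com/IN: loaded serial 1196631861
OK"

SAMPLE_NOLOAD="zone example.com/IN: example.com/MX 'www.example.com' is a CNAME (illegal)"
```

In a deployment script, `check_zone_strict example.com. example.com.zone || exit 1` blocks a zone that named-checkzone itself would have reported as OK.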
