
named-checkzone with multiple $ORIGIN


Bernard Fay

Jun 5, 2017, 8:28:59 AM
to bind-...@lists.isc.org
Hi,

I took control of a DNS based on Bind 9.9. One of the zone files has multiple $ORIGIN statements, for example:

$ORIGIN example.com
...
$ORIGIN sub1.example.com
...
$ORIGIN sub2.example.com
...
$ORIGIN sub3.example.com
...


While checking the zone file with:
named-checkzone example.com example.com.zone

Bernard Fay

Jun 5, 2017, 8:36:58 AM
to bind-...@lists.isc.org
Sorry keyboard problem...
named-checkzone returns ok for the first $ORIGIN.

But doing
named-checkzone sub1.example.com example.com.zone
named-checkzone sub2.example.com example.com.zone
named-checkzone sub3.example.com example.com.zone
named-checkzone reports many "ignoring out-of-zone data (....example.com)"

Using multiple $ORIGIN in a single zone file works but named-checkzone does not seem to like the idea.

Is there something wrong with using multiple $ORIGIN in a single zone file, or is my understanding of named-checkzone wrong?

Thanks,
Bernard


Reindl Harald

Jun 5, 2017, 8:45:52 AM
to bind-...@lists.isc.org


On 05.06.2017 at 14:36, Bernard Fay wrote:
> Sorry keyboard problem...
>
>
> I took control of a DNS based on Bind 9.9. One of the zone files have
> multiple $ORIGIN for example:
>
> $ORIGIN example.com
> ...
> $ORIGIN sub1.example.com
> ...
> $ORIGIN sub2.example.com <http://sub2.example.com>
> ...
> $ORIGIN sub3.example.com <http://sub3.example.com>
> ...
>
>
> While checking the zone file with:
> named-checkzone example.com <http://example.com> example.com.zone
> named-checkzone returns ok for the first $ORIGIN.
>
> But doing
> named-checkzone sub1.example.com <http://example.com> example.com.zone
> named-checkzone sub2.example.com <http://example.com> example.com.zone
> named-checkzone sub3.example.com <http://example.com> example.com.zone
> named-checkzone reports many "ignoring out-of-zone data (....example.com
> <http://example.com>)"
>
> Using multiple $ORIGIN in a single zone file works but named-checkzone
> does not seem to like the idea.
>
> Is there something wrong by using multiple $ORIGIN in a single zone file
> or my understanding of named-checkzone is wrong?

You strip way too much from your config as well as from the input/output of
named-checkzone, and the mess in the quoting above is the result of HTML
converted to sane plaintext, as typically encouraged on lists.

What is the purpose of obfuscating 'DNS DATA' that much?

Tony Finch

Jun 5, 2017, 9:18:56 AM
to Bernard Fay, bind-...@lists.isc.org
Bernard Fay <berna...@gmail.com> wrote:
>
> I took control of a DNS based on Bind 9.9. One of the zone files have
> multiple $ORIGIN for example:

The key thing to understand is that $ORIGIN just controls how unqualified
domain names are expanded into fully-qualified domain names. In
particular, $ORIGIN is completely independent of zone boundaries.

So in the master file you sketched out,

> $ORIGIN example.com
> ...
> $ORIGIN sub1.example.com
> ...
> $ORIGIN sub2.example.com
> ...
> $ORIGIN sub3.example.com
> ...

The person who wrote the file is using $ORIGIN in order to abbreviate
unqualified names in subdomains, but the subdomains are all part of the
same zone.

The other thing to be aware of is that it is possible to write a zone file
without any fully-qualified names, which is why you have to specify the
zone name when loading the file. (This feature is useful for empty zones,
for example, but it's usually not a good idea for normal zones.) The zone
name is used to set the default $ORIGIN and for the zone sanity checks.

So, this works...

> While checking the zone file with:
> named-checkzone example.com example.com.zone
> named-checkzone returns ok for the first $ORIGIN.

...because the zone name you specified on the command line matches the
contents of the master file.

However,

> named-checkzone sub1.example.com example.com.zone
> named-checkzone sub2.example.com example.com.zone
> named-checkzone sub3.example.com example.com.zone
> named-checkzone reports many "ignoring out-of-zone data (....example.com)"

this doesn't make sense. The master file is one single whole complete
zone. The subdomains are not separate zones, and you can't load or check
part of the file.

So the error message is saying that the SOA record and the apex NS records
at example.com and loads of other records are not subdomains of the zone
name that you gave on the command line. I usually encounter this error
when I have accidentally got my zone name and master file name muddled
up, and once you get used to the error message it's a useful consistency
check.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fitzroy: Southwesterly, veering northwesterly, 6 to gale 8, decreasing 5 later
in southwest. Moderate or rough. Rain at first. Moderate or good.

Mark Andrews

Jun 5, 2017, 9:20:18 AM
to Bernard Fay, bind-...@isc.org

In message <CAH3AE4Yn4zHM3SBV60pQr+46...@mail.gmail.com>
, Bernard Fay writes:
> Sorry keyboard problem...
>
>
> I took control of a DNS based on Bind 9.9. One of the zone files have
> multiple $ORIGIN for example:
>
> $ORIGIN example.com
> ...
> $ORIGIN sub1.example.com
> ...
> $ORIGIN sub2.example.com
> ...
> $ORIGIN sub3.example.com
> ...
>
>
> While checking the zone file with:
> named-checkzone example.com example.com.zone
> named-checkzone returns ok for the first $ORIGIN.
>
> But doing
> named-checkzone sub1.example.com example.com.zone
> named-checkzone sub2.example.com example.com.zone
> named-checkzone sub3.example.com example.com.zone
> named-checkzone reports many "ignoring out-of-zone data (....example.com)"
>
> Using multiple $ORIGIN in a single zone file works but named-checkzone does
> not seem to like the idea.
>
> Is there something wrong by using multiple $ORIGIN in a single zone file or
> my understanding of named-checkzone is wrong?

Your understanding of what $ORIGIN does in a master file is wrong.
It is a way to reduce the amount of typing you do by setting the
suffix to be appended to non-absolute names, though overuse will
defeat that.

$ORIGIN example.com.
@ SOA ns hostmaster 0 0 0 0 0
@ NS ns
ns A 1.1.1.1
$ORIGIN sub1.example.com.
@ A 1.2.3.4
$ORIGIN sub2.example.com.
@ A 1.2.3.8

expanded is

example.com. SOA ns.example.com. hostmaster.example.com. 0 0 0 0 0
example.com. NS ns.example.com.
ns.example.com. A 1.1.1.1
sub1.example.com. A 1.2.3.4
sub2.example.com. A 1.2.3.8

$ORIGIN doesn't mean start of a zone, though every zone has an implicit
$ORIGIN set when it is being loaded.

> Thanks,
> Bernard
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
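The following is an added example, not BIND's code and not posted by anyone in this thread. It is a small Python model of what a master-file loader does with $ORIGIN, and of the consistency check behind named-checkzone's "ignoring out-of-zone data" message that Tony and Mark describe above: the zone name given on the command line sets the initial $ORIGIN, each $ORIGIN directive only changes how later relative names are expanded, and after loading, every owner name must sit at or below the zone name. The two zone texts are constructed for this example (the forward one follows Mark's sketch; the ip6.arpa one illustrates the reverse-zone use of $ORIGIN that Mark Elkins mentions below); the parser covers only the subset of master-file syntax used here, not the full RFC 1035 grammar.

```python
from __future__ import annotations
from dataclasses import dataclass

# Record types whose RDATA contains domain names, and which fields those are.
# Names in RDATA are expanded against $ORIGIN just like owner names.
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}


@dataclass(frozen=True)
class Record:
    name: str    # fully-qualified owner name, always ending in "."
    rtype: str
    rdata: str   # RDATA with any domain names fully qualified


def absolute(name: str) -> str:
    return name if name.endswith(".") else name + "."


def qualify(name: str, origin: str) -> str:
    """Expand a master-file name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                    # already absolute: $ORIGIN does not apply
    return f"{name}.{origin}"


def parse_master_file(text: str, zone_name: str) -> list[Record]:
    """Load a master file as a zone loader would: the zone name supplies the
    initial $ORIGIN, and a $ORIGIN directive only changes how later relative
    names are expanded. It never starts a new zone."""
    origin = absolute(zone_name)
    records: list[Record] = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            # A relative $ORIGIN is itself expanded against the current one.
            origin = qualify(line.split()[1], origin)
            continue
        if line[0].isspace():                         # blank owner: repeat previous owner
            owner, fields = last_owner, line.split()
        else:
            first, *fields = line.split()
            owner = qualify(first, origin)
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                             # optional TTL and class
        rtype, *rdata = fields
        rtype = rtype.upper()
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = qualify(rdata[i], origin)
        records.append(Record(owner, rtype, " ".join(rdata)))
    return records


def check_zone(zone_name: str, text: str) -> tuple[list[Record], list[Record], bool]:
    """Mimic named-checkzone's consistency check: the whole file is loaded as
    one zone, and any record whose owner is not at or below the zone name is
    out-of-zone data. Also report whether the apex SOA is present."""
    zone = absolute(zone_name)
    records = parse_master_file(text, zone)
    in_zone = [r for r in records if r.name == zone or r.name.endswith("." + zone)]
    out_of_zone = [r for r in records if r not in in_zone]
    has_apex_soa = any(r.rtype == "SOA" and r.name == zone for r in in_zone)
    return in_zone, out_of_zone, has_apex_soa


# Constructed sample data (not from the thread): one zone, several $ORIGINs.
FORWARD_ZONE = """\
$ORIGIN example.com.
@       SOA ns hostmaster 1 3600 900 604800 300
@       NS  ns
ns      A   192.0.2.1
$ORIGIN sub1.example.com.
@       A   192.0.2.4
www     A   192.0.2.5
$ORIGIN sub2.example.com.
@       A   192.0.2.8
"""

# Constructed reverse zone for 2001:db8::/32, using $ORIGIN to abbreviate a /64.
REVERSE_ZONE = """\
$ORIGIN 8.b.d.0.1.0.0.2.ip6.arpa.
@   SOA ns.example.com. hostmaster.example.com. 1 3600 900 604800 300
@   NS  ns.example.com.
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.   ; 2001:db8:0:0::/64
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ns.example.com.   ; 2001:db8::1
"""

if __name__ == "__main__":
    for zone in ("example.com", "sub1.example.com"):
        inside, outside, soa = check_zone(zone, FORWARD_ZONE)
        print(f"zone {zone}: {len(inside)} in-zone, apex SOA={soa}")
        for r in outside:
            print(f"  ignoring out-of-zone data ({r.name})")
```

Running it shows the thread's symptom: checked as example.com the file loads cleanly with an apex SOA, while checked as sub1.example.com the SOA, apex NS and every record outside sub1 are reported as out-of-zone data, because the file is still one whole zone whatever $ORIGIN says.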

Bernard Fay

Jun 5, 2017, 9:41:47 AM
to bind-...@lists.isc.org
I understand what $ORIGIN is doing by reducing the typing and making it easier to maintain the zone files.

To Tony: should I understand that when using named-checkzone I need to enter only the top domain, and named-checkzone will understand the subdomains defined by the multiple $ORIGIN statements in the zone file?

Thanks,
Bernard


Tony Finch

Jun 5, 2017, 9:49:56 AM
to Bernard Fay, bind-...@lists.isc.org
Bernard Fay <berna...@gmail.com> wrote:
>
> should I understand while using named-checkzone I need to enter *only*
> the top domain and named-checkzone will understand the subdomains
> defined by the multiple $ORIGIN in the zone file?

Yes, named-checkzone basically just loads the zone file (the whole thing)
as if it were being loaded by named.

You don't have to have a zone boundary for every subdomain - your zone
file has lots of subdomains all in one zone, and this is completely
normal.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Irish Sea: Cyclonic 6, becoming northwest 6 to gale 8 later. Moderate or
rough. Rain, showers later. Good occasionally poor.

Mark Elkins

Jun 5, 2017, 9:50:00 AM
to bind-...@lists.isc.org

Most certainly - Yes.

You have a single zone here, thus only:

     named-checkzone example.com example.com.zone

...should work.

Wait till you play with a reverse IPv6 zone - where I personally use many $ORIGIN statements - saves hours of typing and makes reading the Zones so much easier.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

Bernard Fay

Jun 5, 2017, 10:11:00 AM
to bind-...@lists.isc.org
OK, that was my misunderstanding of named-checkzone. I thought I had to check for all $ORIGINs.

I haven't played with IPv6 yet.  I hope I'll have a chance to do it eventually.

Thanks for your time guys!

