Ian Masters wrote:
> Hello
>
> I'm trying to test my local dns with dnswalk (newest version, v 2.0.2)
> and I'm confused about the output. I've read the dnswalk man page and
> searched the list archives but I'm none the wiser.
>
> The output of dnswalk looks like this:
>
> [EMAIL PROTECTED] slaves]# dnswalk xx.yyyyy.co.jp.
> Checking xx.yyyyy.co.jp.
> Getting zone transfer of xx.yyyyy.co.jp. from dev-gw.xx.yyyyy.co.jp...done.
> SOA=dev-gw.xx.yyyyy.co.jp contact=root.xx.yyyyy.co.jp
> BAD: xx.yyyyy.co.jp NS mail.xx.yyyyy.co.jp: CNAME (to mail)
> WARN: xx.yyyyy.co.jp MX mail.xx.yyyyy.co.jp: CNAME (to mail)
> 0 failures, 1 warnings, 1 errors.
>
> And here is my zone file:
>
> [EMAIL PROTECTED] named]# cat db.xx.yyyyy.co.jp
>
> $ORIGIN .
> $TTL 86400 ; 1 day
> xx.yyyyy.co.jp IN SOA dev-gw.xx.yyyyy.co.jp.
> root.xx.yyyyy.co.jp. (
>                 2008100905 ; serial
>                 10800 ; refresh (3 hours)
>                 3600 ; retry (1 hour)
>                 604800 ; expire (1 week)
>                 86400 ; minimum (1 day)
>                 )
>         NS dev-gw.xx.yyyyy.co.jp.
>         NS mail.xx.yyyyy.co.jp.
>         MX 10 mail.xx.yyyyy.co.jp.
> $ORIGIN xx.yyyyy.co.jp.
> mail A 172.16.252.110
> dev-gw A 172.16.252.104
>
> If dnswalk is still a reliable tool, could someone help with deciphering
> its report please.
>
>

For NS records, "dnswalk" compares the RDATA of the record with the results of a gethostbyname() on the same name, and assumes that if the two are different, that the NS record is pointed at an alias (which is illegal).
However, gethostbyname() can return a different name if another source of naming information has precedence over DNS, e.g. one has "hosts: files dns" in /etc/nsswitch.conf on Solaris, and that other source of naming information has a different form of the same name, e.g. the short form.

I think that's what's happening to you. gethostbyname() is finding the name "mail" in (probably) /etc/hosts, and since it doesn't match the FQDN "mail.xx.yyyyy.co.jp", it assumes your NS is pointed at an alias.

I consider this a bug in dnswalk. The same faulty logic also appears in the MX-record check. At the very least, it should check the "aliases" variable which is returned by gethostbyname() to see if the name resolved via an alias or not.

Does this crude logic make the utility "unreliable"? Can't really say, since I haven't played around with it enough to see if there are other bugs. It drew my attention to some "problem spots" in the one zone I ran it on, so I'd say it still, despite its imperfections, has some value...

- Kevin
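
Added example (not part of the original thread, and not dnswalk's code): whether an NS or MX target is an alias can be decided from the zone data itself, independent of gethostbyname() and /etc/hosts. This Python sketch parses the zone file quoted above (the mail-wrapped SOA line rejoined) with a simplified parser and lists NS/MX targets that own a CNAME; the function names are hypothetical.

```python
# Zone text as posted in the question; the parser handles only what this zone uses.
ZONE = """\
$ORIGIN .
$TTL 86400 ; 1 day
xx.yyyyy.co.jp IN SOA dev-gw.xx.yyyyy.co.jp. root.xx.yyyyy.co.jp. (
        2008100905 ; serial
        10800 ; refresh (3 hours)
        3600 ; retry (1 hour)
        604800 ; expire (1 week)
        86400 ; minimum (1 day)
        )
    NS dev-gw.xx.yyyyy.co.jp.
    NS mail.xx.yyyyy.co.jp.
    MX 10 mail.xx.yyyyy.co.jp.
$ORIGIN xx.yyyyy.co.jp.
mail A 172.16.252.110
dev-gw A 172.16.252.104
"""

def fqdn(name, origin):
    """Absolute, lower-case form of a name relative to the current $ORIGIN."""
    if name.endswith("."):
        return name.lower()
    return origin if name == "@" else (name + "." + origin.lstrip(".")).lower()

def parse_zone(text):
    """Return (owner, type, target) tuples; target is set for NS, MX and CNAME."""
    origin, owner, depth, records = ".", None, 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments first: they contain parens
        continuation = depth > 0             # inside a multi-line ( ... ) record
        depth += line.count("(") - line.count(")")
        tok = line.replace("(", " ").replace(")", " ").split()
        if continuation or not tok or tok[0].upper() == "$TTL":
            continue
        if tok[0].upper() == "$ORIGIN":
            origin = tok[1].lower()
            continue
        if not line[0].isspace():            # blank owner field inherits the previous owner
            owner = fqdn(tok.pop(0), origin)
        while tok[0].isdigit() or tok[0].upper() == "IN":   # optional TTL / class
            tok.pop(0)
        idx = {"NS": 1, "CNAME": 1, "MX": 2}.get(tok[0].upper())
        records.append((owner, tok[0].upper(), fqdn(tok[idx], origin) if idx else None))
    return records

def alias_targets(records):
    """NS/MX records whose target owns a CNAME: (owner, type, target, canonical)."""
    cname = {o: t for o, r, t in records if r == "CNAME"}
    return [(o, r, t, cname[t]) for o, r, t in records if r in ("NS", "MX") and t in cname]
```

For the zone as posted, `alias_targets(parse_zone(ZONE))` is empty: both NS targets and the MX target own A records, not CNAMEs.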
