Barry Margolin wrote:
In article <mailman.696.1255498841.14796.bind-us...@lists.isc.org>,
 Robert Moskowitz <r...@htt-consult.com> wrote:

Barry Margolin wrote:
In article <mailman.693.1255466849.14796.bind-us...@lists.isc.org>,
 Robert Moskowitz <r...@htt-consult.com> wrote:

I have been running BIND here on my net for quite a few years and run 2 views on my main server, for internal and external users. I also have a separate BIND server on a test bed that uses a test TLD of htt. It has worked well for the past year.

Now I have installed an Amahi server (amahi.org) and it is running its own BIND server with dynamic updates, as it is supporting NetBios clients. My Amahi server is set up for home.htt and works for systems on its subnet (it also runs DHCPD). I want access to the various Amahi apps to other systems here so I first:

Set up my main server to be a slave for my test htt domain in its internal view.

That is working well and I can get all the DNS information supported there (both hosts in htt and its sub-zone of mobile.htt). Fine so far.

Then I added a couple records to the zone file in htt to delegate home.htt:

home.htt.   IN   NS   amahi.home.htt.
amahi.home.htt.   IN   A   192.168.1.2

And nothing.

I am NOT getting any information on the home.htt. sub-zone. If I run 'nslookup - 192.168.1.2' I get all the information in the DNS, but neither of my internal BIND servers is getting information. Almost as if the Amahi server is not honoring requests from other BIND servers or perhaps not on its net.
Are you sure they're sending the queries to it? Have you done a packet capture to see what's being sent?
Well I did some more testing. Here are some results when host is run on my main DNS server which is a slave server for htt.

Can you post the named.conf file for the server you're querying, not the server that hosts the subdomain?

In pieces.  First named.conf:

cat named.conf

//

       include "/etc/named.acl";

options
{
       /* make named use port 53 for the source of all queries, to allow
        * firewalls to block all ports except 53:
        */
       query-source    port 53;
       query-source-v6 port 53;
       listen-on-v6 {any; };

       // Put files that named is allowed to write in the data/ directory:
       directory "/var/named"; // the default
       dump-file               "data/cache_dump.db";
       statistics-file         "data/named_stats.txt";
       memstatistics-file      "data/named_mem_stats.txt";

};
logging
{
       channel default_debug {
               file "data/named.run";
               severity dynamic;
       };
};
//
view "internal"
{
       match-clients           { httnets; };
       match-destinations      { httnets; };
       recursion yes;
       //notify no;            # disable AA notifies?
       // all views must contain the root hints zone:
       include "/etc/named.root.hints";

       include "/etc/named.rfc1912.zones";
       // you should not serve your rfc1912 names to non-localhost clients.

       // These are your "authoritative" internal zones, and would probably
       // also be included in the "localhost_resolver" view above :

       include "/etc/named.internal";

};
/*key ddns_key
*{
*       algorithm hmac-md5;
*       secret "use /usr/sbin/dns-keygen to generate TSIG keys";
*};
*/
view    "external"
{
       match-clients           { any; };
       match-destinations      { any; };

       recursion no;
// you'd probably want to deny recursion to external clients, so you don't
       // end up providing free DNS service to all takers

       // all views must contain the root hints zone:
       include "/etc/named.root.hints";

       // These are your "authoritative" external zones, and would probably
       // contain entries for just your web and mail servers:

       include "/etc/named.external";

};

include "/etc/rndc.key";


Now comes named.internal (I am ASSUMING that you don't need named.acl or named.external):

# cat named.internal


       zone "htt-consult.com" {
               type master;
               file "httin-consult.com.zone";
       };
       zone "128-26.67.83.208.in-addr.arpa" {
               type master;
               file "128-26.67.83.208.in-addr.arpa.zone";
       };
       zone "3.0.0.0.8.b.4.f.7.0.6.2.ip6.arpa" {
               type master;
               file "3.0.0.0.8.b.4.f.7.0.6.2.ip6.arpa.zone";
       };
       zone "labs.htt-consult.com" {
               type master;
               file "labs.htt-consult.com.hosts";
       };
       zone "mobile.htt-consult.com" {
               type master;
               file "mobile.htt-consult.com.hosts";
       };
       zone "test.htt-consult.com" {
               type master;
               file "test.htt-consult.com.hosts";
       };
       zone "128.168.192.in-addr.arpa" {
               type master;
               file "128.168.192.in-addr.arpa.zone";
       };
       zone "0-24.128.168.192.in-addr.arpa" {
               type master;
               file "0-24.128.168.192.in-addr.arpa.zone";
       };
       zone "communaljob.com" {
               type master;
               file "communaljob.com.hosts";
       };
       zone "htt" {
               type slave;
               file "slaves/bak.htt";
               masters {192.168.128.35;
                       2607:f4b8:3:11:20c:96ff:fe40:cb63; };
       };


BTW, why are you using query source-port 53?

I don't know.  It has been in there since forever.  Carryover from BIND8?

# host wiki.home.htt
wiki.home.htt has address 192.168.1.2
Host wiki.home.htt not found: 2(SERVFAIL)
Host wiki.home.htt not found: 2(SERVFAIL)

# host search.home.htt
Host search.home.htt not found: 2(SERVFAIL)

The latter should also have responded with the same IP address. And why the two SERVFAILs? Here are records from a TCPDUMP of the first host command:

# grep 1.2 trace.1
23:18:24.142341 IP 208.83.67.148.domain > 192.168.1.2.domain: 9401 [1au] A? wiki.home.htt. (42)
23:18:24.144246 IP 192.168.1.2.domain > 208.83.67.148.domain: 9401*- 1/1/1 A 192.168.128.2 (72)
23:18:24.149357 IP 208.83.67.148.domain > 192.168.1.2.domain: 11640% [1au] A? home.htt. (37)
23:18:24.149786 IP 208.83.67.148.domain > 192.168.1.2.domain: 46350% [1au] AAAA? home.htt. (37)
23:18:24.150804 IP 192.168.1.2.domain > 208.83.67.148.domain: 11640*- 0/1/1 (78)
23:18:26.152190 IP 208.83.67.148.domain > 192.168.1.2.domain: 11257% [1au] AAAA? home.htt. (37)
23:18:26.152635 IP 208.83.67.148.domain > 192.168.1.2.domain: 22505% [1au] AAAA? hda.home.htt. (41)
23:18:26.153864 IP 192.168.1.2.domain > 208.83.67.148.domain: 11257*- 0/1/1 (78)
23:18:28.154700 IP 208.83.67.148.domain > 192.168.1.2.domain: 49416% [1au] AAAA? hda.home.htt. (41)
23:18:28.156390 IP 192.168.1.2.domain > 208.83.67.148.domain: 49416*- 0/1/1 (82)

And for the second command there were NO records to 192.168.1.2

And on my notebook that uses 208.83.67.148 as its only nameserver, 'host search.home.htt' has the following dump:

# tcpdump -n -i eth1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
01:28:34.615393 IP 208.83.67.158.35220 > 208.83.67.148.domain: 4544+ A? search.home.htt. (33)
01:28:34.618864 IP 208.83.67.148.domain > 208.83.67.158.35220: 4544 ServFail 0/0/0 (33)

So I am quite perplexed.

Here are the named.conf and zone files:

# automatically generated file by hdactl
options {
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        forward only;
        forwarders { 208.67.222.222; 208.67.220.220; };
        listen-on port 53 { 192.168.1.2; 127.0.0.1; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
key "ddnskey" {
        algorithm hmac-md5;
        secret "----------------------";
};

zone "home.htt" IN {
        type master;
        notify no;
        file "dynamic/hda-n2a.conf";
        allow-update { key ddnskey; };
        check-names ignore;
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        notify no;
        file "dynamic/hda-a2n.conf";
        allow-update { key ddnskey; };
        check-names ignore;
};


and dynamic/hda-n2a.conf:

$TTL    86400
@ IN SOA home.htt. root.home.htt. (
        0909130103 ; Serial
        28800   ; Refresh
        14400   ; Retry
        3600000 ; Expire
        86400 ) ; Minimum
                IN NS home.htt.
                IN MX 10 home.htt.
*       IN MX 10 home.htt.

h001            A       192.168.1.1
.
.
.
hda             A       192.168.1.2
search          A       192.168.1.2
setup           A       192.168.1.2
calendar                A       192.168.1.2
help            A       192.168.1.2
wiki            A       192.168.1.2


So any tips on what to look for to get this working?

I shot the day digging, and I can do things with BIND, but I am not all that skilled...

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
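A check worth running on the records posted in this thread, as an added example that is not part of the original message: it compares the NS set the parent "htt" zone delegates to against the NS set at the child apex in dynamic/hda-n2a.conf, and reports any nameserver name that neither zone gives an address for (the trace above shows the slave asking for A/AAAA home.htt. and getting no answers). The zone fragments are constructed from the thread; the parser handles only what those fragments need.

```python
# Added example, not from the thread.  Records below are constructed from
# what the poster shared: the delegation in the parent "htt" zone and the
# apex of the child's dynamic/hda-n2a.conf (SOA shortened, host list cut).
PARENT_DELEGATION = """
home.htt.   IN   NS   amahi.home.htt.
amahi.home.htt.   IN   A   192.168.1.2
"""
CHILD_ZONE = """
$TTL    86400
@ IN SOA home.htt. root.home.htt. (
        0909130103 ; Serial
        86400 ) ; Minimum
                IN NS home.htt.
hda             A       192.168.1.2
wiki            A       192.168.1.2
"""
def parse_records(zone_text, origin):
    """Minimal zone-file reader: (owner, type, rdata) for NS/A/AAAA; handles '@', blank owners, relative names, SOA parens."""
    records, owner, depth = [], origin, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # strip comments
        if depth:                                   # still inside "( ... )"
            depth -= line.count(")")
            continue
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():                    # explicit owner name
            name = fields.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        depth = line.count("(") - line.count(")")
        fields = [f for f in fields if f != "IN" and not f.isdigit()]  # drop class/TTL
        if len(fields) >= 2 and fields[0] in ("NS", "A", "AAAA"):
            rdata = fields[1] if fields[0] != "NS" or fields[1].endswith(".") else f"{fields[1]}.{origin}"
            records.append((owner, fields[0], rdata))
    return records
def check_delegation(child, parent_text, child_text):
    """List NS-set disagreements between parent and child apex, and NS names that no A/AAAA record in either zone resolves."""
    parent = parse_records(parent_text, child.split(".", 1)[1])
    apex = parse_records(child_text, child)
    parent_ns = {r for o, t, r in parent if o == child and t == "NS"}
    child_ns = {r for o, t, r in apex if o == child and t == "NS"}
    addrs = {o for o, t, _ in parent + apex if t in ("A", "AAAA")}
    problems = [] if parent_ns == child_ns else [f"NS mismatch: parent {sorted(parent_ns)} vs child {sorted(child_ns)}"]
    problems += [f"no A/AAAA record for nameserver {ns}" for ns in sorted(parent_ns | child_ns) if ns not in addrs]
    return problems
```

Running check_delegation("home.htt.", PARENT_DELEGATION, CHILD_ZONE) on the posted data returns two findings: the parent and child disagree on the NS name, and home.htt. itself has no address record.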
