RE: Zone name conflicts / overlapping

2011-09-19 Thread Philippe.Simonet
Hi

maybe named-checkzone can help you, with -i full, it makes some NS checks:

>>   Mode "full" checks that delegation NS records refer to A or AAAA
>> record (both in-zone and out-of-zone hostnames). It also checks that glue
>> address records in the zone match those advertised by the child. Mode
>> "local" only checks NS records which refer to in-zone hostnames or that some
>> required glue exists, that is when the nameserver is in a child zone.

Philippe

> -Original Message-
> From: bind-users-bounces+philippe.simonet=swisscom@lists.isc.org
> [mailto:bind-users-bounces+philippe.simonet=swisscom@lists.isc.org]
> On Behalf Of Ben C.
> Sent: Monday, September 19, 2011 7:46 AM
> To: bind-users@lists.isc.org
> Subject: Zone name conflicts / overlapping
> 
> Hello all,
> 
> This is my first post to bind-users, so I would like to first of all
> say hello, and thanks to everyone who takes their time to read and
> respond to any mailing list post. =)
> 
> I have a fairly complex situation where I have a pDNS server and an ISC
> BIND server, both containing unique zones.  I'm trying to make them
> "sync" to each other so that the end result is they both contain the
> same list of zones, and update the opposite's zone files regularly.  I
> am doing my best in designing it so that it *shouldn't* have the
> possibility of a zone conflict, where server A says something about
> zone "foo.com", and server B contains its own unique record, so when
> they sync, .. well ...
> 
> I noticed with BIND, what I expected happens if the situation occurs:
> 
> zone "foo.com" {
>   type master;
>   file "/path/to/some.file";
> };
> 
> // .. some stuff
> zone "foo.com" {
>   type master;
>   file "/path/to/some.other.file";
>   // ^^ They can be the same file, too ..
> };
> 
> -- BIND simply refuses to start, which is great because it allows me
> to /see/ the error a little easier.
> 
> However, the situation got interesting when the following occurs:
> 
> zone "ns1.foo.com" {
>   type master;
>   file "/path/to/ns1.foo.com";
> };
> 
> zone "foo.com" {
>   type master;
>   file "/path/to/foo.com";
> };
> 
> Where ns1.foo.com's zone file would obviously contain an A record for
> itself (ns1.foo.com.) and then foo.com's zone file contains an A
> record for the same zone / hostname, ns1.foo.com.
> 
> It appears to me, BIND sees the conflict / overlap but does not care
> about the order they are in, nor cares to exit (or even tell anybody
> about it), but simply use the more "specific" zone file which would be
> "ns1.foo.com".  I'm pretty sure this is intended behavior. Although
> for my specific and very individual circumstance, this is not ideal
> for me, but I'm by no means saying this is a bug, or "bad" behavior.
> 
> I'm simply trying to figure out (1) if this is indeed the correct
> assumption, that BIND will always use the more "specific" zone,  ...
> (2) if there are ways to modify the behavior (short of editing the way
> BIND, or even DNS works) ...  (3) if there is a way to at least
> identify this kind of behavior in logs (error/warning message? maybe
> I'm missing it..) .. (4) a link or referral to any kind of relevant
> information would be useful -- documentation, mailing lists, anything
> -- I did a _lot_ of googling and even peeked around on IRC asking
> around, but either I'm not asking the question correctly, or it's not
> a very common thing :)
> 
> Thanks for your time,
> Ben
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Zone name conflicts / overlapping

2011-09-19 Thread david klein
I don't know from Power DNS, but BIND expects to have one master where all
changes are initiated, and all other servers receive replication from the
single master, via incremental zone transfers. This is how conflicts and
race conditions are prevented. You would do better to designate one of the
two boxes as master, migrate all of the zones to that box, and have the
other box only receive replication from the first.

If you want multi-master replication (not recommended, because it introduces
a lot of strange behavior in edge cases), you would need to use something
like DLZ and move your zone management out of the nameserver itself, and
into an application that would feed DLZ. Note, this is nontrivial, and will
add a lot of complexity and processing overhead.

The best design would be to make both of your current servers consume
replication and add a third server, which does not have an NS record, and which
is not in the SOA, but which is designated the master and provides replication
to the other two. This way you decouple where you make the changes from
where you serve the data to the final consumers, and may be able to put it
in a secure walled-garden, with only connectivity allowed to the DNS servers
(which one presumes would be Internet facing).

HTH,

 -DTK



On Mon, Sep 19, 2011 at 12:45 AM, Ben C.  wrote:



-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?

RE: Correct SRV configuration

2011-09-19 Thread Piotr Pawlowski
Dear Kevin and all,

Thank you for the tip; it looks like I made a mistake in the domain zone. I put in the whole
subdomain record and it started to work.
Thanks again.

Best Regards
--
Piotr Pawlowski

From: bind-users-bounces+piotr.pawlowski=goyello@lists.isc.org
[bind-users-bounces+piotr.pawlowski=goyello@lists.isc.org] on behalf of Kevin
Darcy [k...@chrysler.com]
Sent: 18 September 2011 17:14
To: bind-users@lists.isc.org
Subject: Re: Correct SRV configuration

The name "goyello.com" *itself* owns no SRV records. You never added any with 
that name.

"host" doesn't have any special knowledge of SRV records, and, besides, you 
didn't tell it what service and protocol, so it didn't even have enough 
information to construct the appropriate name to look up.

You have to treat the names of SRV records like any other DNS names, and spell 
them out completely. Look up _sip._tls.goyello.com and 
_sipfederationtls._tcp.goyello.com and you should find the relevant SRV records 
in the appropriate places.

Example lookups can be found at http://en.wikipedia.org/wiki/SRV_record



- Kevin

P.S. 9.2.4 is really old. Upgrade.

On 9/18/2011 10:46 AM, Piotr Pawlowski wrote:
Dear all,

I have named 9.2.4 . Everything is working fine. Unfortunately yesterday I 
faced issue with setting up SRV record.
Below is how I tried to configure it for MS Lync service:
_sip._tls               3600    IN      SRV     100 1 443  sipdir.online.lync.com.
_sipfederationtls._tcp  3600    IN      SRV     100 1 5061 sipfed.online.lync.com.
Everything looks like it is described in RFC2782:

Here is the format of the SRV RR, whose DNS type code is 33:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target

The point is, that when I ask the domain for an SRV record I receive:
$ host -t SRV goyello.com
goyello.com has no SRV record

Does anybody know where I made a mistake?
Thank you in advance for a help and tips.

Best Regards
--
Piotr Pawlowski



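To make Kevin's point concrete: SRV records are owned by the name _Service._Proto.Name, so a query for the bare domain finds nothing. The following is an added example, not code from the thread or from BIND; the zone excerpt is constructed in the shape of Piotr's two records, and the $ORIGIN of goyello.com. is an assumption (the post never shows it).

```python
# Constructed excerpt modelled on the list post; $ORIGIN is assumed, since the
# thread never shows the real one.
SAMPLE_ZONE = """\
$ORIGIN goyello.com.
_sip._tls              3600 IN SRV 100 1 443  sipdir.online.lync.com.
_sipfederationtls._tcp 3600 IN SRV 100 1 5061 sipfed.online.lync.com.
"""


def srv_owner_name(service, proto, domain):
    """RFC 2782 owner name: _Service._Proto.Name, fully qualified, with the
    leading underscores that a plain hostname lookup never supplies."""
    return "_%s._%s.%s." % (service.lstrip("_"), proto.lstrip("_"),
                             domain.rstrip("."))


def parse_srv_records(zone_text):
    """Return {fully-qualified owner: [(priority, weight, port, target), ...]}
    for the SRV records in a zone-file text, expanding relative owner names
    with the current $ORIGIN the way a zone parser would."""
    origin, records = ".", {}
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue                      # blank line or comment
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if "SRV" not in fields:
            continue                      # only SRV records interest us here
        i = fields.index("SRV")
        owner = fields[0] if fields[0].endswith(".") else fields[0] + "." + origin
        prio, weight, port = (int(x) for x in fields[i + 1:i + 4])
        records.setdefault(owner.lower(), []).append(
            (prio, weight, port, fields[i + 4]))
    return records


def lookup_srv(zone_text, service, proto, domain):
    """What `host -t SRV` can only find when handed the full owner name:
    the SRV RDATA owned by exactly _service._proto.domain."""
    owner = srv_owner_name(service, proto, domain).lower()
    return parse_srv_records(zone_text).get(owner, [])
```

Asking for SRV at goyello.com. returns an empty list here for the same reason `host -t SRV goyello.com` reported none: that name owns no SRV records, only its _sip._tls and _sipfederationtls._tcp children do.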

Re: Zone name conflicts / overlapping

2011-09-19 Thread Doug Barton
On 09/18/2011 22:45, Ben C. wrote:
> Hello all,
> 
> This is my first post to bind-users, so I would like to first of all
> say hello, and thanks to everyone who takes their time to read and
> respond to any mailing list post. =)
> 
> I have a fairly complex situation

Step 1, simplify wherever possible. Doing DNS well is hard enough as it
is without adding extra drama where it's not absolutely necessary.

> where I have a pDNS server and a ISC
> BIND server, both containing unique zones.  I'm trying to make them
> "sync" to each other so that the end result is they both contain the
> same list of zones,

... good so far.

> and update the opposite's zone files regularly. 

I'm assuming what you mean here is that for the zones that server is
slave for that they get downloaded from the master when there are
updates. If you mean something else, please clarify.

> I am doing my best in designing it so that it *shouldn't* have the
> possibility of a zone conflict, where server A says something about
> zone "foo.com", and server B contains it's own unique record, so when
> they sync, .. well ...

Given masters on 2 different hosts you are going to have to be 100%
responsible for systematically ensuring that conflicting records don't
get created.

> However, the situation got interesting when the following occurs:
> 
> zone "ns1.foo.com" {
>   type master;
>   file "/path/to/ns1.foo.com";
> };
> 
> zone "foo.com" {
>   type master;
>   file "/path/to/foo.com";
> };
> 
> Where ns1.foo.com's zone file would obviously contain an A record for
> itself (ns1.foo.com.) and then foo.com's zone file contains an A
> record for the same zone / hostname, ns1.foo.com.

Actually neither of those are "obvious." Further, given your specific
example the only requirement is that there be a delegation in the
foo.com zone to the ns1.foo.com zone. Absent a specific delegation, in
the scenario you describe, BIND will assume one; which may introduce
even more confusion/complexity in your situation.

> It appears to me, BIND sees the conflict / overlap but does not care
> about the order they are in, nor cares to exit (or even tell anybody
> about it), but simply use the more "specific" zone file which would be
> "ns1.foo.com".  I'm pretty sure this is intended behavior. Although
> for my specific and very individual circumstance, this is not ideal
> for me, but I'm by no means saying this is a bug, or "bad" behavior.
> 
> I'm simply trying to figure out (1) if this is indeed the correct
> assumption, that BIND will always use the more "specific" zone,  ...

In the general case that is almost certainly true, however in your
specific example, assuming that there is a delegation record in foo.com
to ns1.foo.com, any A/AAAA record for that hostname in foo.com _will_ be
overridden by a corresponding record in the ns1.foo.com zone by design.
Records in delegated zones always take precedence over the same record
in the parent zone.

> (2) if there are ways to modify the behavior (short of editing the way
> BIND, or even DNS works) ...

No.

> (3) if there is a way to at least
> identify this kind of behavior in logs (error/warning message? maybe
> I'm missing it..) ..

No.

> (4) a link or referral to any kind of relevant
> information would be useful -- documentation, mailing lists, anything
> -- I did a _lot_ of googling and even peeked around on IRC asking
> around, but either I'm not asking the question correctly, or it's not
> a very common thing :)

No, it's more that it's such a fundamental issue that documenting it
outside of a manual is unlikely.


hth,

Doug

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

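Since named logs nothing about a zone nested inside another (Doug's answer to question 3), the check has to happen on the configuration before it is loaded. Here is an added example, not code from the thread or from BIND, of a small named.conf linter that flags both situations Ben describes and shows which zone named would answer from for a given name; the named.conf fragment is constructed from the two snippets in the thread plus one unrelated zone.

```python
import re

# Constructed sample in the shape of Ben's named.conf fragments (not a real
# server's configuration): one nested zone pair plus an unrelated zone.
SAMPLE_NAMED_CONF = """
zone "ns1.foo.com" {
  type master;
  file "/path/to/ns1.foo.com";
};

zone "foo.com" {
  type master;
  file "/path/to/foo.com";
};

zone "bar.example" {
  type master;
  file "/path/to/bar.example";
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{', re.IGNORECASE)


def list_zones(conf_text):
    """Zone names declared in a named.conf-style text, lower-cased and without
    a trailing dot. Duplicates are kept so the caller can flag them."""
    return [z.lower().rstrip(".") for z in ZONE_RE.findall(conf_text)]


def is_subzone(child, parent):
    """True when `child` lies strictly below `parent` in the DNS tree."""
    return child != parent and child.endswith("." + parent)


def closest_zone(qname, zones):
    """The zone named answers from: the most specific (longest) configured
    zone that contains qname, or None when no configured zone does."""
    qname = qname.lower().rstrip(".")
    matches = [z for z in set(zones) if qname == z or is_subzone(qname, z)]
    return max(matches, key=len) if matches else None


def find_overlaps(zones):
    """Report both cases from the thread: a zone declared twice (named refuses
    to start) and a zone nested inside another (named starts silently; names
    at or below the child are answered from the child zone, so whatever the
    parent's zone file says about them is never served)."""
    seen, problems = set(), []
    for z in zones:
        if z in seen:
            problems.append(("duplicate", z, z))
        seen.add(z)
    for child in seen:
        for parent in seen:
            if is_subzone(child, parent):
                problems.append(("nested", child, parent))
    return sorted(problems)
```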


Re: SERVFAIL

2011-09-19 Thread kshitij mali
What I did now is I updated the named.root file from the InterNIC website
and restarted the named service, and the domain completefreight.net.au
started resolving immediately. I will monitor the resolve failure error and
update the status to you all.


Regards,
Kshitij

On Fri, Sep 16, 2011 at 12:53 AM, Stuart Gall  wrote:

> Due to the fact that IPV4 addresses have run out, many addresses that were
> reserved have been un-reserved and used on the internet.
> Is it possible that you have a bogon filter file that is blocking this IP ?
>
>
> On 15 Sep, 2011, at 2:14 PM, kshitij mali wrote:
>
> Hello ALL,
>
>
> I repeatedly see a domain lookup issue: for a certain domain I get the error
> SERVFAIL. My server is configured as a simple caching nameserver for
> email delivery.
>
> please find the error example below
> =
>
> dig completefreight.net.au
>
>
> ; <<>> DiG 9.2.4 <<>> completefreight.net.au
> ;; global options:  printcmd
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59604
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>
> ;; QUESTION SECTION:
>
> ;completefreight.net.au.        IN      A
>
>
> ;; Query time: 7 msec
>
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>
> ;; WHEN: Wed Sep 14 09:49:31 2011
>
> ;; MSG SIZE  rcvd: 40
> ==
> 
>
> Regards
> Kshitij
>
>  --
> Stuart Gall
> --
> All of your mail are belong to us
>
>
>
>
>

Re: how to add NS record in Windows DNS?

2011-09-19 Thread michoski
On 9/17/11 2:56 AM, "babu dheen"  wrote:
>  I know that this forum is not meant for the Windows DNS environment. But if you
> can let me know some website or guide to add a customer NS record in the Windows DNS
> environment, it will be much helpful.

It's been many years since I administered AD, but I recall following a GUI
process similar to this:

http://technet.microsoft.com/en-us/library/bb727018.aspx

Google is your friend...mostly.

-- 
By nature, men are nearly alike;
by practice, they get to be wide apart.
-- Confucius
