errors on slave server refresh: unexpected rcode (NXDOMAIN)
Hi.

I have a bind 9 primary server and a bind 9 secondary server. I added a new sub domain to the primary and as a slave zone on the secondary. I have obviously missed something. What does:

    named[13931]: zone domain.example.com/IN: refresh: unexpected rcode (NXDOMAIN) from master 209.234.97.14#53 (source 0.0.0.0#0)

mean? As far as the primary server logs go, there is nothing that indicates an issue.

Thanks

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RESOLVED Re: errors on slave server refresh: unexpected rcode (NXDOMAIN)
Last admin didn't have the correct master IP set; put the correct one in and all good.

On Tue, Jul 24, 2012 at 2:30 PM, Gregory Machin g...@linuxpro.co.za wrote:

> Hi.
>
> I have a bind 9 primary server and a bind 9 secondary server. I added a new sub domain to the primary and as a slave zone on the secondary. I have obviously missed something. What does:
>
>     named[13931]: zone domain.example.com/IN: refresh: unexpected rcode (NXDOMAIN) from master 209.234.97.14#53 (source 0.0.0.0#0)
>
> mean? As far as the primary server logs go, there is nothing that indicates an issue.
>
> Thanks

ddns 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Hi

I'm running DHCP Server V3.0.1 on Debian 3.2 and BIND 9.7.1-P2 on Ubuntu 10.10. This is part of a staged migration, hence the old Debian server. When machines request an IP from the DHCP server I see the following in the DHCP server logs:

    Can't update forward map nzhmlwks0091.et.endace.com to 192.168.69.245: no such RRset

And at the same time on the BIND server I see:

    Feb 28 16:17:11 nzhmlsrv01 named[3363]: client 192.168.64.242#40426: view interenal: updating zone 'et.endace.com/IN': update unsuccessful: nzhmlwks0091.et.endace.com: 'name not in use' prerequisite not satisfied (YXDOMAIN)
    Feb 28 16:17:11 nzhmlsrv01 named[3363]: client 192.168.64.242#40426: view interenal: updating zone 'et.endace.com/IN': update unsuccessful: nzhmlwks0091.et.endace.com/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

What are these errors and how do I resolve them?

Thanks
Greg

Re: ddns 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Thanks for taking time to clarify those errors. Based on the explanation the errors are expected and correct.

Thank you.
Greg

On Tue, Feb 28, 2012 at 5:40 PM, Mark Andrews ma...@isc.org wrote:

> In message CAJzjPKmwVxMCR6yi4Wq6d6NnaiM=gERkcvfefU=wsrxczus...@mail.gmail.com, Gregory Machin writes:
> > Hi
> >
> > I'm running DHCP Server V3.0.1 on Debian 3.2 and BIND 9.7.1-P2 on Ubuntu 10.10. This is part of a staged migration, hence the old Debian server. When machines request an IP from the DHCP server I see the following in the DHCP server logs:
> >
> >     Can't update forward map nzhmlwks0091.et.endace.com to 192.168.69.245: no such RRset
> >
> > And at the same time on the BIND server I see:
> >
> >     Feb 28 16:17:11 nzhmlsrv01 named[3363]: client 192.168.64.242#40426: view interenal: updating zone 'et.endace.com/IN': update unsuccessful: nzhmlwks0091.et.endace.com: 'name not in use' prerequisite not satisfied (YXDOMAIN)
>
> The DHCP server said only make this change if there is nothing at the name and there was something at the name. This is done to prevent DHCP overriding static entries.
>
> >     Feb 28 16:17:11 nzhmlsrv01 named[3363]: client 192.168.64.242#40426: view interenal: updating zone 'et.endace.com/IN': update unsuccessful: nzhmlwks0091.et.endace.com/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>
> The DHCP server said only make this change if the TXT record that says I did the last change exists and it doesn't. This is done to prevent the DHCP server changing/removing records it didn't add.
>
> The TXT record was used to encode what is now encoded in the DHCID record. See http://www.ietf.org/rfc/rfc4701.txt
>
> > What are these errors and how do I resolve them?
>
> If you are certain that there is not a collision, removing all the records at the name will permit DHCP to add a new record.
>
> dhcp-us...@isc.org would be a good place to discuss what DHCPD is trying to do.
>
> > Thanks
> > Greg
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

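
The two prerequisite failures explained in the reply above, modelled as an added example (not code from the thread, from ISC DHCP or from BIND): a small in-memory zone and the two update attempts the reply describes. The function names, the static address 192.168.69.10 and the TXT owner strings are constructed for illustration; only two RFC 2136 prerequisite types are modelled.

```python
"""Model of the RFC 2136 prerequisite checks behind the YXDOMAIN / NXRRSET log lines.

Added illustration only; not dhcpd or named code. Sample data is constructed.
"""
NOERROR, YXDOMAIN, NXRRSET = "NOERROR", "YXDOMAIN", "NXRRSET"


def check_prereq(zone, kind, name, rrtype=None, rdata=None):
    """Evaluate one prerequisite against zone = {name: {rrtype: set_of_rdata}}."""
    rrsets = zone.get(name, {})
    if kind == "name not in use":
        # Fails if any record at all exists at the name.
        return YXDOMAIN if rrsets else NOERROR
    if kind == "RRset exists (value dependent)":
        # Fails unless the RRset exists and matches the supplied data exactly.
        return NOERROR if rrsets.get(rrtype) == {rdata} else NXRRSET
    raise ValueError(f"unsupported prerequisite: {kind}")


def dhcp_forward_update(zone, name, addr, owner_txt):
    """Two attempts, as the reply describes. Returns (rcodes, applied)."""
    rcodes = [check_prereq(zone, "name not in use", name)]
    if rcodes[-1] == NOERROR:
        # Nothing at the name: add the address plus the TXT ownership marker.
        zone[name] = {"A": {addr}, "TXT": {owner_txt}}
        return rcodes, True
    rcodes.append(check_prereq(zone, "RRset exists (value dependent)",
                               name, "TXT", owner_txt))
    if rcodes[-1] == NOERROR:
        # The marker proves this client made the last change: replace the A RRset.
        zone[name]["A"] = {addr}
        return rcodes, True
    return rcodes, False  # static or foreign records are left untouched


HOST = "nzhmlwks0091.et.endace.com"   # name from the log lines above
NEW_ADDR = "192.168.69.245"           # address from the dhcpd log line
MY_TXT = "constructed-owner-hash-A"   # constructed ownership marker
OTHER_TXT = "constructed-owner-hash-B"
OLD = "192.168.69.10"                 # constructed pre-existing address


def scenarios():
    """Run the update against four constructed zone states."""
    cases = {
        "static A record, no TXT": {HOST: {"A": {OLD}}},
        "name is empty": {},
        "TXT written by this DHCP client": {HOST: {"A": {OLD}, "TXT": {MY_TXT}}},
        "TXT written by another client": {HOST: {"A": {OLD}, "TXT": {OTHER_TXT}}},
    }
    results = {}
    for label, zone in cases.items():
        rcodes, applied = dhcp_forward_update(zone, HOST, NEW_ADDR, MY_TXT)
        results[label] = (rcodes, applied, sorted(zone.get(HOST, {}).get("A", [])))
    return results


if __name__ == "__main__":
    for label, (rcodes, applied, a_rrset) in scenarios().items():
        print(f"{label:34} {' -> '.join(rcodes):22} applied={applied} A={a_rrset}")
```

The first case reproduces the pair of log lines in the thread: YXDOMAIN on the first attempt, NXRRSET on the second, and the existing record left unchanged.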
added new name server to zone are missing from the slave
Hi.

I have added 2 new name servers, ns3 and ns4, to my zone. When I use dig against the master they are shown in the list. When I do a dig against the slave only the original servers ns1 and ns2 are there. I have deleted the slave zone files and even after transferring the zone again I get the same results.

Master (ns1):

    root@ns1:~ # dig @127.0.0.1 mydom.com

    ; DiG 9.2.4 @127.0.0.1 mydom.com
    ;; global options: printcmd
    ;; Got answer:
    ;; -HEADER- opcode: QUERY, status: NOERROR, id: 61847
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

    ;; QUESTION SECTION:
    ;mydom.com.             IN      A

    ;; ANSWER SECTION:
    mydom.com.      86400   IN      A       x.x.64.254

    ;; AUTHORITY SECTION:
    mydom.com.      86400   IN      NS      ns4.mydom.com.
    mydom.com.      86400   IN      NS      ns1.mydom.com.
    mydom.com.      86400   IN      NS      ns2.mydom.com.
    mydom.com.      86400   IN      NS      ns3.mydom.com.

    ;; ADDITIONAL SECTION:
    ns1.mydom.com.  86400   IN      A       x.x.64.242
    ns2.mydom.com.  86400   IN      A       x.x.64.254
    ns3.mydom.com.  68400   IN      A       x.x.32.7
    ns4.mydom.com.  68400   IN      A       x.x.32.9

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Dec 20 15:06:52 2011
    ;; MSG SIZE rcvd: 183

Slave (ns3):

    root@ns3:/var/lib/bind# dig @127.0.0.1 mydom.com

    ; DiG 9.7.1-P2 @127.0.0.1 mydom.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; -HEADER- opcode: QUERY, status: NOERROR, id: 38068
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mydom.com.             IN      A

    ;; ANSWER SECTION:
    mydom.com.      86400   IN      A       x.x.64.254

    ;; AUTHORITY SECTION:
    mydom.com.      86400   IN      NS      ns1.mydom.com.
    mydom.com.      86400   IN      NS      ns2.mydom.com.

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Dec 20 15:06:29 2011
    ;; MSG SIZE rcvd: 83

Any suggestions what would cause this?

Thanks
G

BIND master , Windows 2008 stub zone not transferring
Hi

We have a Linux server running bind 9.2.4 and dhcpd in a ddns configuration. We also have a number of Windows 2008 R2 servers running AD / DNS / DHCP on other sites. These Windows servers have stub zones configured for the zones on the Linux server. All worked fine up until yesterday. Now none of the zones will transfer to the stub zones on the Windows servers.

From the Windows servers I can use nslookup to do zone transfers without any issues. But in DNS Manager, on the stub zone, when I click on Reload, or Transfer from Master, or Transfer new copy from zone Master, the result is the same: Zone Not Loaded by DNS server.

There is nothing in the bind logs that relates to this server or the zone transfer request. As far as I can see there are no firewall issues or connectivity issues.

Any suggestions?

G

tool to help clean up dns and dhcp
Hi.

I've started at a new job. The dns / dhcp here is in a bit of a mess, a combination of not clearing out records when machines are removed from the network and misconfigured ddns. I'm looking for a tool that will help me find dead records so that I may know which IPs are free, and which static leases can be deleted from the dhcp config. Is there such a tool?

Thanks

incorrect dns returned by public servers for our domain
Hi.

When I query my dns servers internally and directly from outside I get:

    [macgre@topnz15209-linux ~]$ dig @202.a.x.y mydomain.nz

    ; DiG 9.7.2-P3-RedHat-9.7.2-1.P3.fc13 @202.a.x.y mydomain.nz
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; -HEADER- opcode: QUERY, status: NOERROR, id: 2997
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;mydomain.nz.                   IN      A

    ;; ANSWER SECTION:
    mydomain.nz.            86400   IN      A       202.a.t.z

    ;; AUTHORITY SECTION:
    mydomain.nz.            86400   IN      NS      mcvpdns01.mydomain.nz.
    mydomain.nz.            86400   IN      NS      drvpdns01.mydomain.nz.

    ;; ADDITIONAL SECTION:
    drvpdns01.mydomain.nz.  86400   IN      A       202.a.x.z
    mcvpdns01.mydomain.nz.  86400   IN      A       202.a.x.y

    ;; Query time: 2 msec
    ;; SERVER: 202.a.x.y#53(202.a.x.y)
    ;; WHEN: Thu Feb 24 11:39:26 2011

When I query against OpenDNS and Google's public servers I get:

    [macgre@topnz15209-linux ~]$ dig @8.8.8.8 mydomain.nz

    ; DiG 9.7.2-P3-RedHat-9.7.2-1.P3.fc13 @8.8.8.8 mydomain.nz
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; -HEADER- opcode: QUERY, status: NOERROR, id: 45766
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mydomain.nz.                   IN      A

    ;; ANSWER SECTION:
    mydomain.nz.            61371   IN      A       202.a.t.z

    ;; Query time: 170 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Feb 24 11:41:32 2011
    ;; MSG SIZE rcvd: 55

Why are

    ;; AUTHORITY SECTION:
    mydomain.nz.            86400   IN      NS      mcvpdns01.mydomain.nz.
    mydomain.nz.            86400   IN      NS      drvpdns01.mydomain.nz.

missing?

We have users complaining that they can't resolve our dns servers, and thus can't do lookups for services.

Our version of bind is 9.3.6-4.P1.el5_5.3

Thanks
G

Re: incorrect dns returned by public servers for our domain
Hi.

Thanks for the feedback. I was warned not to provide too much info by the security guy. The domain name in question is openpolytechnic.ac.nz

Thanks

On Thu, Feb 24, 2011 at 12:36 PM, Anand Buddhdev ana...@ripe.net wrote:

> On 23/02/2011 23:53, Gregory Machin wrote:
>
> Hi Gregory,
>
> > Why are
> >
> >     ;; AUTHORITY SECTION:
> >     mydomain.nz.            86400   IN      NS      mcvpdns01.mydomain.nz.
> >     mydomain.nz.            86400   IN      NS      drvpdns01.mydomain.nz.
> >
> > missing?
>
> Google DNS and OpenDNS are meant to be used by end-users, who don't need the extra information in the authority section. The authority section is only needed by recursive resolvers.
>
> > We have users complaining that they can't resolve our dns servers, and thus can't do lookups for services.
>
> I actually doubt if the difference in response from Google/OpenDNS is responsible for resolution failures. It would be far more helpful if you can actually provide your domain name. Then someone can have a look and see if there's any obvious configuration issue. Without knowing the actual domain name, one can only guess about possible problems.
>
> Anand Buddhdev
> RIPE NCC

Re: incorrect dns returned by public servers for our domain
Hi.

Thanks for the support and assistance. I see that the issue is related to the bogon filter in the bind configuration. Where can I get a valid bogon list?

Thanks

On Thu, Feb 24, 2011 at 3:45 PM, Noel Butler noel.but...@ausics.net wrote:

> Further to my private message, is your border router using bogon filters?
>
> I can actually get your local NS's using a U.S host on an old IP, but not from my connection, this suggests an outdated bogon filter since I'm on 27.x IP range.
>
> On Thu, 2011-02-24 at 15:00 +1300, Gregory Machin wrote:
> > Hi.
> >
> > Thanks for the feedback. I was warned not to provide too much info by the security guy.

out of place mx records.
Hi.

I have taken over some dns servers, and am in the process of doing an upgrade, half way through the process. I have a question about the zone files, as there is some configuration here that I have not seen before and seems out of place.

Here is an excerpt of the zone file:

    $TTL 14400
    @               IN SOA  example.com. postmaster.example.com. (
                            2010042142 ; Serial
                            3600       ; Refresh (1 hours)
                            1200       ; Retry (20 minutes)
                            1728000    ; Expire (20 days)
                            14400      ; Minimum (4 hours)
                            )
                    IN NS   ns1.example.com.
                    IN NS   ns2.example.com.
    ;               IN NS   ns1.catalyst.net.nz.
                    IN MX   10 mail01.example.com.
                    IN MX   10 mail02.example.com.
    ;               IN MX   20 mail03.example.com.
                    IN A    202.xx.xx.2
    ns1             IN A    192.168.xx.xx
    ns2             IN A    192.168.xx.xx
    listserv        IN A    202.xx.xx.2
                    IN MX   10 mcvpemr01
                    IN MX   10 mcvpemr02
    cache           IN A    202.xx.xx.1
                    IN MX   10 mcvpemr01
                    IN MX   10 mcvpemr02
    captaincomet    IN A    202.xx.xx.1
                    IN MX   10 mcvpemr01
                    IN MX   10 mcvpemr02
    louie           IN A    202.xx.xx.1
                    IN MX   10 mcvpemr01
                    IN MX   10 mcvpemr02
    mail01          IN A    192.168.xx.xx
                    IN MX   10 mcvpemr01
                    IN MX   10 mcvpemr02
    mail02          IN A    192.168.xx.xx
                    IN MX   10 mcvpemr01
                    IN MX   10 mcvpemr02
    nelson          IN A    202.xx.xx.1
                    IN MX   10 mcvpemr01
                    IN MX   10 mcvpemr02

My question is why would "IN MX 10 mcvpemr01" and "IN MX 10 mcvpemr02" be repeated through the zone file? Surely this is redundant?

Thanks
Greg

Re: dnssec updated zone data is not live ??
On Fri, Dec 11, 2009 at 12:22 AM, Kevin Darcy k...@chrysler.com wrote:

> Gregory Machin wrote:
> > Hi
> >
> > Please can you advise. It's been ages since I have configured dnssec. I used nsupdate (with dnssec) to update a zone file with all the hosts' current IPs so that they are reachable via a host name even when the IP has changed (a dyndns.org type of thing). Everything seems to work fine: named accepts the update and writes it to the .jnl file, but when I try and ping the updated host name I get "ping: unknown host greg.za.protetor.net", and this is on the server running named. Yet the logs show:
> >
> >     Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': deleting rrset at 'greg.device.example.net' A
> >     Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': adding an RR at 'greg.device.example.net' A
> >
> > Which is correct from what I remember the last time I did this.
> >
> > My zone configuration, /etc/named.conf:
> >
> >     zone device.example.net {
> >         type master;
> >         file /var/named/device.example.net.db;
> >         allow-transfer { any; };
> >         allow-update { key device.example.net; };
> >     };
> >
> > Zone file:
> >
> >     $ORIGIN .
> >     $TTL 3600 ; 1 hour
> >     device.example.net IN SOA ns1.example.net. ns2.example.net. (
> >                     2009120805 ; serial
> >                     900        ; refresh (15 minutes)
> >                     600        ; retry (10 minutes)
> >                     86400      ; expire (1 day)
> >                     3600       ; minimum (1 hour)
> >                     )
> >             NS      ns1.example.net.
> >             NS      ns2.example.net.
> >             A       205.234.215.112
> >             MX      0 server.example.net.
> >     $ORIGIN device.example.net.
> >     $TTL 60 ; 1 minute
> >     greg    A       97.xxx.xxx.127
> >
> > Running: BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5
>
> First of all, are you talking about DNSSEC, or just plain Dynamic Update (presumably crypto-authenticated if this is going to be a publicly-updateable zone)? I don't see any DNSSEC records in the zone file you posted.
>
> Secondly, if you do an AXFR of the zone after the Dynamic Update, does it reflect the change?
>
> Thirdly, on the machine which is originating the ping, how is it set up to resolve names? Does it only use DNS? Does it only use *itself* for resolving DNS? Is there some intermediate caching going on (e.g. nscd or equivalent)? If so, have you waited long enough for the entries to expire from that intermediate cache?
>
> - Kevin

Hi Kevin

Just plain Dynamic Update with crypto-authenticated keys.

If I do a dig:

    r...@server [~]# dig @ns1.example.net device.example.net A +tcp

    ; DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 @ns1.example.net device.example.net A +tcp
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; -HEADER- opcode: QUERY, status: NOERROR, id: 44660
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;device.example.net.            IN      A

    ;; ANSWER SECTION:
    device.example.net.     3600    IN      A       205.xxx.xxx.112

    ;; AUTHORITY SECTION:
    device.example.net.     3600    IN      NS      ns1.example.net.
    device.example.net.     3600    IN      NS      ns2.example.net.

    ;; Query time: 1 msec
    ;; SERVER: 205.234.215.113#53(205.234.215.113)
    ;; WHEN: Fri Dec 11 03:30:08 2009
    ;; MSG SIZE rcvd: 85

There should be an A record for a host:

    greg.device.example.net. IN A 97.xxx.xxx.127

Yet if I cat the zone file there is a record:

    greg    A       97.xxx.xxx.127

I'm doing the ping on the dns server that is hosting the device.example.net zone.

Thanks for your assistance.

dnssec updated zone data is not live ??
Hi

Please can you advise. It's been ages since I have configured dnssec. I used nsupdate (with dnssec) to update a zone file with all the hosts' current IPs so that they are reachable via a host name even when the IP has changed (a dyndns.org type of thing). Everything seems to work fine: named accepts the update and writes it to the .jnl file, but when I try and ping the updated host name I get "ping: unknown host greg.za.protetor.net", and this is on the server running named. Yet the logs show:

    Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': deleting rrset at 'greg.device.example.net' A
    Dec 10 14:47:52 server named[17862]: client 97.xxx.xxx.127#50043: view external: updating zone 'device.example.net/IN': adding an RR at 'greg.device.example.net' A

Which is correct from what I remember the last time I did this.

My zone configuration, /etc/named.conf:

    zone device.example.net {
        type master;
        file /var/named/device.example.net.db;
        allow-transfer { any; };
        allow-update { key device.example.net; };
    };

Zone file:

    $ORIGIN .
    $TTL 3600 ; 1 hour
    device.example.net IN SOA ns1.example.net. ns2.example.net. (
                    2009120805 ; serial
                    900        ; refresh (15 minutes)
                    600        ; retry (10 minutes)
                    86400      ; expire (1 day)
                    3600       ; minimum (1 hour)
                    )
            NS      ns1.example.net.
            NS      ns2.example.net.
            A       205.234.215.112
            MX      0 server.example.net.
    $ORIGIN device.example.net.
    $TTL 60 ; 1 minute
    greg    A       97.xxx.xxx.127

Running: BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5

Any suggestions would be welcome. I have run out of ideas and googles.