Re: Delegation not working from slave.

2019-10-09 Thread Grant Taylor via bind-users

On 10/9/19 8:19 AM, John Robson via bind-users wrote:
But I suspect that we're going to have to redo more of the DNS 
infrastructure than just this at some point fairly soon - so to some 
extent I'll let someone else fix it later... (I know)


If you can, save the poor future soul, possibly yourself, some headache 
/ heartburn and briefly document what you have recently found / done.


As always, "trust but verify".  But having something to start verifying 
and an overview of what was in place once upon a time is better than 
starting with a blank slate.




--
Grant. . . .
unix || die



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Delegation not working from slave.

2019-10-09 Thread John Robson via bind-users
Yep - I know that I've almost certainly kludged it horribly...

But I suspect that we're going to have to redo more of the DNS
infrastructure than just this at some point fairly soon - so to some extent
I'll let someone else fix it later... (I know)

I had added the NS records for the subdomain to its parent domain, which I
thought was what was required for delegation, but clearly I've missed
something in there.

John

On Tue, 8 Oct 2019 at 13:39, Matus UHLAR - fantomas wrote:

> On 04.10.19 17:44, John Robson via bind-users wrote:
> >I think I've missed something very obvious...
>
> apparently
>
> >I don't think that the main DNS server was behaving sensibly in terms of
> >recursive searches.
> >I've now had the main DNS servers also act as slaves, and it's all
> working.
>
> and while you haven't fixed the problem which you didn't even describe
> properly, you have worked around it.
> It may return and hit you back, again, even harder.
>
> maybe you should describe it more deeply.
>
> >My understanding (which may have been presented in a confused manner in
> >earlier emails)
> >Master (hosts zone file) Slave (transfers from master)
>
> slave hosts the zone too.
>
> >Delegation - one dns server pointing at the NS for the next subdomain
> down.
>
> no, delegation is not dns server pointing. It's the zone having NS records
> for subzone.
>
> I can guess you failed to do this, so while your master knows where the
> subzone is, slave does not.
>
> >On Fri, 4 Oct 2019 at 03:57, Grant Taylor via bind-users <
> >bind-users@lists.isc.org> wrote:
> >
> >> On 10/2/19 5:45 AM, John Robson via bind-users wrote:
> >> > Again - I am sure I've missed something obvious, but can't see what.
> >>
> >> I'm not completely following what you're doing.  But your wording causes
> >> me to pause, make a comment, and ask for clarification.
> >>
> >> Comment:  slave (and master) is not the same thing as delegation.
> >>
> >> Question:  Is dns.example.org delegating sub.example.org to
> >> myserver.example.org?  Or is myserver.example.org a slave for some zone
> >> (which I can't clearly extract from your message)?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Windows 2000: 640 MB ought to be enough for anybody
>


-- 

*John Robson*


Re: Delegation not working from slave.

2019-10-08 Thread Matus UHLAR - fantomas

On 04.10.19 17:44, John Robson via bind-users wrote:

I think I've missed something very obvious...


apparently


I don't think that the main DNS server was behaving sensibly in terms of
recursive searches.
I've now had the main DNS servers also act as slaves, and it's all working.


and while you haven't fixed the problem which you didn't even describe
properly, you have worked around it.
It may return and hit you back, again, even harder.

maybe you should describe it more deeply. 


My understanding (which may have been presented in a confused manner in
earlier emails)
Master (hosts zone file) Slave (transfers from master)


slave hosts the zone too.


Delegation - one dns server pointing at the NS for the next subdomain down.


no, delegation is not dns server pointing. It's the zone having NS records
for subzone.

I can guess you failed to do this, so while your master knows where the
subzone is, slave does not.


On Fri, 4 Oct 2019 at 03:57, Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:


On 10/2/19 5:45 AM, John Robson via bind-users wrote:
> Again - I am sure I've missed something obvious, but can't see what.

I'm not completely following what you're doing.  But your wording causes
me to pause, make a comment, and ask for clarification.

Comment:  slave (and master) is not the same thing as delegation.

Question:  Is dns.example.org delegating sub.example.org to
myserver.example.org?  Or is myserver.example.org a slave for some zone
(which I can't clearly extract from your message)?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody


Re: Delegation not working from slave.

2019-10-04 Thread John Robson via bind-users
I think I've missed something very obvious...

I don't think that the main DNS server was behaving sensibly in terms of
recursive searches.
I've now had the main DNS servers also act as slaves, and it's all working.

Cheers,

John

My understanding (which may have been presented in a confused manner in
earlier emails)
Master (hosts zone file) Slave (transfers from master)
Delegation - one dns server pointing at the NS for the next subdomain down.

On Fri, 4 Oct 2019 at 03:57, Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 10/2/19 5:45 AM, John Robson via bind-users wrote:
> > Again - I am sure I've missed something obvious, but can't see what.
>
> I'm not completely following what you're doing.  But your wording causes
> me to pause, make a comment, and ask for clarification.
>
> Comment:  slave (and master) is not the same thing as delegation.
>
> Question:  Is dns.example.org delegating sub.example.org to
> myserver.example.org?  Or is myserver.example.org a slave for some zone
> (which I can't clearly extract from your message)?
>
>
>
> --
> Grant. . . .
> unix || die
>
>


-- 

*John Robson, Sr. Customer Support Engineer, Zenoss*
jrob...@zenoss.com | *O:*




Re: Delegation not working from slave.

2019-10-03 Thread Grant Taylor via bind-users

On 10/2/19 5:45 AM, John Robson via bind-users wrote:

Again - I am sure I've missed something obvious, but can't see what.


I'm not completely following what you're doing.  But your wording causes 
me to pause, make a comment, and ask for clarification.


Comment:  slave (and master) is not the same thing as delegation.

Question:  Is dns.example.org delegating sub.example.org to 
myserver.example.org?  Or is myserver.example.org a slave for some zone 
(which I can't clearly extract from your message)?




--
Grant. . . .
unix || die





re: Delegation not working from slave.

2019-10-02 Thread Bob McDonald
If I'm reading this correctly, it looks like delegation DOES work from the
slave.

Looking at the zone file for sub.example.org. from the main DNS server, is
the delegation present for dyn.sub.example.org.? (e.g. is there a
dyn.sub.example.org. IN NS dynsub.example.org. in the zone file for
sub.example.com. on the main DNS server?) And does the zone file on the
main have a glue record for dynsub.example.org.?

Regards,

Bob
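The two checks Bob asks for, NS records for the child in the parent zone and glue for its name servers, are the same ones Matus describes above as what both master and slave must hold. The following is an added example, not code from the thread: it runs those checks over a parent zone file and reports whether the child is delegated, which name servers sit inside the child and therefore need glue in the parent, which live elsewhere in the parent zone and need an ordinary address record, and which are out of zone. The zone text and host names are constructed for the example, modelled on the example.org names used in the thread.

```python
"""Added example: does a parent zone really delegate a child, and is the glue there?"""
import re
from collections import defaultdict


def _fqdn(name, origin):
    """Make a master-file name absolute: '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: $ORIGIN, $TTL, '@', relative names, ';' comments and
    parenthesised multi-line records.  Returns {(owner, rtype): [rdata, ...]} with names
    absolute and lower-cased.  Other $-directives are skipped; use named-checkzone for
    full fidelity on a production zone."""
    origin = origin.lower().rstrip(".") + "."
    records = defaultdict(list)
    # First pass: strip comments and join '( ... )' continuations into one logical line.
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            logical.append(" ".join(buf))
            buf, depth = [], 0
    last_owner = origin
    for line in logical:
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = _fqdn(line.split()[1], origin).lower()
            continue
        if line.startswith("$"):
            continue
        tokens = line.split()
        # A leading blank means "same owner as the previous record".
        owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin).lower()
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)  # optional TTL and class
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if rtype in ("NS", "CNAME", "PTR", "DNAME"):
            rdata = _fqdn(rdata, origin).lower()  # name-valued rdata is relative to the origin too
        records[(owner, rtype)].append(rdata)
    return records


def check_delegation(zone_text, parent, child):
    """Report whether `parent` delegates `child` and whether each NS has the address data it needs."""
    parent = parent.lower().rstrip(".") + "."
    child = child.lower().rstrip(".") + "."
    rrs = parse_zone(zone_text, parent)
    ns = rrs.get((child, "NS"), [])
    report = {"delegated": bool(ns), "ns": sorted(ns),
              "missing_glue": [], "missing_address": [], "out_of_zone": []}
    for server in ns:
        has_addr = bool(rrs.get((server, "A")) or rrs.get((server, "AAAA")))
        if server == child or server.endswith("." + child):
            # In-bailiwick server: resolvers can only reach it through glue in the parent.
            if not has_addr:
                report["missing_glue"].append(server)
        elif server.endswith("." + parent):
            # Name lives in the parent zone itself: its A/AAAA is authoritative data here.
            if not has_addr:
                report["missing_address"].append(server)
        else:
            # Elsewhere in the DNS: looked up separately, nothing the parent can carry.
            report["out_of_zone"].append(server)
    return report


# Constructed parent zone modelled on the names in this thread (not a real zone file).
BROKEN_ZONE = """\
$ORIGIN sub.example.org.
$TTL 3600
@       IN SOA ns1.sub.example.org. hostmaster.sub.example.org. (
                2019100201 7200 900 1209600 3600 )
        IN NS  ns1.sub.example.org.
ns1     IN A   192.0.2.1
; delegate dyn.sub.example.org. to an external server and to one inside the child
dyn     IN NS  dynsub.example.org.
dyn     IN NS  ns.dyn
"""
FIXED_ZONE = BROKEN_ZONE + "ns.dyn  IN A   192.0.2.53   ; glue for the in-bailiwick server\n"

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_delegation(zone, "sub.example.org", "dyn.sub.example.org"))
```

Run it over the parent zone as each server actually holds it (the master's file and a copy dumped from the slave), since a delegation present on one and absent on the other is exactly the mismatch described above.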


RE: Delegation not working

2009-05-07 Thread Mike Bernhardt
Yeah, I pulled that dig request from another post that sounded similar
without taking the time to understand what the arguments meant. I will have
to learn dig properly.

Thanks for the help, I will try that tonight.

-Original Message-
From: Chris Buxton [mailto:cbux...@menandmice.com] 
Sent: Thursday, May 07, 2009 10:17 AM
To: Mike Bernhardt
Cc: bind-users@lists.isc.org
Subject: Re: Delegation not working

On May 7, 2009, at 9:31 AM, Mike Bernhardt wrote:
 I attempted to delegate a subdomain last night, but it didn't work. When I
 slave that subdomain it works fine, so I know that connectivity is not the
 problem. The server is running BIND 9.3.4. Here is the dig response:

 ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

Note: no rd flag.

 ;; AUTHORITY SECTION:
 adm.bart.gov.   14400   IN  NS  mrep-02.adm.bart.gov.
 adm.bart.gov.   14400   IN  NS  dhcp-01.adm.bart.gov.

This is a referral, as expected.

 So it seems we are reading the delegation info correctly, but not getting
 answers, or perhaps not asking?

What were you expecting to be different? You sent a non-recursive  
query (+norec) and received a referral to the child zone. It looks  
perfectly normal.

Were you expecting a final answer to the query? If so, then take out  
the +norec from your dig command. You'll also need to edit your  
bart.gov zone statement in named.conf (below).

 Here is my named.conf, and the db records.
 Since I'm using h2n, the delegation info in the db files is actually via
 $include statements pointing at spcl files. I know the $includes are read
 properly because there is other info in them that works.

 We are forwarding for internet names to our outside-facing server. I'm
 wondering if forwarding is the problem?

If you had not used +norec, it would be the problem, yes. But there  
is a simple solution.

 zone bart.gov {
type master;
file db.bart;
 };

Add one more statement inside the zone statement block:

forwarders { };

This will turn off forwarding for the bart.gov domain, which is larger  
than the bart.gov zone. It includes delegated subzones such as  
adm.bart.gov, meaning the server will recurse to the subzone rather  
than forwarding to the outside world.

Chris Buxton
Professional Services
Men & Mice

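Chris's reading of that dig output (no rd flag, NS records in the AUTHORITY section and no aa flag, so a referral) can be written down as a classifier. The following is an added example, not code from the thread: it parses raw dig text and tells a referral apart from an authoritative NXDOMAIN (SOA in AUTHORITY with aa set, as in the 10.in-addr.arpa. response elsewhere in this thread) and from a timeout, which is the distinction the rest of the thread turns on. The sample responses are reconstructed by hand from the ones quoted in the thread.

```python
"""Added example: classify a dig response the way the thread reads it by hand."""
import re


def parse_dig(text):
    """Extract status, header flags, section counts and AUTHORITY records from raw dig output."""
    info = {"status": None, "flags": set(), "counts": {}, "authority": [], "timeout": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if "connection timed out" in line:
            info["timeout"] = True
        elif line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            info["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            flags, counts = line[len(";; flags:"):].split(";", 1)
            info["flags"] = set(flags.split())
            info["counts"] = {k.strip(): int(v) for k, v in
                              (part.split(":") for part in counts.split(","))}
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            fields = line.split()  # owner ttl class type rdata...
            info["authority"].append((fields[0], fields[3], " ".join(fields[4:])))
    return info


def classify(text):
    """Return (kind, detail); kind is timeout, nxdomain, answer, referral, nodata or unknown."""
    d = parse_dig(text)
    flags, counts, auth = d["flags"], d["counts"], d["authority"]
    if d["timeout"]:
        # No reply at all: a reachability or firewall problem, not a zone-data problem.
        return "timeout", {}
    if d["status"] == "NXDOMAIN":
        # With aa set the server is authoritative for the SOA owner and found no delegation
        # or record below it covering the name (the 10.in-addr.arpa. case in this thread).
        zone = next((o for o, t, _ in auth if t == "SOA"), None)
        return "nxdomain", {"zone": zone, "authoritative": "aa" in flags}
    if counts.get("ANSWER", 0) > 0:
        return "answer", {"authoritative": "aa" in flags}
    if d["status"] == "NOERROR" and "aa" not in flags and any(t == "NS" for _, t, _ in auth):
        # NS records in AUTHORITY without aa: a referral to the child zone.  Expected when
        # rd was cleared (+norec); with rd set it means the server did not recurse for us.
        zone = next(o for o, t, _ in auth if t == "NS")
        ns = sorted(r for _, t, r in auth if t == "NS")
        return "referral", {"zone": zone, "ns": ns, "rd": "rd" in flags}
    if d["status"] == "NOERROR" and any(t == "SOA" for _, t, _ in auth):
        return "nodata", {}
    return "unknown", {}


# Sample responses reconstructed from the ones quoted in this thread (hand-typed, not captured).
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36136
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;252.2.0.10.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
0.10.in-addr.arpa.  14400   IN  NS  mrep-02.adm.bart.gov.
0.10.in-addr.arpa.  14400   IN  NS  dhcp-01.adm.bart.gov.

;; ADDITIONAL SECTION:
dhcp-01.adm.bart.gov.   86400   IN  A   148.165.126.87
mrep-02.adm.bart.gov.   86400   IN  A   10.2.242.222
"""
NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7310
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;252.2.0.10.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.    600 IN  SOA athena.bart.gov. bernhardt.bart.gov. 2009050703 14400 600 864000 600
"""
TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    for name, sample in (("referral", REFERRAL), ("nxdomain", NXDOMAIN), ("timeout", TIMEOUT)):
        print(name, classify(sample))
```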


RE: Delegation not working

2009-05-07 Thread Mike Bernhardt
I had already tried that to no avail:
dig @athena -x 10.0.2.252

; <<>> DiG 9.3.4 <<>> @athena -x 10.0.2.252
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7310
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;252.2.0.10.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.600 IN  SOA athena.bart.gov.
bernhardt.bart.gov. 2009050703 14400 600 864000 600

;; Query time: 0 msec
;; SERVER: 148.165.30.30#53(148.165.30.30)
;; WHEN: Thu May  7 12:21:13 2009
;; MSG SIZE  rcvd: 102



-Original Message-
From: Chris Buxton [mailto:cbux...@menandmice.com] 
Sent: Thursday, May 07, 2009 12:19 PM
To: Mike Bernhardt
Cc: bind-users@lists.isc.org
Subject: Re: Delegation not working

On May 7, 2009, at 12:06 PM, Mike Bernhardt wrote:
 dig -x +trace @athena 10.0.2.252

 ;; QUESTION SECTION:
 ;+trace.in-addr.arpa.   IN  PTR

 ;; QUESTION SECTION:
 ;10.0.2.252.IN  A

You've given dig the wrong arguments. You gave it two queries,  
indicated above, neither of which is what you wanted.

Try this:

dig @athena -x 10.0.2.252

Chris Buxton
Professional Services
Men & Mice



RE: Delegation not working

2009-05-07 Thread Todd Snyder
+trace forces the server to go to the root.  It doesn't necessarily
represent the path your query would normally take.  If the server you
are querying is authoritative for the zone you are querying, it will
still trace from the root.  This feature is, sadly, not as useful in an
internal DNS configuration, where recursion from the root isn't used.
That seems to be the situation you're in (not able to reach the root).

At least, that is my interpretation of it.

Todd.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mike Bernhardt
Sent: Thursday, May 07, 2009 3:22 PM
To: 'Chris Buxton'
Cc: bind-users@lists.isc.org
Subject: RE: Delegation not working

Reformatting the dig request gives the following:

dig +trace @athena -x 10.0.2.252

; <<>> DiG 9.3.4 <<>> +trace @athena -x 10.0.2.252
; (1 server found)
;; global options:  printcmd
.   163824  IN  NS  K.ROOT-SERVERS.NET.
.   163824  IN  NS  L.ROOT-SERVERS.NET.
.   163824  IN  NS  M.ROOT-SERVERS.NET.
.   163824  IN  NS  A.ROOT-SERVERS.NET.
.   163824  IN  NS  B.ROOT-SERVERS.NET.
.   163824  IN  NS  C.ROOT-SERVERS.NET.
.   163824  IN  NS  D.ROOT-SERVERS.NET.
.   163824  IN  NS  E.ROOT-SERVERS.NET.
.   163824  IN  NS  F.ROOT-SERVERS.NET.
.   163824  IN  NS  G.ROOT-SERVERS.NET.
.   163824  IN  NS  H.ROOT-SERVERS.NET.
.   163824  IN  NS  I.ROOT-SERVERS.NET.
.   163824  IN  NS  J.ROOT-SERVERS.NET.

;; Received 500 bytes from 148.165.30.30#53(148.165.30.30) in 0 ms

;; connection timed out; no servers could be reached

Since this server can't reach the root servers, this makes sense. But
apparently it isn't following delegation.

-Original Message-
From: Chris Buxton [mailto:cbux...@menandmice.com]
Sent: Thursday, May 07, 2009 12:19 PM
To: Mike Bernhardt
Cc: bind-users@lists.isc.org
Subject: Re: Delegation not working

On May 7, 2009, at 12:06 PM, Mike Bernhardt wrote:
 dig -x +trace @athena 10.0.2.252

 ;; QUESTION SECTION:
 ;+trace.in-addr.arpa.   IN  PTR

 ;; QUESTION SECTION:
 ;10.0.2.252.IN  A

You've given dig the wrong arguments. You gave it two queries, indicated
above, neither of which is what you wanted.

Try this:

dig @athena -x 10.0.2.252

Chris Buxton
Professional Services
Men & Mice



Re: Delegation not working

2009-05-07 Thread Chris Buxton
Your delegation $GENERATE'd records don't cover this query. You've  
delegated 0.10.10.in-addr.arpa, but not 2.0.10.in-addr.arpa.


Chris Buxton
Professional Services
Men & Mice

On May 7, 2009, at 12:18 PM, Mike Bernhardt wrote:


I had already tried that to no avail:
dig @athena -x 10.0.2.252

; <<>> DiG 9.3.4 <<>> @athena -x 10.0.2.252
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7310
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0


;; QUESTION SECTION:
;252.2.0.10.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.600 IN  SOA athena.bart.gov.
bernhardt.bart.gov. 2009050703 14400 600 864000 600

;; Query time: 0 msec
;; SERVER: 148.165.30.30#53(148.165.30.30)
;; WHEN: Thu May  7 12:21:13 2009
;; MSG SIZE  rcvd: 102



-Original Message-
From: Chris Buxton [mailto:cbux...@menandmice.com]
Sent: Thursday, May 07, 2009 12:19 PM
To: Mike Bernhardt
Cc: bind-users@lists.isc.org
Subject: Re: Delegation not working

On May 7, 2009, at 12:06 PM, Mike Bernhardt wrote:

dig -x +trace @athena 10.0.2.252

;; QUESTION SECTION:
;+trace.in-addr.arpa.   IN  PTR

;; QUESTION SECTION:
;10.0.2.252.IN  A


You've given dig the wrong arguments. You gave it two queries,
indicated above, neither of which is what you wanted.

Try this:

dig @athena -x 10.0.2.252

Chris Buxton
Professional Services
Men & Mice





RE: Delegation not working

2009-05-07 Thread Mike Bernhardt
OK. I have modified the $GENERATE to this:
$GENERATE   0-127 $ NS  dhcp-01.adm.bart.gov.
$GENERATE   0-127 $ NS  mrep-02.adm.bart.gov.

And dig gives me this:
dig +norec @athena -x 10.0.2.252

; <<>> DiG 9.3.4 <<>> +norec @athena -x 10.0.2.252
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36136
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;252.2.0.10.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
0.10.in-addr.arpa.  14400   IN  NS  mrep-02.adm.bart.gov.
0.10.in-addr.arpa.  14400   IN  NS  dhcp-01.adm.bart.gov.

;; ADDITIONAL SECTION:
dhcp-01.adm.bart.gov.   86400   IN  A   148.165.126.87
mrep-02.adm.bart.gov.   86400   IN  A   10.2.242.222

;; Query time: 0 msec
;; SERVER: 148.165.30.30#53(148.165.30.30)
;; WHEN: Thu May  7 12:38:05 2009
;; MSG SIZE  rcvd: 129

Without +norec, it times out.

-Original Message-
From: Chris Buxton [mailto:cbux...@menandmice.com] 
Sent: Thursday, May 07, 2009 12:29 PM
To: Mike Bernhardt
Cc: bind-users@lists.isc.org
Subject: Re: Delegation not working

Your delegation $GENERATE'd records don't cover this query. You've  
delegated 0.10.10.in-addr.arpa, but not 2.0.10.in-addr.arpa.

Chris Buxton
Professional Services
Men & Mice

On May 7, 2009, at 12:18 PM, Mike Bernhardt wrote:

 I had already tried that to no avail:
 dig @athena -x 10.0.2.252

 ; <<>> DiG 9.3.4 <<>> @athena -x 10.0.2.252
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7310
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;252.2.0.10.in-addr.arpa.   IN  PTR

 ;; AUTHORITY SECTION:
 10.in-addr.arpa.600 IN  SOA athena.bart.gov.
 bernhardt.bart.gov. 2009050703 14400 600 864000 600

 ;; Query time: 0 msec
 ;; SERVER: 148.165.30.30#53(148.165.30.30)
 ;; WHEN: Thu May  7 12:21:13 2009
 ;; MSG SIZE  rcvd: 102



 -Original Message-
 From: Chris Buxton [mailto:cbux...@menandmice.com]
 Sent: Thursday, May 07, 2009 12:19 PM
 To: Mike Bernhardt
 Cc: bind-users@lists.isc.org
 Subject: Re: Delegation not working

 On May 7, 2009, at 12:06 PM, Mike Bernhardt wrote:
 dig -x +trace @athena 10.0.2.252

 ;; QUESTION SECTION:
 ;+trace.in-addr.arpa.   IN  PTR

 ;; QUESTION SECTION:
 ;10.0.2.252.IN  A

 You've given dig the wrong arguments. You gave it two queries,
 indicated above, neither of which is what you wanted.

 Try this:

 dig @athena -x 10.0.2.252

 Chris Buxton
 Professional Services
 Men & Mice




RE: Delegation not working

2009-05-07 Thread Ben Bridges
Isn't the $GENERATE directive a purely textual substitution without any
semantic processing?  In that case, I believe you have actually
delegated 0.1010.in-addr.arpa, 1.1010.in-addr.arpa, 2.1010.in-addr.arpa,
... , 127.1010.in-addr.arpa instead of 0.10.in-addr.arpa,
1.10.in-addr.arpa, ... , 127.10.in-addr.arpa.  Try changing your
$GENERATE directives to

$GENERATE   0-127 $.10.in-addr.arpa. NS   dhcp-01.adm.bart.gov.
$GENERATE   0-127 $.10.in-addr.arpa. NS   mrep-02.adm.bart.gov.

and see if that works.

Ben Bridges


 -Original Message-
 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Chris Buxton
 Sent: Thursday, May 07, 2009 2:29 PM
 To: Mike Bernhardt
 Cc: bind-users@lists.isc.org
 Subject: Re: Delegation not working
 
 Your delegation $GENERATE'd records don't cover this query. 
 You've delegated 0.10.10.in-addr.arpa, but not 2.0.10.in-addr.arpa.
 
 Chris Buxton
 Professional Services
 Men & Mice
 
 On May 7, 2009, at 12:18 PM, Mike Bernhardt wrote:
 
  I had already tried that to no avail:
  dig @athena -x 10.0.2.252
 
  ; <<>> DiG 9.3.4 <<>> @athena -x 10.0.2.252
  ; (1 server found)
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7310
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
  ;; QUESTION SECTION:
  ;252.2.0.10.in-addr.arpa.   IN  PTR
 
  ;; AUTHORITY SECTION:
  10.in-addr.arpa.600 IN  SOA athena.bart.gov.
  bernhardt.bart.gov. 2009050703 14400 600 864000 600
 
  ;; Query time: 0 msec
  ;; SERVER: 148.165.30.30#53(148.165.30.30)
  ;; WHEN: Thu May  7 12:21:13 2009
  ;; MSG SIZE  rcvd: 102
 
 
 
  -Original Message-
  From: Chris Buxton [mailto:cbux...@menandmice.com]
  Sent: Thursday, May 07, 2009 12:19 PM
  To: Mike Bernhardt
  Cc: bind-users@lists.isc.org
  Subject: Re: Delegation not working
 
  On May 7, 2009, at 12:06 PM, Mike Bernhardt wrote:
  dig -x +trace @athena 10.0.2.252
 
  ;; QUESTION SECTION:
  ;+trace.in-addr.arpa.   IN  PTR
 
  ;; QUESTION SECTION:
  ;10.0.2.252.IN  A
 
  You've given dig the wrong arguments. You gave it two queries, 
  indicated above, neither of which is what you wanted.
 
  Try this:
 
  dig @athena -x 10.0.2.252
 
  Chris Buxton
  Professional Services
  Men & Mice
 
 


Re: Delegation not working

2009-05-07 Thread Chris Buxton
You're right that no semantic processing takes place as part of the  
$GENERATE statement, but the original statement said:


$GENERATE 0-127 $.10 NS [...]

This is identical to typing:

0.10 NS [...]
1.10 NS [...]
[...]
127.10 NS [...]

But the origin here is 10.in-addr.arpa. So the origin is applied
normally to the results of the $GENERATE, and so you get
0.10.10.in-addr.arpa, not 0.1010. The extra dot between the first and
second 10's is implied as part of the application of the origin.


Chris Buxton
Professional Services
Men & Mice

On May 7, 2009, at 12:42 PM, Ben Bridges wrote:

Isn't the $GENERATE directive a purely textual substitution without any
semantic processing?  In that case, I believe you have actually
delegated 0.1010.in-addr.arpa, 1.1010.in-addr.arpa, 2.1010.in-addr.arpa,
... , 127.1010.in-addr.arpa instead of 0.10.in-addr.arpa,
1.10.in-addr.arpa, ... , 127.10.in-addr.arpa.  Try changing your
$GENERATE directives to

$GENERATE   0-127 $.10.in-addr.arpa. NS   dhcp-01.adm.bart.gov.
$GENERATE   0-127 $.10.in-addr.arpa. NS   mrep-02.adm.bart.gov.

and see if that works.

Ben Bridges



-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Chris Buxton
Sent: Thursday, May 07, 2009 2:29 PM
To: Mike Bernhardt
Cc: bind-users@lists.isc.org
Subject: Re: Delegation not working

Your delegation $GENERATE'd records don't cover this query.
You've delegated 0.10.10.in-addr.arpa, but not 2.0.10.in-addr.arpa.

Chris Buxton
Professional Services
Men & Mice

On May 7, 2009, at 12:18 PM, Mike Bernhardt wrote:


I had already tried that to no avail:
dig @athena -x 10.0.2.252

; <<>> DiG 9.3.4 <<>> @athena -x 10.0.2.252
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7310
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;252.2.0.10.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.600 IN  SOA athena.bart.gov.
bernhardt.bart.gov. 2009050703 14400 600 864000 600

;; Query time: 0 msec
;; SERVER: 148.165.30.30#53(148.165.30.30)
;; WHEN: Thu May  7 12:21:13 2009
;; MSG SIZE  rcvd: 102



-Original Message-
From: Chris Buxton [mailto:cbux...@menandmice.com]
Sent: Thursday, May 07, 2009 12:19 PM
To: Mike Bernhardt
Cc: bind-users@lists.isc.org
Subject: Re: Delegation not working

On May 7, 2009, at 12:06 PM, Mike Bernhardt wrote:

dig -x +trace @athena 10.0.2.252

;; QUESTION SECTION:
;+trace.in-addr.arpa.   IN  PTR

;; QUESTION SECTION:
;10.0.2.252.IN  A


You've given dig the wrong arguments. You gave it two queries,
indicated above, neither of which is what you wanted.

Try this:

dig @athena -x 10.0.2.252

Chris Buxton
Professional Services
Men & Mice



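Chris's point is that named applies the origin to the expanded text of $GENERATE, not to the directive itself, so "$.10" under 10.in-addr.arpa. yields 0.10.10.in-addr.arpa. The following is an added example, not code from the thread or from BIND: it expands a $GENERATE directive the way named does (including the ${offset,width,base} form), then walks a query name up label by label to the closest enclosing NS set, which reproduces why 252.2.0.10.in-addr.arpa. drew an authoritative NXDOMAIN under the first directive and a referral under the corrected one, and shows that Ben's absolute form produces the same records as Mike's fix.

```python
"""Added example: expand $GENERATE the way named does, then see which delegation covers a name."""
import re


def _fqdn(name, origin):
    """Absolute name: '@' is the origin, a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _substitute(template, i):
    """Replace '$' and '${offset,width,base}' with the iterator value; '\\$' is a literal '$'."""
    def repl(m):
        if m.group(0) == "\\$":
            return "$"
        if m.group(1) is None:
            return str(i)
        parts = m.group(1).split(",")
        offset = int(parts[0])
        width = int(parts[1]) if len(parts) > 1 else 0
        base = parts[2] if len(parts) > 2 else "d"  # d, o, x or X, as in named
        spec = (f"0{width}" if width else "") + base
        return format(i + offset, spec)
    return re.sub(r"\\\$|\$(?:\{([^}]*)\})?", repl, template)


def expand_generate(directive, origin):
    """Expand '$GENERATE range lhs [ttl] [class] type rhs' into (owner, type, rdata) tuples.
    The origin is applied to the substituted text, so '$.10' under 10.in-addr.arpa. becomes
    '0.10.10.in-addr.arpa.', never '0.1010.in-addr.arpa.'."""
    origin = origin.lower().rstrip(".") + "."
    tokens = directive.split()
    if not tokens or tokens[0].upper() != "$GENERATE":
        raise ValueError("not a $GENERATE directive")
    m = re.fullmatch(r"(\d+)-(\d+)(?:/(\d+))?", tokens[1])
    if not m:
        raise ValueError(f"bad range {tokens[1]!r}")
    start, stop, step = int(m.group(1)), int(m.group(2)), int(m.group(3) or 1)
    lhs, rest = tokens[2], tokens[3:]
    while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
        rest.pop(0)  # optional TTL and class
    rtype, rhs = rest[0].upper(), rest[1]
    out = []
    for i in range(start, stop + 1, step):
        owner = _fqdn(_substitute(lhs, i), origin).lower()
        rdata = _substitute(rhs, i)
        if rtype in ("NS", "CNAME", "PTR", "DNAME"):
            rdata = _fqdn(rdata, origin).lower()  # name-valued rdata is relative to the origin too
        out.append((owner, rtype, rdata))
    return out


def delegation_for(records, qname):
    """Walk qname up one label at a time and return the closest NS owner, or None.
    None for a name below the zone apex means named answers from the apex itself, i.e.
    NXDOMAIN, which is what 252.2.0.10.in-addr.arpa. got before the directive was fixed."""
    labels = (qname.lower().rstrip(".") + ".").split(".")
    owners = {owner for owner, rtype, _ in records if rtype == "NS"}
    for k in range(len(labels) - 1):
        candidate = ".".join(labels[k:])
        if candidate in owners:
            return candidate
    return None


ORIGIN = "10.in-addr.arpa."
# The directive as first written in the thread, with the origin named would apply to it.
FIRST = "$GENERATE 0-127 $.10 NS dhcp-01.adm.bart.gov."
# Mike's corrected form and Ben's absolute form produce the same records.
FIXED = "$GENERATE 0-127 $ NS dhcp-01.adm.bart.gov."
ABSOLUTE = "$GENERATE 0-127 $.10.in-addr.arpa. NS dhcp-01.adm.bart.gov."

if __name__ == "__main__":
    for d in (FIRST, FIXED, ABSOLUTE):
        rrs = expand_generate(d, ORIGIN)
        print(rrs[0], "->", delegation_for(rrs, "252.2.0.10.in-addr.arpa."))
```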


RE: Delegation not working

2009-05-07 Thread Ben Bridges
I wasn't thinking straight.  Ignore that.  My apologies.


 -Original Message-
 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ben Bridges
 Sent: Thursday, May 07, 2009 2:42 PM
 To: Mike Bernhardt
 Cc: bind-users@lists.isc.org
 Subject: RE: Delegation not working
 
 Isn't the $GENERATE directive a purely textual substitution 
 without any semantic processing?  In that case, I believe you 
 have actually delegated 0.1010.in-addr.arpa, 
 1.1010.in-addr.arpa, 2.1010.in-addr.arpa, ... , 
 127.1010.in-addr.arpa instead of 0.10.in-addr.arpa, 
 1.10.in-addr.arpa, ... , 127.10.in-addr.arpa.  Try changing 
 your $GENERATE directives to
 
 $GENERATE   0-127 $.10.in-addr.arpa. NS   dhcp-01.adm.bart.gov.
 $GENERATE   0-127 $.10.in-addr.arpa. NS   mrep-02.adm.bart.gov.
 
 and see if that works.
 
 Ben Bridges
 
 
  -Original Message-
  From: bind-users-boun...@lists.isc.org 
  [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Chris Buxton
  Sent: Thursday, May 07, 2009 2:29 PM
  To: Mike Bernhardt
  Cc: bind-users@lists.isc.org
  Subject: Re: Delegation not working
  
  Your delegation $GENERATE'd records don't cover this query. 
  You've delegated 0.10.10.in-addr.arpa, but not 2.0.10.in-addr.arpa.
  
  Chris Buxton
  Professional Services
  Men & Mice
  
  On May 7, 2009, at 12:18 PM, Mike Bernhardt wrote:
  
   I had already tried that to no avail:
   dig @athena -x 10.0.2.252
  
   ; <<>> DiG 9.3.4 <<>> @athena -x 10.0.2.252
   ; (1 server found)
   ;; global options:  printcmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7310
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
  
   ;; QUESTION SECTION:
   ;252.2.0.10.in-addr.arpa.   IN  PTR
  
   ;; AUTHORITY SECTION:
   10.in-addr.arpa.600 IN  SOA athena.bart.gov.
   bernhardt.bart.gov. 2009050703 14400 600 864000 600
  
   ;; Query time: 0 msec
   ;; SERVER: 148.165.30.30#53(148.165.30.30)
   ;; WHEN: Thu May  7 12:21:13 2009
   ;; MSG SIZE  rcvd: 102
  
  
  
   -Original Message-
   From: Chris Buxton [mailto:cbux...@menandmice.com]
   Sent: Thursday, May 07, 2009 12:19 PM
   To: Mike Bernhardt
   Cc: bind-users@lists.isc.org
   Subject: Re: Delegation not working
  
   On May 7, 2009, at 12:06 PM, Mike Bernhardt wrote:
   dig -x +trace @athena 10.0.2.252
  
   ;; QUESTION SECTION:
   ;+trace.in-addr.arpa.   IN  PTR
  
   ;; QUESTION SECTION:
   ;10.0.2.252.IN  A
  
   You've given dig the wrong arguments. You gave it two queries, 
   indicated above, neither of which is what you wanted.
  
   Try this:
  
   dig @athena -x 10.0.2.252
  
   Chris Buxton
   Professional Services
   Men & Mice
  
  


Re: Delegation not working

2009-05-07 Thread Chris Buxton

On May 7, 2009, at 12:37 PM, Mike Bernhardt wrote:

And dig gives me this:
dig +norec @athena -x 10.0.2.252

;; QUESTION SECTION:
;252.2.0.10.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
0.10.in-addr.arpa.  14400   IN  NS  mrep-02.adm.bart.gov.
0.10.in-addr.arpa.  14400   IN  NS  dhcp-01.adm.bart.gov.

;; ADDITIONAL SECTION:
dhcp-01.adm.bart.gov.   86400   IN  A   148.165.126.87
mrep-02.adm.bart.gov.   86400   IN  A   10.2.242.222


That looks perfect.


Without +norec, it times out.



OK, now we're getting somewhere. Why would the server athena have  
trouble querying those two servers? Try this from athena itself:


dig +norec -x 10.0.2.252 @148.165.126.87
dig +norec -x 10.0.2.252 @10.2.242.222

Chris Buxton
Professional Services
Men & Mice



RE: Delegation not working

2009-05-07 Thread Mike Bernhardt
Do you mean that BIND *COULD* query from a low-numbered random port? I
thought applications that don't source from a specific port always sourced
from > 1023?

-Original Message-
From: mark_andr...@isc.org [mailto:mark_andr...@isc.org] 
Sent: Thursday, May 07, 2009 3:33 PM
To: Mike Bernhardt
Cc: 'Chris Buxton'; bind-users@lists.isc.org
Subject: Re: Delegation not working 


In message f43437ad793b466c9f4f93830225f...@netadmin.bart.gov, Mike
Bernhardt writes:
 I found the problem. After the various delegation config issues were cleared
 and it still didn't work, I started doing some traces. The problem turned
 out to be
 1. We had a query source port of 53 configured that was left over from some
 old legacy compatibility issues.
 2. The firewall between us and the subdomain authority was only allowing
 queries from high-numbered ports.
 3. The dns rule in the firewall was configured to not log, so the drops
 didn't show up when I looked previously.
 
 I removed the query source-port option and all is now good. Thank you to
 Chris Buxton for all of his patience. I learned a few things along the way.

I hope you also fixed the firewall not to care about the
source port of DNS queries.  There is no requirement for
DNS queries to be sourced from any particular port range.

Mark
 
 Mike
 
 -Original Message-
 From: Chris Buxton [mailto:cbux...@menandmice.com] 
 Sent: Thursday, May 07, 2009 1:19 PM
 To: Mike Bernhardt
 Cc: bind-users@lists.isc.org
 Subject: Re: Delegation not working
 
 Mike,
 
 That was two separate commands.
 
 dig +norec -x 10.0.2.252 @148.165.126.87
 
 and
 
 dig +norec -x 10.0.2.252 @10.2.242.222
 
 So most of what you sent back is gibberish. However, at the top, there
 is the message "connection timed out; no servers could be reached".
 There's at least part of your problem.
 
 Chris Buxton
 Professional Services
 Men & Mice
 
 On May 7, 2009, at 12:50 PM, Mike Bernhardt wrote:
 
  That gave me:
  dig +norec -x 10.0.2.252 @148.165.126.87 dig +norec -x 10.0.2.252
  @10.2.242.222
  ;; connection timed out; no servers could be reached
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34563
  ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
 
  ;; QUESTION SECTION:
  ;dig.   IN  A
 
  ;; AUTHORITY SECTION:
  .   162058  IN  NS  C.ROOT-SERVERS.NET.
  .   162058  IN  NS  D.ROOT-SERVERS.NET.
  .   162058  IN  NS  E.ROOT-SERVERS.NET.
  .   162058  IN  NS  F.ROOT-SERVERS.NET.
  .   162058  IN  NS  G.ROOT-SERVERS.NET.
  .   162058  IN  NS  H.ROOT-SERVERS.NET.
  .   162058  IN  NS  I.ROOT-SERVERS.NET.
  .   162058  IN  NS  J.ROOT-SERVERS.NET.
  .   162058  IN  NS  K.ROOT-SERVERS.NET.
  .   162058  IN  NS  L.ROOT-SERVERS.NET.
  .   162058  IN  NS  M.ROOT-SERVERS.NET.
  .   162058  IN  NS  A.ROOT-SERVERS.NET.
  .   162058  IN  NS  B.ROOT-SERVERS.NET.
 
  ;; ADDITIONAL SECTION:
  A.ROOT-SERVERS.NET. 599086  IN  A   198.41.0.4
  A.ROOT-SERVERS.NET. 552012  IN  AAAA    2001:503:ba3e::2:30
  B.ROOT-SERVERS.NET. 35325   IN  A   192.228.79.201
  C.ROOT-SERVERS.NET. 599099  IN  A   192.33.4.12
  D.ROOT-SERVERS.NET. 599100  IN  A   128.8.10.90
  E.ROOT-SERVERS.NET. 599101  IN  A   192.203.230.10
  F.ROOT-SERVERS.NET. 599102  IN  A   192.5.5.241
  F.ROOT-SERVERS.NET. 552012  IN  AAAA    2001:500:2f::f
  G.ROOT-SERVERS.NET. 599090  IN  A   192.112.36.4
  H.ROOT-SERVERS.NET. 599091  IN  A   128.63.2.53
  H.ROOT-SERVERS.NET. 552012  IN  AAAA    2001:500:1::803f:235
  I.ROOT-SERVERS.NET. 599092  IN  A   192.36.148.17
  J.ROOT-SERVERS.NET. 208142  IN  A   192.58.128.30
  J.ROOT-SERVERS.NET. 208142  IN  AAAA    2001:503:c27::2:30
 
  ;; Query time: 0 msec
  ;; SERVER: 148.165.30.30#53(148.165.30.30)
  ;; WHEN: Thu May  7 12:52:39 2009
  ;; MSG SIZE  rcvd: 504
 
 
  ; <<>> DiG 9.3.4 <<>> +norec -x 10.0.2.252 @148.165.126.87 dig  
  +norec -x
  10.0.2.252 @10.2.242.222
  ; (1 server found)
  ;; global options:  printcmd
  ;; connection timed out; no servers could be reached
 
  -Original Message-
  From: Chris Buxton [mailto:cbux...@menandmice.com]
  Sent: Thursday, May 07, 2009 12:50 PM
  To: Mike Bernhardt
  Cc: bind-users@lists.isc.org
  Subject: Re: Delegation not working
 
  On May 7, 2009, at 12:37 PM, Mike Bernhardt wrote:
  And dig gives me this:
  dig +norec @athena -x 10.0.2.252
 
  ;; QUESTION SECTION:
  ;252.2.0.10.in-addr.arpa.   IN  PTR
 
  ;; AUTHORITY SECTION:
  0.10.in-addr.arpa
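As an added illustration of the misconfiguration Mike describes above (a `query-source` statement pinning outbound queries to port 53, which the firewall in front of the delegated zone's server then dropped because it only passed queries from high-numbered ports), the following Python script is example code written for this archive page; it is not code from the thread or from ISC/BIND. It scans a constructed named.conf fragment for `query-source` / `query-source-v6` statements that pin the source port and rewrites them so that only the address clause remains, which is what removing the option achieved. The config text, the 192.0.2.x addresses and the function names are all constructed for the example; the match is line-oriented and does not implement BIND's full configuration grammar.

```python
"""Audit a BIND named.conf for pinned query-source ports.

Added example for this archive page; not code from the thread or from ISC.
A `query-source ... port N` statement forces every outbound query to leave
from UDP port N. Besides tripping firewalls that expect DNS queries from
ephemeral ports, a pinned port removes source-port randomization, so the
audit treats any fixed port as a finding.
"""
import re

# One query-source statement per line, e.g.
#   query-source address 192.0.2.10 port 53;
#   query-source-v6 port *;
#   query-source address *;
# Line-oriented match, not BIND's full grammar (assumption of this example).
QUERY_SOURCE_RE = re.compile(
    r"""^(?P<indent>[ \t]*)
        (?P<stmt>query-source(?:-v6)?)\s*
        (?:address\s+(?P<addr>\S+))?\s*
        (?:port\s+(?P<port>\S+))?\s*;""",
    re.MULTILINE | re.VERBOSE,
)


def strip_comments(text):
    """Drop named.conf comments: /* ... */ blocks and // or # line comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#)[^\n]*", "", text)


def find_pinned_query_source_ports(conf_text):
    """Return (statement, address, port) for every query-source statement
    that pins a specific port. `port *` and a missing port clause both let
    named choose a random ephemeral port and are not reported."""
    findings = []
    for m in QUERY_SOURCE_RE.finditer(strip_comments(conf_text)):
        port = m.group("port")
        if port is None or port == "*":
            continue
        findings.append((m.group("stmt"), m.group("addr") or "*", port))
    return findings


def remove_pinned_query_source_ports(conf_text):
    """Rewrite pinned statements so only the address clause (if any) remains:
    drop the port clause and let named pick the source port itself."""
    def rewrite(m):
        port = m.group("port")
        if port is None or port == "*":
            return m.group(0)          # already unpinned, leave untouched
        addr = m.group("addr")
        stmt = m.group("stmt") + (f" address {addr}" if addr else "")
        return f"{m.group('indent')}{stmt};"
    return QUERY_SOURCE_RE.sub(rewrite, conf_text)


# Constructed named.conf fragment (addresses from the documentation range).
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    /* legacy compatibility: pin outbound queries to UDP/53 */
    query-source address 192.0.2.10 port 53;
    query-source-v6 port *;
};
"""

if __name__ == "__main__":
    for stmt, addr, port in find_pinned_query_source_ports(SAMPLE_NAMED_CONF):
        print(f"pinned source port: {stmt} address {addr} port {port}")
    print(remove_pinned_query_source_ports(SAMPLE_NAMED_CONF))
```

Run against the constructed fragment it reports the IPv4 statement pinned to port 53 and leaves the `port *` IPv6 statement alone; the rewritten config keeps the source address but drops the port clause. A commented-out statement inside a `/* */` block is still rewritten by the second function, since it only needs the line shape to match; that is harmless for a comment.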

Re: Delegation not working

2009-05-07 Thread Mark Andrews

In message 0e6dc7d76aa144a4b068e4b552026...@netadmin.bart.gov, Mike 
Bernhardt writes:
 Do you mean that BIND *COULD* query from a low-numbered random port? I
 thought applications that don't source from a specific port always sourced
 from > 1023?

BIND is not the only application that makes queries.  POSIX
is not the only platform that makes queries.  Even if you
have a POSIX box middleware may change the port to something
less than 1024.

When you restrict the source ports to something other than
the entire range you are making lots of assumptions about
the sender and all the middleware involved that actually
don't hold true in many cases.

Your problem was caused by a misconfigured firewall.  That
firewall should be fixed.  It remains a potential source
of problems until it is fixed.

Mark
 