Re: Delegation question!

2010-01-25 Thread Peter Andreev 
Have you requested delegation?

2010/1/25 Alans 

> Hello,
>
> When I check our dns ip from external server for ptr records it shows
> nothing but
> 93.in-addr.arpa.6562IN  SOA ns-pri.ripe.net.
> dns-help.ripe.net. 2010012534 3600 7200 1209600 7200
> We bought 93.x.x.0/x from RIPE, does that mean that RIPE didn't delegate
> 93.x.x.0/x to us?
>
> Regards,
> Alans
>
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Delegation question!

2010-01-25 Thread Alans 
I'm new with this ISP, but I don't think they requested that.

Your point is RIPE won't give delegations without request, right?

 

Regards,

Alans

 

From: bind-users-bounces+batpower83=yahoo.co...@lists.isc.org
[mailto:bind-users-bounces+batpower83=yahoo.co...@lists.isc.org] On Behalf
Of Peter Andreev
Sent: Monday, January 25, 2010 12:15 PM
To: BIND Users Mailing List
Subject: Re: Delegation question!

 

Have you requested delegation?

2010/1/25 Alans 

Hello,

When I check our dns ip from external server for ptr records it shows
nothing but
93.in-addr.arpa.6562IN  SOA ns-pri.ripe.net.
dns-help.ripe.net. 2010012534 3600 7200 1209600 7200
We bought 93.x.x.0/x from RIPE, does that mean that RIPE didn't delegate
93.x.x.0/x to us?

Regards,
Alans

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

 

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question!

2010-01-25 Thread Peter Andreev 
Yes, of course, at least they needs to know nameservers for that zone.

http://ripe.net/rs/reverse/reverse_howto.html

2010/1/25 Alans 

>  I’m new with this ISP, but I don’t think they requested that.
>
> Your point is RIPE won’t give delegations without request, right?
>
>
>
> Regards,
>
> Alans
>
>
>
> *From:* bind-users-bounces+batpower83=yahoo.co...@lists.isc.org [mailto:
> bind-users-bounces+batpower83 =
> yahoo.co...@lists.isc.org] *On Behalf Of *Peter Andreev
> *Sent:* Monday, January 25, 2010 12:15 PM
> *To:* BIND Users Mailing List
> *Subject:* Re: Delegation question!
>
>
>
> Have you requested delegation?
>
> 2010/1/25 Alans 
>
> Hello,
>
> When I check our dns ip from external server for ptr records it shows
> nothing but
> 93.in-addr.arpa.6562IN  SOA ns-pri.ripe.net.
> dns-help.ripe.net. 2010012534 3600 7200 1209600 7200
> We bought 93.x.x.0/x from RIPE, does that mean that RIPE didn't delegate
> 93.x.x.0/x to us?
>
> Regards,
> Alans
>
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
>
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question!

2010-01-26 Thread Mark Andrews 

Also you did not *buy* the addresses from RIPE as RIPE does not *sell*
addresses.  You leased the addressed from RIPE.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Stephane Bortzmeyer 
On Fri, Feb 04, 2011 at 09:55:07PM +1100,
 Jean-Yves Avenard  wrote 
 a message of 112 lines which said:

> Now if I uncomment the NS ad.domain.com. mel.domain.com will not
> resolve anymore:

General rule with Unix daemons: always read the log. You'll find the
error message.

BIND-specific rule: test your zone with named-checkzone.

Here, I suggest you will get a "Out of zone data" error (once there is
a delegation, the A record for the same name is probably a mistake).
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Jean-Yves Avenard 
Hi

On 4 February 2011 22:15, Stephane Bortzmeyer  wrote:
> General rule with Unix daemons: always read the log. You'll find the
> error message.
>
> BIND-specific rule: test your zone with named-checkzone.

no errors of any kind are reported, in the log nor by named-checkzone

>
> Here, I suggest you will get a "Out of zone data" error (once there is
> a delegation, the A record for the same name is probably a mistake).
>
hum...
named-checkzone domain.com /etc/namedb/sp/db.domain.com
zone domain.com/IN: loaded serial 2011020401
OK


Actually I just found what caused it not to work ; I have forwarders
set ; If I comment-out the forwarders line ; then everything work as
it should

Can't delegation works if forwarders are enabled ?

Thanks
Jean-Yves
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Jean-Yves Avenard 
I changed:

zone "domain.com" {
type master;
file "internal/db.domain.com";
check-names ignore;
notify TRUE;
allow-update { key "rndc-key"; };
};

to:
zone "domain.com" {
type master;
file "internal/db.domain.com";
check-names ignore;
notify TRUE;
allow-update { key "rndc-key"; };
// Cancel the forwarding for this authoritative domain.
forwarders {
};
};

and it's working !
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Balder 
Just re read that message and it didn't make too much sense so will try again

as there is no full stop at the end of the following line
; NS ad.domain.com
it would end up looking like this
;domain.com   NS ad.domain.com.domain.com
if you put a full stop at the end of this line see below it should work
 NS ad.domain.com.
ad  A   192.168.0.3
you could also do this
 NS ad
ad  A   192.168.0.3
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Eivind Olsen 
> Actually I just found what caused it not to work ; I have forwarders
> set ; If I comment-out the forwarders line ; then everything work as
> it should
> Can't delegation works if forwarders are enabled ?

Unless I'm misunderstanding something, it should work. Here's an extract
from the BIND 9.7 ARM, section 6.2.16.2:

"Forwarding occurs only on those queries for which the server is not
authoritative and does not have the answer in its cache."

How exactly had you configured forwarding in your named.conf file?

Regards
Eivind Olsen


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Jean-Yves Avenard 
On 4 February 2011 22:51, Balder  wrote:
> not sure how forwarders fixed this but looking at your zone it is
> because you have reset your ORIGIN and not put a fuul stop at the end
> of the ad record
> ;=as there is no dit at the end of ad.domain.com this will
> become.  put a full stop at the end of the record and it should work
> ;domain.com       NS ad.domain.com.domain.com
> ;                         NS ad.domain.com

My bad...

I improperly copied it; it should have read:
NS ad.domain.com.

and that's how i had it set up here.

If I do not have the forwarders disabled for that particular zone ; it
fails ... it's puzzling
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Eivind Olsen 
> mel  A  192.168.0.3
> ; NS ad.domain.com

You are already defining an A record for "mel". I'd try commenting that
one out when you put the NS line back in (and make sure to give that NS
line a name of its own then, since it can then no longer piggyback off the
previous line you've just commented out). You didn't mention whether you
already were commenting out the A record or not.

Check your logs to see if BIND complains about anything. Also try pushing
your zonefile through named-checkzone.

Regards
Eivind Olsen


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Jean-Yves Avenard 
Hi

On 4 February 2011 22:54, Eivind Olsen  wrote:

> Unless I'm misunderstanding something, it should work. Here's an extract
> from the BIND 9.7 ARM, section 6.2.16.2:
>
> "Forwarding occurs only on those queries for which the server is not
> authoritative and does not have the answer in its cache."
>
> How exactly had you configured forwarding in your named.conf file?

I use bind that comes with mac os 10.6 server (9.6.0-APPLE-P2);

named.conf at the beginning includes a file options.conf.apple like so:
options  {
include "/etc/dns/options.conf.apple";
};

options.conf.apple contains:
directory "/var/named";

forwarders { 203.59.24.3; 203.0.178.191; 203.134.24.70; };

allow-transfer { none; };

in named.conf I then have:
include "/etc/dns/privateView.conf";

which contains:
view "intranet_view" {

match-clients { 127.0.0.0/8; 192.168.0.0/23; };

allow-recursion { "internal"; };

zone "." {
type hint;
file "named.ca";
};

zone "domain.com" {
type master;
file "internal/db.domain.com";
check-names ignore;
notify TRUE;
allow-update { key "rndc-key"; };
// Cancel the forwarding for this authoritative domain.
forwarders {
};
};

On the other hand ; is the server authoritative for the sub-domain
mel.domain.com provided I added the delegation ?
digg shows something like:
;; AUTHORITY SECTION:
mel.domain.com. 7200IN  NS  ad.domain.com.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Balder 
On 4 February 2011 12:28, Jean-Yves Avenard  wrote:
> I changed:
not sure how forwarders fixed this but looking at your zone it is
because you have reset your ORIGIN and not put a fuul stop at the end
of the ad record

domain.com. IN SOA  m.domain.com. domainmaster.domain.com. (
   2011020405 ; serial
   7200   ; refresh (2 hours)
   1800   ; retry (30 minutes)
   1209600; expire (2 weeks)
   86400  ; minimum (1 day)
   )
   NS  m.domain.com.
   MX  0 mail.domain.com.

$ORIGIN domain.com.
   A   192.168.0.2
; glue record
m   A   192.168.0.2
mel  A  192.168.0.3

;=as there is no dit at the end of ad.domain.com this will
become.  put a full stop at the end of the record and it should work
;domain.com   NS ad.domain.com.domain.com
; NS ad.domain.com

ad  A   192.168.0.3
---
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Torinthiel 
Dnia 2011-02-04 23:16 Jean-Yves Avenard napisał(a):

>Hi
>
>On 4 February 2011 22:54, Eivind Olsen  wrote:
>
>> Unless I'm misunderstanding something, it should work. Here's an extract
>> from the BIND 9.7 ARM, section 6.2.16.2:
>>
>> "Forwarding occurs only on those queries for which the server is not
>> authoritative and does not have the answer in its cache."
>>
>> How exactly had you configured forwarding in your named.conf file?
>
>I use bind that comes with mac os 10.6 server (9.6.0-APPLE-P2);
>
>named.conf at the beginning includes a file options.conf.apple like so:
>options  {
>include "/etc/dns/options.conf.apple";
>};
>
>options.conf.apple contains:
>directory "/var/named";
>
>forwarders { 203.59.24.3; 203.0.178.191; 203.134.24.70; };
>
>allow-transfer { none; };
>
>in named.conf I then have:
>include "/etc/dns/privateView.conf";
>
>which contains:
>view "intranet_view" {
>
>match-clients { 127.0.0.0/8; 192.168.0.0/23; };
>
>   allow-recursion { "internal"; };
>
>zone "." {
>type hint;
>   file "named.ca";
>};
>
>zone "domain.com" {
>type master;
>   file "internal/db.domain.com";
>   check-names ignore;
>notify TRUE;
>   allow-update { key "rndc-key"; };
>// Cancel the forwarding for this authoritative domain.
>forwarders {
>};
>};
>
>On the other hand ; is the server authoritative for the sub-domain
>mel.domain.com provided I added the delegation ?
>digg shows something like:
>;; AUTHORITY SECTION:
>mel.domain.com.7200IN  NS  ad.domain.com.

This answer is not stating that it's authorative, but only that authorities 
are below.
My wild guess ont what's happening, and why disabling forwarders fix this:
without NS m.domain.com is authorative for mel.domain.com, so it answers for 
A mel.domain.com without issues.
Now, with NS, it's not authorative, as you've just set up a delegation. So, 
when it receives the question it forwards it to one of three forwarding 
servers. And they probably don't know how to access ad.domain.com (as it has 
private IP adress, and these are public - that's one part of guess), they 
end up not resolving the name.

Can verify that 203.59.24.3; 203.0.178.191; 203.134.24.70; can call 
192.168.0.3, on that address?

Also, keep in mind that normally you should not use only one NS per 
delegation, but a minimum of two. Here, for a testing environment (I guess) 
it'll work, but don't do it on production environment.

Torinthiel

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Chris Buxton 

On Feb 4, 2011, at 3:25 AM, Jean-Yves Avenard wrote:
> Actually I just found what caused it not to work ; I have forwarders
> set ; If I comment-out the forwarders line ; then everything work as
> it should
> 
> Can't delegation works if forwarders are enabled ?

Only if either (a) the forwarders can resolve the name, or (b) you disable 
forwarding for either the authoritative zone or the delegated child zone.

What you are seeing is the expected behavior.

Keep in mind, a BIND server does two quite different jobs: authoritatively 
answering queries about local zones and recursive/caching resolution of remote 
zones. Mixing the two services in one named.conf can be confusing and can lead 
to complex interplay between their configurations. It can also cause problems 
for DNSSEC. You should strive to avoid it.

Chris Buxton
BlueCat Networks

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Joseph S D Yao 
On Fri, Feb 04, 2011 at 09:55:07PM +1100, Jean-Yves Avenard wrote:
> Hi there..
> 
> I'm trying to create a delegation to a sub-domain ; for some reasons
> I'm getting no-where
> 
> I have a domain.com zone ; I'd like to delegate mel.domain.com to
> another dns server (windows server DNS fwiw)
> Here is my zone file:
...
> domain.com. IN SOA  m.domain.com. domainmaster.domain.com. (
...
> )
> NS  m.domain.com.
> MX  0 mail.domain.com.
...
> A   192.168.0.2
> ; glue record
> m   A   192.168.0.2
> mel  A  192.168.0.3
> ; NS ad.domain.com
> ad  A   192.168.0.3
> ---
> 
> when NS ad.domain.com line is commented out ; querying for
> mel.domain.com is properly resolved:
> 
> bash-3.2# dig @192.168.0.2  mel.domain.com
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @192.168.0.2 mel.domain.com
...
> ;; ANSWER SECTION:
> mel.domain.com.   7200IN  A   192.168.0.3
...
> Now if I uncomment the NS ad.domain.com. mel.domain.com will not
> resolve anymore:
> 
> bash-3.2# dig @192.168.0.2  mel.domain.com
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @192.168.0.2 mel.domain.com
...
> For what it's worth; ad.domain.com (the other dns server) properly
> answer the query:
> bash-3.2# dig @192.168.0.3  mel.domain.com
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @192.168.0.3 mel.domain.com
...
> ;; ANSWER SECTION:
> mel.domain.com.   600 IN  A   192.168.0.3
...


As someone else mentioned, the main problem was the lack of a period
('.') at the end of the delegating server name.

I don't remember anyone saying outright that, once you have delegated
the domain, any records intended for that domain in the delegating
domain are completely ignored.  [It was hinted at.]  In other words,
the "A" record for "mel" above gets ignored when delegation is on.  [So
I always put the delegated domain name explicitly in front of a
delegating NS record line.]

Also, you have a pair of completely useless $ORIGIN lines in your file.
I find it very rare that $ORIGIN lines are actually useful in master
copies of zone files.  Mostly they confuse, especially if they are
sufficiently far away from where one is focused in the file that one is
not aware how the domain has changed.  [In machine-generated files such
as slaved copies of zone files, it's not expected that humans will be
reading the file, so confusion is not a consideration.]

Teaching texts should use comments rather than $ORIGIN lines to indicate
what the domain is at given points in a zone file.

IMHO, of course.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegation question

2011-02-04 Thread Barry Margolin 
In article ,
 Jean-Yves Avenard  wrote:

> Actually I just found what caused it not to work ; I have forwarders
> set ; If I comment-out the forwarders line ; then everything work as
> it should
> 
> Can't delegation works if forwarders are enabled ?

No.  When you have forwarders configured, it means "When you need to 
recurse to answer a query, forward the query to the forwarders instead 
of following delegation records."

Why did you configure forwarders in the first place if your server can 
follow delegations?  Do you think there's a difference between 
delegations from your own zone (you want to follow) and delegations from 
the root (you want to use the forwarders)?

You can override the general forwarders option by configuring a 
forwarding zone:

zone "mel.domain.com" {
  type forward;
  forwarders {};
};

The empty forwarders clause in here disables forwarders, so it follows 
delegations.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users