> Does it matter? Not really, I was just being too picky - wasn't expecting bind to look for authority for forward zones and then got into a red herring with root NS' cached on just two servers when all four are heavily utilised (but turns out our mail servers are only using the first two).
Thanks anyway :-) - Paul On Mon, Jun 15, 2009 at 9:01 PM, Kevin Darcy <k...@chrysler.com> wrote: > Does it matter? Two of the servers happened to have root NS records cached. > You could verify this with rndc dumpdb -cache. The other two servers, > apparently, had no root NS records cached. > > But if the client is just a stub resolver, or set up to forward, it doesn't > care about the NS records in the Authority Section. It only cares about the > Answer, which is the same in both cases. > > > - Kevin > > Paul Sherratt wrote: > >> >> I have 4 bind cache servers running with config close to what is listed at >> the bottom of this post. >> >> All 4 servers have identical bind configuration, running same bind version >> (9.5.1-P1), almost identical system layouts. >> >> The issue is that on two of the four servers, requests for records in the >> 'dnsbl' zone return root hints if the forwarded request comes back positive! >> If the forwarded request returns NXDOMAIN there are no root hints returned, >> expected as it is configured 'forward only'. >> >> >> Am I missing something obvious or anyone have an idea what might be going >> on? Again, the configs _are_ the same, I don't have any other options like >> minimal-responses etc set on the two servers that are working as expected! >> >> >> Regards, >> >> Paul >> >> >> >> *$ dig 2.0.0.127.sbl.dnsbl @dns[12]* >> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31470 >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2 >> >> ;; QUESTION SECTION: >> ;2.0.0.127.sbl.dnsbl. IN A >> >> ;; ANSWER SECTION: >> 2.0.0.127.sbl.dnsbl. 300 IN A 127.0.0.2 >> >> ;; AUTHORITY SECTION: >> . 516796 IN NS J.ROOT-SERVERS.NET < >> http://J.ROOT-SERVERS.NET>. >> . 516796 IN NS K.ROOT-SERVERS.NET < >> http://K.ROOT-SERVERS.NET>. >> ... >> >> ;; ADDITIONAL SECTION: >> J.ROOT-SERVERS.NET <http://J.ROOT-SERVERS.NET>. 603196 IN A >> 192.58.128.30 >> J.ROOT-SERVERS.NET <http://J.ROOT-SERVERS.NET>. 603196 IN AAAA >> 2001:503:c27::2:30 >> >> ;; Query time: 8 msec >> ;; SERVER: x.x.x.x#53(x.x.x.x) >> ;; WHEN: Mon Jun 15 20:05:44 2009 >> ;; MSG SIZE rcvd: 308 >> >> >> >> *$ dig 2.0.0.127.sbl.dnsbl @dns[34]* >> >> ; <<>> DiG 9.4.2 <<>> 2.0.0.127.sbl.dnsbl @tch-cache1.dns >> ;; global options: printcmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41117 >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 >> >> ;; QUESTION SECTION: >> ;2.0.0.127.sbl.dnsbl. IN A >> >> ;; ANSWER SECTION: >> 2.0.0.127.sbl.dnsbl. 300 IN A 127.0.0.2 >> >> ;; Query time: 8 msec >> ;; SERVER: x.x.x.x#53(x.x.x.x) >> ;; WHEN: Mon Jun 15 20:06:56 2009 >> ;; MSG SIZE rcvd: 53 >> >> >> >> --8<---------------- >> >> acl good-mx-nets { 1.1.2.16/29 <http://1.1.2.16/29>; ... }; >> acl good-nets { 1.1.1.0/19 <http://1.1.1.0/19>; ... }; >> >> view good-mx-view { >> match-clients { good-mail-servers; }; >> zone "dnsbl" { type forward; forward only; forwarders { 1.1.1.10; }; }; >> }; >> >> view good { >> match-clients { good-nets; }; >> allow-recursion { good-nets; }; >> >> zone "." { type hint; file "/etc/bind/db.root"; }; >> zone "com" { type delegation-only; }; >> zone "net" { type delegation-only; }; >> >> // RFC 1912 zones >> zone "localhost" { type master; file "/etc/bind/db.local"; }; >> zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; >> zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; >> zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; >> }; >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users >> > > _______________________________________________ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
