Hey Mark,

Looks like it might be a bug, *BUT* a client utils bug, so I think his server is likely fine, he's panicking over what's reported, not what's actually going on. I'm sure it's not the intended response to display, so I've just added a bug rep on it; if you disagree, you can always nuke it :)
from here, dig answers REFUSED, but host and nslookup answer NXDOMAIN

noel@tardis:~$ dig www.undernet.org @ns1.ausics.net

; <<>> DiG 9.9.4rc1 <<>> www.undernet.org @ns1.ausics.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9347
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.undernet.org. IN A

;; Query time: 366 msec
;; SERVER: 62.113.243.167#53(62.113.243.167)
;; WHEN: Thu Aug 29 11:29:35 EST 2013
;; MSG SIZE rcvd: 45

noel@tardis:~$ host www.undernet.org ns1.ausics.net
Using domain server:
Name: ns1.ausics.net
Address: 62.113.243.167#53
Aliases:

Host www.undernet.org not found: 3(NXDOMAIN)

noel@tardis:~$ nslookup www.undernet.org ns1.ausics.net
Server: ns1.ausics.net
Address: 62.113.243.167#53

** server can't find www.undernet.org: NXDOMAIN

On Thu, 2013-08-29 at 10:20 +1000, Mark Andrews wrote:
> In message
> <CAMD-=VK7MtwDoUv8uRTL5WR=1ouMHbmzKMPp=uk5pqevo10...@mail.gmail.com>
> , Nick Edwards writes:
> > Mark,
> >
> > On 8/29/13, Mark Andrews <ma...@isc.org> wrote:
> > >
> > > In message
> > > <CAMD-=VKA_dftLRqtJMs=egmepzhu82q06+p_j8rmbgzxvvg...@mail.gmail.com>
> > > , Nick Edwards writes:
> > >> The typo was more of how I came about my request, forget the typo as
> > >> such, it's the actual answer, to use a more common well known name, if
> > >> I type
> > >>
> > >> ~$ host www.undernet.org ns1
> > >> Using domain server:
> > >> Name: ns1
> > >>
> > >> Host www.undernet.org not found: 3(NXDOMAIN)
> > >>
> > >> Above should be, and I'm darn sure used to be, REFUSED - not NXDOMAIN
> > >>
> > >> perhaps I should also include my options in my original post, that was
> > >> remiss of me
> > >>
> > >> acl trust contains localhost and the server's actual IP addresses,
> > >> nowhere does it permit the IP range I tried from
> > >>
> > >> options {
> > >>         directory "/var/named";
> > >>         allow-query { trust; };
> > >>         allow-transfer { localhost; };
> > >>         blackhole { bogon; };
> > >>         recursive-clients 2000;
> > >>         clients-per-query 40;
> > >>         tcp-clients 100;
> > >>         recursion no;
> > >>         additional-from-cache no;
> > >>         transfer-format many-answers;
> > >>         masterfile-format text;
> > >>         interface-interval 0;
> > >>         dnssec-enable yes;
> > >>         dnssec-validation yes;
> > >> };
> > >
> > > Given www.undernet.org exists on the Internet (so you wouldn't be
> > > getting NXDOMAIN if it was recursing to the Internet) and you haven't
> > > shown the entire configuration we can't tell if it is a lack of
> > > understanding about your configuration or a bug.
> > >
> >
> > The only other components to our pure authoritative only server
> > configuration are
> >
> > The bogon acl from team cymru
> >
> > include "/var/named/root_trusted_key";
> >
> > logging {
> >         category lame-servers { null; };
> >         category edns-disabled { null; };
> >         category client { null; };
> > };
> >
> > zone "." {
> >         type hint;
> >         file "root.hints";
> > };
> >
> >
> > zone "127.in-addr.arpa" {
> >         type master;
> >         file "localhost.rev";
> >         notify no;
> > };
> >
> > zone "localhost" {
> >         type master;
> >         file "localhost.zone";
> >         notify no;
> > };
> >
> > zone "somedomain.org" {
> >         type master;
> >         allow-transfer { slave.ip; };
> >         file "somedomain.org.signed";
> >         allow-query { any; };
> >         allow-update { none; };
> > };
> >
> >
> > zone "xxxx.in-addr.arpa" {
> >         type master;
> >         allow-transfer { sec.IP; };
> >         file "00v4.zone";
> >         allow-query { any; };
> >         allow-update { none; };
> > };
> >
> > zone "xxxxxxx.ip6.arpa" {
> >         type master;
> >         allow-transfer { sec.IP; };
> >         file "00v6.zone";
> >         allow-query { any; };
> >         allow-update { none; };
> > };
> >
> > zone "xxxx" {
> >         type slave;
> >         masters { x.x.x.x; };
> >         file "xxxxxx.signed";
> >         allow-query { any; };
> > };
> >
> >
> > there are 27 more master/slave zones, but they all are in identical
> > format as above and
> > we certainly do not host undernet :-)
> >
> > and with no customer IP ranges included in any ACL (since these are
> > not caching servers), and, having friends trying from different ISPs,
> > we get NXDOMAIN, be it undernet, or google Host www.google.com not
> > found: 3(NXDOMAIN) or whatever else it is not configured for, yes, it
> > does respond correctly to domains it is supposed to
> >
> > in the end because of this config, I expect to see REFUSED here, like
> > we have in the past, not sure when this changed.
> >
> > Both our ns1 and ns2 respond in same
>
> You still haven't provided enough information to work out whether
> there is a bug or not.
>
> Why don't you post the complete response to the dig request unaltered.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
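
An added example, not part of the original message and not BIND code: to see the status an authoritative-only server actually sent, independent of how host or nslookup report it, the fixed 12-byte DNS header can be decoded directly. The sample bytes are constructed from the header fields in the dig output above (not a capture), and the function names are illustrative.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
FLAGS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
         ("rd", 0x0100), ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010))


def encode_question(name, qtype=1, qclass=1):
    """Encode one question entry (default: A record, class IN)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return qname + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Decode the fixed DNS header exactly as it arrived on the wire."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header needs 12 bytes")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": qid,
        "flags": [name for name, bit in FLAGS if flags & bit],
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "counts": (qd, an, ns, ar),  # QUERY, ANSWER, AUTHORITY, ADDITIONAL
    }


def recursion_denied(hdr):
    """True when the client set rd and the server did not set ra."""
    return "rd" in hdr["flags"] and "ra" not in hdr["flags"]


# Constructed sample: a 45-byte response rebuilt from the dig header fields
# (id 9347, flags qr rd, status REFUSED, counts 1/0/0/1). Not a capture.
SAMPLE = (
    struct.pack("!HHHHHH", 9347, 0x8000 | 0x0100 | 5, 1, 0, 0, 1)
    + encode_question("www.undernet.org")
    + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # OPT RR: EDNS0, udp 4096
)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE)
    print(len(SAMPLE), hdr, "recursion denied:", recursion_denied(hdr))
```
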