parent dns answers the ARR of child dns

2009-12-03 Thread Tech W.
Hello,

Firstly, thanks for all the help I have received on this list with our DNS setup in a
university environment.

Now I have another problem; please see this dig:

# dig smartip.gduf.edu.cn ns +short
dtone1.gduf.edu.cn.

That means smartip.gduf.edu.cn is a zone whose NS is dtone1.gduf.edu.cn.


I have set up the www ARR in this zone, i.e.,

# dig www.smartip.gduf.edu.cn  +short
121.8.235.88


That seems correct, and www.smartip.gduf.edu.cn should be answered by 
dtone1.gduf.edu.cn. 


OK after that I dig with trace:

# dig www.smartip.gduf.edu.cn +trace 

; <<>> DiG 9.5.0-P2 <<>> www.smartip.gduf.edu.cn +trace
;; global options:  printcmd
.   475868  IN  NS  F.ROOT-SERVERS.NET.
.   475868  IN  NS  E.ROOT-SERVERS.NET.
.   475868  IN  NS  D.ROOT-SERVERS.NET.
.   475868  IN  NS  M.ROOT-SERVERS.NET.
.   475868  IN  NS  L.ROOT-SERVERS.NET.
.   475868  IN  NS  J.ROOT-SERVERS.NET.
.   475868  IN  NS  C.ROOT-SERVERS.NET.
.   475868  IN  NS  H.ROOT-SERVERS.NET.
.   475868  IN  NS  A.ROOT-SERVERS.NET.
.   475868  IN  NS  K.ROOT-SERVERS.NET.
.   475868  IN  NS  I.ROOT-SERVERS.NET.
.   475868  IN  NS  B.ROOT-SERVERS.NET.
.   475868  IN  NS  G.ROOT-SERVERS.NET.
;; Received 512 bytes from 202.96.128.86#53(202.96.128.86) in 4 ms

cn. 172800  IN  NS  B.DNS.cn.
cn. 172800  IN  NS  NS.CERNET.NET.
cn. 172800  IN  NS  A.DNS.cn.
cn. 172800  IN  NS  E.DNS.cn.
cn. 172800  IN  NS  C.DNS.cn.
cn. 172800  IN  NS  D.DNS.cn.
;; Received 304 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 165 ms

edu.cn. 172800  IN  NS  ns2.cernet.net.
edu.cn. 172800  IN  NS  dns2.edu.cn.
edu.cn. 172800  IN  NS  deneb.dfn.de.
edu.cn. 172800  IN  NS  dns.edu.cn.
edu.cn. 172800  IN  NS  ns2.cuhk.hk.
;; Received 189 bytes from 203.119.28.1#53(D.DNS.cn) in 243 ms

gduf.edu.cn.    172800  IN  NS  OAR.gduf.edu.cn.
gduf.edu.cn.    172800  IN  NS  DNS.gduf.edu.cn.
;; Received 109 bytes from 137.189.6.21#53(ns2.cuhk.hk) in 29 ms

www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.4
www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.10
www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.3
;; Received 89 bytes from 218.192.12.6#53(DNS.gduf.edu.cn) in 106 ms



Please see the above info: www.smartip.gduf.edu.cn is now answered by 
gduf.edu.cn's auth-DNS directly (dns.gduf.edu.cn), not by dtone1.gduf.edu.cn 
(the child zone's DNS). But what I want is for it to be answered by the 
DNS of the child zone.

Why does this happen, and how can I fix it?
Please help, thank you.

Regards,
Wah.



  
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Disable Refused answer

2009-12-03 Thread Peter Andreev
Searching the ARM for the keyword "blackhole" will save the father of Russian democracy
:-)

2009/12/3 Dmitry Rybin 

> Barry Margolin wrote:
>
>> In article ,
>>  Dmitry Rybin  wrote:
>>
>>  Hello!
>>>
>>> I can't find in docs how disable answer (Refused), if recursion for IP is
>>> not allowed?
>>>
>>
>> What do you expect it to do instead? Not respond at all?
>>
>>
> Drop not allowed request.
>

Re: Disable Refused answer

2009-12-03 Thread Dmitry Rybin

Give me parabellum :)

This is not an answer. I want to disable Refused answers for clients that are 
not allowed recursion.


Peter Andreev wrote:
> Search in arm by keyword "blackhole" will save father of russian
> democracy :-)
>
> 2009/12/3 Dmitry Rybin <kirg...@corbina.net>
>
>> Barry Margolin wrote:
>>
>>> In article
>>> <mailman.1159.1259764844.14796.bind-us...@lists.isc.org>,
>>> Dmitry Rybin <kirg...@corbina.net> wrote:
>>>
>>>> Hello!
>>>>
>>>> I can't find in docs how disable answer (Refused), if
>>>> recursion for IP is not allowed?
>>>
>>> What do you expect it to do instead? Not respond at all?




Re: Disable Refused answer

2009-12-03 Thread Peter Andreev
Do you want to disable refused answers for recursion and allow any answers
for authoritative information at the same time?

2009/12/3 Dmitry Rybin 

> Give me parabellum :)
>
> This is not answer. I wont to disable Refused answers for not allowed
> client in recursion.
>
> Peter Andreev wrote:
>
>> Search in arm by keyword "blackhole" will save father of russian democracy
>> :-)
>>
>> 2009/12/3 Dmitry Rybin <kirg...@corbina.net>
>>
>>> Barry Margolin wrote:
>>>
>>>> In article ,
>>>> Dmitry Rybin <kirg...@corbina.net> wrote:
>>>>
>>>>> Hello!
>>>>>
>>>>> I can't find in docs how disable answer (Refused), if
>>>>> recursion for IP is not allowed?
>>>>
>>>> What do you expect it to do instead? Not respond at all?
>>

Re: Disable Refused answer

2009-12-03 Thread Kevin Darcy

Dmitry Rybin wrote:
> Barry Margolin wrote:
>> In article ,
>> Dmitry Rybin  wrote:
>>
>>> Hello!
>>>
>>> I can't find in docs how disable answer (Refused), if recursion for
>>> IP is not allowed?
>>
>> What do you expect it to do instead? Not respond at all?
>
> Drop not allowed request.

This is not compatible with the DNS protocol, as defined:

RFC 1034, Section 4.3.1:

---

If recursive service is requested and available, the recursive response
to a query will be one of the following:

  - The answer to the query, possibly preface by one or more CNAME
    RRs that specify aliases encountered on the way to an answer.

  - A name error indicating that the name does not exist.  This
    may include CNAME RRs that indicate that the original query
    name was an alias for a name which does not exist.

  - A temporary error indication.

If recursive service is not requested or is not available, the non-
recursive response will be one of the following:

  - An authoritative name error indicating that the name does not
    exist.

  - A temporary error indication.

  - Some combination of:

    RRs that answer the question, together with an indication
    whether the data comes from a zone or is cached.

    A referral to name servers which have zones which are closer
    ancestors to the name than the server sending the reply.

  - RRs that the name server thinks will prove useful to the
    requester.

---

Note that "no response" is not one of the options.

You should probably implement this outside of DNS and BIND, e.g. a stateful 
firewall which would, by policy, drop incoming DNS query packets from certain 
source-address ranges, which have the RD bit set in the DNS query packet header.

- Kevin
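
The packet-filter decision Kevin describes above, as an added example that is not part of the original thread: it reads the QR and RD bits from the DNS header and drops only recursive queries from sources outside an allow-list. The allow-list reuses the 192.0.2.1 address from the thread's acl; the function names and the sample messages are constructed for illustration.

```python
import ipaddress
import struct

# Assumption: mirrors the thread's "authorized-clients" acl (192.0.2.1).
AUTHORIZED_CLIENTS = [ipaddress.ip_network("192.0.2.1/32")]

QR_BIT = 0x8000  # set in responses, clear in queries
RD_BIT = 0x0100  # Recursion Desired


def build_message(name, rd, response=False, msg_id=0x1234):
    """Build a minimal DNS message (header + one A/IN question) as test input."""
    flags = (RD_BIT if rd else 0) | (QR_BIT if response else 0)
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN


def header_flags(payload):
    """Return the 16-bit flags word of a DNS message, or None if truncated."""
    if len(payload) < 12:  # the fixed DNS header is 12 bytes
        return None
    return struct.unpack("!H", payload[2:4])[0]


def is_authorized(src_ip):
    """True if the source address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in AUTHORIZED_CLIENTS)


def verdict(src_ip, payload):
    """Return 'drop' only for recursive queries from unauthorized sources."""
    flags = header_flags(payload)
    if flags is None:
        return "accept"  # no flags to inspect; outside this rule's scope
    is_query = not (flags & QR_BIT)
    wants_recursion = bool(flags & RD_BIT)
    if is_query and wants_recursion and not is_authorized(src_ip):
        return "drop"  # silently discarded, so no REFUSED is ever sent
    return "accept"


# Constructed sample traffic: (source address, DNS message)
SAMPLES = [
    ("192.0.2.1", build_message("www.example.com", rd=True)),
    ("198.51.100.7", build_message("www.example.com", rd=True)),
    ("198.51.100.7", build_message("www.example.com", rd=False)),
]

if __name__ == "__main__":
    for src, msg in SAMPLES:
        rd = "RD" if header_flags(msg) & RD_BIT else "no-RD"
        print(src, rd, verdict(src, msg))
```

Non-recursive queries from any source still reach the server, so authoritative data stays reachable for resolvers that do not set RD.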








Re: parent dns answers the ARR of child dns

2009-12-03 Thread Chris Buxton
On Dec 3, 2009, at 3:38 AM, Tech W. wrote:
> # dig smartip.gduf.edu.cn ns +short
> dtone1.gduf.edu.cn.
> 
> # dig www.smartip.gduf.edu.cn  +short
> 121.8.235.88
> 
> # dig www.smartip.gduf.edu.cn +trace 

[...]

> www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.4
> www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.10
> www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.3
> ;; Received 89 bytes from 218.192.12.6#53(DNS.gduf.edu.cn) in 106 ms

DNS.gduf.edu.cn is open to recursive queries from anyone. Is it possible you 
were seeing a cached answer?

A DNS server that is authoritative for a zone that has subzones that are 
delegated to other DNS servers should not be performing recursion. Not for 
anyone. It leads to confusing results.

$ dig www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22315
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn.   IN  A

;; AUTHORITY SECTION:
smartip.gduf.edu.cn.    3600    IN  NS  dtone1.gduf.edu.cn.

;; ADDITIONAL SECTION:
dtone1.gduf.edu.cn. 3600    IN  A   218.192.12.233

;; Query time: 398 msec
;; SERVER: 218.192.12.6#53(218.192.12.6)
;; WHEN: Thu Dec  3 08:43:50 2009
;; MSG SIZE  rcvd: 97

$ dig www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47739
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn.   IN  A

;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30 IN  A   121.8.235.88

;; AUTHORITY SECTION:
smartip.gduf.edu.cn.    3600    IN  NS  dtone1.gduf.edu.cn.

;; Query time: 396 msec
;; SERVER: 218.192.12.233#53(218.192.12.233)
;; WHEN: Thu Dec  3 08:44:17 2009
;; MSG SIZE  rcvd: 78

Chris Buxton
Professional Services
Men & Mice



Re: Disable Refused answer

2009-12-03 Thread Chris Buxton
On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:

> Hello!
> 
> I can't find in docs how disable answer (Refused), if recursion for IP is not 
> allowed?

Something like this should work:
_

options {
    directory "/var/named";
};

acl authorized-clients {
    192.0.2.1;
};

view caching-server {
    match-recursive-only yes;
    blackhole { ! authorized-clients; any; };
    // any other resolution configuration goes here
};

view auth-server {
    // zones go here
};
_

Note that there is no need to use the allow-query-cache, allow-query, 
allow-recursion, or recursion statements in either view. All recursive queries 
will be caught by the first view, which will drop queries by unauthorized 
clients - no refusal will be sent.

If an authorized client sends a recursive query to the server for local 
authoritative data, as long as the NS records are configured correctly 
(possibly along with stub zone statements in the caching-server view), the 
server will query itself (iteratively, so hitting the auth-server view) and 
find the data.

The only way in which this differs from what you want is, if someone sends a 
recursive query for your authoritative zone data from an unauthorized IP, the 
query will be dropped. But this will probably only happen in testing with dig 
or nslookup, and it can be worked around (by the user) by turning off the RD 
flag in the request.

Chris Buxton
Professional Services
Men & Mice



Re: parent dns answers the ARR of child dns

2009-12-03 Thread Kevin Darcy
Not only that, but DNS.gduf.edu.cn is performing recursion, while not 
setting RA in, and not copying RD into, the header of the response.


% dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn

; <<>> DiG 9.3.0 <<>> www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 593
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn. IN A

;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.3
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.4
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.10

I suspect this is YABDLBD (Yet Another Brain-Damaged Load-Balancer 
Device). Or a defective DNS proxy.


While the cache is populated with these records, even *non-recursive* 
queries will be given this answer directly, instead of a referral. Once 
the records time out, referrals are given again.


But, why do you (the original poster) care? If the caching of these 
records by this server is a problem, surely it's a more *general* 
problem of the records being cached by resolvers everywhere. Either set 
the TTLs accordingly, or abandon whatever plans you have to make the 
responses completely "dynamic", or ordered in any particular way...


DNS isn't, and never was intended to be, a comprehensive load-balancing 
or failover mechanism. Maybe it can become that, if SRV records were 
used as a matter of course, but we haven't achieved that yet. Not by a 
long shot.


Since the addresses all appear to be in the same subnet, you might want 
to look into front-ending them with some sort of dedicated "local" 
load-balancer, either implemented in hardware or software.


- Kevin
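
The header checks made by hand in the two replies above (Chris Buxton's +norec query and Kevin Darcy's default query), as an added example that is not part of the original thread: it reads the flags and section counts from dig output and reports what a parent server returned for a name in a delegated zone. The two header samples are copied from the dig output in this thread; the function names and finding labels are made up here, and the check assumes the parent does not itself host the child zone.

```python
import re

HEADER_RE = re.compile(
    r"flags:\s*([a-z ]*);\s*QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),"
    r"\s*AUTHORITY:\s*(\d+),\s*ADDITIONAL:\s*(\d+)"
)

# Header lines as they appear in this thread, both from DNS.gduf.edu.cn.
CHRIS_NOREC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22315
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
KEVIN_DEFAULT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 593
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
"""


def parse_header(dig_text):
    """Return (set of flag names, dict of section counts) from dig output."""
    m = HEADER_RE.search(dig_text)
    if m is None:
        raise ValueError("no dig 'flags:' header line found")
    flags = set(m.group(1).split())
    names = ("query", "answer", "authority", "additional")
    counts = dict(zip(names, (int(n) for n in m.groups()[1:])))
    return flags, counts


def audit_parent_response(dig_text, rd_sent):
    """Audit a parent server's reply for a name inside a delegated child zone.

    rd_sent: whether the query had RD set (dig default: yes; +norec: no).
    Returns (kind, findings); findings is a list of hypothetical labels.
    """
    flags, counts = parse_header(dig_text)
    findings = []
    if counts["answer"] == 0 and counts["authority"] > 0 and "aa" not in flags:
        kind = "referral"  # what a non-recursing parent should return
    elif counts["answer"] > 0:
        kind = "answer"
        findings.append("answer-instead-of-referral")
        if "aa" in flags:
            findings.append("aa-on-delegated-name")
    else:
        kind = "other"
    if "ra" in flags:
        findings.append("recursion-available")
    if rd_sent and "rd" not in flags:
        findings.append("rd-not-copied")
    return kind, findings


if __name__ == "__main__":
    print(audit_parent_response(CHRIS_NOREC, rd_sent=False))
    print(audit_parent_response(KEVIN_DEFAULT, rd_sent=True))
```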





Re: Disable Refused answer

2009-12-03 Thread Kevin Darcy

Chris Buxton wrote:
> On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
>> Hello!
>>
>> I can't find in docs how disable answer (Refused), if recursion for IP is not
>> allowed?
>
> Something like this should work:
> _
>
> options {
>     directory "/var/named";
> };
>
> acl authorized-clients {
>     192.0.2.1;
> };
>
> view caching-server {
>     match-recursive-only yes;
>     blackhole { ! authorized-clients; any; };
>     // any other resolution configuration goes here
> };
>
> view auth-server {
>     // zones go here
> };
  
"This should work" <--- one of the scariest phrases in the computing 
field :-)


Unfortunately, "blackhole" can only appear in the (global) "options" clause:

% cat /tmp/buxton.example
options {
directory "/tmp";
};

acl authorized-clients {
192.0.2.1;
};

view caching-server {
match-recursive-only yes;
// any other resolution configuration goes here
blackhole { ! authorized-clients; any; };
};

% ./named-checkconf /tmp/buxton.example
/tmp/buxton.example:12: unknown option 'blackhole'
% ed /tmp/buxton.example
218
12m2
1,$p
options {
directory "/tmp";
blackhole { ! authorized-clients; any; };
};

acl authorized-clients {
192.0.2.1;
};

view caching-server {
match-recursive-only yes;
// any other resolution configuration goes here
};
w
218
q
% ./named-checkconf /tmp/buxton.example
%

- Kevin



Re: Disable Refused answer

2009-12-03 Thread Chris Buxton
On Dec 3, 2009, at 10:16 AM, Kevin Darcy wrote:
> Chris Buxton wrote:
>> On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
>>> Hello!
>>> 
>>> I can't find in docs how disable answer (Refused), if recursion for IP is 
>>> not allowed?
>> 
>> 
>> Something like this should work:
>> _
>> 
>> view caching-server {
>>  match-recursive-only yes;
>>  blackhole { ! authorized-clients; any; };
>>  // any other resolution configuration goes here
>> };
>> 
> 
> "This should work" <--- one of the scariest phrases in the computing field :-)

True, true. It means, of course, "The docs suggest this will work, but I 
haven't actually tested it."

> Unfortunately, "blackhole" can only appear the (global) "options" clause:

I'm happy to be corrected. You'd never know this from reading the BIND ARM.

From the description of the view statement:

Many of the options given in the options statement can also be used
within a view statement, and then apply only when resolving queries
with that view.

There is no definitive list of the options that can or can not be used in a 
view. Likewise, the description of the blackhole statement makes no mention of 
the fact that it's not valid inside a view.

So, to the original poster, we're back to "it can't be done with BIND 
configuration." Of course, you could hack the BIND source code...

Chris Buxton
Professional Services
Men & Mice



Re: Disable Refused answer

2009-12-03 Thread Mark Andrews

In message , Chris Buxton 
writes:
> On Dec 3, 2009, at 10:16 AM, Kevin Darcy wrote:
> > Chris Buxton wrote:
> >> On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
> >>> Hello!
> >>> 
> >>> I can't find in docs how disable answer (Refused), if recursion for IP is
> >>> not allowed?
> >> 
> >> 
> >> Something like this should work:
> >> _
> >> 
> >> view caching-server {
> >>     match-recursive-only yes;
> >>     blackhole { ! authorized-clients; any; };
> >>     // any other resolution configuration goes here
> >> };
> >> 
> > 
> > "This should work" <--- one of the scariest phrases in the computing field
> > :-)
> 
> True, true. It means, of course, "The docs suggest this will work, but I
> haven't actually tested it."
> 
> > Unfortunately, "blackhole" can only appear the (global) "options" clause:
> 
> I'm happy to be corrected. You'd never know this from reading the BIND ARM.
> 
> From the description of the view statement:
> 
>   Many of the options given in the options statement can also be used
>   within a view statement, and then apply only when resolving queries
>   with that view.
> 
> There is no definitive list of the options that can or can not be used in a
> view. Likewise, the description of the blackhole statement makes no mention of
> the fact that it's not valid inside a view.

doc/misc/options gives a definitive list.  It is built from the parser.

> So, to the original poster, we're back to "it can't be done with BIND
> configuration." Of course, you could hack the BIND source code...
> 
> Chris Buxton
> Professional Services
> Men & Mice
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Disable Refused answer

2009-12-03 Thread Bill Larson
Chris Buxton  said:

> There is no definitive list of the options that can or can not be used in
> a view. Likewise, the description of the blackhole statement makes no
> mention of the fact that it's not valid inside a view.

There is the "doc/misc/options" file in the BIND sources that lists the many 
possible items that can be inside a "view", along with 
the "options", "server", "zone", etc.

There is the "doc/misc/options" file in the BIND sources that lists the many 
possible configuration items available and which section of the configuration 
each can be used in.  The "view" section can include many different items, 
but "blackhole" isn't one of them.

This also identifies "blackhole" as only being part of the "options" 
clause.  Also, the ARM mentions "blackhole" as part of the "options" section 
and not in the "view" section.

> So, to the original poster, we're back to "it can't be done with BIND
> configuration." Of course, you could hack the BIND source code...

Yes, we are back to that.  Another "can't get there from here".

Then again, I've never been sure what the original requester was asking 
for.  If he didn't want to give an answer out to someone on a particular 
network, then the "blackhole" option would seem to be a perfect solution in 
the first place.

Thanks for your help on this list,

Bill Larson


Re: parent dns answers the ARR of child dns

2009-12-03 Thread Tech W.


--- On Fri, 4/12/09, Kevin Darcy  wrote:

> From: Kevin Darcy 
> Subject: Re: parent dns answers the ARR of child dns
> To: bind-users@lists.isc.org
> Received: Friday, 4 December, 2009, 1:56 AM
> Not only that, but DNS.gduf.edu.cn is
> performing recursion, while not 
> setting RA in, and not copying RD into, the header of the
> response.
> 
> % dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
> 
> ; <<>> DiG 9.3.0 <<>>
> www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
> id: 593
> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1,
> ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.smartip.gduf.edu.cn. IN A
> 
> ;; ANSWER SECTION:
> www.smartip.gduf.edu.cn. 30 IN A 218.192.12.3
> www.smartip.gduf.edu.cn. 30 IN A 218.192.12.4
> www.smartip.gduf.edu.cn. 30 IN A 218.192.12.10
> 
> I suspect this is YABDLBD (Yet Another Brain-Damaged
> Load-Balancer 
> Device). Or a defective DNS proxy.

Thanks for your answers.
But DNS.gduf.edu.cn is a Windows DNS Server running on MS Advanced Server,
not a proxy or load-balancer.

> 
> While the cache is populated with these records, even
> *non-recursive* 
> queries will be given this answer directly, instead of a
> referral. Once 
> the records time out, referrals are given again.
> 

Yes, I am also confused by this behavior.
So do you have any suggestions for how to resolve it?
I want any query to the subzone to be answered by the subzone's NS server, not 
by the parent one.


Thanks again.
Regards.



  