Problems with nic.it

2011-09-20 Thread Lucio Crusca
Hello *,

I'm new here though I've been using bind for about 10 years. I've just 
transferred a domain under the .it TLD for the first time.

Here in Italy we have nic.it that regulates the .it domain names registrations 
and transfers.

The domain transfer went ok, and now I have access to the control panel of the 
domain where I can set the NS records. I'd like to set those NS records to a 
Linux box running bind9 (9.7.0.dfsg.P1-1ubuntu0.3).

However nic.it is refusing to change the NS records, because the new receiving 
nameservers are failing some automatic checks nic.it performs before changing 
the NS records. My hosting provider (the one where I transferred the domain) 
should tell me exactly what checks are failing, but, being the first time I 
have such problems, I don't know how long they will take to give me those 
informations. I've waited for 4 days until now. Hence I wonder if there 
existed any public DNS checker that could check a DNS which is not the NS 
pointed server yet, so that I could check the new DNS myself before submitting 
a new NS record change and going through the hassle of waiting nic.it 
automated checks, eventual failure and assistance from my hosting provider.

Is there such a thing?

TIA
Lucio.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Problems with nic.it

2011-09-20 Thread Matthew Seaman
On 20/09/2011 08:20, Lucio Crusca wrote:
> Hence I wonder if there existed any public DNS checker that could
> check a DNS which is not the NS pointed server yet,

http://dnscheck.iis.se/ has an 'undelegated domain test'

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW




Re: Problems with nic.it

2011-09-20 Thread Stephane Bortzmeyer
On Tue, Sep 20, 2011 at 09:20:12AM +0200,
 Lucio Crusca  wrote 
 a message of 33 lines which said:

> the new receiving nameservers are failing some automatic checks
> nic.it performs before changing the NS records. My hosting provider
> (the one where I transferred the domain) should tell me exactly what
> checks are failing, but, being the first time I have such problems,
> I don't know how long they will take to give me those informations.

That's incredibly poor service. You obviously cannot debug anything
without such information.

> Hence I wonder if there existed any public DNS checker that could
> check a DNS which is not the NS pointed server yet,

All the serious ones have such a
possibility. 


Re: Problems with nic.it

2011-09-20 Thread Niall O'Reilly
[Not really a BIND matter, but ...]

On 20 Sep 2011, at 08:20, Lucio Crusca wrote:

>  Hence I wonder if there 
> existed any public DNS checker that could check a DNS which is not the NS 
> pointed server yet, so that I could check the new DNS myself before 
> submitting 
> a new NS record change and going through the hassle of waiting nic.it 
> automated checks, eventual failure and assistance from my hosting provider.
> 
> Is there such a thing?

I think the checking tool at
http://dnscheck.iis.se/?test=undelegated
may be what you need.

You may find it useful to read the explanation at
http://dnscheck.iis.se/?faq=1&test=undelegated#f16
before running a test.

Another good checking tool may be found at www.zonecheck.fr,
but it's less obvious (to me) how to use it for your immediate
purpose.


I hope this helps.

Best regards,
Niall O'Reilly



Re: Problems with nic.it

2011-09-20 Thread Stephane Bortzmeyer
On Tue, Sep 20, 2011 at 08:58:34AM +0100,
 Niall O'Reilly  wrote 
 a message of 36 lines which said:

>   Another good checking tool may be found at www.zonecheck.fr,
>   but it's less obvious (to me) how to use it for your immediate
>   purpose.

1) Go to 
2) Type the zone name in "Zone" and the name servers' names in
"Primary" and "Secondary" (yes, poor terminology)
3) If and only if the name servers are in the zone, type also their IP
addresses
4) Click "Check!"


DNS-cache with custom gTLDs

2011-09-20 Thread Drunkard Zhang
I got 4 DNSs doing recursive resolution, which are split into 2 groups,
and a couple of dns caches. Each group of recursion DNS uses its
own net link, which is different.

Here's the problem: I want a dns-cache to use one group of recursion DNS
as its forwarders, and use another group as backup. (I have to,
because the 2 groups of recursion DNS get different results, and sometimes
one of them can't resolve, while the other can.) The only solution I can
find is "forward first" to one group, and use all 2 groups as
gTLDs, is this __safe__?

Is there any other solution I can hack?


Another problem: there's a lot of resolution on dns-cache querying
a.root-servers.net, is it safe that I hijack a.root-servers.net to my
own DNS? If it's safe, I can cut down queries to a.root-servers.net by
millions of times per hour.

Looking forward to your kind responses :-)


Re: SERVFAIL

2011-09-20 Thread kshitij mali
I have again started servfail error for the some domain

Regards,
kshitij

On Mon, Sep 19, 2011 at 5:34 PM, kshitij mali  wrote:

> What I did now is I have updated the named.root file from the internic website
> and restarted the named service, and the domain completefreight.net.au
> started resolving immediately. I will monitor the resolve failure error and
> update the status to you all
>
>
> Regards,
> Kshitij
>
>
> On Fri, Sep 16, 2011 at 12:53 AM, Stuart Gall  wrote:
>
>> Due to the fact that IPV4 addresses have run out, many addresses that were
>> reserved have been un-reserved and used on the internet.
>> Is it possible that you have a bogon filter file that is blocking this IP
>> ?
>>
>>
>> On 15 Sep, 2011, at 2:14 PM, kshitij mali wrote:
>>
>> Hello ALL,
>>
>>
>> I repeatedly see a domain lookup issue for a certain domain giving the error
>> SERVFAIL. My server is configured as a simple caching nameserver for
>> email delivery
>>
>> please find the error example below
>> =
>>
>> dig completefreight.net.au
>>
>> ; <<>> DiG 9.2.4 <<>> completefreight.net.au
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59604
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;completefreight.net.au.        IN      A
>>
>> ;; Query time: 7 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Wed Sep 14 09:49:31 2011
>> ;; MSG SIZE  rcvd: 40
>> ==
>>
>> Regards
>> Kshitij
>>
>>  --
>> Stuart Gall
>> --
>> All of your mail are belong to us

Delegation check failed

2011-09-20 Thread Lightner, Jeff
Can someone give me a better explanation of why this is saying my delegation 
failed than the FAQ does?

In a separate thread I saw this recommendation to another user:

I think the checking tool at
  http://dnscheck.iis.se/?test=undelegated
  may be what you need.

  You may find it useful to read the explanation at
  http://dnscheck.iis.se/?faq=1&test=undelegated#f16
  before running a test.

  Another good checking tool may be found at www.zonecheck.fr,
  but it's less obvious (to me) how to use it for your immediate
  purpose.

On going there and testing water.com domain I see:
Delegation

· Nameserver dswadns1.water.com is listed for zone water.com without 
address information.

· Nameserver dswadns2.water.com is listed for zone water.com without 
address information.
However, it clearly found the IPs of these name servers. The IPs were 
entered at the registrar some years ago and lookups of our domains work fine. 
Additionally whois shows the correct IPs for the above name servers being 
returned by the Registrar. My zone file has A records with the correct IPs as 
shown below:

                IN NS   dswadns1.water.com.
                IN NS   dswadns2.water.com.
dswadns1        IN A    12.44.84.213
dswadns2        IN A    12.44.84.214

So I’m curious what exactly the above delegation messages are trying to tell 
me.   The description in the FAQ doesn’t really seem illuminating to me.






__
Jeffrey C. Lightner
Sr. UNIX Administrator

DS Waters of America, Inc.
5660 New Northside Drive NW
Suite 250
Atlanta, GA  30328

P: 678-486-3516
C: 678-772-0018
F: 770-937-7360
E: jlight...@water.com








Re: Problems with nic.it

2011-09-20 Thread Lyle Giese

On 09/20/11 02:20, Lucio Crusca wrote:

> Hello *,
>
> I'm new here though I've been using bind for about 10 years. I've just
> transferred a domain under the .it TLD for the first time.
>
> Here in Italy we have nic.it that regulates the .it domain names registrations
> and transfers.
>
> The domain transfer went ok, and now I have access to the control panel of the
> domain where I can set the NS records. I'd like to set those NS records to a
> Linux box running bind9 (9.7.0.dfsg.P1-1ubuntu0.3).
>
> However nic.it is refusing to change the NS records, because the new receiving
> nameservers are failing some automatic checks nic.it performs before changing
> the NS records. My hosting provider (the one where I transferred the domain)
> should tell me exactly what checks are failing, but, being the first time I
> have such problems, I don't know how long they will take to give me those
> informations. I've waited for 4 days until now. Hence I wonder if there
> existed any public DNS checker that could check a DNS which is not the NS
> pointed server yet, so that I could check the new DNS myself before submitting
> a new NS record change and going through the hassle of waiting nic.it
> automated checks, eventual failure and assistance from my hosting provider.
>
> Is there such a thing?
>
> TIA
> Lucio.


Just a quick question, have you registered your name servers with your 
domain registrar?


nic.it may be looking for the necessary glue records.

Lyle Giese
LCR Computer Services, Inc.



Re: Delegation check failed

2011-09-20 Thread Lucio Crusca
On Tuesday 20 September 2011 15:25:03, Lightner, Jeff wrote:
> Can someone give me a better explanation of why this is saying my
> delegation failed than the FAQ does?
> 
> In a separate thread I saw this recommendation to another user:

I'm the other user :)

> On going there and testing water.com domain I see:
> Delegation
> 
> · Nameserver dswadns1..com is listed for zone xxx.com
> without address information.
> 
> · Nameserver dswadns2..com is listed for zone .com
> without address information. However, it clearly found the IPs of these
> name servers.The IPs were entered at the registrar some years ago
> lookups of our domains work fine.   Additionally whois shows the correct
> IPs for the above name servers being returned by the Registrar.   My zone
> file has A records with the correct IPs as shown below.:
> 

I'm facing exactly the same problem, and privately mailed Matthew Seaman about 
it, because he was the one to give advice about http://dnscheck.iis.se/ and I 
didn't want my domain to be publicly listed in the ML archives.

I now suspect it's something related to missing IPv6 () records, but I'm 
not sure.


Re: Problems with nic.it

2011-09-20 Thread Torsten Segner
On Tue, 20 Sep 2011 09:20:12 +0200
Lucio Crusca wrote:

> Hello *,
> 
> I'm new here though I've been using bind for about 10 years. I've just 
> transferred a domain under the .it TLD for the first time.
> 
> Here in Italy we have nic.it that regulates the .it domain names 
> registrations 
> and transfers.
> 
> The domain transfer went ok, and now I have access to the control panel of 
> the 
> domain where I can set the NS records. I'd like to set those NS records to a 
> Linux box running bind9 (9.7.0.dfsg.P1-1ubuntu0.3).
> 
> However nic.it is refusing to change the NS records, because the new 
> receiving 
> nameservers are failing some automatic checks nic.it performs before changing 
> the NS records. My hosting provider (the one where I transferred the domain) 
> should tell me exactly what checks are failing, but, being the first time I 
> have such problems, I don't know how long they will take to give me those 
> informations. I've waited for 4 days until now. Hence I wonder if there 
> existed any public DNS checker that could check a DNS which is not the NS 
> pointed server yet, so that I could check the new DNS myself before 
> submitting 
> a new NS record change and going through the hassle of waiting nic.it 
> automated checks, eventual failure and assistance from my hosting provider.
> 


Hi Lucio,

Registry dns checks can be somewhat tricky at times.
These are the tests performed by Registro.it


3.1.2.6 Checking the functionality of the nameserver
The verification phase of the configuration of the nameservers associated
with the domain name takes place after the registration of the domain name
itself in the Registry Database. The procedure for the control of
nameservers analyzes the hosts associated with domain names registered in
the Registry Database that are in inactive/dnsHold and executes the
appropriate query (i.e. queries to the nameserver) to verify that it is
actually operative. In particular:

- there must be at least 2 (two) authoritative nameservers for the domain
  name, and they must correspond exactly to those found in the registration
  of the domain name;

- the IP addresses of hosts in the registration of the domain name must
  correspond to those actually associated with them in the DNS;

- the domain name cannot be associated with a CNAME record;

- the name of the nameserver specified in the SOA record for the domain
  name cannot be a CNAME;

- the names of the authoritative nameservers for the domain name cannot be
  CNAMEs;

- if there is an MX registration it cannot be associated with a CNAME;

- if, during the checking procedure, at least one nameserver returns the
  following responses:
    o Not responding
    o Not reachable
    o Not running
    o Non-existent domain
    o Host not found
    o Server failure
    o Query failed
  the procedure returns an error;

- all hosts in the registration must be authoritative for the domain name
  registered.



Hopefully this will help.


Ciao
Torsten
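
The Registro.it rules quoted above can be rehearsed against each nameserver before the registry does it. The following is an added example, not part of the original post and not nic.it's checker: `check_delegation`, `make_backend` and the example.it zone data are constructed for illustration, and `make_backend` stands in for live queries sent to each server's IP.

```python
from dataclasses import dataclass, field


@dataclass
class Answer:
    rcode: str = "NOERROR"   # NOERROR, NXDOMAIN, SERVFAIL or TIMEOUT
    aa: bool = False         # authoritative-answer flag
    records: list = field(default_factory=list)   # [(rtype, rdata), ...]


def make_backend(servers):
    """Constructed stand-in for live queries to each nameserver IP.
    servers maps IP -> {"aa": bool, "rrs": {(name, rtype): [rdata, ...]}}."""
    def query(ip, qname, qtype):
        srv = servers.get(ip)
        if srv is None:
            return Answer(rcode="TIMEOUT")             # not responding
        rrs, aa = srv["rrs"], srv["aa"]
        if (qname, "CNAME") in rrs:                    # an alias answers with its CNAME
            return Answer(aa=aa, records=[("CNAME", r) for r in rrs[(qname, "CNAME")]])
        if not any(name == qname for name, _ in rrs):
            return Answer(rcode="NXDOMAIN", aa=aa)
        return Answer(aa=aa, records=[(qtype, r) for r in rrs.get((qname, qtype), [])])
    return query


def is_alias(query, ip, name):
    return any(t == "CNAME" for t, _ in query(ip, name, "A").records)


def check_delegation(domain, registered, query):
    """Apply the quoted rules; registered maps nameserver name -> registered IP.
    Returns a list of failure strings, empty when every rule passes."""
    errors = []
    if len(registered) < 2:
        errors.append("fewer than 2 nameservers registered")
    for ns, ip in sorted(registered.items()):
        soa = query(ip, domain, "SOA")
        if soa.rcode != "NOERROR":                     # any error response fails
            errors.append(f"{ns}: {soa.rcode} for {domain}")
            continue
        if not soa.aa:
            errors.append(f"{ns}: not authoritative for {domain}")
        if any(t == "CNAME" for t, _ in soa.records):
            errors.append(f"{ns}: {domain} is a CNAME")
            continue
        for t, rdata in soa.records:
            mname = rdata.split()[0]
            if t == "SOA" and is_alias(query, ip, mname):
                errors.append(f"{ns}: SOA MNAME {mname} is a CNAME")
        served = {r for t, r in query(ip, domain, "NS").records if t == "NS"}
        if served != set(registered):
            errors.append(f"{ns}: NS set {sorted(served)} differs from registration")
        for host, want in sorted(registered.items()):
            if is_alias(query, ip, host):
                errors.append(f"{ns}: nameserver name {host} is a CNAME")
            elif host.endswith("." + domain):          # in-zone host: compare its A record
                got = {r for t, r in query(ip, host, "A").records if t == "A"}
                if got != {want}:
                    errors.append(f"{ns}: {host} has {sorted(got)}, registered {want}")
        for t, rdata in query(ip, domain, "MX").records:
            target = rdata.split()[-1]
            if t == "MX" and is_alias(query, ip, target):
                errors.append(f"{ns}: MX target {target} is a CNAME")
    return errors


# Constructed sample data: example.it with documentation-range addresses.
DOMAIN = "example.it."
REGISTERED = {"ns1.example.it.": "192.0.2.1", "ns2.example.it.": "198.51.100.2"}
GOOD = {
    (DOMAIN, "SOA"): ["ns1.example.it. hostmaster.example.it. 2011092001 3600 900 604800 3600"],
    (DOMAIN, "NS"): ["ns1.example.it.", "ns2.example.it."],
    (DOMAIN, "MX"): ["10 mail.example.it."],
    ("ns1.example.it.", "A"): ["192.0.2.1"],
    ("ns2.example.it.", "A"): ["198.51.100.2"],
    ("mail.example.it.", "A"): ["192.0.2.25"],
}
# A second server that has drifted: lame, short NS set, MX pointing at an alias.
BAD = dict(GOOD)
BAD[(DOMAIN, "NS")] = ["ns1.example.it."]
BAD[(DOMAIN, "MX")] = ["10 mx.example.it."]
BAD[("mx.example.it.", "CNAME")] = ["mail.example.it."]


def run_samples():
    good = {"aa": True, "rrs": GOOD}
    ok = check_delegation(DOMAIN, REGISTERED, make_backend(
        {"192.0.2.1": good, "198.51.100.2": good}))
    broken = check_delegation(DOMAIN, REGISTERED, make_backend(
        {"192.0.2.1": good, "198.51.100.2": {"aa": False, "rrs": BAD}}))
    return ok, broken


if __name__ == "__main__":
    for label, result in zip(("consistent", "drifted"), run_samples()):
        print(label, result or "all checks passed")
```

Because every query goes to the registered IP directly, the check works the same whether or not the zone is delegated yet.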


Re: Delegation check failed

2011-09-20 Thread Matthew Seaman
On 20/09/2011 14:25, Lightner, Jeff wrote:
> On going there and testing water.com domain I see:
> Delegation
> 
> · Nameserver dswadns1.water.com is listed for zone water.com without 
> address information.
> 
> · Nameserver dswadns2.water.com is listed for zone water.com without 
> address information.
> However, it clearly found the IPs of these name servers.The IPs were 
> entered at the registrar some years ago lookups of our domains work fine.   
> Additionally whois shows the correct IPs for the above name servers being 
> returned by the Registrar.   My zone file has A records with the correct IPs 
> as shown below.:
> 
>                 IN NS   dswadns1.water.com.
>                 IN NS   dswadns2.water.com.
> dswadns1        IN A    12.44.84.213
> dswadns2        IN A    12.44.84.214
> 
> So I’m curious what exactly the above delegation messages are trying to tell 
> me.   The description in the FAQ doesn’t really seem illuminating to me.
> 

This is the www.zonecheck.fr checking tool?  Like it says quite clearly
in the instructions, where the nameservers are part of the domain being
checked then you need to give IP numbers too.  If you do that, then the
water.com domain passes the test albeit with a few warnings about
everything being on the same network segment / same AS number.

Yes, if you're checking a live domain correctly registered and with the
right glue records in place, then zonecheck can find your nameservers
without external prompting.  If you're trying to check an unregistered
domain, then zonecheck will definitely need those IP numbers.  That's
really all those messages are trying to tell you.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW




RE: Delegation check failed

2011-09-20 Thread Lightner, Jeff
I didn't specify the IPs but it found them - that is to say when I input my 
first DNS server it automatically populated the IP address field.  This was on 
the iis.se site as I noted in my original post.

My read of "glue records" is that they are A records within a zone file for DNS 
servers that are part of the same domain as the zone being described.

Based on that my glue records in water.com zone file for domain water.com in 
zone file water.com do exist as shown in my original post:
dswadns1        IN A    12.44.84.213
dswadns2        IN A    12.44.84.214

Also it seems Glue records are only necessary for subdomains and I'm not using 
a subdomain here - I'm not trying to delegate to any subdomain.

So both my Registrar and I have things associating dswadns1.water.com with IP 
12.44.84.213 and dswadns2.water.com with 12.44.84.214.   I'm still mystified as 
to what the delegation message is trying to tell me.





-Original Message-
From: Matthew Seaman [mailto:m.sea...@infracaninophile.co.uk]
Sent: Tuesday, September 20, 2011 11:52 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: Delegation check failed

On 20/09/2011 14:25, Lightner, Jeff wrote:
> On going there and testing water.com domain I see:
> Delegation
>
> * Nameserver dswadns1.water.com is listed for zone water.com without 
> address information.
>
> * Nameserver dswadns2.water.com is listed for zone water.com without 
> address information.
> However, it clearly found the IPs of these name servers.The IPs were 
> entered at the registrar some years ago lookups of our domains work fine.   
> Additionally whois shows the correct IPs for the above name servers being 
> returned by the Registrar.   My zone file has A records with the correct IPs 
> as shown below.:
>
>                 IN NS   dswadns1.water.com.
>                 IN NS   dswadns2.water.com.
> dswadns1        IN A    12.44.84.213
> dswadns2        IN A    12.44.84.214
>
> So I'm curious what exactly the above delegation messages are trying to tell 
> me.   The description in the FAQ doesn't really seem illuminating to me.
>

This is the www.zonecheck.fr checking tool?  Like it says quite clearly
in the instructions, where the nameservers are part of the domain being
checked then you need to give IP numbers too.  If you do that, then the
water.com domain passes the test albeit with a few warnings about
everything being on the same network segment / same AS number.

Yes, if you're checking a live domain correctly registered and with the
right glue records in place, then zonecheck can find your nameservers
without external prompting.  If you're trying to check an unregistered
domain, then zonecheck will definitely need those IP numbers.  That's
really all those messages are trying to tell you.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW






Re: Delegation check failed

2011-09-20 Thread Chris Buxton

On Sep 20, 2011, at 11:37 AM, Lightner, Jeff wrote:

> I didn't specify the IPs but it found them - that is to say when I input my 
> first DNS server it automatically populated the IP address field.  This was 
> on the iis.se site as I noted in my original post.
> 
> My read of "glue records" is that they are A records within a zone file for 
> DNS servers that are part of the same domain as the zone being described.

No. Glue exists in the parent zone, 'com' in your case.

Your glue records are correct. Not sure why it would be throwing an error.

$ dig water.com ns @g.gtld-servers.net

; <<>> DiG 9.8.0-P4 <<>> water.com ns @g.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29994
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;water.com. IN  NS

;; AUTHORITY SECTION:
water.com.  172800  IN  NS  dswadns1.water.com.
water.com.  172800  IN  NS  dswadns2.water.com.

;; ADDITIONAL SECTION:
dswadns1.water.com. 172800  IN  A   12.44.84.213
dswadns2.water.com. 172800  IN  A   12.44.84.214

;; Query time: 22 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Tue Sep 20 13:21:28 2011
;; MSG SIZE  rcvd: 105

Regards,
Chris Buxton
BlueCat Networks
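
The parent-side check done by hand in the message above, as an added example that is not part of the original post: it parses the referral sections of that dig output, confirms that every in-zone nameserver has glue in the ADDITIONAL section, and compares the glue with the address records from the water.com zone file quoted in the thread. The function names are hypothetical, and the "no glue" and "stale glue" variants are constructed from the same output.

```python
# Referral sections copied from the dig output in the message above.
REFERRAL = """\
;; QUESTION SECTION:
;water.com. IN  NS

;; AUTHORITY SECTION:
water.com.  172800  IN  NS  dswadns1.water.com.
water.com.  172800  IN  NS  dswadns2.water.com.

;; ADDITIONAL SECTION:
dswadns1.water.com. 172800  IN  A   12.44.84.213
dswadns2.water.com. 172800  IN  A   12.44.84.214

;; Query time: 22 msec
"""
# Address records from the water.com zone file quoted earlier in the thread.
CHILD = {"dswadns1.water.com.": {"12.44.84.213"},
         "dswadns2.water.com.": {"12.44.84.214"}}


def parse_dig_sections(text):
    """Return {section: [(owner, ttl, rtype, rdata), ...]} from dig's text output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:-len("SECTION:")].strip()
            sections[current] = []
        elif not line:
            current = None                      # a blank line closes the section
        elif current and not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return sections


def check_glue(zone, referral_text, child_addrs):
    """Compare a parent-zone referral with the child zone's own address records."""
    sec = parse_dig_sections(referral_text)
    ns_names = [rd for owner, _, rtype, rd in sec.get("AUTHORITY", [])
                if rtype == "NS" and owner == zone]
    glue = {}
    for owner, _, rtype, rd in sec.get("ADDITIONAL", []):
        if rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rd)
    findings = []
    if not ns_names:
        findings.append(f"no NS records for {zone} in the authority section")
    for ns in ns_names:
        in_zone = ns == zone or ns.endswith("." + zone)
        if in_zone and ns not in glue:
            # Resolvers cannot reach an in-zone nameserver without glue.
            findings.append(f"{ns}: in-zone nameserver listed without glue")
        elif ns in glue and glue[ns] != child_addrs.get(ns, set()):
            findings.append(f"{ns}: glue {sorted(glue[ns])} != zone data "
                            f"{sorted(child_addrs.get(ns, set()))}")
    return findings


def demo():
    as_seen = check_glue("water.com.", REFERRAL, CHILD)
    # Constructed variants: referral with the ADDITIONAL section cut off,
    # and one where the parent's glue no longer matches the zone file.
    no_glue = check_glue("water.com.", REFERRAL.split(";; ADDITIONAL SECTION:")[0], CHILD)
    stale = check_glue("water.com.", REFERRAL.replace("12.44.84.214", "192.0.2.53"), CHILD)
    return as_seen, no_glue, stale


if __name__ == "__main__":
    for name, result in zip(("as seen", "no glue", "stale glue"), demo()):
        print(name, result or "glue consistent")
```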


Re: Delegation check failed

2011-09-20 Thread Kevin Oberman
On Tue, Sep 20, 2011 at 1:23 PM, Chris Buxton  wrote:
>
> On Sep 20, 2011, at 11:37 AM, Lightner, Jeff wrote:
>
>> I didn't specify the IPs but it found them - that is to say when I input my 
>> first DNS server it automatically populated the IP address field.  This was 
>> on the iis.se site as I noted in my original post.
>>
>> My read of "glue records" is that they are A records within a zone file for 
>> DNS servers that are part of the same domain as the zone being described.
>
> No. Glue exists in the parent zone, 'com' in your case.
>
> Your glue records are correct. Not sure why it would be throwing an error.
>
> $ dig water.com ns @g.gtld-servers.net
>
> ; <<>> DiG 9.8.0-P4 <<>> water.com ns @g.gtld-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29994
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;water.com.                     IN      NS
>
> ;; AUTHORITY SECTION:
> water.com.              172800  IN      NS      dswadns1.water.com.
> water.com.              172800  IN      NS      dswadns2.water.com.
>
> ;; ADDITIONAL SECTION:
> dswadns1.water.com.     172800  IN      A       12.44.84.213
> dswadns2.water.com.     172800  IN      A       12.44.84.214
>
> ;; Query time: 22 msec
> ;; SERVER: 192.42.93.30#53(192.42.93.30)
> ;; WHEN: Tue Sep 20 13:21:28 2011
> ;; MSG SIZE  rcvd: 105
>
> Regards,
> Chris Buxton
> BlueCat Networks

I just did some checks and I think dnscheck is broken. I get the same error for
several different domains that I am pretty confident are NOT broken and have
confirmed the glue for all of them is correct.
-- 
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com


Re: Delegation check failed

2011-09-20 Thread Lyle Giese

On 09/20/11 13:37, Lightner, Jeff wrote:

> I didn't specify the IPs but it found them - that is to say when I input my 
> first DNS server it automatically populated the IP address field.  This was on 
> the iis.se site as I noted in my original post.
>
> My read of "glue records" is that they are A records within a zone file for DNS 
> servers that are part of the same domain as the zone being described.
>
> Based on that my glue records in water.com zone file for domain water.com in 
> zone file water.com do exist as shown in my original post:
> dswadns1        IN A    12.44.84.213
> dswadns2        IN A    12.44.84.214
>
> Also it seems Glue records are only necessary for subdomains and I'm not using 
> a subdomain here - I'm not trying to delegate to any subdomain.
>
> So both my Registrar and I have things associating dswadns1.water.com with IP 
> 12.44.84.213 and dswadns2.water.com with 12.44.84.214.   I'm still mystified as 
> to what the delegation message is trying to tell me.


This is NOT the definition of glue records.

See RFC 1033 and http://en.wikipedia.org/wiki/Domain_Name_System for 
more information.


Glue records need to exist in the delegating zone servers.  In this case 
.com needs to know the ip address for the DNS servers for water.com. 
These records that need to exist in .com are called glue records.  .com 
needs to know where dswadns1.water.com and dswadns2.water.com and this 
is done via glue records.


This is what I meant by registering your name servers.  Then the .com 
servers know the ip address of the dns servers for waters.com.


Lyle Giese
LCR Computer Services, Inc.


A few (too) simple questions about DNS records

2011-09-20 Thread Yanek
Hello list,

These questions are a bit too obvious, still my searches and queries
gave me various results. Please bear with me.

1/ What is the bind record format for the zone itself? So far, I thought
it was something like:

mydomain.tld. IN  A   1.2.3.4

Am I wrong?

2/ What is the bind format for a SPF record, eg:

mydomain.tld. IN  SPF "any text policy here, like: v=spf1 a mx ptr -all"
or
mydomain.tld. IN  TXT "any text policy here, like: v=spf1 a mx ptr -all"

or anything else?

3/ What is the bind format for a DKIM record, eg:

_domainkey.mydomain.tld.  IN  TXT "any text policy here, like: o=~;r=u...@mydomain.tld"
selector._domainkey.mydomain.tld.   IN  TXT "v=DKIM1;p=SoMEveRyLongKey;"

or something else?

Thanks in advance :)






Re: Delegation check failed

2011-09-20 Thread Kevin Oberman
On Sep 20, 2011 3:48 PM, "Lyle Giese"  wrote:
>
> On 09/20/11 13:37, Lightner, Jeff wrote:
>>
>> I didn't specify the IPs but it found them - that is to say when I input
>> my first DNS server it automatically populated the IP address field.  This
>> was on the iis.se site as I noted in my original post.
>>
>> My read of "glue records" is that they are A records within a zone file
>> for DNS servers that are part of the same domain as the zone being
>> described.
>>
>> Based on that my glue records in water.com zone file for domain water.com
>> in zone file water.com do exist as shown in my original post:
>> dswadns1        IN A    12.44.84.213
>> dswadns2        IN A    12.44.84.214
>>
>> Also it seems Glue records are only necessary for subdomains and I'm not
>> using a subdomain here - I'm not trying to delegate to any subdomain.
>>
>> So both my Registrar and I have things associating dswadns1.water.com
>> with IP 12.44.84.213 and dswadns2.water.com with 12.44.84.214.   I'm still
>> mystified as to what the delegation message is trying to tell me.
>
>
> This is NOT the definition of glue records.
>
> See RFC 1033 and http://en.wikipedia.org/wiki/Domain_Name_System for more
> information.
>
> Glue records need to exist in the delegating zone servers.  In this case
> .com needs to know the ip address for the DNS servers for water.com. These
> records that need to exist in .com are called glue records.  .com needs to
> know where dswadns1.water.com and dswadns2.water.com and this is done via
> glue records.
>
> This is what I meant by registering your name servers.  Then the .com
> servers know the ip address of the dns servers for waters.com.
>
> Lyle Giese
> LCR Computer Services, Inc.

The problem is that .com has the records. In the real world you provide glue
to your registrar and they provide the glue to the delegating zone.

dig confirms that .com had the glue for water.com.

R. Kevin Oberman, Network Engineer
Retired
kob6...@gmail.com

Re: A few (too) simple questions about DNS records

2011-09-20 Thread Stephane Bortzmeyer
On Wed, Sep 21, 2011 at 02:55:08AM +0200,
 Yanek  wrote 
 a message of 42 lines which said:

> 1/ What is the bind record format for the zone itself?

Strictly speaking, it is not the BIND format but the standard format
(RFC 1035, section 5). However, not all name servers follow it
(standardizing the input file format is regarded as a bad idea, today)
and, anyway, it is underspecified so problems occur even when name
servers try to follow it.

> mydomain.tld. IN  A   1.2.3.4
> 
> Am I wrong?

This line is correct.

> 2/ What is the bind format for a SPF record, eg:

Again, this is standard, not BIND-specific. RFC 4408:

3.1.1.  DNS Resource Record Types

   This document defines a new DNS RR of type SPF, code 99.  The format
   of this type is identical to the TXT RR [RFC1035]. 

> 3/ What is the bind format for a DKIM record, eg:

RFC 4871, section 3.6.2.