Problem resolving CNAME in BIND 9.8.0 and 9.8.0-P2

2011-06-10 Thread Per-Olof Axelsson
When I run the following dig command below I sometimes get different answers, 
generally 20-30 minutes after restarting BIND.
It doesn't matter if I run dig from a remote host or locally on the problematic 
DNS server.
The two servers in question run on entirely different hardware and operating 
systems. One server runs a compiled version of BIND (on Redhat) whilst the 
other runs an installed package version (SLES11 SP1).

The problem can occur on one DNS server whilst the other remains unaffected, 
and vice-versa. Incorrect replies often come in small groups mixed with correct 
replies, generally over a period of a few seconds before returning to the 
correct answer. 

Specifying localhost (127.0.0.1) as the server however results in the problem 
never occurring.

I turned on debug level 5 in BIND and searched the logs for any errors but 
didn't find anything.
I tried tcpdump but that didn't give anything either.

To solve the problem I downgraded BIND to version 9.7.3.

The following are the outputs I'm seeing:

Correct answer.

[root@mayday named]# dig @193.10.166.35 ldap.hb.se

; <<>> DiG 9.8.0-P2 <<>> @193.10.166.35 ldap.hb.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12728
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;ldap.hb.se.            IN      A

;; ANSWER SECTION:
ldap.hb.se.             3600    IN      CNAME   vm-nldap-n1.hb.se.
vm-nldap-n1.hb.se.      3600    IN      A       193.10.166.191

;; AUTHORITY SECTION:
hb.se.                  3600    IN      NS      dns2.hb.se.
hb.se.                  3600    IN      NS      hb-ns.server.hv.se.
hb.se.                  3600    IN      NS      ns2.chalmers.se.
hb.se.                  3600    IN      NS      mayday.hb.se.

;; ADDITIONAL SECTION:
dns2.hb.se.             3600    IN      A       193.10.166.35
mayday.hb.se.           3600    IN      A       193.10.166.34

;; Query time: 2 msec
;; SERVER: 193.10.166.35#53(193.10.166.35)
;; WHEN: Thu Jun  9 12:49:17 2011
;; MSG SIZE  rcvd: 199
---

Wrong answer.
---
[root@mayday named]# dig @193.10.166.35 ldap.hb.se

; <<>> DiG 9.8.0-P2 <<>> @193.10.166.35 ldap.hb.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61784
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ldap.hb.se.            IN      A

;; ANSWER SECTION:
ldap.hb.se.             3600    IN      CNAME   vm-nldap-n1.hb.se.

;; Query time: 1 msec
;; SERVER: 193.10.166.35#53(193.10.166.35)
;; WHEN: Thu Jun  9 12:49:17 2011
;; MSG SIZE  rcvd: 54
---

Why are the ANSWER SECTION, AUTHORITY SECTION and ADDITIONAL SECTION different?

Any ideas??

/Per-Olof Axelsson 


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


DNSSEC Next key event

2012-01-05 Thread Per-Olof Axelsson
Hi, 

I have a question about DNSSEC and "Next key event".

I have created 4 keys (ZSK) in advance. Every key has an active period
of 3 months and is published 3 days before activation time and
inactivated 3 days after.
I have set the following options in named.conf:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
key-directory "/var/named/dyn/keys";
.
.
zone "domain.com" {
  type master;
  file "dyn/zone.domain.com";
  update-policy local;
  auto-dnssec maintain;
};

In an earlier version of BIND (9.8.0-P4) I would see the following
message in /var/log/messages when I reloaded BIND.

Dec 28 14:04:38 mumin named[18046]: zone domain.com/IN: next key event: 25-Feb-2012 13:30:00.000


The date and time for the next key event, in this case, would be the
publication time for the next key. 


Now, in BIND version 9.8.1-P1, the following is reported in the
logfile.
--
Jan  5 07:39:33 mumin named[2320]: zone domain.com/IN: next key event: 05-Jan-2012 08:39:33.840
Jan  5 08:39:33 mumin named[2320]: zone domain.com/IN: next key event: 05-Jan-2012 09:39:33.842
Jan  5 09:39:33 mumin named[2320]: zone domain.com/IN: next key event: 05-Jan-2012 10:39:33.845
--

Next key event is every next hour and NOT when the "real" key change
occurs.
Is this correct? 


Per-Olof Axelsson
IT-Department
University of Borås, Sweden
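
One way to tell apart the two kinds of "next key event" log lines quoted in the message above, as an added example that is not part of the original post and not BIND's own code: it parses the syslog entries (including ones wrapped across two lines), infers the year syslog omits, and labels an event that falls one hour after its log time. The function names, the labels `periodic-recheck` and `scheduled`, and the two-second tolerance are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Log lines taken from the message above; the second entry keeps the
# mail client's line wrap to show that the parser tolerates it.
SAMPLE_LOG = """\
Dec 28 14:04:38 mumin named[18046]: zone domain.com/IN: next key event: 25-Feb-2012 13:30:00.000
Jan  5 07:39:33 mumin named[2320]: zone domain.com/IN: next key event:
05-Jan-2012 08:39:33.840
Jan  5 08:39:33 mumin named[2320]: zone domain.com/IN: next key event: 05-Jan-2012 09:39:33.842
"""

LINE_RE = re.compile(
    r"(?P<logged>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"zone (?P<zone>\S+)/IN: next key event:\s+"
    r"(?P<event>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
)

def infer_logged(stamp, event):
    """Syslog stamps carry no year: pick the latest year that puts the
    log time at or before the event it announces."""
    for year in (event.year, event.year - 1):
        try:
            logged = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
        if logged <= event:
            return logged
    raise ValueError(f"cannot place {stamp!r} before {event}")

def classify(log_text, interval=timedelta(hours=1), slack=timedelta(seconds=2)):
    """Return (zone, logged, event, kind) per 'next key event' entry.
    kind is 'periodic-recheck' when the event lies one interval after the
    log time (the hourly pattern in the 9.8.1-P1 lines), else 'scheduled'."""
    results = []
    for m in LINE_RE.finditer(log_text):
        event = datetime.strptime(m["event"], "%d-%b-%Y %H:%M:%S.%f")
        logged = infer_logged(m["logged"], event)
        hourly = abs((event - logged) - interval) <= slack
        results.append((m["zone"], logged, event,
                        "periodic-recheck" if hourly else "scheduled"))
    return results

if __name__ == "__main__":
    for zone, logged, event, kind in classify(SAMPLE_LOG):
        print(f"{zone}  logged={logged}  next={event}  {kind}")
```
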
