LinuxQuestions.org
Old 08-27-2010, 07:49 PM   #1
Rodnower
Member
Registered: Mar 2010
Posts: 54

Issue with delegating subdomain


Hello, I use bind 9.3.4 on RedHat 5.3, and I am trying to set up a simple DNS-related scenario.

I have two DNS servers. One of them serves the rodnower.org. zone and the other serves the web.rodnower.org. zone.
The parent has a glue record for the child.
I successfully query all rodnower.org. records, but fail to get data from the subdomain.
So here is the relevant data from named.conf of the parent zone:

Code:
view "main" {
        ...
        zone "rodnower.org" IN {
                type master;
                file "rodnower.org.zone";
        };
        ...  
};
Here are the relevant records from the rodnower.org.zone file:

Code:
$TTL    86400
@                    IN      SOA    nameserver.rodnower.org.      root (
                                           2; 10M; 15M; 1W; 1D)
@                    IN      NS     nameserver.rodnower.org.
@                    IN      MX 10  mailserver.rodnower.org.
web.rodnower.org.    IN      NS              ns.web.rodnower.org.
ns.web.rodnower.org. IN      A               192.168.2.150
nameserver           IN      A               192.168.2.200
Here is the bad response for the NS record of the web.rodnower.org. subdomain:

Code:
; <<>> DiG 9.3.4-P1 <<>> -t ns web.rodnower.org.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50927
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;web.rodnower.org.              IN      NS

;; Query time: 93 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 28 03:45:50 2010
;; MSG SIZE  rcvd: 34
And here is proof that everything else works normally:
Code:
; <<>> DiG 9.3.4-P1 <<>> -t ns rodnower.org.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36502
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;rodnower.org.                  IN      NS

;; ANSWER SECTION:
rodnower.org.           86400   IN      NS      nameserver.rodnower.org.

;; ADDITIONAL SECTION:
nameserver.rodnower.org. 86400  IN      A       192.168.3.200
nameserver.rodnower.org. 86400  IN      A       192.168.2.200

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 28 03:47:28 2010
;; MSG SIZE  rcvd: 87
What is wrong in my configuration?

Thank you in advance.
 
Old 08-28-2010, 03:15 AM   #2
bathory
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163

Hi,

Have you set up ns.web.rodnower.org. as authoritative for web.rodnower.org?
Because from the flags of the first query:
Quote:
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
it looks like your main DNS server (at localhost) knows it is not authoritative and asked further to get an answer.

What gives?
Code:
dig ns web.rodnower.org @192.168.2.150
 
Old 08-28-2010, 07:39 AM   #3
Rodnower
Member
Registered: Mar 2010
Posts: 54

Do you mean to add the SOA record of web.rodnower.org to the zone file rodnower.org.zone of the parent domain?
If I do so, I get an error during startup:

Code:
rodnower.org.zone:8: SOA record not at top of zone (web.rodnower.org)
Actually, I did set ns.web.rodnower.org. as the authority for web.rodnower.org:
In rodnower.org.zone:

Code:
web.rodnower.org.    IN      NS              ns.web.rodnower.org.
Here is the result of querying the subdomain's authority as you suggested:

Code:
[root@nameserver ~]# dig ns web.rodnower.org @192.168.2.150

; <<>> DiG 9.3.4-P1 <<>> ns web.rodnower.org @192.168.2.150
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61094
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;web.rodnower.org.              IN      NS

;; ANSWER SECTION:
web.rodnower.org.       86400   IN      NS      ns.web.rodnower.org.

;; ADDITIONAL SECTION:
ns.web.rodnower.org.    86400   IN      A       192.168.2.150

;; Query time: 4 msec
;; SERVER: 192.168.2.150#53(192.168.2.150)
;; WHEN: Sat Aug 28 15:32:20 2010
;; MSG SIZE  rcvd: 67
 
Old 08-28-2010, 09:08 AM   #4
bathory
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163

OK, from the dig output, 192.168.2.150 (ns.web.rodnower.org) knows it is authoritative for the subdomain web.rodnower.org.
There should be an error in your zone file that I cannot spot right now. Could you try this variation:
Code:
$TTL    86400
$ORIGIN rodnower.org.
@                    IN      SOA    nameserver.rodnower.org. root (
                                    3; 
                                    10M;
                                    15M;
                                    1W;
                                    1D)
@                    IN      NS     nameserver.rodnower.org.
@                    IN      MX 10  mailserver.rodnower.org.
nameserver           IN      A      192.168.2.200

$ORIGIN web.rodnower.org.
                     IN      NS     ns.web.rodnower.org.
ns.web.rodnower.org. IN      A      192.168.2.150
Don't forget to increase the serial before reloading the zone.
 
Old 08-28-2010, 09:40 AM   #5
Rodnower
Member
Registered: Mar 2010
Posts: 54

So I tried this, but I get the same result.
I only added the @ to the second-to-last line. Without it I get a "CNAME and other data" error (because I have a CNAME declaration just before the second $ORIGIN).
So now the whole zone looks like this:

Code:
$TTL    86400
$ORIGIN rodnower.org.
@                     IN      SOA       nameserver.rodnower.org.      root (
                                          5       ; serial (d. adams)
                                          10M     ; refresh
                                          15M     ; retry
                                          1W      ; expiry
                                          1D )    ; minimum
@                     IN      NS        nameserver.rodnower.org.
@                     IN      MX     10 mailserver.rodnower.org.
nameserver            IN      A         192.168.2.200
nameserver            IN      A         192.168.3.200
webserver             IN      A         192.168.2.150
webserver             IN      A         192.168.3.150
ftpserver             IN      A         192.168.2.150
dom0                  IN      A         192.168.2.100
mailserver            IN      A         192.168.2.50
router                IN      A         192.168.2.1
dns                  IN      CNAME     nameserver
mail                 IN      CNAME     mailserver
www                  IN      CNAME     webserver
ftp                  IN      CNAME     ftpserver

$ORIGIN web.rodnower.org.
@                     IN      NS        ns.web.rodnower.org.
ns.web.rodnower.org.  IN      A         192.168.2.150

 
Old 08-28-2010, 10:38 AM   #6
bathory
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163

Quote:
I only added the @ to the second-to-last line. Without it I get a "CNAME and other data" error (because I have a CNAME declaration just before the second $ORIGIN).
Huh. There must be an error somewhere, as the CNAME you mention is commented out and bind shouldn't complain.
I've also tried the last zone file and it worked for me (using different IPs for the NS RRs):
Code:
dig ns web.rodnower.org

; <<>> DiG 9.7.1-P2 <<>> ns web.rodnower.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7898
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;web.rodnower.org.              IN      NS

;; ANSWER SECTION:
web.rodnower.org.       86400   IN      NS      ns.web.rodnower.org.

;; ADDITIONAL SECTION:
ns.web.rodnower.org.    86234   IN      A       192.168.0.77

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 28 18:34:32 2010
;; MSG SIZE  rcvd: 67
 
Old 08-28-2010, 11:30 AM   #7
Rodnower
Member
Registered: Mar 2010
Posts: 54

Sorry, I forgot to remove the comments only in the post; in reality there are no comments on the CNAMEs. Also, because I added the @, I now have no errors at all during startup (as I already mentioned).

Could you please let me see your named.conf file, or at least the relevant part of it? Maybe it is because I use a view?
 
Old 08-28-2010, 11:47 AM   #8
bathory
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163

I don't think named.conf is the problem. I've also put it inside a view for my internal network, but here you go:
Quote:
view "internal" {
match-clients { internal; };

zone "rodnower.org" {
type master;
file "rod";
};
};
The error is in the zone file, but I cannot see it. What do the following two commands give:
Code:
named-checkzone -D rodnower.org /path/to/rodnower.org.zone
dig soa web.rodnower.org
The dig output I get is:
Code:
dig soa web.rodnower.org

; <<>> DiG 9.7.1-P2 <<>> soa web.rodnower.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46702
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;web.rodnower.org.              IN      SOA

;; ANSWER SECTION:
web.rodnower.org.       82742   IN      SOA     nameserver.rodnower.org. root.web.rodnower.org. 2 600 900 604800 86400

;; AUTHORITY SECTION:
web.rodnower.org.       82446   IN      NS      ns.web.rodnower.org.

;; ADDITIONAL SECTION:
ns.web.rodnower.org.    82446   IN      A       192.168.0.77

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 28 19:43:04 2010
;; MSG SIZE  rcvd: 119
 
Old 08-28-2010, 12:05 PM   #9
Rodnower
Member
Registered: Mar 2010
Posts: 54

So named-checkzone actually validates the zone file:

Code:
[root@nameserver named]# named-checkzone -D rodnower.org /named/var/named/rodnower.org.zone 
zone rodnower.org/IN: loaded serial 5
rodnower.org.                                 86400 IN SOA      nameserver.rodnower.org. root.rodnower.org. 5 600 900 604800 86400
rodnower.org.                                 86400 IN NS       nameserver.rodnower.org.
rodnower.org.                                 86400 IN MX       10 mailserver.rodnower.org.
dns.rodnower.org.                             86400 IN CNAME    nameserver.rodnower.org.
dom0.rodnower.org.                            86400 IN A        192.168.2.100
ftp.rodnower.org.                             86400 IN CNAME    ftpserver.rodnower.org.
ftpserver.rodnower.org.                       86400 IN A        192.168.2.150
mail.rodnower.org.                            86400 IN CNAME    mailserver.rodnower.org.
mailserver.rodnower.org.                      86400 IN A        192.168.2.50
nameserver.rodnower.org.                      86400 IN A        192.168.2.200
nameserver.rodnower.org.                      86400 IN A        192.168.3.200
router.rodnower.org.                          86400 IN A        192.168.2.1
web.rodnower.org.                             86400 IN NS       ns.web.rodnower.org.
ns.web.rodnower.org.                          86400 IN A        192.168.2.150
webserver.rodnower.org.                       86400 IN A        192.168.2.150
webserver.rodnower.org.                       86400 IN A        192.168.3.150
www.rodnower.org.                             86400 IN CNAME    webserver.rodnower.org.
OK
This is dig output:

Code:
[root@nameserver named]# dig soa web.rodnower.org

; <<>> DiG 9.3.4-P1 <<>> soa web.rodnower.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2306
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;web.rodnower.org.              IN      SOA

;; Query time: 109 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 28 20:06:26 2010
;; MSG SIZE  rcvd: 34
 
Old 08-28-2010, 12:12 PM   #10
bathory
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163

Could you post named.conf and the zone file of web.rodnower.org at ns.web.rodnower.org?
 
Old 08-28-2010, 01:45 PM   #11
Rodnower
Member
Registered: Mar 2010
Posts: 54

Sure:

named.conf of the parent:

Code:
acl "untrusted" 	{ 192.168.3.0/24; };
acl "trusted" 		{ localhost; 192.168.2.0/24; };
acl "secondaries"	{ 192.168.2.100; };

options {
	listen-on port 53 { trusted; };
	// listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";

	// Those options should be used carefully because they disable port
	// randomization
	// query-source    port 53;	
	// query-source-v6 port 53;

	allow-query     { !untrusted; trusted; };
	allow-recursion	{ !untrusted; trusted; };
	allow-transfer	{ secondaries; };
	forwarders { 192.168.2.1; };
	forward only;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view "main" {
	match-clients		{ !untrusted; trusted; };
	match-destinations	{ !untrusted; trusted; };
	recursion yes;

	//include "/etc/named.root.hints";
	include "/etc/named.rfc1912.zones";

	zone "rodnower.org" IN {
		type master;
		file "rodnower.org.zone";
	};

	zone "168.192.in-addr.arpa" IN {
		type master;
		file "168.192.in-addr.arpa.zone";
	};
};
named.conf on the subdomain server:

Code:
acl "untrusted" { 192.168.3.0/24; };
acl "trusted"   { localhost; 192.168.2.0/24; };
acl "dom0"      { 192.168.2.100; };
acl "secondary" { 192.168.2.100; };

//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and 
// its manual.
//
options
{
	listen-on port 53 { !untrusted; trusted; };

        // Those options should be used carefully because they disable port
        // randomization
	// query-source    port 53;	
	// query-source-v6 port 53;


	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // the default
	dump-file 		"data/cache_dump.db";
        statistics-file 	"data/named_stats.txt";
        memstatistics-file 	"data/named_mem_stats.txt";

	allow-query { !untrusted; trusted; };
	allow-recursion { !untrusted; trusted;  };
	allow-transfer { localhost; secondary; };
	forwarders {192.168.2.200; 192.168.2.1; };
	forward only;

};
logging 
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :*/
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view "main" {
	match-clients		{ !untrusted; trusted; };
	match-destinations	{ !untrusted; trusted; };
	recursion yes;

	include "/etc/named.root.hints";
	include "/etc/named.rfc1912.zones";

	zone "web.rodnower.org" IN {
		type master;
		file "web.rodnower.org.zone";
	};
};
Zone file of the subdomain:

Code:
$TTL	86400
@				IN	SOA		web.rodnower.org. root (
								1
								3H
								15M
								1W
								1D )
@				IN	NS		ns.web.rodnower.org.
ns				IN	A		192.168.2.150
webserver			IN	A		192.168.2.150
www				IN	A		192.168.2.150
mail				IN	A		192.168.2.150
dns				IN	A		192.168.2.150
apache				IN	A		192.168.2.150
printers			IN	A		192.168.2.100
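
With both zone files now on the page, here is an added example (my code, not from the thread or from BIND) that checks the parent and child zones against each other offline. It parses both master files with a small purpose-built reader and reports the conditions that make a delegation lame or inconsistent: the NS set at the delegation point versus the child's apex NS set, glue for in-bailiwick name servers that is missing or disagrees with the child's own A record, an SOA MNAME that is not one of the zone's NS names, and a name carrying a CNAME alongside other data (the load error mentioned earlier in the thread). The embedded zone texts are constructed from the files posted above, trimmed to the relevant records; the names and addresses are the thread's own. It never talks to a server, so it says nothing about forwarding or recursion: named-checkzone validates the syntax of one file, this checks the pair.

```python
"""Static delegation check between a parent and a child BIND zone (added example).
Flags NS-set mismatch at the delegation point, missing or disagreeing in-bailiwick
glue, an SOA MNAME outside the child's NS set, and CNAME with other data."""
RTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR"}
PARENT_ORIGIN, CHILD_ORIGIN = "rodnower.org.", "web.rodnower.org."

# Constructed samples, trimmed from the zone files posted in this thread.
PARENT_ZONE = """\
$TTL    86400
$ORIGIN rodnower.org.
@           IN  SOA   nameserver.rodnower.org. root (
                      5       ; serial
                      10M 15M 1W 1D )
@           IN  NS    nameserver.rodnower.org.
nameserver  IN  A     192.168.2.200
webserver   IN  A     192.168.2.150
www         IN  CNAME webserver
$ORIGIN web.rodnower.org.
@           IN  NS    ns.web.rodnower.org.
ns.web.rodnower.org. IN A 192.168.2.150
"""
CHILD_ZONE = """\
$TTL    86400
@   IN  SOA  web.rodnower.org. root ( 1 3H 15M 1W 1D )
@   IN  NS   ns.web.rodnower.org.
ns  IN  A    192.168.2.150
"""

def _fqdn(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """{owner: {rtype: [rdata tokens, ...]}}; handles $ORIGIN, '@', relative names,
    blank owner, ';' comments and '(...)' continuations. Not a full RFC 1035 parser."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # drop comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:                                   # record is complete
            logical.append(" ".join(buf))
            buf, depth = [], 0
    zone, last_owner = {}, origin
    name_fields = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}
    for line in logical:
        if line.startswith("$"):                         # $ORIGIN changes scope; $TTL ignored
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        toks = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner if line[0].isspace() else _fqdn(toks.pop(0), origin)
        last_owner = owner
        while toks and toks[0].upper() not in RTYPES:    # skip optional TTL / class
            toks.pop(0)
        rtype = toks.pop(0).upper()
        for i in name_fields.get(rtype, []):             # qualify domain-name fields
            toks[i] = _fqdn(toks[i], origin)
        zone.setdefault(owner, {}).setdefault(rtype, []).append(toks)
    return zone

def _first(zone, owner, rtype):
    return {r[0] for r in zone.get(owner, {}).get(rtype, [])}   # empty set if absent

def check_delegation(parent_text, child_text,
                     parent_origin=PARENT_ORIGIN, child_origin=CHILD_ORIGIN):
    """Return a list of problem descriptions; an empty list means a clean delegation."""
    parent, child = parse_zone(parent_text, parent_origin), parse_zone(child_text, child_origin)
    problems = []
    deleg_ns, apex_ns = _first(parent, child_origin, "NS"), _first(child, child_origin, "NS")
    if not deleg_ns:
        problems.append(f"parent zone has no NS records for {child_origin}")
    elif deleg_ns != apex_ns:
        problems.append(f"NS set mismatch: parent delegates to {sorted(deleg_ns)}, "
                        f"child apex lists {sorted(apex_ns)}")
    for ns in sorted(deleg_ns):
        if not ns.endswith("." + child_origin):          # out of bailiwick: no glue needed
            continue
        glue, own = _first(parent, ns, "A"), _first(child, ns, "A")
        if not glue:
            problems.append(f"missing glue A record for {ns} in the parent zone")
        elif own and glue != own:
            problems.append(f"glue for {ns} is {sorted(glue)} but the child has {sorted(own)}")
    soa = child.get(child_origin, {}).get("SOA", [])
    if not soa:
        problems.append(f"child zone has no SOA at {child_origin}")
    elif soa[0][0] not in apex_ns:
        problems.append(f"child SOA MNAME {soa[0][0]} is not one of the zone's NS names")
    for label, zone in (("parent", parent), ("child", child)):
        for owner, rrsets in zone.items():
            if "CNAME" in rrsets and len(rrsets) > 1:
                others = sorted(t for t in rrsets if t != "CNAME")
                problems.append(f"{label}: {owner} has CNAME and other data {others}")
    return problems
```

Calling check_delegation(PARENT_ZONE, CHILD_ZONE) on the constructed zones returns a single finding: the child's SOA MNAME, web.rodnower.org., is not one of the zone's name servers. Everything else in the pair is consistent, which is the static evidence that the NXDOMAIN seen on the parent is not caused by the delegation data itself. In a real deployment, read the two files from disk and run this before rndc reload; an NS set or glue that points at a host that no longer serves the zone is how lame delegations start.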
 
Old 08-28-2010, 03:09 PM   #12
bathory
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163

OK, comment out:
Quote:
forwarders {192.168.2.200; 192.168.2.1; };
forward only;
because using these, the server ns.web.rodnower.org forwards the query to 192.168.2.200 and doesn't answer it itself.

BTW, a minor error:
Quote:
$TTL 86400
@ IN SOA web.rodnower.org. root (
You have the wrong NS in the SOA record. You should use:
Code:
@				IN	SOA	ns.web.rodnower.org. root (
 
Old 08-28-2010, 04:56 PM   #13
Rodnower
Member
Registered: Mar 2010
Posts: 54

No. It does not help...
What is more: locally, on the subdomain's server, I get resolution of the subdomain's records (you can see it in the first post). So I guess the problem is somewhere in the main server.
What version of bind do you use? I use 9.3.4.

 
Old 08-29-2010, 03:27 AM   #14
bathory
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163

Quote:
No. It does not help...
Are you sure? Did you restart bind? And maybe flush the cache of 192.168.2.200.
You don't need "forward" and "forwarders". The dns at 192.168.2.150 has to answer authoritatively for the subdomain web.rodnower.org and not forward the queries back to 192.168.2.200.

Quote:
So I guess problem some where in the main server.
Oops, now I noticed that you also have "forwarders" in the main server. So whatever answer you get is from 192.168.2.1, as you use "forward only". I don't know what this DNS does, but again you don't need it.

Quote:
What version of your bind? I use: 9.3.4.
I'm using 9.7.1-P2, but the version is irrelevant on this.

Regards
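
The forwarding issue discussed in the reply above, as an added configuration example. This is my illustration, not a config from the thread, and the `type forward` zone is my suggestion rather than something either poster proposed. Two facts drive it. First, a zone loaded as `type master` is answered authoritatively whether or not `forwarders` is set, which is why the child at 192.168.2.150 already returned the aa flag earlier in the thread. Second, the parent at 192.168.2.200 is not authoritative for web.rodnower.org; it only holds the delegation, so a query for that name needs recursion, and with `forward only` recursion means asking 192.168.2.1, which knows nothing about a private domain and returns NXDOMAIN. The fragment shows the parent's options as posted beside a version that keeps the router for Internet names while sending the subdomain to its own server. Addresses, zone names and file names are the thread's own.

```conf
// Parent (192.168.2.200), as posted: every name this server is not
// authoritative for, including the delegated web.rodnower.org, is handed
// to the router. The router answers NXDOMAIN for a private domain, and
// that is the answer the first post shows.
options {
        forwarders { 192.168.2.1; };
        forward only;
};

// Parent, corrected: keep the router for the Internet, but give the
// delegated subdomain its own forwarding target. A zone-level "forward"
// overrides the global one for that name and everything under it.
options {
        forwarders { 192.168.2.1; };
        forward only;
};

view "main" {
        // ... match-clients, includes and the master zones as posted ...

        zone "web.rodnower.org" IN {
                type forward;
                forward only;
                forwarders { 192.168.2.150; };
        };
};

// Child (192.168.2.150): its master zone is answered authoritatively with
// or without these lines. Forwarding everything else to the parent is fine
// and lets hosts in the subdomain resolve rodnower.org names through it.
options {
        forwarders { 192.168.2.200; };
        forward only;
};
```

To tell a delegation problem from a recursion problem, query the parent with recursion switched off: dig +norecurse @192.168.2.200 ns web.rodnower.org returns a referral (the NS record and the ns.web glue in the AUTHORITY and ADDITIONAL sections) no matter how forwarding is configured, because that data comes from the loaded zone. A normal dig @192.168.2.200 ns web.rodnower.org then returns the NS record instead of NXDOMAIN once the forward zone is in place. Dropping the forwarders altogether, as suggested above, also works provided the parent can reach the root servers itself; `forward first` is a third option, but it only falls back to iterative resolution when the forwarder fails to answer, and an NXDOMAIN is an answer.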
 
Old 08-30-2010, 07:17 AM   #15
Rodnower
Member
Registered: Mar 2010
Posts: 54

Thank you, I will try without the forwarders lines and check.
 
  

