Date:      Sun, 31 Oct 2004 14:05:04 +0100
From:      "jesk" <jesk@killall.org>
To:        <current@freebsd.org>
Subject:   Bind9.3 Bug?
Message-ID:  <008701c4bf4a$3d0ec600$45fea8c0@turbofresse>

Hello,

I just configured a classless reverse delegation from BIND8 to BIND9.3.
The zone name on the BIND9.3 (ns0.example.com) system is
"224-239.xxx.xxx.xxx.in-addr.arpa".
I configured the zone as follows:
---
zone "224-239.xxx.xxx.xxx.in-addr.arpa" {
        type master;
        file "master/224-239.xxx.xxx.xxx.in-addr.arpa";
        allow-query { any; };
};
---
The zone itself looks like this:
---
$TTL    18000
@       IN      SOA     ns0.example.com. hostmaster.example.com. (
                        2004103009      ; Serial number
                        3H              ; Refresh every 3 hours
                        15M             ; Retry after 15 minutes
                        1W              ; Expire after 1 week
                        4H )            ; Minimum 4 hours

        IN      NS      ns0.example.com.
        IN      NS      ns1.example.com.

225     IN      PTR     ns0.example.com.
226     IN      PTR     mx0.example.com.
227     IN      PTR     www.example.com.
---

Now I recognized that resolving an IP of the subnet directly from
ns0.example.com won't work:
---
"host xxx.xxx.xxx.227 ns0.example.com"
"Host 227.xxx.xxx.xxx.in-addr.arpa not found: 5(REFUSED)"
---
On ns0.example.com BIND9.3 says:
---
"named[53719]: client x.x.x.x#58160: query (cache) '227.xxx.xxx.xxx.in-addr.arpa/PTR/IN' denied"
---

It seems that ns0.example.com doesn't feel authoritative for the zone,
because when setting allow-query { any; }; globally, resolving from
another BIND9.3 resolver will work, but from a BIND8 resolver it won't...
Am I totally stupid, or what's going on there?

When I comment out all "allow-query" in named.conf it works
perfectly, but then recursive resolving works for everyone.
So I tested it with "acl "systemitself" { 127.0.0.1; xx.x.x.x;
x.x.x.x/28; };" and "allow-recursion { "systemitself"; };" with the goal that
only the system itself can resolve recursively, but that didn't work either.
With this configuration all recursive lookups worked from everywhere, and
authoritative lookups too, but resolving the reverse zone for which the
system should be authoritative didn't work.
Is this a bug or are there any hardcore changes to BIND?
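The behaviour reported above follows from how a name server selects a zone for a query: a local zone covers a query name only when the zone name is a label-wise suffix of it, so `227.xxx.xxx.xxx.in-addr.arpa` does not fall under `224-239.xxx.xxx.xxx.in-addr.arpa`; the server treats it as a recursive (cache) lookup, which the allow-query/allow-recursion ACLs then deny, while the parent `xxx.xxx.xxx.in-addr.arpa` zone has to redirect each host into the child zone with CNAMEs (RFC 2317). The following Python is an added illustration, not code from the original post; it uses the constructed documentation prefix 192.0.2.0/24 in place of xxx.xxx.xxx, and the nameserver names from the zone above.

```python
# Added illustration (not from the original post). Shows why a PTR query for
# 227.<net>.in-addr.arpa is not answered from the "224-239" zone, and what the
# parent /24 zone must carry (RFC 2317) so that it is. Addresses use the
# constructed documentation prefix 192.0.2.0/24.

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".")]

def is_in_zone(qname, zone):
    """True if the zone name is a label-wise suffix of the query name."""
    q, z = labels(qname), labels(zone)
    return len(q) >= len(z) and q[-len(z):] == z

def authoritative_zone(qname, zones):
    """Best (longest) matching local zone, or None when the server would
    have to recurse, which BIND logs as 'query (cache) ... denied' when
    allow-query/allow-recursion forbid recursion for this client."""
    hits = [z for z in zones if is_in_zone(qname, z)]
    return max(hits, key=lambda z: len(labels(z)), default=None)

def ptr_name(ipv4):
    """Reverse-map an IPv4 address to its in-addr.arpa owner name."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def rfc2317_parent_records(rev_net, first, last, nameservers):
    """Records for the parent rev_net.in-addr.arpa zone: delegate the
    'first-last' child zone and alias every host octet into it, so a
    resolver following the CNAME ends up at the child's servers."""
    child = f"{first}-{last}.{rev_net}.in-addr.arpa."
    records = [f"{first}-{last:<8} IN NS    {ns}" for ns in nameservers]
    records += [f"{host:<12} IN CNAME {host}.{child}"
                for host in range(first, last + 1)]
    return records

if __name__ == "__main__":
    zones = ["224-239.2.0.192.in-addr.arpa"]   # what ns0 is master for
    direct = ptr_name("192.0.2.227")            # what 'host' actually asks
    print(direct, "->", authoritative_zone(direct, zones))   # None
    aliased = "227.224-239.2.0.192.in-addr.arpa"
    print(aliased, "->", authoritative_zone(aliased, zones))
    for line in rfc2317_parent_records("2.0.192", 224, 239,
                                       ["ns0.example.com.", "ns1.example.com."]):
        print(line)
```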