
Re: need help with BIND9



[This message has also been posted to linux.debian.user.]
In article <9pA01-5DJ-11@gated-at.bofh.it>, lists@pgrworld.com wrote:
>
> Michael Shuler wrote:
>> On 11/14/2007 02:53 AM, lists@pgrworld.com wrote:
>>   
>>> I need help setting up nameservers for my own domain.  The IPs and
>>> domains have been changed for privacy ;-)
>>>     
>>
>> ..which makes it difficult to properly troubleshoot.
>>
>>   
>>> $TTL 1h
>>> @ SOA ns1.mydomain.com. root.mydomain.com. (
>>>  2007110805; Serial (date + two digit serial)
>>>  10800 ; Refresh (3 hours)
>>>  3600 ; Retry (1 hour)
>>>  86400 ; Expire (1 day)
>>>  60 ) ; Default TTL 1 min
>>>  NS ns1.mydomain.com.
>>>  MX mail.mydomain.com.

First of all, that is really dumb.  Don't use name servers
with the same second level domain as the one they are
authoritative for.  If you only have one domain in the
whole world, let your registrar do your name service
for you.  Or use a service like zoneedit.com or dyndns.org.
(But stay away from granitecanyon.com.  It's been on
autopilot for years and years.  Its owners just don't
have time for it.)


>> If you are going to host authoritative DNS for mydomain.com. on a name
>> server host under the same domain, for example ns1.mydomain.com., then
>> you need to seed the process of finding your authoritative name server
>> via a glue A record at your domain registrar - this A record for
>> ns1.mydomain.com. gets pushed up to the com. TLD servers, so that
>> recursive resolvers around the Internet can find the correct name server
>> to ask, "where is mydomain.com.".

Right, and with most registrars, especially low-ballers
like Tucows/OpenSRS, it's not obvious how to do that, and
they don't do it automatically.  And with non-accredited
resellers, it's even harder.  You're at Register4less,
apparently a Tucows customer.  Guess what, your registrar
isn't listed in
 http://www.icann.org/registrars/accredited-list.html

Well-run registrars will have a separate form for
registering a hostname.  That's the "glue record"
you're looking for.  Unfortunately it pretty much never
says "glue record" on the form.  Which brings us back
to don't put your name servers in their own domain.



> Thanks for the reply!  I've investigated this at my domain registrar, 
> and ns1.mydomain.com did get pushed to the .com TLD servers (or root 
> servers)


Apparently so.  One of them, anyway.  This is b.gtld-servers.net,
chosen at random.

$ dig @192.33.14.30 NS1.CD-EXPRESS.COM a
;; ANSWER SECTION:
NS1.CD-EXPRESS.COM.     172800  IN      A       208.127.75.221
;; AUTHORITY SECTION:
CD-EXPRESS.COM.         172800  IN      NS      NS1.CD-EXPRESS.COM.

172800 is two days.
> My domain registrar said that I need a primary and secondary server 
> assigned,

Well, there is not really any such thing as primary and secondary.
They're all the same.  But you're supposed to have at least
two of them.

> so I created NS2.CD-EXPRESS.COM to point to the same IP 
> 208.127.75.221

Spammers do that a lot.  Your two name servers are supposed to
be on two independent networks.



> my bind settings are as follows (I've removed comments with a "//"):
> ********************** NAMED.CONF start 
> ***********************************************************
> include "/etc/bind/named.conf.options";
[as shipped]
> **********************NAMED.CONF.OPTIONS  
[as shipped]
>
> *****************************NAMED.CONF.LOCAL start 
> *************************************************
> //
> // Do any local configuration here
> zone "cd-express.com" {
>         type master;
>         file "/etc/bind/cd-express.db";
> };

Okay.

>
> zone "15.15.15.in-addr.arpa" {
>         type master;
>         file "/etc/bind/15.15.15.rev";
> };

What the heck is that?  Are you in charge of
reverse DNS for 15.15.15.0/24?  I think Hewlett
Packard would disagree.


> *****************************NAMED.CONF.LOCAL end 
> *************************************************
>
> ***************************** CD-EXPRESS.DB start 
> *************************************************
> ; BIND data file for cd-express.db
> ; /var/named/cd-express.db
> ;
> $TTL 1h
> @ SOA ns1.cd-express.com. root.cd-express.com. (
>   2007110805; Serial (date + two digit serial)
>   10800 ; Refresh (3 hours)
>   3600 ; Retry (1 hour)
>   86400 ; Expire (1 day)
>   60 ) ; Default TTL 1 min
>   NS ns1.cd-express.com.
>   MX mail.cd-express.com.
>   A 208.127.75.221

You might get away with those a/ns/mx records.
The white space in column 1 implies the zone that
was mentioned in the zone statement in the conf file.
But it would be more readable if you used an @
sign there.  I'm not sure if you can get away with
omitting the class (INternet) value, either.
Try it this way:

@   IN   NS  ns1.cd-express.com.
@   IN   A   208.127.75.221
@   IN   MX 5  mail.cd-express.com.

Notice that the NS and MX records use names which
I'll give A records to below.

>         ns1     A       208.127.75.221

That line makes no sense.  You're saying there
is an A record for cd-express.com, of class "ns1"
(which doesn't exist), and its value is "ns1.cd-express.com."
And your MX record was missing its priority number.
Since you only have one, it doesn't matter what
the number is, but it should be there.
Do it the way I showed it.


>         mail    A       208.127.75.221
>         www     A       208.127.75.221

I'm going to guess here that you are giving addresses
to the hostnames ns1.cd-express.com, mail.cd-express.com,
and www.cd-express.com.  It didn't work because
of the white space at the beginning of the line,
and maybe the missing class name.  You could use a wild
card, but for readability do it this way:

ns1     IN   A   208.127.75.221
mail    IN   A   208.127.75.221
www     IN   A   208.127.75.221


> ***************************** 15.15.15.REV start 
> *************************************************
>: BIND reverse data file for 15.15.15.0
>: /etc/bind/15.15.15.db
>:
> @ IN SOA cd-express.com. root.cd-express.com. (

You might be authoritative for cd-express.com, but
you are not authoritative for 15.15.15.in-addr.arpa.
That privilege belongs to Hewlett Packard.
So there is no point in you trying to define
PTR records there.  The guy at HP might write
something like

15.in-addr.arpa   IN SOA  charon.core.hp.com. hostmaster.hp.com. (
    1010272
    7200
    3600
    604800
    600
);
to cover all of 15.0.0.0/8.
And then he would write a bunch of PTR records.


>   IN NS ns1.cd-express.com.
>   10 IN PTR www.cd-express.com.
>   20 IN PTR dns.cd-express.com.
>   30 IN PTR mail.mycompany.com.

You don't get to do that.  The only PTR
record you might want in *your* DNS is

1.0.0.127.in-addr.arpa.  IN PTR  localhost.cd-express.com.
in which case you should have

localhost   IN A  127.0.0.1

in your cd-express.com.db file.  That might be useful for
readability in your Postfix main.cf file or something.
But the only zones you get to write PTR records
for are 127.in-addr.arpa., 168.192.in-addr.arpa.,
10.in-addr.arpa., and that one that starts with 172.
You could do that for practice on your home LAN.
Or you could get away without it by just putting the
names you need in /etc/hosts.


There is already a PTR record for your public IP address.  

$ dig 221.75.127.208.in-addr.arpa. ptr
;; ANSWER SECTION:
221.75.127.208.in-addr.arpa. 86259 IN   PTR     netblock-208-127-75-221.dslextreme.com.


So you have to call customer service at DSL Extreme,
and say hey thanks for the static IP address,
can I have a PTR record with my domain name in it?
Ask for mail.cd-express.com.  That way when your
mail server connects to mine, its hostname will
match its PTR and I'll accept the message.
DSL Extreme will charge you twenty bucks, once.
It keeps the riff raff away.


> I'll be happy to get ANY HELP.  Thanks a lot!

Whoever told you you could just define PTR names in
the middle of Hewlett Packard's ARIN allocation was
way off!  You'd better figure out where that came
from and find a way to prevent further nonsense
from there from polluting your brain.
No doubt there are great DNS tutorials on the Web
someplace.  Try Ora.com or About.com.
I learned this stuff from "the cricket book,"
_DNS and BIND_ by Albitz and Liu.

Finally, your name server is responding, but it
does not know what to do because it didn't load
your broken zone file properly.


$ host www.cd-express.com 208.127.75.221
Using domain server:
Name: 208.127.75.221
Address: 208.127.75.221#53
Aliases: 

Host www.cd-express.com not found: 2(SERVFAIL)


Open a terminal window (such as xterm) and do this:

tail -f /var/log/daemon.log

and leave it running.  Then get another terminal,
and be root, and go

/etc/init.d/bind9 stop
sleep 5
/etc/init.d/bind9 start

and watch the messages in the log.  BIND9 is pretty
good about telling you what is wrong.
Incidentally, "host" is in the Debian package bind9-host
and "dig" is in dnsutils.  You should print and read their
manpages.  Here, have a nice looking PDF file.

apt-get install groff gs-esp gsfonts
whereis host
zcat /usr/share/man/man1/host.1.gz | groff -Tps -mandoc - | \
  gs -sDEVICE=pdfwrite -sOutputFile=host.1.pdf -dBATCH -dNOPAUSE -
Cameron
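As an added illustration of the two zone-file points made above (the indented `ns1 A ...` line that inherits the `@` owner, the MX record with no preference, and the reverse zone the poster does not control), here is a small checker written for this thread; it is not code from any of the participants. The sample zone is constructed from the quoted cd-express.db, and the reverse-zone rule assumes IPv4 in-addr.arpa names only.

```python
import ipaddress

# Constructed sample: the poster's cd-express.db as quoted above, still broken.
SAMPLE_ZONE = """\
$TTL 1h
@ SOA ns1.cd-express.com. root.cd-express.com. (
  2007110805 10800 3600 86400 60 )  ; serial and timers
  NS ns1.cd-express.com.
  MX mail.cd-express.com.
        ns1     A       208.127.75.221
"""
TYPES = {"SOA", "NS", "MX", "A", "AAAA", "PTR", "CNAME", "TXT"}

def logical_lines(text):
    """Yield (indented, tokens) with ';' comments dropped and '( ... )' joined."""
    toks, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.split():
            continue
        indented = line[0].isspace() if not toks else indented  # first physical line decides
        toks += line.split()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield indented, toks
            toks = []

def lint_zone(text):
    """Report the record-level mistakes in the quoted zone (per-record TTLs not handled)."""
    problems, owner = [], "@"
    for indented, toks in logical_lines(text):
        if toks[0].startswith("$"):
            continue                          # $TTL / $ORIGIN directives
        if not indented:
            owner, toks = toks[0], toks[1:]   # a name in column 1 sets the owner
        if toks and toks[0].upper() == "IN":
            toks = toks[1:]                   # the class is optional in BIND
        if not toks or toks[0].upper() not in TYPES:
            problems.append(f"{owner}: {toks[:1]} is not a class or record type")
        elif toks[0].upper() == "MX" and (len(toks) < 3 or not toks[1].isdigit()):
            problems.append(f"{owner}: MX record is missing its preference number")
    return problems

def locally_authorable(reverse_zone):
    """True only for reverse zones over loopback/RFC 1918 space (assumes an
    IPv4 in-addr.arpa name); public prefixes belong to the address-block holder."""
    labels = reverse_zone.strip(".").lower().split(".")
    octets = [int(x) for x in reversed(labels[:-2])]
    net = ".".join(map(str, octets + [0] * (4 - len(octets)))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(net).is_private
```

Running `lint_zone(SAMPLE_ZONE)` flags the MX line and the `ns1` line, and `locally_authorable("15.15.15.in-addr.arpa")` is False while `locally_authorable("168.192.in-addr.arpa")` is True.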



