LINUX.IE, website of the Irish Linux Users' Group
[ILUG] DNS problems

Chris Boyd chris_d_b71 at yahoo.com
Sat May 8 17:55:52 IST 2004


--- Chris Boyd <chris_d_b71 at yahoo.com> wrote:
> Date: Sat, 8 May 2004 09:55:00 -0700 (PDT)
> From: Chris Boyd <chris_d_b71 at yahoo.com>
> Subject: Re: [ILUG] DNS problems
> To: Des Keane <des at o2.ie>
> 
> 
> --- Des Keane <des at o2.ie> wrote:
> > As well as the nameservers, if you haven't arranged
> > with IOL and Pipex for backup mail services, you
> > should probably take those out as well.
> 
> I have for several years now. Just to clarify I
> installed Fedora over a previous DNS server running RH
> 7.1. I then just copied over the config files. I was
> getting the same problem before and then I'm not sure
> what I did but it just came up after restarting named
> on primary and secondary DNS servers.
> 
> > It would be
> > nice to have two real DNS servers rather than a
> > CNAME for the same server to fool the IEDR into
> > thinking you have two. 
> 
> I do. Master is leviathan, secondary is calisto. 
> I took out titan. 
> 
> > Although the x.x.194.in-addr.arpa zone has calisto and
> > leviathan as its nameservers - should this be consistent
> > for each zone?
> 
> Not sure what you're asking here. 
> 
> 
> > 
> > Do you really have calisto.mydomain.ie and
> > levithan.mydomain.ie mail domains? If not a few of
> > the extra MX records are redundant.
> 
> Yes
> > 
> > But the suggestions already made are the big ones.
> > 
> > HTH
> > 
> > Des
> > 
> Thanks for the help. I also made amendments that
> others suggested here to no avail.
> I then went to www.dnsreport.com and following are the
> results. It seems like named isn't responding at all
> to requests.
> Just to clarify. I have secondary dns running RH 7.3.
> I'm not sure if the different versions of bind might
> have any relevance here?!? Thanks
> 
> from dnsreport.com:
> 
> Category Status Test Name Information
>
> Parent PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
>
> INFO NS records at parent servers Your NS records at the parent servers are:
>
> leviathan.irelands-web.ie. [194.125.22.1] [TTL=172800] [IE]
> calisto.irelands-web.ie. [194.125.22.2] [TTL=172800] [IE]
>
> [These were obtained from gns1.domainregistry.ie]
>
> PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there, with 2 entries.
>
> PASS Glue at parent nameservers OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
>
> NS INFO NS records at your nameservers Your NS records at your nameservers are:
>
> [None of your nameservers returned your NS records; they could be down or unreachable, or could all be lame nameservers]
>
> WARN All nameservers report identical NS records
>
> WARNING: At least one of your nameservers did not return your NS records (it reported 0 answers). This could be because of a referral, if you have a lame nameserver (which would need to be fixed).
>
> 194.125.22.1 returns 0 answers (may be a referral)
> 194.125.22.2 returns 0 answers (may be a referral)
>
> PASS All nameservers respond OK. All of your nameservers listed at the parent nameservers responded.
>
> PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
>
> PASS Number of nameservers OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
>
> FAIL Lame nameservers ERROR: You have one or more lame nameservers. These are nameservers that do NOT answer authoritatively for your domain. This is bad; for example, these nameservers may never get updated. The following nameservers are lame:
> 194.125.22.1
> 194.125.22.2
>
> PASS Missing (stealth) nameservers OK. All 0 of your nameservers (as reported by your nameservers) are also listed at the parent servers.
>
> FAIL Missing nameservers 2 ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:
> leviathan.irelands-web.ie.
> calisto.irelands-web.ie.
>
> PASS No CNAMEs for domain OK. There are no CNAMEs for irelands-web.ie. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present. Note that I only checked irelands-web.ie, I did not check the NS records, which should not have CNAMEs either.
>
> PASS No NSs with CNAMEs OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
>
> WARN Nameservers on separate class C's WARNING: All of your nameservers (listed at the parent nameservers) are in the same Class C (technically, /24) address space, which means that they are probably at the same physical location. Your nameservers should be at geographically dispersed locations. You should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.
>
> PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
>
> INFO Nameservers versions Your nameservers have the following versions:
>
> 194.125.22.1: "9.2.2-P3"
> 194.125.22.2: "9.2.1"
>
> PASS NS TTL discrepancy OK. Your NS records at your authoritative DNS servers have TTLs that match those of the parent servers. This is prevents some odd problems that could otherwise occur.
>
> PASS Stealth NS record leakage Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
>
> SOA INFO SOA record Your SOA record [TTL=0] is:
> Primary nameserver:
> Hostmaster E-mail address:
> Serial #: 0
> Refresh: 0
> Retry: 0
> Expire: 0
> Default TTL: 0
>
> FAIL NS agreement on SOA Serial # ERROR: Your nameservers disagree as to which version of your DNS is the latest! 4294967295 versus 0! This is OK if you have just made a change recently, and your secondary DNS servers haven't yet received the new information from the master. I will continue the report, assuming that 0 is the correct serial #.
>
> FAIL SOA MNAME Check ERROR: Your SOA (Start of Authority) record states that your master (primary) name server is: . However, that is not a valid domain name!
>
> FAIL SOA RNAME Check ERROR: Your SOA (Start of Authority) record states that your DNS contact E-mail address in hostname format is: . However, that is NOT valid (it must have at least 2 '.''s in it and no '@')!
>
> WARN SOA Serial Number WARNING: Your SOA serial number is: 0. That is OK, but the recommended format (per RFC1912 2.2) is YYYYMMDDnn, where 'nn' is the revision. For example, if you are making the 3rd change on 02 May 2000, you would use 2000050203. This number must be incremented every time you make a DNS change.
>
> FAIL SOA REFRESH value WARNING: Your SOA REFRESH interval is : 0 seconds. This seems very low. You should consider increasing this value to about 3600-7200 seconds. RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours). A value that is too low will unncessarily increase Internet traffic.
>
> FAIL SOA RETRY value WARNING: Your SOA RETRY interval is : 0 seconds. This seems very low. You should consider increasing this value to about 120-7200 seconds. The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
>
> FAIL SOA EXPIRE value WARNING: Your SOA EXPIRE time is : 0 seconds. This seems very low. You should consider increasing this value to about 1209600 to 2419200 seconds (2 to 4 weeks). RFC1912 recommends 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
>
> FAIL SOA MINIMUM TTL value WARNING: Your SOA MINIMUM TTL is : 0 seconds. This seems very low (unless you are just about to update your DNS). You should consider increasing this value to somewhere between 3600 and 10800. RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
>
> MX FAIL MX Category ERROR: I couldn't find any MX records for irelands-web.ie. If you want to receive E-mail on this domain, you should have MX record(s). Without any MX records, mailservers should attempt to deliver mail to the A record for irelands-web.ie. I can't continue in a case like this, so I'm assuming you don't receive mail on this domain.
>
> Mail FAIL Connect to mail servers ERROR: I could not find any mailservers for irelands-web.ie.
>
> WWW FAIL WWW Category ERROR: I couldn't find any A records for www.irelands-web.ie. If you want a website at www.irelands-web.ie, you will need an A record for www.irelands-web.ie. If you do not want a website at www.irelands-web.ie, you can ignore this error.
> 
> Chris 
> 
> > ----- Original Message -----
> > From: Chris Boyd <chris_d_b71 at yahoo.com>
> > Date: Friday, May 7, 2004 1:56 pm
> > Subject: [ILUG] DNS problems
> > 
> > > I just recently did a full install of Fedora Core I
> > > (over RH 7.1, possibly not the best move) and I'm
> > > having serious problems with named/DNS.
> > > I had thought that there was a problem with the name
> > > servers being registered with IEDR, but that doesn't
> > > seem to be the case.
> > > The named process is running and listening but nothing
> > > in mydomain resolves. It was working for a few days
> > > after (so I don't see how it could be the config
> > > files) I configured it after installing Fedora but it
> > > went down and I haven't been able to get it working
> > > since.
> > > After attempting to re-register the nameservers with
> > > IEDR I'm getting the following message from them:
> > >
> > > OK: 09:45:43 UTC on Fri 7 May 2004
> > > OK: Verifying zone mydomain.ie.
> > > OK: Starting verification from server 194.x.x.x
> > > OK: Requesting NS list for zone mydomain.ie. from 194.x.x.x
> > > OK: No NS list in 'answer' section; checking 'authority' section
> > > FATAL: Empty NS list found for zone mydomain.ie. from 194.x.x.x
> > > OK: Querying server 194.x.x.x as 194.x.x.x
> > > FATAL: No authoritative answers obtained
> > > FATAL: Verification failed for zone mydomain.ie.
> > > FATAL: 09:45:43 GMT on Fri 7 May 2004
> > > 
> > > _____________________________________________
> > > 
> > > rndc -s host reload
> > > 
> > > tail -f /var/log/messages
> > > 
> > > May  7 08:35:21 leviathan named[22884]: loading configuration from '/etc/named.conf'
> > > May  7 08:35:21 leviathan named[22884]: no IPv6 interfaces found
> > > May  7 08:35:46 leviathan named[22884]: lame server resolving 'www.mydomain.ie' (in 'mydomain.ie'?): 194.x.x.x#53
> > > May  7 08:35:46 leviathan last message repeated 2 times
> > >
> > > ps auxw|less
> > >
> > > named    22884  0.0  1.4 40824 3636 ? May06   0:56 /usr/sbin/named -u named -t /var/named/chroot
> > > 
> > > Here's named.conf:
> > > 
> > > // generated by named-bootconf.pl
> > > 
> > > options {
> > >        directory "/var/named";
> > >        /*
> > >         * If there is a firewall between you and nameservers you want
> > >         * to talk to, you might need to uncomment the query-source
> > >         * directive below.  Previous versions of BIND always asked
> > >         * questions using port 53, but BIND 8.1 uses an unprivileged
> > >         * port by default.
> > >         */
> > >
> > >        //query-source address * port 53;
> > > };
> > >
> > > //
> > > // File:       named.boot
> > > // Purpose:    give the DNS its startup parameters and
> > > // list of startup files.
> > > //
> > > //
> > > //
> > > //
> > > // XFRNETS parameter limits the transfer of zone information
> > > // to machines matching the subnet wildcard/mask entries listed
> > > //
> > > //
> > > // XFRNETS
> > > //
> > > // establish a loopback entry for this machine, and tell
> > > // it to load its identity from db.127.0.0
> > > //
> > > zone "0.0.127.IN-ADDR.ARPA" {
> > >        type master;
> > >        file "db.127.0.0";
> > > };
> > >
> > > //
> > > // set ourselves as primary server for the zone
> > > //
> > > zone "mydomain.ie" {
> > >        type master;
> > >        file "db.zoneinfo";
> > > };
> > >
> > > //
> > > // provide reverse address-to-host mapping
> > > //
> > > zone "x.x.194.in-addr.arpa" {
> > >        type master;
> > >        file "db.194.x.x";
> > > };
> > >
> > > //
> > > // prime the DNS with root server 'hint' information
> > > //
> > > zone "." {
> > >        type hint;
> > >        file "db.cache";
> > > };
> > >
> > > logging {
> > >        category lame-servers{null;};
> > > };
> > > key rndc {
> > >        algorithm hmac-md5 ;
> > >        secret "x";
> > > };
> > > controls {
> > >        inet 127.0.0.1 allow { localhost; } keys {rndc; };
> > > };
> > > 
> > > 
> > > Here's /var/named/db.zoneinfo:
> > > 
> > > $ORIGIN .
> > > $TTL 172800     ; 2 days
> > > mydomain.ie         IN SOA  host.mydomain.ie. hostmaster.mydomain.ie. (
> > >                                1998062504 ; serial
> > >                                21600      ; refresh (6 hours)
> > >                                7200       ; retry (2 hours)
> > >                                1209600    ; expire (2 weeks)
> > >                                172800     ; minimum (2 days)
> > >                                )
> > >                        NS      ns.isi.ie
> > >                        NS      ns2.esat.net
> > >                        NS      titan.mydomain.ie.
> > >                        NS      leviathan.mydomain.ie.
> > >                        A       194.x.x.x
> > >                        MX      5 GPO.mydomain.ie.
> > >                        MX      10 mxbackup.iol.net.
> > >                        MX      50 relay.pipex.net.
> > > $ORIGIN mydomain.ie.
> > > calisto                 A       194.x.x.2
> > >                        MX      1 leviathan
> > > $ORIGIN mydomain.ie.
> > > defunct                 A       194.x.x.111
> > > ftp                     CNAME   leviathan
> > > $ORIGIN mydomain.ie.
> > > GPO                     CNAME   leviathan
> > > $ORIGIN mydomain.ie.
> > > keeper                  A       194.x.x.112
> > > leviathan               A       194.x.x.x
> > >                        MX      5 GPO
> > >                        MX      10 mail.iol.ie.
> > >                        MX      50 relay.pipex.net.
> > > localhost               A       127.0.0.1
> > > mail                    CNAME   leviathan
> > > $ORIGIN mydomain.ie.
> > > ns                      CNAME   leviathan
> > > $ORIGIN mydomain.ie.
> > > titan                   CNAME   leviathan
> > > ww2                     CNAME   leviathan
> > > www                     CNAME   leviathan
> > > 
> > > Here's /var/named/db.194.x.x
> > > 
> > > $TTL 172800     ; 2 days
> > > x.x.194.in-addr.arpa.         IN SOA leviathan.mydomain.ie. hostmaster.mydomain.ie. (
> > >                                1998062504 ; serial
> > >                                21600      ; refresh (6 hours)
> > >                                7200       ; retry (2 hours)
> > >                                1209600    ; expire (2 weeks)
> > >                                172800)    ; minimum (2 days)
> > >
> > >                        NS      ns.isi.ie
> > >                        NS      ns2.esat.net
> > >                        NS      leviathan.mydomain.ie.
> > >                        NS      calisto.mydomain.ie
> > > 
> > > 
> > > From the secondary DNS server:
> > >
> > > /etc/rc.d/init.d/named restart
> > > Stopping named:                                            [  OK  ]
> > > Starting named:                                            [  OK  ]
> > > [root@calisto root]# tail -f /var/log/messages
> > > May  7 13:07:31 calisto named[23381]: zone mydomain.ie/IN: expired
> > > May  7 13:07:31 calisto named[23381]: zone x.x.194.in-addr.arpa/IN: refresh: non-authoritative answer from master 194.x.x.x#53
> > > May  7 13:07:31 calisto named[23381]: zone irelands-web.ie/IN: refresh: non-authoritative answer from master 194.125.22.1#53
> > > 
> > > Anyway, not sure where to go from here and any help
> > > greatly appreciated.
> > > 
> > > TIA
> > > 
> > > Chris 
> > > 


=====
"We stand for a culture of responsibility in America. We're changing the culture of this country from one that has said, if it feels good do it, and if you got a problem, blame somebody else, to a culture in which each of us are responsible for the decisions we make in life." - President Bush

Chris Boyd
Cell: + 27 84 983 5242
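
The "No authoritative answers obtained" and "returns 0 answers (may be a referral)" results quoted above both come down to the header of the reply to an NS query for the zone. The following Python is an added example, not part of the original post: it builds that query and classifies a raw reply from its header flags. The reply bytes are constructed samples (headers only, no resource records) and the function names are illustrative.

```python
import struct

NS, IN = 2, 1  # QTYPE NS, QCLASS IN


def build_ns_query(zone, qid=0x1234):
    """Non-recursive (RD=0) NS query for the zone apex, as a delegation check sends."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", NS, IN)


def classify_reply(msg, qid=0x1234):
    """Classify a raw reply to that query using only the 12-byte DNS header."""
    if len(msg) < 12:
        return "malformed"
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qr, aa, rcode = flags >> 15, (flags >> 10) & 1, flags & 0xF
    if rid != qid or qr != 1:
        return "malformed"
    if rcode != 0:
        return "lame: rcode %d" % rcode  # e.g. 2 SERVFAIL, 5 REFUSED
    if aa and an > 0:
        return "authoritative"
    if aa:
        return "authoritative, but no NS records at the apex"
    if an == 0 and ns > 0:
        # Only the authority section is filled in: the server is pointing
        # elsewhere instead of answering for a zone it was delegated.
        return "lame: referral (0 answers, AA clear)"
    return "lame: non-authoritative answer"


def sample_reply(flags, an, ns, zone="mydomain.ie"):
    """Constructed reply: the question echoed back under a rewritten header."""
    question = build_ns_query(zone)[12:]
    return struct.pack("!HHHHHH", 0x1234, flags, 1, an, ns, 0) + question


# Constructed samples; flag values are QR=0x8000, AA=0x0400, RA=0x0080.
SAMPLES = {
    "healthy master": sample_reply(0x8400, 2, 0),
    "root referral": sample_reply(0x8000, 0, 13),
    "cached answer": sample_reply(0x8080, 2, 0),
    "servfail": sample_reply(0x8002, 0, 0),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} {classify_reply(raw)}")
```
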


	
		


