topic Re: BIND problem in Operating System - Linux

BIND problem

Piotr Kirklewski — Fri, 22 Oct 2010 02:57:12 GMT

Hi there.

I don't understand why rdnc is not giving me any error but named-checkzone does.

rndc reload & tail -f /var/log/daemon.log
[4] 1450
Oct 21 20:44:28 ns1 named[725]: using default UDP/IPv6 port range: [1024, 65535]
Oct 21 20:44:28 ns1 named[725]: reloading configuration succeeded
Oct 21 20:44:28 ns1 named[725]: reloading zones succeeded
Oct 21 20:49:17 ns1 named[725]: received control channel command 'reload'
Oct 21 20:49:17 ns1 named[725]: loading configuration from '/etc/bind/named.conf'
Oct 21 20:49:17 ns1 named[725]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Oct 21 20:49:17 ns1 named[725]: using default UDP/IPv4 port range: [1024, 65535]
Oct 21 20:49:17 ns1 named[725]: using default UDP/IPv6 port range: [1024, 65535]
Oct 21 20:49:17 ns1 named[725]: reloading configuration succeeded
Oct 21 20:49:17 ns1 named[725]: reloading zones succeeded
server reload successful
Oct 21 20:49:25 ns1 named[725]: received control channel command 'reload'
Oct 21 20:49:25 ns1 named[725]: loading configuration from '/etc/bind/named.conf'
Oct 21 20:49:25 ns1 named[725]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Oct 21 20:49:25 ns1 named[725]: using default UDP/IPv4 port range: [1024, 65535]
Oct 21 20:49:25 ns1 named[725]: using default UDP/IPv6 port range: [1024, 65535]
Oct 21 20:49:25 ns1 named[725]: reloading configuration succeeded
Oct 21 20:49:25 ns1 named[725]: reloading zones succeeded

root@ns1:~# named-checkzone xdomain.local /etc/bind/xdomain.local.zone
/etc/bind/xdomain.local.zone:3: ignoring out-of-zone data (xdomain.local.zone)
/etc/bind/xdomain.local.zone:10: ignoring out-of-zone data (NS)
/etc/bind/xdomain.local.zone:10: unknown RR type 'ns1.xdomain.com.'
/etc/bind/xdomain.local.zone:11: ignoring out-of-zone data (MX)
/etc/bind/xdomain.local.zone:11: unknown RR type 'mail.xdomain.com.'
zone xdomain.local/IN: loading from master file /etc/bind/xdomain.local.zone failed: unknown class/type
zone xdomain.local/IN: not loaded due to errors.

root@ns1:/etc/bind# cat /etc/bind/xdomain.local.zone
$ORIGIN .
$TTL 86400; 1 day
xdomain.local.zone IN SOA ns1.xdomain.com. admin\@xdomain.com. (
2010102010 ; serial
10800 ; refresh (3 hours)
15 ; retry (15 seconds)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS ns1.xdomain.com.
MX 10 mail.xdomain.com.
$ORIGIN xdomain.local.
adm001bri CNAME ns1
mail A 10.10.0.2
ns1 A 10.10.0.10
fog001bri A 10.10.0.3
$TTL 86400; 1 day
www A 172.229.158.235

Re: BIND problem

Matti_Kurkela — Fri, 22 Oct 2010 08:54:13 GMT

> named-checkzone xdomain.local /etc/bind/xdomain.local.zone

vs.

> $ORIGIN .
> $TTL 86400; 1 day
> xdomain.local.zone IN SOA ns1.xdomain.com. admin\@xdomain.com. (
2010102010 ; serial [...]

Your named-checkzone command says the zone should be named "xdomain.local". But the SOA record names the zone "xdomain.local.zone", which is not the same.

Lines 10 and 11 are incomplete: they are missing the name (xdomain.local.zone) and the RR type (IN). Normally incomplete records will be auto-completed by looking at the previous records and copying the missing parts from the last record that had them.

But the first error caused the SOA record to be ignored, so named-checkzone cannot use it; so it cannot auto-complete the recods on the later lines.

Try running named-checkzone again, using the correct name for the zone as it is specified in the SOA record:

# named-checkzone xdomain.local.zone /etc/bind/xdomain.local.zone

This should fix the first error, and allows named-checkzone to recognize the SOA record as valid. As there is now one complete record before incomplete ones, the auto-completion should now work and the lines 10 and 11 should be parsed correctly too.

In general, whenever a program suddenly starts detecting multiple errors at the same time, it's possible that the first error causes the program to get "out of sync" of the data it's reading, and the rest of the errors might be just a consequence of that. Fix the first error, and the others may vanish too.

MK

Re: BIND problem

Piotr Kirklewski — Fri, 22 Oct 2010 12:45:22 GMT

One more question:

How do I check from another system if the MX record is working fine ?

I'm trying to install Zimbra and it complains:

DNS ERROR resolving MX for mail.xdomain.com
It is suggested that the domain name have an MX record configured in DNS.

I clearly have the MX record in my DNS - why is my mail server having difficulties seeing it ?

Re: BIND problem

Steven Schweda — Fri, 22 Oct 2010 13:10:20 GMT

> How do I check from another system if the
> MX record is working fine ?

man nslookup

nslookup -type=mx domain.of.interest

> [...] why is my mail server having
> difficulties seeing it ?

Many things are possible. Are you
incrementing your "serial" number when you
make a change? DNS servers and resolvers may
have caches.

Re: BIND problem

Steven Schweda — Fri, 22 Oct 2010 13:11:38 GMT

> One more question:
> [...]

That was two more questions.

Re: BIND problem

Piotr Kirklewski — Fri, 22 Oct 2010 16:40:06 GMT

[root@mail ~]# nslookup -type=mx xdomain.com
Server: 10.10.0.10
Address: 10.10.0.10#53

xdomain.com mail exchanger = 10 mail.xdomain.com.

[root@mail ~]# nslookup -type=mx mail.xdomain.com
Server: 10.10.0.10
Address: 10.10.0.10#53

*** Can't find mail.xdomain.com: No answer

I don;t understand why it resolves MX to xdomain.com and not to mail.xdomain.com.
Both xdomain.local.zone and xdomain.com.internal.zone have the record:

MX 10 mail.xdomain.com.

Re: BIND problem

Steven Schweda — Fri, 22 Oct 2010 17:38:17 GMT

> I don;t understand why it resolves MX to
> xdomain.com and not to mail.xdomain.com.

I don't understand what you don't understand.

> [...] # nslookup -type=mx xdomain.com
> [...]
> xdomain.com mail exchanger = 10 mail.xdomain.com.

To me, that says that for the domain
"xdomain.com", the MX is "mail.xdomain.com.".
(You seem to be the one who put that dot at
the end, by the way.) So, if someone wants
to send a message to, say,
"fred@xdomain.com", then he should talk to
"mail.xdomain.com.". Isn't this what you
want (except, perhaps, for that last dot)?

> [...] # nslookup -type=mx mail.xdomain.com
> [...]

That would tell you whom to talk to if you
had a message for, say,
"fred@mail.xdomain.com", and you haven't
configured anything for that case. (And you
probably don't want to.)

Re: BIND problem

Matti_Kurkela — Wed, 27 Oct 2010 16:13:16 GMT

>root@mail ~]# nslookup -type=mx xdomain.com
>Server: 10.10.0.10
>Address: 10.10.0.10#53
>
>xdomain.com mail exchanger = 10 mail.xdomain.com.

This says: "The mail server where mail for email addresses like '@xdomain.com' should be delivered is mail.xdomain.com."

Now, your Zimbra is not trying to resolve the MX just for curiosity: it's either trying to connect to it, or trying to ensure the mail server will be connectable by others. An IP address is necessary for making a successful connection, so the next lookup step is trying to find a regular A record for mail.xdomain.com.

Test: does the command "nslookup mail.xdomain.com" return a valid IP address?

A mail server has extra strict validity requirements for its DNS information: it generally must have a valid reverse-DNS entry too. This is intended to make it slightly less easy to send email using fake addresses. (Unfortunately, it's still far too easy.)

Test: run "nslookup " using the IP address you got from the previous step. The response should include the name "mail.xdomain.com".

MK