Raymond,

Thanks for the quick reply. I checked with the person in charge of the host. He could not telnet to port 53 on my host, so I believe that is the problem, since they did not want to have zone transfers.

I created two records to pass "NS" to that host by typing

xyz.com. IN NS that.host
*.xyz.com In NS that.host

and it works fine when I type www.xyz.com, which gives me the A record, but in the daemon log I see

Sep 28 14:34:06 auth2 named[8958]: Ready to answer queries.
Sep 28 14:34:16 auth2 named[8958]: bad referral (xyz.com !< *.xyz.com)
Sep 28 14:34:16 auth2 named[8958]: bad referral (xyz.com !< *.xyz.com)

Any suggestion? What did I do?

Kawasaki TK3197
= = = = = =
Business Network Telecom (BNT) / Business Network Telecom Co., Ltd.
31 Sankyo Bldg. 6F, 3-8-5 Asakusabashi, Taito-ku, Tokyo 111-0053
TEL 03-5687-3945 FAX 03-5687-6009
http://www.giganet.net

On Sun, 27 Sep 1998, Raymond Forbes wrote:
It is possible that the router or the firewall is not allowing connections, that would be the only way to explain what you are seeing.
ray
----------
From: Tatsuya Kawasaki [SMTP:tatsuya@giganet.net]
Sent: Sunday, September 27, 1998 9:33 PM
To: Raymond Forbes
Subject: RE: UDP packet/DNS server
I have tried to get a zone transfer via dig. It failed. Nothing came back. I have looked at their named.conf. I did not see any restriction in it.
I could not receive a zone transfer from a host. So if someone logs in to the host and telnets to port 53 on my host, and telnet is successful, then zone transfer is possible. But telnet from my host to the host failing does not really mean anything?
TIA
Tatsuya
On Sun, 27 Sep 1998, Raymond Forbes wrote:
Zone transfers are not done by UDP. They are TCP. A couple of ways you can test: telnet to port 53 and see if you make a connection. Also, if you do nslookup and then ls domain name, this is equivalent to doing a zone transfer.
hope this helps.
ray
----------
From: Tatsuya Kawasaki [SMTP:tatsuya@giganet.net]
Sent: Sunday, September 27, 1998 8:44 PM
To: nanog ml
Subject: UDP packet/DNS server
Hello Nanog,
I am trying to get a zone transfer from a host, but it seems that because of firewalls(?), I can not get any record. They acknowledged that there is a host behind the firewalls but they claim it should not affect it. (I don't believe it.) But I don't know how to check/prove whether a certain host can receive/send a UDP packet.
TIA,
Tatsuya
Tatsuya Kawasaki wrote:
xyz.com. IN NS that.host
*.xyz.com In NS that.host
Gah!! Illegal! Never use "*" in DNS! Just makes /bad things/ happen.

@ IN SOA xyz.com. hostmaster.xyz.com. ( 1998092801 3600 1800 3600000 7200)
ns ns1.xyz.com.
ns ns2.xyz.com.
mx 0 mail.xyz.com.
mail a 1.2.3.4
mx 0 mail
.. etc ..

--
jamie rishaw (efnet:gavroche) American Information Systems, Inc. Tel:312.425.7140, FAX:312.425.7240
Help stop spam! router(config)#no ip routing
thirty thousand feet above the earth..youre a beautiful thing..
Jamie,

First off, I must correct that for the wildcard DNS entry, there is a trailing '.' on the real entry.

Having said that, two questions.

#1 Why illegal? What is the theory behind it? I don't see the problem.

#2 If I want to pass DNS inquiries to the primary server (i.e. the server that does not allow ZONE transfer), I thought all I need to do is to pass an NS record to that server.

Any suggestion?

Tatsuya

On Mon, 28 Sep 1998, James Rishaw wrote:
Tatsuya Kawasaki wrote:
xyz.com. IN NS that.host *.xyz.com In NS that.host
Gah!!
Illegal!
Never use "*" in DNS! Just makes /bad things/ happen.
@ IN SOA xyz.com. hostmaster.xyz.com. ( 1998092801 3600 1800 3600000 7200)
ns ns1.xyz.com. ns ns2.xyz.com.
mx 0 mail.xyz.com.
mail a 1.2.3.4 mx 0 mail
.. etc ..
Allowable characters in hostnames are: a-zA-Z0-9. I think / is also allowable, and there is an RFC on this subject. Go to ftp://nic.ddn.mil/pub/rfc to check.

On a side note, some DNS implementations do not adhere to this standard, for instance Lose9[5|8] and other microsuck "products". BIND 8 will not load a zone containing illegal characters.

Jamie is absolutely right (surprise!).

PS: jamie.. o-line baby..

On Tue, Sep 29, 1998 at 09:20:31AM +0900, Tatsuya Kawasaki wrote:
Jamie,
First off, I must correct that for the wildcard DNS entry, there is a trailing '.' on the real entry.
Having said that, two questions.
#1 Why illegal? What is the theory behind it? I don't see the problem.
#2 If I want to pass DNS inquiries to the primary server (i.e. the server that does not allow ZONE transfer),
I thought all I need to do is to pass an NS record to that server.
Any Suggestion?
Tatsuya
You have to admit, it does save one hell of a lot of typing for the 1918 IN-ADDR.ARPA delegations.

rfc1918.db
----------
@ IN SOA ns1.xxx.net. hostmaster.xxx.net. (
    1997101001 ; serial
    300 ; refresh
    300 ; retry
    604800 ; expire
    600 ) ; minimum
  IN NS ns1.xxx.net.
  IN NS ns2.xxx.net.
* IN PTR rfc1918.xxx.net.
-----------

then in named.bt

primary 16.172.in-addr.arpa RFC1918.DB
primary 17.172.in-addr.arpa RFC1918.DB
primary 18.172.in-addr.arpa RFC1918.DB
primary 19.172.in-addr.arpa RFC1918.DB
primary 20.172.in-addr.arpa RFC1918.DB
primary 21.172.in-addr.arpa RFC1918.DB
primary 22.172.in-addr.arpa RFC1918.DB
primary 23.172.in-addr.arpa RFC1918.DB
primary 24.172.in-addr.arpa RFC1918.DB
primary 25.172.in-addr.arpa RFC1918.DB
primary 26.172.in-addr.arpa RFC1918.DB
primary 27.172.in-addr.arpa RFC1918.DB
primary 28.172.in-addr.arpa RFC1918.DB
primary 29.172.in-addr.arpa RFC1918.DB
primary 30.172.in-addr.arpa RFC1918.DB
primary 31.172.in-addr.arpa RFC1918.DB

repeat for 10.x.x.x and 192.168 space

To reiterate the question posed by the original poster, (donning asbestos), why is this bad?

Eric

At 08:31 AM 9/28/98 -0500, you wrote:
Tatsuya Kawasaki wrote:
xyz.com. IN NS that.host *.xyz.com In NS that.host
Gah!!
Illegal!
Never use "*" in DNS! Just makes /bad things/ happen.
@ IN SOA xyz.com. hostmaster.xyz.com. ( 1998092801 3600 1800 3600000 7200)
ns ns1.xyz.com. ns ns2.xyz.com.
mx 0 mail.xyz.com.
mail a 1.2.3.4 mx 0 mail
. etc ..
==========================================================================
Eric Germann
CCTec
ekgermann@cctec.com
Van Wert, OH 45891
http://www.cctec.com
Ph: 419 968 2640
Fax: 419 968 2641
Network Design, Connectivity & System Integration Services
A Microsoft Solution Provider
To reiterate the question posed by the original poster, (donning asbestos), why is this bad?
If you use a "*" as a label for an NS record, you will answer with a referral for any label. *Any* label, not just the ones for which you completed the receiving end of the zone cut. Think of it as the ultimate lame delegation.

Stephen
At 06:28 PM 9/28/98 -0700, Stephen Stuart wrote:
To reiterate the question posed by the original poster, (donning asbestos), why is this bad?
If you use a "*" as a label for an NS record, you will answer with a referral for any label. *Any* label, not just the ones for which you completed the receiving end of the zone cut. Think of it as the ultimate lame delegation.
Speaking of lame delegations, this has been polluting my syslog files lately;
Sep 28 18:42:27 falcon named[12943]: Lame server on 'ns3.above.net' (in 'above.net'?): [128.9.0.107].53 'b.root-servers.net': learnt (A=".",NS=".")
Sep 28 18:42:27 falcon named[12943]: Lame server on 'ns3.above.net' (in 'above.net'?): [192.33.4.12].53 'c.root-servers.net': learnt (A=".",NS=".")
Sep 28 18:42:28 falcon named[12943]: Lame server on 'ns3.above.net' (in 'above.net'?): [128.8.10.90].53 'd.root-servers.net': learnt (A=".",NS=".")
Sep 28 18:42:28 falcon named[12943]: Lame server on 'ns3.above.net' (in 'above.net'?): [192.203.230.10].53 'e.root-servers.net': learnt (A=".",NS=".")
Sep 28 18:42:28 falcon named[12943]: Lame server on 'ns3.above.net' (in 'above.net'?): [192.36.148.17].53 'i.root-servers.net': learnt (A=".",NS=".")
Sep 28 18:42:28 falcon named[12943]: Lame server on 'ns3.above.net' (in 'above.net'?): [192.5.5.241].53 'f.root-servers.net': learnt (A=".",NS=".")
___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: rmeyer@mhsc.com
Internet phone: hawk.mhsc.com
Personal web pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
I bet the human brain is a kludge. -- Marvin Minsky
But it's perfectly ok for PTR records, though perhaps your example is less than ideal. The objection to the use of "*" was specific to NS records. An NS record should exist for a domain only if that domain exists. Since "*" matches any subdomain whether the domain exists or not, an NS record will be returned for non-existent subdomains and that violates the rule. Some records of other types are incompatible with "*" for similar reasons. The major point here is that any DNS record should reference either a valid response or another record that will lead to a response, and an NS record pointing to a zone file that doesn't exist is neither.

Some folks will contend that the use of "*" in PTR records is bad form even though it is legal. That's a religious war, not a technical one. (I happen to like the use of "*", though I also believe that one should first apply specific host names whenever a static mapping allows).

On Monday, 28 Sep 1998 at 21:02 EDT, Eric Germann wrote:
you have to admit, it does save one hell of a lot of typing for the 1918 IN-ADDR.ARPA delegations.
rfc1918.db ----------
@ IN SOA ns1.xxx.net. hostmaster.xxx.net. (
    1997101001 ; serial
    300 ; refresh
    300 ; retry
    604800 ; expire
    600 ) ; minimum
IN NS ns1.xxx.net. IN NS ns2.xxx.net.
* IN PTR rfc1918.xxx.net. -----------
then in named.bt
primary 16.172.in-addr.arpa RFC1918.DB
primary 17.172.in-addr.arpa RFC1918.DB
primary 18.172.in-addr.arpa RFC1918.DB
primary 19.172.in-addr.arpa RFC1918.DB
primary 20.172.in-addr.arpa RFC1918.DB
primary 21.172.in-addr.arpa RFC1918.DB
primary 22.172.in-addr.arpa RFC1918.DB
primary 23.172.in-addr.arpa RFC1918.DB
primary 24.172.in-addr.arpa RFC1918.DB
primary 25.172.in-addr.arpa RFC1918.DB
primary 26.172.in-addr.arpa RFC1918.DB
primary 27.172.in-addr.arpa RFC1918.DB
primary 28.172.in-addr.arpa RFC1918.DB
primary 29.172.in-addr.arpa RFC1918.DB
primary 30.172.in-addr.arpa RFC1918.DB
primary 31.172.in-addr.arpa RFC1918.DB
repeat for 10.x.x.x and 192.168 space
To reiterate the question posed by the original poster, (donning asbestos), why is this bad?
Eric
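The two explanations above (Stephen Stuart's, that a wildcard NS record answers with a referral for any label, and Eric Sobocinski's, that the same wildcard is harmless for PTR records) can be checked with a small lookup routine. This is an added example, not code from the thread; it applies the RFC 1034 wildcard rule to a single zone, and the zone data, the 192.0.2.10 address and the "that.host" placeholder are constructed, modelled on the records quoted in the thread.

```python
def _labels(name):
    # "www.xyz.com." -> ["com", "xyz", "www"], apex label first
    return name.lower().rstrip(".").split(".")[::-1]

def _name(labels):
    return ".".join(reversed(labels))

def lookup(origin, rrsets, qname, qtype):
    """rrsets: {fully qualified owner: [(rtype, rdata), ...]}. Returns
    (status, owner, [rdata]); status is REFERRAL, ANSWER, NODATA or NXDOMAIN."""
    base, q = _labels(origin), _labels(qname)
    if q[:len(base)] != base:
        raise ValueError(f"{qname} is not inside {origin}")
    # Every name that exists, including empty non-terminals above owners.
    existing = {_name(_labels(o)[:i]) for o in rrsets
                for i in range(len(base), len(_labels(o)) + 1)}
    def rrs(owner, rtype):
        return [rd for rt, rd in rrsets.get(owner, []) if rt == rtype]
    # 1. Zone-cut check, walking from just below the apex down to qname. The
    #    wildcard rule applies at each step: "*.xyz.com NS" cuts off any label.
    for i in range(len(base) + 1, len(q) + 1):
        node = _name(q[:i])
        owner = node if node in existing else "*." + _name(q[:i - 1])
        if rrs(owner, "NS"):
            return ("REFERRAL", node, rrs(owner, "NS"))
    # 2. Exact match (an empty non-terminal exists but holds no data).
    name = _name(q)
    if name in existing:
        data = rrs(name, qtype)
        return ("ANSWER" if data else "NODATA", name, data)
    # 3. Wildcard at the closest encloser, otherwise the name does not exist.
    closest = max((_name(q[:i]) for i in range(len(base), len(q))
                   if _name(q[:i]) in existing), key=len)
    wild = "*." + closest
    if wild in existing:
        data = rrs(wild, qtype)
        return ("ANSWER" if data else "NODATA", name, data)
    return ("NXDOMAIN", name, [])

# Constructed zone data modelled on the thread: the wildcard NS from the
# original question and the wildcard PTR from the rfc1918.db example.
XYZ = {"xyz.com": [("NS", "ns1.xyz.com.")],
       "www.xyz.com": [("A", "192.0.2.10")],
       "*.xyz.com": [("NS", "that.host.")]}
REV = {"16.172.in-addr.arpa": [("NS", "ns1.xxx.net.")],
       "*.16.172.in-addr.arpa": [("PTR", "rfc1918.xxx.net.")]}

if __name__ == "__main__":
    print(lookup("xyz.com", XYZ, "www.xyz.com", "A"))         # the A record
    print(lookup("xyz.com", XYZ, "nosuchhost.xyz.com", "A"))  # a referral
```

The explicit www.xyz.com name still answers with its A record, as the original poster observed, while every name that does not exist in xyz.com is referred to that.host; dropping the "*.xyz.com" entry turns those into NXDOMAIN, and the reverse zone's wildcard only ever synthesizes a PTR answer.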
Eric, thanks for your reply. Though I did not agree with the RFC, I understand what you are saying. Do you think it is about time to change the RFC?

BTW, according to DNS and BIND, 2nd Ed. by O'Reilly, it is okay for MX records too. :-)

TIA,
Tatsuya

On Tue, 29 Sep 1998, Eric Sobocinski wrote:
But it's perfectly ok for PTR records, though perhaps your example is less than ideal. The objection to the use of "*" was specific to NS records. An NS record should exist for a domain only if that domain exists. Since "*" matches any subdomain whether the domain exists or not, an NS record will be returned for non-existent subdomains and that violates the rule. Some records of other types are incompatible with "*" for similar reasons. The major point here is that any DNS record should reference either a valid response or another record that will lead to a response, and an NS record pointing to a zone file that doesn't exist is neither.
Some folks will contend that the use of "*" in PTR records is bad form even though it is legal. That's a religious war, not a technical one. (I happen to like the use of "*", though I also believe that one should first apply specific host names whenever a static mapping allows).
On Monday, 28 Sep 1998 at 21:02 EDT, Eric Germann wrote:
participants (8): Christopher Neill, Eric Germann, Eric Sobocinski, jamie@dilbert.ais.net, Randy Bush, Roeland M.J. Meyer, Stephen Stuart, Tatsuya Kawasaki