Mike Toler | 3 Nov 2009 21:45

Help requested for zone delegation using DLZ

First off, I’ve gone through all of the previous DLZ/Zone Delegation threads both here and on other lists, and have not found a working example on any of them.  I’ve tried dumbing down my own selects to the bare minimum and still am not able to get a successful delegation of a request.  The QUERIES all look fine when I run named in debug mode (see below), but I NEVER see any attempt to delegate to the second server any DNS queries for us.example.com.

 

Using the example.com and us.example.com nomenclature that seems popular in the threads, this is a description of what I have (DB SQL statements at the bottom of the e-mail so they can be easily dropped into a matching DB):

Server A:
  Domain: example.com
  IP:     172.25.2.94
  Hosts: SOA record, NS record (ns1), A record (ns1), A record (ns1-us), NS record (us.example.com)

      zone      |  host  | ttl | type | mx_priority |        data         | resp_person |   serial   | refresh | retry | expire | minimum
----------------+--------+-----+------+-------------+---------------------+-------------+------------+---------+-------+--------+---------
 example.com    | @      | 300 | SOA  |             | ns1                 | hostmaster  | 2009091600 |     900 |  2800 |   8640 |    1080
 example.com    | ns1-us | 300 | A    |             | 172.24.1.93         |             |            |         |       |        |
 example.com    | @      | 300 | NS   |             | ns1.example.com.    |             |            |         |       |        |
 us.example.com | @      | 300 | NS   |             | ns1-us.example.com. |             |            |         |       |        |
 example.com    | ns1    | 300 | A    |             | 172.24.2.196        |             |            |         |       |        |

Server B:
  Domain: us.example.com
  IP:     172.25.1.93
  Hosts: SOA record, NS record (ns1), A record (ns1), A record (ns1-us), NS record (us.example.com)

      zone      | host  | ttl | type | mx_priority |        data         | resp_person |   serial   | refresh | retry | expire | minimum
----------------+-------+-----+------+-------------+---------------------+-------------+------------+---------+-------+--------+---------
 us.example.com | ns1   | 300 | A    |             | 172.24.1.93         |             |            |         |       |        |
 us.example.com | @     | 300 | SOA  |             | ns1                 | hostmaster  | 2009091600 |     900 |  2800 |   8640 |    1080
 us.example.com | @     | 300 | NS   |             | ns1.us.example.com. |             |            |         |       |        |
 us.example.com | test1 | 300 | A    |             | 1.2.3.4             |             |            |         |       |        |

My DLZ configuration in the named.conf file looks like:

. . .

dlz "postgres zone" {
   database "postgres 2
   {host=int-dbs  port=5432 dbname=xxxx user=yyyy}
   {select zone from dns_records where zone = '%zone%'}
   {select ttl, type, mx_priority, case when lower(type)='txt' then '\"' || data
        || '\"' else data end from dns_records where zone = '%zone%' and host = '%record%' }";
};

. . .

If I do a dig command for the NS record for “us.example.com” on server A, it works fine and returns the NS record.  (ns1-us.example.com evaluates to the IP of server B.)

 

[root@int-svc-11 ~]# dig ns @172.24.2.196 us.example.com

; <<>> DiG 9.4.3-P2 <<>> ns @172.24.2.196 us.example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30308
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;us.example.com.                        IN      NS

;; ANSWER SECTION:
us.example.com.         300     IN      NS      ns1-us.example.com.

;; Query time: 1 msec
;; SERVER: 172.24.2.196#53(172.24.2.196)
;; WHEN: Tue Nov  3 20:20:49 2009
;; MSG SIZE  rcvd: 53


If I do a dig command for the A record “test1.us.example.com” it fails.

[root@int-svc-11 ~]# dig a @172.24.2.196 test1.us.example.com

; <<>> DiG 9.4.3-P2 <<>> a @172.24.2.196 test1.us.example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29260
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test1.us.example.com.          IN      A

;; Query time: 3 msec
;; SERVER: 172.24.2.196#53(172.24.2.196)
;; WHEN: Tue Nov  3 20:22:03 2009
;; MSG SIZE  rcvd: 38

The final query that DLZ does before failing (which, if I understand correctly, is used to determine if the request needs to be forwarded) is:

03-Nov-2009 20:20:56.532 84 built query
03-Nov-2009 20:20:56.532 84 query is 'select ttl, type, mx_priority, case when lower(type)='txt' then '"' || data
        || '"' else data end from dns_records where zone = 'us.example.com' and host = '@' '
03-Nov-2009 20:20:56.532 84 executing query for 0 time
03-Nov-2009 20:20:56.532 84 rs ok
03-Nov-2009 20:20:56.532 84 cleaning up
03-Nov-2009 20:20:56.532 84 returning
03-Nov-2009 20:20:56.532 842 Getting DBI
03-Nov-2009 20:20:56.532 842 Got DBI - checking query
03-Nov-2009 20:20:56.532 842 cleaning up
03-Nov-2009 20:20:56.532 842 returning

That query on my DB returns:

dns_data=# select ttl, type, mx_priority, case when lower(type)='txt' then '"' || data   || '"' else data end from dns_records where zone = 'us.example.com' and host = '@';
 ttl | type | mx_priority |        data
-----+------+-------------+---------------------
 300 | NS   |             | ns1-us.example.com.
(1 row)

Which appears to me to be correct.  That is returning the NS record defined for “us.example.com” in SERVER A (ns1-us.example.com is an A record that points to server B).

 

So why, when I do a dig, does the query never make it to the server B and I get the DNS lookup failure???  This is driving me nuts.

-------------------------------------------------- DB Definition --------------------------------------------------

Postgres DB Definition:

CREATE TABLE dns_records
(
  "zone" character varying(255) NOT NULL,
  host character varying(255) NOT NULL,
  ttl integer,
  "type" character varying(16) NOT NULL,
  mx_priority integer,
  data character varying(255) NOT NULL,
  resp_person character varying(255),
  serial integer,
  refresh integer,
  retry integer,
  expire integer,
  minimum integer,
  datestamp timestamp without time zone DEFAULT now(),
  CONSTRAINT dns_records_pkey PRIMARY KEY (zone, host, data, type)
)
WITH (
  OIDS=FALSE
);

 

Michael L. Toler
Sr. System Test Engineer
Prodea Systems, Inc.
214-278-1834 (office)
972-816-7790 (mobile)
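An added Python model of the findzone/lookup sequence the post's log shows, not code from the post or from BIND. It assumes the two bracketed queries in the named.conf are DLZ's findzone and lookup, that BIND tries findzone on the full query name and then on each shorter parent name, and that a matched zone with no SOA row cannot produce an answer; the table is constructed from the Server A listing above, and the rcode names are the model's own labels.

```python
# Constructed from the Server A table in the post; columns are (zone, host, ttl, type, data).
SERVER_A = [
    ("example.com",    "@",      300, "SOA", "ns1"),
    ("example.com",    "ns1-us", 300, "A",   "172.24.1.93"),
    ("example.com",    "@",      300, "NS",  "ns1.example.com."),
    ("us.example.com", "@",      300, "NS",  "ns1-us.example.com."),
    ("example.com",    "ns1",    300, "A",   "172.24.2.196"),
]

def find_zone(records, qname):
    """Model of the DLZ findzone query (assumption: BIND tries the query name,
    then each shorter parent, and the first name present in the zone column wins)."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if any(r[0] == candidate for r in records):
            return candidate
    return None

def lookup(records, zone, host):
    """Model of the DLZ lookup query: rows for one host inside the matched zone."""
    return [r for r in records if r[0] == zone and r[1] == host]

def resolve(records, qname):
    """Replay findzone then lookup and report the outcome this model yields."""
    zone = find_zone(records, qname)
    if zone is None:
        return ("NOT_AUTHORITATIVE", [])      # findzone matched nothing in the table
    rel = qname.rstrip(".")[: -len(zone)].rstrip(".")
    rows = lookup(records, zone, rel or "@")
    if rows:
        return ("NOERROR", rows)
    apex = lookup(records, zone, "@")         # the final host='@' query seen in the log
    if not any(r[3] == "SOA" for r in apex):
        return ("SERVFAIL", apex)             # zone was claimed, but there is no SOA to answer with
    return ("NXDOMAIN", apex)

def zones_without_soa(records):
    """Audit: every name findzone can claim should carry an SOA; a zone row holding
    only NS data is a delegation that has been stored as a zone of its own."""
    zones = {r[0] for r in records}
    return sorted(z for z in zones
                  if not any(r[0] == z and r[3] == "SOA" for r in records))

if __name__ == "__main__":
    for q in ("us.example.com", "test1.us.example.com"):
        print(q, "->", resolve(SERVER_A, q)[0])
    print("zones without SOA:", zones_without_soa(SERVER_A))
```

Under these assumptions the model returns NOERROR for the NS query and SERVFAIL for test1.us.example.com, matching the two dig runs, and the audit names us.example.com as the zone row that findzone claims without an SOA.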

 

Bind-dlz-testers mailing list
Bind-dlz-testers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bind-dlz-testers