[rbldnsd] queries of non-existent RRs

Steven F Siirila sfs at tc.umn.edu
Sat Apr 23 00:43:42 MSD 2005 

On Sat, Apr 23, 2005 at 12:02:50AM +0400, Michael Tokarev wrote:
> Steven F Siirila wrote:
> []
> >>Have you configured SOA in the zone you're using?  Without SOA configured,
> >>rbldnsd can't answer with NXDOMAIN, so it just REFUSEs the query, and such
> >>a reply gets translated into SERVFAIL by your forwarder.
> >
> >Actually, it doesn't appear that the rsync'd SBL zone has an SOA defined.
> >However, the rsync'd SORBS zone does and it has the same problem:
> >
> >$DATASET ip4set dul safe @
> >$SOA	86400	rbldns0.sorbs.net dns.isux.com 0 7200 7200 604800 3600
> >$NS 86400 sorbs-sql1.vix.com. rbldns0.sorbs.net. rbldns2.sorbs.net.
> >rbldns3.sorbs.net. rbldns4.sorbs.net rbl1.oregonstate.edu.
> >rbl2.oregonstate.edu. sorbs.bl.xs4all.nl. rbldns5.sorbs.net.
> >rbldns6.sorbs.net.
> >:127.0.0.10:Dynamic IP Addresses See:
> 
> This zone does not show the behaviour you mentioned (dnsbl.sorbs.net
> is running rbldnsd and is loaded with that zone you're rsyncing):
> 
> $ dnsget -v -n rbldns0.sorbs.net. 3.2.1.0.dnsbl.sorbs.net.
> ;; trying 3.2.1.0.dnsbl.sorbs.net.
> ;; sending 52 bytes query to 203.15.51.34 port 53
> 
> ;; received 97 bytes response from 203.15.51.34 port 53
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7960, size: 97
> ;; flags: qr rd aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUERY SECTION (1):
> ;3.2.1.0.dnsbl.sorbs.net.       IN      A
> 
> ;; AUTHORITY section (1):
> dnsbl.sorbs.net.        3600    IN      SOA     rbldns0.sorbs.net. 
> dns.isux.com. 1114198834 7200 7200 604800 3600
> 
> 
> Note the NXDOMAIN status.  (And note the SOA record - it IS used
> in the NXDOMAIN response -- that's why rbldnsd can't return NXDOMAIN
> if SOA record isn't present.)
> 
> Care to provide similar output from dig as shown when querying your
> rbldnsd?

Aha.  I was being lazy and using "host" instead of "dig".  When I used
dig, I got the expected answers.  Doh!

> >>Well... it's interesting.  Lemme take a more detailed look at this...
> 
> Perhaps I should add this issue to the docs and log a warning in rbldnsd
> if there's no SOA and NS records configured.

Actually, I hadn't realized that lines starting with #$SOA were not
comments.  So, all of my zones do appear to have SOA records after all.

> >Can you provide me with a small (< 20 lines) zone which I could load that
> >shouldn't have this problem, and I can test against it?
> 
> The one from sorbs should work.

And it does.  Thanks for the assistance!

-- 

Steven F. Siirila			Office: Lind Hall, Room 130B
Internet Services			E-mail: sfs at umn.edu
Office of Information Technology	Voice: (612) 626-0244
University of Minnesota			Fax: (612) 626-7593

More information about the rbldnsd mailing list