Hi,
I encountered a zone that has ns-ext.isc.org as one of its
nameservers. The zone file provides an A record for ns-ext.isc.org in
that zone. Bind will load this zone without issues, but nsd (well zonec)
will reject the entire zone due to an "out of zone" error.
I guess the entry is not glue. And the A record does not appear in either
the answer or the additional section of the reply, and I cannot query
for the A record with any of the nameservers for this zone, apart from
ns-ext.isc.org itself.
Why is there a discrepancy between nsd and bind? Should nsd ignore
the entry and still build the zone? Should bind error out? This zone is
currently served using bind only, but will be served by nsd nameservers
in the near future as well. So for migration, this might cause problems.
I am also not sure yet what happens when nsd receives this entry via
AXFR or IXFR.
Paul
Paul,
what does named-checkzone (and named-compilezone) say to you? Mine does:
ondrej@pagan:/tmp$ named-checkzone sury.cz sury.cz
sury.cz:15: ignoring out-of-zone data (ns-ext.isc.org)
sury.cz:16: ignoring out-of-zone data (ns-ext.isc.org)
zone sury.cz/IN: loaded serial 1
OK
Ondrej.
> what does named-checkzone (and named-compilezone) say to you? Mine does:
2009042902.zone:2840621: ignoring out-of-zone data (ns-ext.isc.org)
> ondrej@pagan:/tmp$ named-checkzone sury.cz sury.cz
> sury.cz:15: ignoring out-of-zone data (ns-ext.isc.org)
> sury.cz:16: ignoring out-of-zone data (ns-ext.isc.org)
> zone sury.cz/IN: loaded serial 1
So is that zone served by any nsd daemon? My version of nsd (3.2.2)
will not compile such a zone into nsd.db.
I guess when using bind as the hidden primary, it will drop
the "out of zone" data, so any subsequent nsd *XFR's do not see
this record and thus have no problem. At least that is the only
explanation I can come up with. Try loading sury.cz into nsd
before bind has ignored the out-of-zone data....
Since I don't see the A record appearing in any of the answers,
I guess I should really just make the zone owner remove this bogus
entry.
Paul
>> what does named-checkzone (and named-compilezone) say to you? Mine does:
> 2009042902.zone:2840621: ignoring out-of-zone data (ns-ext.isc.org)
And this is your answer to what bind does...
>> ondrej@pagan:/tmp$ named-checkzone sury.cz sury.cz
>> sury.cz:15: ignoring out-of-zone data (ns-ext.isc.org)
>> sury.cz:16: ignoring out-of-zone data (ns-ext.isc.org)
>> zone sury.cz/IN: loaded serial 1
> So is that zone served by any nsd daemon? My version of nsd (3.2.2)
> will not compile such a zone into nsd.db.
Nope, I just made it for the purpose of testing.
> I guess when using bind as the hidden primary, it will drop
> the "out of zone" data, so any subsequent nsd *XFR's do not see
> this record and thus have no problem. At least that is the only
> explanation I can come up with. Try loading sury.cz into nsd
> before bind has ignored the out-of-zone data....
Yep.
> Since I don't see the A record appearing in any of the answers,
> I guess I should really just make the zone owner remove this bogus
> entry.
Yep, this is out of the bailiwick data and should not be there.
Ondrej.
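
A pre-migration check for the situation discussed in this thread, added here as an example and not posted by either participant: it lists every record whose owner name lies outside the zone, i.e. the lines named-checkzone reports as "ignoring out-of-zone data" and that zonec rejects. The zone name `example.cz`, the sample records and all function names are constructed for illustration; the parser is simplified (no `$INCLUDE`, no `;` inside quoted strings).

```python
import re

# Constructed sample zone (not the zone from the thread).
SAMPLE_ZONE = """\
$TTL 3600
@   IN SOA ns1.example.cz. hostmaster.example.cz. (
        1 3600 900 604800 3600 )
    IN NS  ns1
    IN NS  ns-ext.isc.org.
ns1 IN A   192.0.2.1
ns-ext.isc.org. IN A 192.0.2.53   ; owner is outside example.cz
"""

def absolute(name, origin):
    """Resolve a zone-file owner name against the current $ORIGIN."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def in_zone(name, zone):
    """True if name is the zone apex or a subdomain of it (label boundary)."""
    return name == zone or name.endswith("." + zone)

def out_of_zone_records(text, zone):
    """Return (line_no, owner) for every record whose owner is outside zone."""
    zone = zone.lower().rstrip(".") + "."
    origin, owner, depth, hits = zone, zone, 0, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r";.*", "", raw).rstrip()    # drop comments
        if not line.strip():
            continue
        continuation = depth > 0                   # inside a ( ... ) record
        depth += line.count("(") - line.count(")")
        if continuation:
            continue
        if line.startswith("$"):
            parts = line.split()
            if parts[0].upper() == "$ORIGIN":
                origin = absolute(parts[1], origin)
            continue
        if not line[0].isspace():                  # blank owner inherits previous
            owner = absolute(line.split()[0], origin)
        if not in_zone(owner, zone):
            hits.append((no, owner))
    return hits

if __name__ == "__main__":
    for no, owner in out_of_zone_records(SAMPLE_ZONE, "example.cz"):
        print(f"line {no}: out-of-zone data ({owner})")
```
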