NS answer instead of SOA

Sam Trenholme strenholme.usenet at gmail.com
Fri Jul 16 13:23:29 EDT 2010


> izsmmmo.com. SOA ns1.izsmmmo.com. hostmaster@izsmmmo.com. 10 10800 3600
> 604800 1080 ~
> izsmmmo.com. +600 a 88.255.136.43 ~
> izsmmmo.com. +600 ns ns1.izsmmmo.com. ~
> izsmmmo.com. +600 ns ns2.izsmmmo.com. ~

As a general rule, it is a good idea to check your logfile (syslog if
you are using duende to start MaraDNS) for messages indicating
potential problems.

This zone file gives the following warning:

Warning: Authoritative NSes must be immediately after SOA
Or the first records in the zone
Otherwise, the record is ignored

Again, this is not a warning buried on page 132 of the manual.  It is
readily visible.

It is fixed by changing your zone file to read thusly:

izsmmmo.com. SOA ns1.izsmmmo.com. hostmaster@izsmmmo.com. 10 10800
3600 604800 1080 ~
izsmmmo.com. +600 ns ns1.izsmmmo.com. ~
izsmmmo.com. +600 ns ns2.izsmmmo.com. ~
izsmmmo.com. +600 a 88.255.136.43 ~

In other news, Deadwood is, as I type this, a fully recursive DNS
server.  It is what software developers call "feature complete":
Deadwood now can do everything that it will do in the MaraDNS 2.0
release.  However, there is a lot of testing that still needs to be
done.  Bugs need to be found and fixed.

For example, I already know that Deadwood doesn't handle unresponsive
nameservers very well, and will make changes to resolve that.  My plan
right now is to have it so, if a nameserver doesn't resolve, try the
next nameserver, or better yet, try [(nameserver + 83) %
number_of_nameservers].  If I decide to be really fancy about it, if a
nameserver doesn't resolve while solving a glueless NS record, give up
on the glueless sub-query and try another nameserver from the list.

While testing Deadwood yesterday, I found a bug in authoritative
MaraDNS: MaraDNS incorrectly handles delegation NS records when given
an ANY query.

So, yes, I already have bugs I need to fix.  So, back to working on
MaraDNS.  There's a reason I don't do email support for MaraDNS, and
reject blog comments asking for MaraDNS support.

- Sam

Note: I do not answer MaraDNS (including Deadwood) support requests
sent by private email without being compensated for my time. A MaraDNS
support request is any and all discussion you may wish to have about
MaraDNS in private email; if you want to email me to talk about
MaraDNS then, yes, that is a support request. I will discuss rates if
you want this kind of support. Thank you for your understanding.

MaraDNS security vulnerability reports, however, will be dealt with
without charge and kept confidential. If you don't know what Bugtraq
is, then, no, your email is not a security report. It is not a
security report unless you've done due diligence to determine how the
security bug you think you found can reasonably be exploited.
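
The ordering rule behind the warning quoted in the message above can be checked before a zone file is loaded. The following is an added example, not part of the original post and not MaraDNS code. It assumes a simplified reading of the csv2 format (tilde-terminated records, whitespace-separated fields, optional +TTL); the function names are hypothetical and the zone name is taken from the first record.

```python
import re

# Constructed sample: the zone quoted in the post, A record before the NS records.
BAD_ZONE = """\
izsmmmo.com. SOA ns1.izsmmmo.com. hostmaster@izsmmmo.com. 10 10800 3600
604800 1080 ~
izsmmmo.com. +600 a 88.255.136.43 ~
izsmmmo.com. +600 ns ns1.izsmmmo.com. ~
izsmmmo.com. +600 ns ns2.izsmmmo.com. ~
"""

def parse_records(zone_text):
    """Split tilde-terminated records into (owner, rtype, rdata) tuples.

    Simplified on purpose (not MaraDNS's csv2 parser): strips '#' comments,
    assumes whitespace-separated fields and an optional '+TTL' field.
    """
    records = []
    for chunk in re.sub(r"#[^\n]*", "", zone_text).split("~"):
        fields = chunk.split()
        if len(fields) > 1 and fields[1].startswith("+"):
            del fields[1]                      # drop the optional TTL
        if len(fields) >= 2:
            records.append((fields[0].lower(), fields[1].lower(), fields[2:]))
    return records

def misplaced_apex_ns(zone_text):
    """Return targets of zone-apex NS records outside the leading SOA/NS run."""
    records = parse_records(zone_text)
    if not records:
        return []
    apex = records[0][0]        # assumption: first record names the zone
    in_header, misplaced = True, []
    for owner, rtype, rdata in records:
        apex_ns = owner == apex and rtype == "ns"
        if in_header:
            if apex_ns or (owner == apex and rtype == "soa"):
                continue
            in_header = False   # first other record ends the SOA/NS run
        elif apex_ns:
            misplaced.append(" ".join(rdata))
    return misplaced

if __name__ == "__main__":
    for target in misplaced_apex_ns(BAD_ZONE):
        print("NS record would be ignored:", target)
```

NS records for names below the zone apex (delegations) are not flagged, since the warning concerns only the zone's own authoritative NS records.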

