Discussion:
first axfr challenges
Jack Craig
2021-05-17 19:50:23 UTC
I am getting a notauth on my axfr attempt. What I am not seeing is an A
ip# for the secondary dns server.

Is this missing A record a problem I need to fix for the following host cli???

dig @ws.linuxlighthouse.com axfr linuxlighthouse.com

; <<>> DiG 9.11.28-RedHat-9.11.28-1.fc32 <<>> @ws.linuxlighthouse.com axfr linuxlighthouse.com
; (1 server found)
;; global options: +cmd
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN CAA 0 issue "letsencrypt.org"
linuxlighthouse.com. 259200 IN NS ws.linuxlighthouse.com.
linuxlighthouse.com. 259200 IN NS ns2.swbell.net.
ws.linuxlighthouse.com. 259200 IN A 108.220.213.121
www.linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
;; Query time: 1 msec
;; SERVER: 108.220.213.121#53(108.220.213.121)
;; WHEN: Mon May 17 12:43:43 PDT 2021
;; XFR size: 8 records (messages 1, bytes 284)

[***@ws ~ $ host -t axfr ns2.swbell.net ws.linuxlighthouse.com
Trying "ns2.swbell.net"
Using domain server:
Name: ws.linuxlighthouse.com
Address: 108.220.213.121#53
Aliases:

Host ns2.swbell.net not found: 9(NOTAUTH)
; Transfer failed.
[***@ws ~ $
Ed Greshko
2021-05-17 22:10:53 UTC
I am getting a notauth on my axfr attempt. What I am not seeing is an A ip# for the secondary dns server.

Is this missing A record a problem I need to fix for the following host cli???

; (1 server found)
;; global options: +cmd
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN CAA 0 issue "letsencrypt.org"
linuxlighthouse.com. 259200 IN NS ws.linuxlighthouse.com.
linuxlighthouse.com. 259200 IN NS ns2.swbell.net.
ws.linuxlighthouse.com. 259200 IN A 108.220.213.121
www.linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
;; Query time: 1 msec
;; SERVER: 108.220.213.121#53(108.220.213.121)
;; WHEN: Mon May 17 12:43:43 PDT 2021
;; XFR size: 8 records (messages 1, bytes 284)

Trying "ns2.swbell.net"
Name: ws.linuxlighthouse.com
Address: 108.220.213.121#53
Host ns2.swbell.net not found: 9(NOTAUTH)
; Transfer failed.
See "man host".  The server to query is the last entry on the line. So, the command should be....

host -t axfr linuxlighthouse.com ns2.swbell.net

But I don't know why you'd want/need to do that.

First off, it would seem to me (and others) that AT&T or SW-Bell or whoever is responsible for making
your secondary DNS server hasn't completed the task.

[***@acer ~]$ host ws.linuxlighthouse.com ns2.swbell.net
Using domain server:
Name: ns2.swbell.net
Address: 151.164.11.218#53
Aliases:

Host ws.linuxlighthouse.com not found: 5(REFUSED)

Says as much.  It doesn't have the info to complete the request without recursion and that server is
set for "no recursion".

Next, even if that server were set up as a secondary server it would normally have "allow-transfer { none; };"
for secondary zones, as there should be no need for anyone to request download of whole zones, especially
secondary zones.

It still puzzles me as to why you need to rely on AT&T or SW-Bell to be your secondary.  Why don't you just
use your registrar as your secondary?  You should be able to set that up on your own without help from the
outside world.  I know my registrar allows this.  If I wanted to, I could host the master DNS and let them be
slaves.  It would make your life so much easier as *everything* would be under your control.



--
Remind me to ignore comments which aren't germane to the thread.

_______________________________________________
users mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to users-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infra
Ed Greshko
2021-05-18 00:30:17 UTC
I am getting a notauth on my axfr attempt. What I am not seeing is an A ip# for the secondary dns server.
Oh, FWIW, I have previously mentioned that since your system is quite "open" I configured a system here as a
slave to your domain.  My named.conf contains....

zone "greshko.com" {
        type master;
        file "greshko.com.zone";
        allow-update { none; };
        allow-transfer { 2001:470:66:cce::2; 192.168.0.0/16; 2001:b030:112f:0000::/56; };
};

zone "linuxlighthouse.com" {
        type slave;
        file "light.zone";
        masters { 108.220.213.121; };
};

So, transfers of greshko.com are limited to the listed IPs.  While linuxlighthouse.com is wide open.

So, try these to see the results.

host -t axfr linuxlighthouse.com 211.75.128.214
host -t axfr greshko.com 211.75.128.214


--
Remind me to ignore comments which aren't germane to the thread.
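Ed's two points above, that a secondary should carry "allow-transfer { none; }" and that a zone without such a list (linuxlighthouse.com, as opposed to the restricted greshko.com) is readable by anyone, can be verified from the output of the probes already shown in this thread. The script below is an added example, not code from the thread or from BIND: it parses what `dig @server axfr zone` or `host -t axfr zone server` prints and labels each of your own servers either OPEN (the whole zone came back) or with the RCODE it refused with; the sample outputs are constructed to match the ones quoted above, with wrapped SOA lines rejoined.

```python
"""Classify what an AXFR probe against one of your own name servers returned.

OPEN means the server handed out the complete zone (two matching SOA records
bracket the transfer); otherwise the RCODE from the "not found" line is
reported (NOTAUTH, REFUSED, NOTIMP, ...), or FAILED for a truncated transfer.
"""
import re
from dataclasses import dataclass, field

RR_RE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")
RCODE_RE = re.compile(r"not found:\s*\d+\((?P<rcode>[A-Z]+)\)")
ADDR_RE = re.compile(r"^(?:;; SERVER:|Address:)\s*(?P<ip>[0-9A-Fa-f.:]+)#\d+")


@dataclass
class AxfrResult:
    server: str          # address the probe was answered from ("?" if not printed)
    status: str          # OPEN, FAILED, or the RCODE name (NOTAUTH, REFUSED, ...)
    records: list = field(default_factory=list)   # (owner, type, rdata) tuples

    @property
    def ns_names(self):
        """NS names the zone itself carries; compare with the registrar's NS set."""
        return [rdata for _, rtype, rdata in self.records if rtype == "NS"]


def parse_axfr_output(text: str) -> AxfrResult:
    server, rcode, records = "?", None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ADDR_RE.match(line):
            server = m.group("ip")
        elif m := RCODE_RE.search(line):
            rcode = m.group("rcode")
        elif line and not line.startswith(";"):      # skip dig's comment lines
            if m := RR_RE.match(line):
                records.append((m.group("owner"), m.group("type"), m.group("rdata")))
    if rcode:
        return AxfrResult(server, rcode, records)

    def soa_serial(rr):            # SOA rdata: mname rname serial refresh retry ...
        return rr[2].split()[2]

    # A complete AXFR starts and ends with the SOA, both carrying the same serial.
    if (len(records) >= 2 and records[0][1] == records[-1][1] == "SOA"
            and soa_serial(records[0]) == soa_serial(records[-1])):
        return AxfrResult(server, "OPEN", records)
    return AxfrResult(server, "FAILED", records)


# Constructed samples mirroring the thread's dig and host output.
DIG_OPEN = """\
; <<>> DiG 9.11.28-RedHat-9.11.28-1.fc32 <<>> @ws.linuxlighthouse.com axfr linuxlighthouse.com
;; global options: +cmd
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN CAA 0 issue "letsencrypt.org"
linuxlighthouse.com. 259200 IN NS ws.linuxlighthouse.com.
linuxlighthouse.com. 259200 IN NS ns2.swbell.net.
ws.linuxlighthouse.com. 259200 IN A 108.220.213.121
www.linuxlighthouse.com. 259200 IN A 108.220.213.121
linuxlighthouse.com. 259200 IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. 2021051603 86400 7200 3600000 172800
;; SERVER: 108.220.213.121#53(108.220.213.121)
;; XFR size: 8 records (messages 1, bytes 284)
"""
HOST_REFUSED = """\
Using domain server:
Name: ns2.swbell.net
Address: 151.164.11.218#53
Aliases:

Host ws.linuxlighthouse.com not found: 5(REFUSED)
"""
PROBES = {"ws.linuxlighthouse.com": DIG_OPEN, "ns2.swbell.net": HOST_REFUSED}

if __name__ == "__main__":
    for label, text in PROBES.items():
        r = parse_axfr_output(text)
        note = "  <- anyone can copy the zone; restrict allow-transfer" if r.status == "OPEN" else ""
        print(f"{label:<24} {r.server:<16} {r.status}{note}")
```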
Jack Craig
2021-06-06 18:54:44 UTC
[***@ws ~ $ whois linuxlighthouse.com | grep ^Name
Name Server: NS21.WORLDNIC.COM
Name Server: NS22.WORLDNIC.COM
[***@ws ~ $ host -t axfr linuxlighthouse.com ns21.worldnic.com
Trying "linuxlighthouse.com"
Using domain server:
Name: ns21.worldnic.com
Address: 162.159.26.132#53
Aliases:

Host linuxlighthouse.com not found: 4(NOTIMP)
; Transfer failed.

[***@ws ~ $ host -t axfr linuxlighthouse.com ns22.worldnic.com
Trying "linuxlighthouse.com"
Using domain server:
Name: ns22.worldnic.com
Address: 162.159.27.77#53
Aliases:

Host linuxlighthouse.com not found: 4(NOTIMP)
; Transfer failed.

Something I don't get: if my registrar provides glue references for primary
& secondary domain dns servers, what purpose is served by anything in my
host's named.conf (et al) having any reference to my domain if it's not
accessible/useful?

I had thought that I should provide the primary server and my hosting
service provided secondary, but that leaves only the secondary so I have
only 1 responding.

Thx, jackc...
Tim via users
2021-06-07 13:49:12 UTC
Post by Jack Craig
something i dont get, if my registrar provides glue references for
primary & secondary domain dns servers, what purpose is served by
anything in my host's named.conf (et al) having any reference to my
domain if it's not accessible/useful?
i had thought that i should provide the primary server and my hosting
service provided secondary, but that leaves only the secondary os i
have only 1 responding
The internet, at large, will always use your primary server. If it
can't, it'll try your secondary server. Both of those servers are
accessed by name, not numerical IP address, and those names have to be
in some public DNS records, so people can find the IP addresses for
them to connect to them.

A glue record is a helping hand to find your primary server, when
nothing else gives information about it.

e.g. I try to look up linuxlighthouse.com. My system will find the
root server for .com, then it will ask it who holds the records for
linuxlighthouse.com, get told ns.linuxlighthouse.com and then query
whoever that was, for its IP address.

The big gotcha is that .com will say linuxlighthouse.com is handled by
a particular nameserver by that nameserver's *name* not its IP.

So the person trying to find linuxlighthouse.com first has to find the
IP for ns.linuxlighthouse.com. If the only server that knows that IP
is ns.linuxlighthouse.com, itself, outsiders have no way to find out
the IP of the nameserver to connect to it.

Having your primary server as yourself, answering queries for itself,
and nobody outside knowing its IP to be able to query it, is the quandary
you find yourself in.

How do you spell dictionary? Dunno, go look it up in the dictionary...

Hence, the glue record. Querying .com will say ns.linuxlighthouse.com
is handled by the holder of that glue record, we'll call it example.com
(your registrar or other service provider). Your registrar will have
records that everyone else can look up, so they can find example.com's
IP address. Now people can connect to your example.com registrar, your
registrar's DNS server's glue record will give them the numerical IP of
your ns.linuxlighthouse.com DNS server that they couldn't look up
directly. And, then, after all that, they can find your DNS server and
query it about linuxlighthouse.com.

This is like borrowing $5 from someone who wants a favour from a third
party before they'll give you it, and that third party wants a favour
from a fourth party before they'll do the third party's favour, rinse,
lather, repeat...

In all seriousness, you're really doing this the hardest way possible.
I would let your registrar be your primary and secondary DNS servers
(they'll have more than one server), and have your IP addresses
programmed into them. The public can query them. And just run your
own name server for your own internal addresses, and for learning how
things work.

Your registrar does not require you to run a DNS server to give them the
information. The DNS records will be programmed directly into their
DNS server. Either by them, manually, or automatically when you
registered the domain name, or you'll have some webpage interface to
enter and edit details.

--

uname -rsvp
Linux 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.

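Tim's walk from the root down to the domain's own server can be made concrete with a small simulation. The Python below is an added example, not from the thread: it models root, .com and the domain's own server as record tables (all names and addresses are constructed except 108.220.213.121, which appears in the thread) and models glue as the A record the parent .com zone hands back next to its NS referral. With glue the lookup finishes in three queries; without it the resolver keeps being told to ask ws.linuxlighthouse.com for the address of ws.linuxlighthouse.com, which is the dictionary problem Tim describes.

```python
from dataclasses import dataclass

MAX_DEPTH = 8   # nested "resolve the name server's own name first" steps tolerated


@dataclass
class Server:
    ip: str
    apex: str      # zone this server is authoritative for ("." for the root)
    records: dict  # (owner, rrtype) -> [rdata, ...]; NS sets below apex are delegations

    def query(self, name, qtype):
        """Behave like an authoritative server: referral if delegated, else own data."""
        labels = name.split(".")
        for i in range(len(labels) - 1):          # most specific enclosing name first
            sub = ".".join(labels[i:])
            if sub != self.apex and (sub, "NS") in self.records:
                ns_names = self.records[(sub, "NS")]
                glue = {ns: self.records[(ns, "A")] for ns in ns_names
                        if (ns, "A") in self.records}
                return "referral", ns_names, glue
        if (name, qtype) in self.records:
            return "answer", self.records[(name, qtype)], {}
        return "nxdomain", [], {}


class Resolver:
    def __init__(self, servers, root_ip):
        self.servers = {s.ip: s for s in servers}
        self.root_ip = root_ip
        self.trace = []

    def resolve(self, name, qtype="A", depth=0):
        """Iterate from the root, following each referral to the next server's IP."""
        if depth > MAX_DEPTH:
            raise RecursionError(f"no way to learn the address of {name}: the "
                                 "delegation names a server inside itself and has no glue")
        ip = self.root_ip
        while True:
            kind, data, glue = self.servers[ip].query(name, qtype)
            self.trace.append(f"@{ip} {name} {qtype} -> {kind} {data}")
            if kind == "answer":
                return data
            if kind == "nxdomain":
                raise LookupError(name)
            glued = [ns for ns in data if ns in glue]
            if glued:                     # glue gives the next server's IP directly
                ip = glue[glued[0]][0]
            else:                         # no glue: resolve the server's name first
                ip = self.resolve(data[0], "A", depth + 1)[0]


def build_internet(with_glue):
    """Root, .com and the domain's own server; the glue A record is optional."""
    root = Server("192.0.2.1", ".", {("com.", "NS"): ["a.com-tld.example."],
                                      ("a.com-tld.example.", "A"): ["198.51.100.1"]})
    com_records = {("linuxlighthouse.com.", "NS"): ["ws.linuxlighthouse.com."]}
    if with_glue:
        com_records[("ws.linuxlighthouse.com.", "A")] = ["108.220.213.121"]
    com = Server("198.51.100.1", "com.", com_records)
    ws = Server("108.220.213.121", "linuxlighthouse.com.", {
        ("linuxlighthouse.com.", "NS"): ["ws.linuxlighthouse.com."],
        ("ws.linuxlighthouse.com.", "A"): ["108.220.213.121"],
        ("www.linuxlighthouse.com.", "A"): ["108.220.213.121"],
    })
    return Resolver([root, com, ws], root.ip)


def lookup(name, with_glue):
    """Return ("ok", addresses, trace) or ("loop", reason, trace)."""
    r = build_internet(with_glue)
    try:
        return "ok", r.resolve(name), r.trace
    except RecursionError as e:
        return "loop", str(e), r.trace


if __name__ == "__main__":
    for flag in (True, False):
        status, detail, trace = lookup("www.linuxlighthouse.com.", flag)
        print(f"glue={flag}: {status}: {detail}")
        print("\n".join("    " + step for step in trace[:4]))
```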
Joe Zeff
2021-06-07 17:05:09 UTC
Post by Tim via users
The internet, at large, will always use your primary server. If it
can't, it'll try your secondary server. Both of those servers are
accessed by name, not numerical IP address, and those names have to be
in some public DNS records, so people can find the IP addresses for
them to connect to them.
No. DNS servers are always accessed by IP address, never by name.
Trying to access a DNS server by name would just create an endless loop
of trying to resolve addresses as you can't get the server's address
without using DNS to get the IP address. To quote Professor Harold
Hill, "Now think, boys, think!"
Mike Wright
2021-06-07 18:10:48 UTC
Post by Tim via users
Post by Jack Craig
something i dont get, if my registrar provides glue references for
primary & secondary domain dns servers, what purpose is served by
anything in my host's named.conf (et al) having any reference to my
domain if it's not accessible/useful?
i had thought that i should provide the primary server and my hosting
service provided secondary, but that leaves only the secondary os i
have only 1 responding
The internet, at large, will always use your primary server.
<snip/>

Hi Tim,

Are you sure about that? If I query the gtld-servers.net. for my
domains I always receive my two nameservers but they are in random
order. Typically the first record received is used for a search
followed by the second record received. In that sense, the first record
received is primary in the search order, the next, secondary, and so on.
Since they arrive in a random order there is no such thing as a fixed
primary or secondary. A dnsadmin may refer to the server they manage as
primary, but that is primary only to the dnsadmin for referential purposes.

To the best of my knowledge the SOA contains the name of the AXFR server
(the master or primary source for zone data) and recipients of the zone
data are referred to as clients or secondaries.

Perhaps a lot of the confusion comes from the dual uses of the term:

primary in search order (which is random)
primary source for zone data (which is fixed by an SOA)

To make matters more confusing there are more complex setups where the
zone masters are also clients making them both primary and secondary.
Ed Greshko
2021-06-07 21:28:03 UTC
  primary in search order (which is random)
  primary source for zone data (which is fixed by an SOA)
To make matters more confusing there are more complex setups where the zone masters are also clients making them both primary and secondary.
I would state that somewhat differently.  (And while, yes, violating my goal of not introducing tangents
in threads seeking answers.)

I would say that confusion arises when terms are used interchangeably when they shouldn't be.  This
often happens when the meaning of the terms is understood based on context.  The confusion can
be worse when individuals with different subject matter knowledge are involved in the conversation.

Anyway, I feel it would be helpful to use terms in a more consistent and "proper" manner.

primary/secondary should be used when discussing name resolution. The "old school" way of thinking
about this would be the order in which DNS servers are listed in /etc/resolv.conf.  The first entry being
primary with subsequent entries being secondary.

master/slave should be used when speaking of the data held in DNS servers.  That would coincide with
the terms used in, for example, the "zone type" declaration within the named.conf file of bind.

--
Remind me to ignore comments which aren't germane to the thread.

Jack Craig
2021-06-08 04:30:31 UTC
Thanks for all your advice; you are right!

I'll let the registrar do what they are already being paid to do.

I really appreciate your guidance, jackc...
Jack Craig
2021-06-08 04:27:27 UTC
Thanks Tim,

If you aren't a teacher, you are missing an academic calling!

Thanks again!
Ed Greshko
2021-06-07 21:27:57 UTC
Trying "linuxlighthouse.com"
Name: ns22.worldnic.com
Address: 162.159.27.77#53
Host linuxlighthouse.com not found: 4(NOTIMP)
; Transfer failed.

Something I don't get: if my registrar provides glue references for primary & secondary domain dns servers,
what purpose is served by anything in my host's named.conf (et al) having any reference to my domain if it's not
accessible/useful?

I had thought that I should provide the primary server and my hosting service provided secondary, but
that leaves only the secondary so I have only 1 responding.
I feel you are making your life more complex/difficult than it need be.  This is especially the case when
your network is comprised of minimal IP addresses and public facing hosts.

It seems you want to have your DNS server as the master (using more specific terms now) while having
your registrar's servers be slaves.  This is generally not what people do.  They let the registrar deal with having
both master and slaves and don't run a DNS server.  On some occasions they have the registrar as the master, plus
slaves, and they run a slave copy locally for internal use.  It is not often that people run a master DNS server with
their registrar running slaves.  That is what I think you're attempting to do.

I frankly don't see any value in that.

However, if that is what you're wanting to do then your discussions should be with your registrar on how to
configure their side to accommodate your wishes.  My registrar allows for this and actually covers the topic in
various articles in the "Knowledge Base".  They also include caveats about this configuration as it renders some
of the services they provide customers unusable by them.

Another reason for consulting your registrar is to be certain of their configuration.  An example would be what I
found out with my registrar when I wanted to have a slave copy locally.  I assumed that I could do a zone transfer
from any of their public DNS servers.  That was not the case. They have a specific server for customers to use
from which to request the transfers.

--
Remind me to ignore comments which aren't germane to the thread.
