[sclug] BIND 9 returns empty response instead of REFUSED for non-hosted zones

Simon Heywood simon at triv.org.uk
Fri Nov 7 12:51:33 UTC 2008 

I have two authoritative DNS servers answering for various domains. If I
query one of them for a domain for which it is not authoritative, the
request is refused, as I'd expect.

----------
$ host -v -t soa foo.bar ns1.triv.org.uk
Trying "foo.bar"
Using domain server:
Name: ns1.triv.org.uk
Address: 80.68.90.5#53
Aliases: 

Host foo.bar not found: 5(REFUSED)
Received 25 bytes from 80.68.90.5#53 in 2 ms
----------

If I send the same query to the other server, I get an empty response
with the list of root servers in the authority section.

----------
$ host -v -t soa foo.bar ns0.triv.org.uk
Trying "foo.bar"
Using domain server:
Name: ns0.triv.org.uk
Address: 217.147.82.28#53
Aliases: 

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40587
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.bar.			IN	SOA

;; AUTHORITY SECTION:
.			518400	IN	NS	H.ROOT-SERVERS.NET.
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.

Received 236 bytes from 217.147.82.28#53 in 3 ms
----------

I can't work out why the second request isn't replied to with an error
code, but I suspect that it's something to do with ns0 being configured
to allow recursive requests from certain IP addresses, using views.

----------
view "recursion" {
        match-clients { recursion; };
        recursion yes;
        // root zone hints and local zone declarations
}
view "public" {
        match-clients { any; };
        recursion no;
        // public zone declarations
}
----------

Any ideas? I'm running BIND 9 from Debian Etch on ns0.

S.

More information about the Sclug mailing list