  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 425

can someone explain why my dns records might be 'non-authoritative'

hi - mostly an academic question really, as everything "works"...

i've set myself up a dns server, master and slave.
This dns server is intended to be SOA for a number of domains.
For all practical purposes it works
BUT
when I use nslookup, or even when watching syslog on the slave as it receives 'notifies' from the master, there's always a '(non-authoritative)' mentioned.

I'm wondering WTF does that mean and what can I do about it?!?

thanks

Asked by: valhallatech
2 Solutions
 
giltjr Commented:
--> i've set myself up a dns server, master and slave.

This confuses me.  Did you set up two DNS servers?  If you have one, what is it a slave to?

"Non-authoritative" means that something thinks it received an answer from a DNS server that is not authoritative, that is not a primary or a secondary, for the domain in which the host resides.

I would have to know more about your setup.  However, this is not necessarily a "bad" thing.
0
 
jar3817 Commented:
It simply means the server you are asking the question of is neither master nor slave for that domain...but rather got the answer through a recursive lookup.

In other words... you have a domain.com...and set up ns1 and ns2.domain.com as the dns servers for it. At home, if you do an nslookup and your computer asks your ISP's nameservers what www.domain.com is...your ISP's nameservers will then ask ns1.domain.com for the answer and then send that same answer to you.

You can ask ns1.domain.com specifically using nslookup like this:

nslookup -v www.domain.com ns1.domain.com

That should return an authoritative answer. Also note that a non-authoritative answer will probably be cached.
0
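The label nslookup prints comes from the AA (Authoritative Answer) bit in the DNS response header (RFC 1035). The following is an added example, not code from the thread: it builds a non-recursive query and decodes the header flags of a response; the function names and the two sample packets are constructed for illustration, and www.domain.com is the placeholder name used above.

```python
import socket
import struct

# RFC 1035 header flag masks (16-bit flags word)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(name, qtype=1, txid=0x1234, recurse=False):
    """Build a DNS query. recurse=False clears RD, so the server may only
    answer from zones it holds itself (as master or slave)."""
    header = struct.pack("!HHHHHH", txid, RD if recurse else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response):
    """Decode the header of a DNS response; 'authoritative' is the AA bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    return {
        "authoritative": bool(flags & AA),
        "recursion_available": bool(flags & RA),
        "rcode": flags & 0x000F,
        "answers": answers,
    }

def ask(server_ip, name, timeout=3.0):
    """Send a non-recursive A query to one specific server over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return classify(s.recvfrom(4096)[0])

# Constructed sample responses (header + echoed question, no records appended),
# so the example runs offline.
_QUESTION = build_query("www.domain.com")[12:]
FROM_ZONE_SERVER = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 0, 0) + _QUESTION
FROM_RESOLVER = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, pkt in (("zone server", FROM_ZONE_SERVER), ("resolver", FROM_RESOLVER)):
        print(label, classify(pkt))
```

Calling `ask()` against each nameserver listed for a zone is a quick way to confirm that both the master and the slave set AA for it.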
 
valhallatech (Author) Commented:
hey giltjr
I've set up 2: one master on the same box as the domains it answers for and one slave on a linode, so that it has geographic separation - so how does the domain become 'known' as authoritative, i.e. primary or secondary? I would have assumed that the delegation would have done that?
0
 
valhallatech (Author) Commented:
hey jar3817

that's my dilemma, that IS when I get the non-authoritative response, which is why I'm confused. in fact even the log of the secondary when it gets notifications reports that the result is non-authoritative

0
 
jar3817 Commented:
Post some logs, your zone files, and the output of nslookup.

Are there NS records for the correct nameservers in your zone file?
0
 
giltjr Commented:
The SOA record should point to the box that is the primary.  You should have NS records for the primary and the secondary.

The box that you are running the nslookup from should point to either the primary and/or the secondary as the DNS servers you have set up as the authoritative servers for your domain.

--> one master on the same box as the domains it answers for ...

Based on this I am assuming this is a Windows environment.

--> ... and one slave on a linode

What is a "linode"?
0
 
valhallatech (Author) Commented:
hey guys....
ok will post actual info bit later in day.

No, master=debian box (216.133.67.151) and secondary = debian 69.56.173.95, client at home is ubuntu

sorry - linode is a virtual hosting service

0
 
giltjr Commented:
O.K.  For you to see an authoritative answer, whatever computer you are doing the nslookups from must have either 216.133.67.151 or 69.56.173.95 coded as its DNS server, or you must switch to point to one of these boxes to do the query against.

For a Linux box, this would be in /etc/resolv.conf.

If you are doing nslookup, then the best bet is to:

nslookup
lserver x.x.x.x (where x.x.x.x is one of the above IP addresses)
hostname.domain.com

0
 
valhallatech (Author) Commented:
so that's it! bingo! is that all it means - ok so now, when I do any of the above methods using primary I get authoritative answers. but not for secondary - then the answers are non-authoritative - does that indicate a configuration issue at secondary, or on the client?
0
 
giltjr Commented:
Do you have a NS record in your zone for the secondary?  If not, it may not answer as "authoritative".  In fact I am not 100% sure that a secondary will answer as authoritative at all.  It really is not "THE" authoritative server for the zone.

If the primary is down long enough, it (the secondary) will stop responding to any queries as the zone will expire.
0
 
valhallatech (Author) Commented:
>>Do you have a NS record in your zone for the secondary?
yes

>>In fact I am not 100% sure that a secondary will answer as authoritative at all.  It really is not "THE" authoritative server for the zone.
sounds good - but just tried it with my isp primary and secondary - they both answer authoritatively for tpg.com.au
(name servers are 203.12.160.35 and 203.12.160.36)
0
 
jar3817 Commented:
All servers (including slaves and stealth servers) that have the zone defined in named.conf and answer queries for that zone are authoritative. If there is no NS record for that server, the resolver will probably think it's non-authoritative. Make sure your NS record is correct.
0
 
giltjr Commented:
I run a DNS server in my house for my home network.  I just set up a second DNS server and set it up as a slave for my home domain and it responded as an authoritative server. I did NOT have an NS record for my second DNS server.  So it knew it was authoritative for the zone without the NS record.

I then deleted the slave zone and just set it up as a forwarder and it responded as non-authoritative, which I would expect.

Which version/release of BIND are you running?
0
 
valhallatech (Author) Commented:
bind 9.3.2 on master and 9.24 on slave

in the slave I have 'forward first'   and 2 forwards set up - is that relevant?

also I have auth-nxdomain=no in the primary and yes in slave - this relevant?

thanks

0
 
giltjr Commented:
Yes, forward first matters.  Forward first means it will forward the request before it attempts to resolve it itself.

In other words, when your secondary/slave receives a request for "yourdomain" it will forward it to the primary first; if the primary responds, then the secondary/slave will relay the response, but it will say "non-authoritative", as in this situation it (the secondary) did not resolve the name.

If you remove forward first, then your secondary should no longer respond with non-authoritative.

If the primary does not respond, then it (the secondary) will attempt to resolve it from the copy of the zones it has.  In this case it (the secondary) will act as an authoritative server, as it did resolve the request.

auth-nxdomain deals with how a name server answers for an NXDOMAIN response.  BIND V8 defaulted to YES and BIND V9 defaults to NO.
0
 
valhallatech (Author) Commented:
ok - I've fixed problem - in fact several:
 - forward first = BAD - at least in this use case
 - also found several issues in the various zone definitions, but didn't see them fail in log file

thanks for your inputs guys
glenn
0
Question has a verified solution.
