Solved

Help me get some glue records in my BIND9 DNS (please :-) )

Posted on 2007-04-02
884 Views
Last Modified: 2013-12-24
Hi
I've set up a name server that answers for a few domains, using bind9.

It seems I don't have any 'glue' records, and apparently these are important. I thought I had glue records by simply referencing the NS address and its IP address in my zone files, but it turns out that's not right.

So, obvious question: how do I get myself some glue records?

thanks!
Question by:valhallatech
19 Comments
 
LVL 14

Assisted Solution

by:pablouruguay
pablouruguay earned 200 total points
ID: 18836267
0
 
LVL 2

Author Comment

by:valhallatech
ID: 18836400
Yep - I still don't understand how from that I can come up with a glue record... though it is good to have my suspicion confirmed that something like this was occurring...

So a great many registries don't provide a facility for entering an IP address as well as a name for the DNS - GoDaddy chief among them, although in this instance it's another registrar. So what is this article actually telling me to do? i.e. what is the equivalent to 'wikipedia.org'?

The name server I'm trying to glue is ns.australianaikido.info

Its registrar allows me to provide a name and an IP address - is this not the 'glue' record?
If not (or with registrars that don't provide this), what is the glue and how/where do I set it up?


0
 
LVL 14

Assisted Solution

by:pablouruguay
pablouruguay earned 200 total points
ID: 18836424
Can you paste the zone file in here please?
0
 
LVL 2

Author Comment

by:valhallatech
ID: 18836486
forward zone:
$TTL 402400       ; 402400 seconds (about 4.7 days)
@                IN                300 SOA  ns.australianaikido.info. austaikido.australianaikido.info. (
                2007040200      ; serial
                1200        ; refresh (20 minutes)
                7200        ; retry (2 hours)
                1209600   ; expire (2 weeks)
                172800       ; minimum / negative caching TTL (2 days)
                )
; name servers:
                                IN      NS      ns.australianaikido.info.
                                IN      NS      ns2.australianaikido.info.
                                IN MX 10 mail.australianaikido.info.
australianaikido.info.          IN      A       216.133.67.151
valhalla.australianaikido.info.         IN      A       216.133.67.151
mail            IN      A       216.133.67.151
www             CNAME   australianaikido.info.
workshop1       IN      A       60.240.41.118
ns              IN      A       216.133.67.151
ns2             IN      A       69.56.173.95

reverse zone:
$TTL 804800
;
@               300     SOA     ns.australianaikido.info. austaikido.australianaikido.info. (
                2007040200      ;serial
                86400           ;refresh 24 h
                7200            ;retry 2h
                3600000         ;expire, 1000 h
                172800          ;minimum 2 days

)
        NS ns.australianaikido.info.
        NS ns2.australianaikido.info.
151.67.133.216  PTR australianaikido.info.
151.67.133.216  PTR ns.australianaikido.info.
95.173.56.69    PTR ns2.australianaikido.info.
151.67.133.216  PTR www.australianaikido.info.
;151.67.133.216 PTR tangelosoftware.net.
;151.67.133.216 PTR valhalla.tangelosoftware.net.
118.41.240.60 PTR workshop1.australianaikido.info.
0
 
LVL 14

Assisted Solution

by:pablouruguay
pablouruguay earned 200 total points
ID: 18836581
OK, you have more than 1 error
http://www.dnsreport.com/tools/dnsreport.ch?domain=australianaikido.info

I think
ns2.davy.net.au

doesn't have you in the zone
0
 
LVL 2

Author Comment

by:valhallatech
ID: 18836679
Yep - I've just removed it

I have found a few errors - am working through that list now to try and solve things as I go - I guess it would be smartest for me to complete that, and see if I still have an issue.

But if I look at one of the domains I answer for with dnsreport, say australasianaikikai.com.au

Note the 'no glue' comments next to ns and ns2.australianaikido.info?
---------------------------------------------------------------------------

Your NS records at the parent servers are:

ns2.australianaikido.info. [69.56.173.95 (NO GLUE)] [US]
ns.australianaikido.info. [216.133.67.151 (NO GLUE)] [US]
[These were obtained from dns1.telstra.net]

---------------------------------------------------------------------------------------

Where should that be addressed - at the delegation of australasianaikikai.com.au, or elsewhere?


thx
0
 
LVL 14

Assisted Solution

by:pablouruguay
pablouruguay earned 200 total points
ID: 18836734
I see that you have 2 servers with no glue, but those are not your servers... you have glue in the last one... that is your server...


ns2.velocityserver.com. [216.133.76.3 (NO GLUE)] [US]
ns2.davy.net.au. [NO GLUE; No A record]
ns.australianaikido.info. [216.133.67.151] [TTL=86400] [US]


0
 
LVL 2

Author Comment

by:valhallatech
ID: 18836812
OK - I've cleaned lots of errors up and am getting much better results...
This is what I get when I run australasianaikikai.com.au through dnsreport

Your NS records at the parent servers are:

ns.australianaikido.info. [216.133.67.151 (NO GLUE)] [US]
ns2.australianaikido.info. [69.56.173.95 (NO GLUE)] [US]
[These were obtained from ns4.ausregistry.net]


It still tells me that ns.australianaikido.info and ns2.australianaikido.info have "(NO GLUE)" - any idea why, or how to remedy it?
0
 
LVL 2

Author Comment

by:valhallatech
ID: 18836843
BTW - the aforementioned ref to davy.net.au and velocityserver has been cleaned up, but it may take 24 hrs or so to be recognised
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 18836897
Add these lines please and restart named.

valhalla         IN      A       216.133.67.151
IN      A       216.133.67.151

0
 
LVL 2

Author Comment

by:valhallatech
ID: 18836956
Hmmm... I am a bit confused...
Add them to which? The australianaikido.info zone?

The 2nd line in particular seems to cause this error:

 zone australianaikido.info/IN: has no NS records
0
 
LVL 2

Author Comment

by:valhallatech
ID: 18840362
Anyone know how I can get my DNS to 'have' a glue record?
0
 
LVL 35

Accepted Solution

by:ShineOn
ShineOn earned 300 total points
ID: 18840964
Your reverse zone doesn't seem right to me.

Should be

151.67.133.216.in-addr.arpa  PTR australianaikido.info.
151.67.133.216.in-addr.arpa  PTR ns.australianaikido.info.
95.173.56.69.in-addr.arpa    PTR ns2.australianaikido.info.
151.67.133.216.in-addr.arpa  PTR www.australianaikido.info.
;151.67.133.216.in-addr.arpa PTR tangelosoftware.net.
;151.67.133.216.in-addr.arpa PTR valhalla.tangelosoftware.net.
118.41.240.60.in-addr.arpa PTR workshop1.australianaikido.info.

If you had defined a zone called in-addr.arpa, then you could leave it the way you have it.  I don't think you can claim to be authoritative for that zone though...  but reverse-lookup PTR's have to have that .in-addr.arpa TLD tacked on the end of the reversed-order IPv4.

As to glue records, they should only be necessary when you have a subordinate zone server and your higher-level server refers the lookup to the subordinate zone server - the "glue" record would point to the subordinate zone server's IP address instead of its name, so it doesn't have to look itself up (the dreaded recursive lookup.)

What's happening is the TLD servers authoritative to the .info zone apparently don't have glue records for your name servers.  Makes me wonder if whoever is providing your name services isn't registering your name servers to the root servers or something.  Not sure how it works with those new TLD's, if it changed at all...  if your ISP is supposed to be acting as a tier 2 name service provider for the .info zone, then they've dropped the ball - provided you actually registered those name servers as name servers authoritative for the australianaikido.info zone.
0
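The "(NO GLUE)" verdicts quoted earlier in the thread are about what the parent zone publishes, not about the child zone file: glue is an A (or AAAA) record for a name server whose name lies inside the zone it serves, and the parent has to carry it because a resolver cannot otherwise reach the child to ask for it. The script below is an added example for this thread, not code from any of the posters. It parses a small BIND-style zone, finds the apex NS targets, decides which of them are in-bailiwick and therefore need glue, and compares the child's own A records with a table standing in for what the parent publishes. The child zone and the parent glue table are constructed to resemble the australianaikido.info zone posted above (same server names and addresses); ns1.example.net is a hypothetical out-of-bailiwick server added to show the contrast.

```python
"""Which NS targets of a zone need glue at the parent, and is it there?

Added example for this thread, not code from any poster. The child
zone and the parent's glue table are constructed; ns1.example.net is a
hypothetical out-of-bailiwick server.
"""

# Constructed child zone, trimmed to the records that matter for glue.
CHILD_ZONE = """\
$TTL 402400
@       IN  SOA ns.australianaikido.info. austaikido.australianaikido.info. (
            2007040200 1200 7200 1209600 172800 )   ; serial refresh retry expire minimum
        IN  NS  ns.australianaikido.info.
        IN  NS  ns2.australianaikido.info.
        IN  NS  ns1.example.net.        ; hypothetical out-of-bailiwick server
ns      IN  A   216.133.67.151
ns2     IN  A   69.56.173.95
"""

# Constructed: what the parent (.info) currently publishes as glue.
PARENT_GLUE = {"ns.australianaikido.info.": "216.133.67.151"}

STATUS_OK = "ok"
STATUS_NO_GLUE = "NO GLUE"
STATUS_MISMATCH = "glue mismatch"
STATUS_NOT_NEEDED = "no glue needed"


def _logical_lines(text):
    """Strip ';' comments and join '( ... )' continuation lines."""
    out, cur, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        cur.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(cur)
            cur = []
            if joined.strip():
                out.append(joined)
    return out


def fqdn(name, origin):
    """Make a zone-file name absolute, the way BIND applies $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) triples; optional TTL/class are skipped."""
    records, last_owner = [], origin
    for line in _logical_lines(text):
        if line.startswith("$"):          # $TTL / $ORIGIN directives
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else fqdn(fields.pop(0), origin)
        last_owner = owner
        while fields and (fields[0].upper() == "IN" or fields[0].isdigit()):
            fields.pop(0)                 # optional class and TTL, any order
        records.append((owner.lower(), fields[0].upper(), fields[1:]))
    return records


def glue_report(zone_text, origin, parent_glue):
    """Per apex NS target: in-bailiwick?, child A, parent glue, verdict."""
    origin = origin.lower().rstrip(".") + "."
    records = parse_zone(zone_text, origin)
    child_a = {owner: rdata[0] for owner, rtype, rdata in records if rtype == "A"}
    report = {}
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner != origin:
            continue
        ns = fqdn(rdata[0], origin).lower()
        in_bailiwick = ns.endswith("." + origin)
        glue = parent_glue.get(ns)
        if not in_bailiwick:
            status = STATUS_NOT_NEEDED    # resolver fetches its A from its own zone
        elif glue is None:
            status = STATUS_NO_GLUE       # parent must publish it: register the host + IP at the registrar
        elif glue != child_a.get(ns):
            status = STATUS_MISMATCH      # stale glue at the parent; update the registration
        else:
            status = STATUS_OK
        report[ns] = {"in_bailiwick": in_bailiwick, "child_a": child_a.get(ns),
                      "parent_glue": glue, "status": status}
    return report


if __name__ == "__main__":
    for ns, info in glue_report(CHILD_ZONE, "australianaikido.info", PARENT_GLUE).items():
        print(f"{ns:28} child A={info['child_a']!s:16} parent glue={info['parent_glue']!s:16} {info['status']}")
```

Run as-is it reports ns as "ok", ns2 as "NO GLUE" and ns1.example.net as "no glue needed". The point of the split is that only the middle case is fixed at the registrar: nothing added to the child zone file can make the parent publish an address, which is why adding A records locally never changed the dnsreport output in the thread.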
 
LVL 2

Author Comment

by:valhallatech
ID: 18841026
re Reverse Zone:
The zone file with the PTR records is called "151.67.133.216.austaikido.in-addr.arpa" - is that what you mean by 'defined zone called in-addr.arpa" ?

re glue:
before I make sense of everything you said, can I qualify this:
"provided you actually registered those name servers as name servers authoritative for the australianaikido.info zone."

When you say 'registered those name servers as name servers authoritative'... I have, at the registrar site, delegated the name servers for australianaikido.info to be ns1.australianaikido.info and ns2.australianaikido.info and provided IP numbers for that delegation - is that the same thing?

0
 
LVL 2

Author Comment

by:valhallatech
ID: 18841054
Should I be using my hosting provider's DNS to point to my name servers to break any circular reference?

To me that begs the question - what does the host provider, or if applicable his provider do to resolve this?
0
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 300 total points
ID: 18841313
The reverse-lookup zone always ends in in-addr.arpa, but it has no hostname in it - just the reversed subnet that defines the zone.

For example, you could have a zone called "67.133.216.in-addr.arpa" and in your zone file have

151    PTR     australianaikido.info

but you wouldn't be able to put any other of your listed addresses in that zone.

If you have a zone called "in-addr.arpa" you could have
151.67.133.216  PTR  australianaikido.info
151.67.133.216  PTR ns.australianaikido.info.
95.173.56.69    PTR ns2.australianaikido.info.

etc.

because the zone would append itself to the address for the lookup, resulting in 151.67.133.216.in-addr.arpa.

Reverse-lookup must resolve the full reverse-notation IP address plus the in-addr.arpa to a qualified host name.
If I do a reverse lookup on 216.133.67.151 now, I get:

Results
216.133.67.151 resolves to
"tangelosoftware.com.au"
Top Level Domain: "com.au"

Which isn't any of the names you have listed...

As to the "registered" question, I could be mistaken, but you registered the names and delegates with the registrar, but I don't know that that necessarily delegates authority to those servers...  It's been a couple of years but back when I was working with public DNS and ISPs and registrars what I had to work with was getting the second-tier authoritative for the .com zone (my ISP) to register the delegation of name services for the domain "mycompany.com" so the entries I put in would propagate eventually through the root servers...

I was under the impression that you couldn't just arbitrarily create NS records without the second-tier authoritative for the zone within your subnet registering the delegation.  I could be mistaken.  Time fades memory...  

Looking at the dnsreport, I think you have bigger fish to fry than the glue record thing.  In fact, dnsreport says that
"This is perfectly acceptable behavior per the RFCs. This will usually occur if your DNS servers are not in the same TLD as your domain"

However, it's saying that the parent servers aren't providing A records that correspond to the NS records.  Again, the "parent" servers, not your DNS servers.  Goes back to what I was saying about the delegation from a second-tier name service provider...

Check with dnsreport after your TTL expires and see what's still red.  It's possible that the A record thing isn't propagated through to the parent servers, and the "glue" will appear, but if not, then it goes back to the delegation...
0
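The rule ShineOn describes is mechanical: BIND appends the zone's $ORIGIN to any owner label that lacks a trailing dot, and a resolver asks for the PTR at the reversed address under in-addr.arpa, so the label must be exactly the part of that query name the origin does not already supply. The script below is an added example for this thread (not code from any poster) that computes both sides and compares them, and also generates the correct labels for a reverse zone while reporting which addresses the zone cannot cover. It goes slightly beyond the thread in that the same code handles IPv6 (ip6.arpa nibble names) because Python's ipaddress module produces the reverse name for both families. The addresses are the ones posted above; the zone names are constructed.

```python
"""Reverse-zone owner names: what a PTR owner label expands to.

Added example for this thread, not from any poster. Addresses are the
ones posted in the thread; the reverse zone names are constructed.
"""
import ipaddress


def query_name(ip):
    """Name a resolver looks up for a reverse lookup of `ip` (IPv4 or IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def owner_name(label, origin):
    """Absolute owner name BIND forms for `label` in a zone whose $ORIGIN is `origin`."""
    origin = origin.rstrip(".") + "."
    if label == "@":
        return origin
    return label if label.endswith(".") else f"{label}.{origin}"


def ptr_label(ip, origin):
    """Label to use for `ip` inside reverse zone `origin`, or None if the zone does not cover it."""
    origin = origin.rstrip(".") + "."
    qname = query_name(ip)
    if not qname.endswith("." + origin):
        return None
    return qname[: -len("." + origin)]


def check_ptr(label, origin, ip):
    """True if `label PTR ...` in zone `origin` is the record a reverse lookup of `ip` hits."""
    return owner_name(label, origin) == query_name(ip)


def build_reverse_zone(origin, mapping):
    """Zone lines for (ip, host) pairs; addresses outside `origin` are returned separately."""
    lines, outside = [], []
    for ip, host in mapping:
        label = ptr_label(ip, origin)
        if label is None:
            outside.append(ip)
        else:
            lines.append(f"{label:<6} IN PTR {host}")
    return lines, outside


if __name__ == "__main__":
    zone = "67.133.216.in-addr.arpa"           # constructed /24 reverse zone
    hosts = [("216.133.67.151", "australianaikido.info."),
             ("216.133.67.151", "ns.australianaikido.info."),
             ("69.56.173.95", "ns2.australianaikido.info.")]
    lines, outside = build_reverse_zone(zone, hosts)
    print(f"$ORIGIN {zone}.")
    print("\n".join(lines))
    print("not covered by this zone:", outside)
    # The thread's style of label inside a /24 zone doubles the octets:
    print(owner_name("151.67.133.216", zone))  # 151.67.133.216.67.133.216.in-addr.arpa.
    print(check_ptr("151.67.133.216", zone, "216.133.67.151"))  # False
```

With origin "67.133.216.in-addr.arpa" the 69.56.173.95 address comes back in the "not covered" list, which is the practical form of the remark above that only one of the listed addresses fits that zone; ns2 needs its PTR in whatever zone its own provider delegates for 173.56.69.in-addr.arpa.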
 
LVL 2

Author Comment

by:valhallatech
ID: 18841353
re reverse: Thanks ShineOn - I didn't realise any of that re the reverse zone... just as a BTW, the reason the reverse comes up as a different host is that this box is 'multihomed'... I'm not specifically sure why that name wins over the others, but perhaps I should configure the DNS services provided by that box to be that host, not australianaikido.info

DNS is simply _the_ slipperiest, most ambiguous, elusive topic I've come across - I'm not sure if it's because no-one actually knows anything, or if the terms just lack concise definition, or it's necessarily this complex.

I'll close this topic now, and spend some time reviewing this material and seeing what checks out and what I need to revisit with more questions.

Just 1 thing though - the term 'parent server' seems to be used very broadly.... in DNS terms, what are we talking about? The delegating server? The server for the domain above? The server with the glue record? Something completely other?

thanks both of you for your contributions
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 18841417
In terms of DNS, in this particular context, it's the DNS server that has authority to delegate subordinate zones, that sits as the intermediary between the child zone master and the root servers.  The server the root servers pass the referrals to for resolution of the child zones.  If that makes sense.

In a private LAN domain the parent would be the server that is zone master for the high level domain, say for example mycompany.lan - and has delegated a subordinate zone - division1.mycompany.lan - to another server as master for the subordinate zone.

It is a slippery topic with more twists than Chubby Checker - and it keeps evolving...

Microsoft did nobody any favors by complicating the hell out of it as part of kludging it on top of the old NT4 domains to make it look from the outside like an x.500 structure...

DNS is related to x.500 in that it's got a hierarchy, but it's not intended as a Directory Service - just a name-to-address provider to make TCP/IP more "friendly."  It grew beyond that, and AD makes it a twisted hell.
0
 
LVL 2

Author Comment

by:valhallatech
ID: 18841461
Well, MS have never been as big on doing favours as they have been at making life a twisted hell - thanks ShineOn - above and beyond

I'm having trouble mapping what you're saying to my situation... but I'll open another question about parent servers in the next 12 hrs or so, if you're interested to follow this through and pick up more points

0
