I have a problem with my BIND 9.8.2 setup. After configuring a master zone, which works fine, I've noticed that I cannot get a list of all A records using the dig utility with the ANY option.

Here are some examples:

google.com

If I try google.com I am able to get A records:

```
# dig google.com ANY
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> google.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51302
;; flags: qr rd ra; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      ANY

;; ANSWER SECTION:
google.com.             264     IN      A       46.28.246.109
google.com.             54220   IN      NS      ns3.google.com.
google.com.             264     IN      A       46.28.246.108
google.com.             264     IN      A       46.28.246.84
google.com.             264     IN      A       46.28.246.113
google.com.             264     IN      A       46.28.246.104
google.com.             54220   IN      NS      ns2.google.com.
google.com.             264     IN      A       46.28.246.99
google.com.             264     IN      A       46.28.246.118
google.com.             264     IN      A       46.28.246.119
google.com.             54220   IN      NS      ns4.google.com.
google.com.             264     IN      A       46.28.246.89
google.com.             264     IN      A       46.28.246.93
google.com.             264     IN      A       46.28.246.88
google.com.             264     IN      A       46.28.246.94
google.com.             60      IN      SOA     ns1.google.com. dns-admin.google.com. 1559778 7200 1800 1209600 300
google.com.             54220   IN      NS      ns1.google.com.
google.com.             264     IN      A       46.28.246.123
google.com.             264     IN      A       46.28.246.98
google.com.             264     IN      A       46.28.246.103
google.com.             264     IN      A       46.28.246.114

;; Query time: 47 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Thu Jun 26 18:43:50 2014
;; MSG SIZE  rcvd: 402
```

My lab domain - MX records as an example

I may get MX records if I ask for them:

```
# dig internal.bluenet.lab MX
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> internal.bluenet.lab MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40974
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;internal.bluenet.lab.          IN      MX

;; ANSWER SECTION:
internal.bluenet.lab.   257965  IN      MX      20 mail2.internal.bluenet.lab.
internal.bluenet.lab.   257965  IN      MX      10 mail1.internal.bluenet.lab.

;; AUTHORITY SECTION:
internal.bluenet.lab.   257439  IN      NS      ns.internal.bluenet.lab.

;; Query time: 2 msec
;; SERVER: 10.200.1.99#53(10.200.1.99)
;; WHEN: Thu Jun 26 18:53:35 2014
;; MSG SIZE  rcvd: 99
```

My lab domain - no A records

Whether I use the ANY or the A option, I can't get all A records as an answer. Only if I use the A option do I get one A record.

```
# dig internal.bluenet.lab ANY
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> internal.bluenet.lab ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39681
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;internal.bluenet.lab.          IN      ANY

;; ANSWER SECTION:
internal.bluenet.lab.   257961  IN      MX      10 mail1.internal.bluenet.lab.
internal.bluenet.lab.   257961  IN      MX      20 mail2.internal.bluenet.lab.
internal.bluenet.lab.   257961  IN      SOA     ns.internal.bluenet.lab. adminlab.bluenet.lab.internal.bluenet.lab. 3837556585 28800 7200 2419200 86400
internal.bluenet.lab.   257435  IN      NS      ns.internal.bluenet.lab.

;; AUTHORITY SECTION:
internal.bluenet.lab.   257435  IN      NS      ns.internal.bluenet.lab.

;; Query time: 0 msec
;; SERVER: 10.200.1.99#53(10.200.1.99)
;; WHEN: Thu Jun 26 18:53:40 2014
;; MSG SIZE  rcvd: 168
```

I've got a typical BIND installation - chrooted, with only a master zone. I've blocked zone transfers (to prevent AXFR queries).

I wonder why I am not able to get A records. Please kindly assist me with this. Should some option in named.conf be used to allow this?

– Jeval

  • Please share the zone file, make sure it passes a syntax check with `named-checkzone`, and ensure that the SOA serial you are seeing in the answer matches what is in the zone file. Also, you have shown us the `ANY` request, but not the `A` request. – Andrew B Jun 26 '14 at 18:41
  • Do you really have `IN A` **for domain**? – Lazy Badger Jul 02 '14 at 00:24
  • It's worth noting that you are talking about your BIND installation having a master zone, but none of the examples in the question show an authoritative answer (no `aa` flag), meaning that all of these queries were directed at caching resolvers rather than the actual authoritative server with the master zone. (Also, the first example was directed at a different server from the two following ones. I'm not sure if that has any significance.) Additionally, please clarify why the response for the `A` query is not what you expected; that sounds like the correct query for what you wanted. – Håkan Lindqvist Jul 13 '14 at 13:56

1 Answer

Assuming that there actually exists an A record, I believe the observed behaviour just comes down to the general behaviour of ANY queries when directed at a caching server.

The important thing to note, which may not be intuitive, is that any server, whether caching or authoritative, is only required to return whatever records it has for the requested name in response to an ANY query.

That is, if a caching server has something in its cache, it's perfectly valid (and the most prevalent implementation) to just return whatever is still in the cache for that name, meaning that parts of the result could have expired if there are differing TTLs.

What this means in practice is that ANY queries are only useful in very specific circumstances (generally not to be built into software but rather for debugging and similar uses).
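As an added illustration of the two points made in this thread (example code written for this page, not from the question, the answer or BIND): `parse_dig` pulls the header flags and answer RR types out of dig output so a missing `aa` flag is spotted at once, and `cached_any` models a caching resolver answering ANY from whatever is still unexpired in its cache. The dig excerpt is constructed in the shape of the question's ANY output, and the cache contents and TTLs are made up.

```python
import re

# Constructed excerpt in the shape of the question's ANY answer (not the
# poster's full output); note the flags line has no 'aa'.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39681
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;internal.bluenet.lab.          IN      ANY

;; ANSWER SECTION:
internal.bluenet.lab.   257961  IN      MX      10 mail1.internal.bluenet.lab.
internal.bluenet.lab.   257961  IN      MX      20 mail2.internal.bluenet.lab.
internal.bluenet.lab.   257961  IN      SOA     ns.internal.bluenet.lab. adminlab.bluenet.lab.internal.bluenet.lab. 3837556585 28800 7200 2419200 86400
internal.bluenet.lab.   257435  IN      NS      ns.internal.bluenet.lab.

;; AUTHORITY SECTION:
internal.bluenet.lab.   257435  IN      NS      ns.internal.bluenet.lab.
"""

def parse_dig(text):
    """Return (header flags, {rrtype: [ttl, ...]} for the ANSWER section)."""
    flags, answers, section = set(), {}, None
    for line in text.splitlines():
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(";; ") and "SECTION" in line:
            section = line.split()[1]          # QUESTION / ANSWER / AUTHORITY
        elif section == "ANSWER" and line and not line.startswith(";"):
            _name, ttl, _cls, rrtype = line.split()[:4]
            answers.setdefault(rrtype, []).append(int(ttl))
    return flags, answers

def is_authoritative(flags):
    """'aa' is set only when the answering server is authoritative for the zone."""
    return "aa" in flags

def cached_any(cache, now):
    """Model of a caching resolver answering ANY: it returns only the RRsets
    still unexpired in its cache for the name. cache: rrtype -> (inserted_at, ttl)."""
    return sorted(t for t, (inserted, ttl) in cache.items() if inserted + ttl > now)

if __name__ == "__main__":
    flags, answers = parse_dig(SAMPLE_DIG)
    print("authoritative:", is_authoritative(flags), "types:", sorted(answers))
    # A short-TTL A RRset drops out of the ANY answer as the cache ages (made-up TTLs).
    cache = {"A": (0, 300), "MX": (0, 259200), "NS": (0, 259200), "SOA": (0, 259200)}
    print(cached_any(cache, 100), cached_any(cache, 500))
```

Run the same parser over a `dig @<authoritative server> internal.bluenet.lab ANY` capture and `aa` should appear in the flags; if it does not, the query never reached the server holding the master zone.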

– Håkan Lindqvist