Published: 06.08.2012 | Level: specialist | Access: paid
Lecture 21:

The Domain Name Service

example.org with delegation

What does example.org's name server need to know about china.example.org? You might think, "nothing, they're separate zones," but that's not completely true. For a remote name server to find china.example.org, it first goes to example.org, so the parent domain must maintain enough information to find the child domain. This process is called delegation. The parent name server maintains NS records ("delegation records") and corresponding A records ("glue records") for the child zone. It might also be a good idea for the name servers for example.org to maintain a secondary name server for china: that way we can save a lookup to the master name servers for china.example.org most of the time. To do so, we add the following lines to /etc/namedb/named.conf:

zone "china.example.org" {
  type slave;
  file "backup.china";
  masters {
    223.169.23.1;
    223.169.23.2;
  };
};

zone "23.169.223.in-addr.arpa" {
  type slave;
  file "backup.china-reverse";
  masters {
    223.169.23.1;
    223.169.23.2;
  };
};

We add the following information to /etc/namedb/db.example.org:

@          IN SOA  freebie.example.org. grog.example.org. (
                     1997090501 ; Serial (date, 2 digits version of day) 
                     86400      ; refresh (1 day) 
                     7200       ; retry (2 hours) 
                     8640000    ; expire (100 days) 
                     86400 )    ; minimum (1 day)
china      IN NS   ns.china.example.org.
china      IN NS   ns1.china.example.org.
ns.china   IN A    223.169.23.1
ns1.china  IN A    223.169.23.2

We changed the information, so we also change the serial number of the SOA record so that the secondary name servers for example.org will reload the updated information.

We need to specify the addresses of the name servers as well. Strictly speaking they belong to the zone china, but we need to keep them in the parent zone example.org: these are the addresses to which we need to send any kind of query.

After changing the configuration like this, we restart the name server:

# ndc reload

We check the output, either by looking on the system console or by using the command tail /var/log/messages. We'll see something like:

Mar 18 15:23:40  freebie named[69752]:  reloading name server
Mar 18 15:23:40  freebie named[69752]:  master zone "china.example.org" (IN) loaded (serial 2001061701)
Mar 18 15:23:40  freebie named[69752]:  Forwarding source address is [0.0.0.0]. 4673
Mar 18 15:23:40  freebie named[69752]:  Ready to answer queries.

Messages from named

Once your named is up and running, it may still produce a number of messages. Here are some examples:

May 10 15:09:06 freebie named[124]: approved AXFR from [223.147.37.5]. 2872 for "example.org"
May 10 15:09:06 freebie named[124]: zone transfer of "example.org" (IN) to [192.109.197.137].2872

These messages indicate that another name server has loaded the zone specified. This will typically be one of your secondary name servers. This should happen about as often as you have specified in your refresh parameter for the zone.

Mar 18 19:21:53  freebie named[69752]:  ns_forw: query(tsolyani.com) contains our address (freebie.example.org:223.147.37.1) learnt (A=example.org:NS=66.47.255.122)

This message indicates that the server indicated by the A record has asked us to forward a query whose name server list includes our own names or address(es). This used to be called a lame delegation. It's interesting that the address in this (real) message was a.root-servers.net, one of the 13 base servers for the whole Internet, which was probably forwarding a query from some other system. The server doesn’t check the validity of the queries it forwards, so it’s quite possible for them to be in error.

Mar 19 14:53:32  freebie named[13822]:  Lame server on '182.201.184.212.relays.osirusoft.com' (in 'relays.osirusoft.com'?): [195.154.210.134].53 'ns1-relays.osirusoft.com': learnt (A=216.102.236.44, NS=216.102.236.44)

This message indicates that a name server, listed as authoritative for a particular zone, is in fact not authoritative for that zone.

Sep 14 03:33:18  freebie named[55]: ns_forw: query(goldsword.com) NS points to CNAME (ns-user.goldsword.com:) learnt (CNAME=199.170.202.100:NS=199.170.202.100)

As we saw above, a name server address should be an A record. The administrator of this system didn't know this, and pointed it to a CNAME record.
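As an added example (not from the book, and not part of BIND), the following Python checker validates the kind of delegation set up in "example.org with delegation" above: it parses a parent zone written in the layout the text uses, confirms that every in-zone NS target has a glue A record and is not a CNAME (the mistake this log message reports), and that the SOA serial was bumped so the secondaries reload. The zone text, the extra "japan" delegation and the previous serial value are constructed for the example.

```python
import re
# Constructed sample (not from the book): the text's db.example.org delegation plus a broken one for "japan".
ZONE = "example.org"
SAMPLE = """
@          IN SOA  freebie.example.org. grog.example.org. (
                     1997090501 86400 7200 8640000 86400 ) ; serial refresh retry expire minimum
china      IN NS   ns.china.example.org.
china      IN NS   ns1.china.example.org.
ns.china   IN A    223.169.23.1
ns1.china  IN A    223.169.23.2
japan      IN NS   ns.japan.example.org.
ns.japan   IN CNAME www.japan.example.org.
"""

def parse_zone(text, origin):
    """Return [(owner_fqdn, type, rdata_tokens)] for the 'name IN TYPE rdata' layout
    used in the text; handles ';' comments, '( ... )' continuations and '@'."""
    flat = "\n".join(line.split(";")[0] for line in text.splitlines())
    flat = re.sub(r"\(([^)]*)\)", lambda m: " " + " ".join(m.group(1).split()) + " ", flat)
    records = []
    for line in flat.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[1] != "IN":
            continue  # blank line, or a layout this small parser does not handle (e.g. a TTL field)
        owner = tokens[0]
        fqdn = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        records.append((fqdn.rstrip("."), tokens[2], tokens[3:]))
    return records

def check_delegation(records, origin, previous_serial):
    """Return a list of problems; an empty list means the delegation is consistent."""
    by_name, problems = {}, []
    for owner, rtype, rdata in records:
        by_name.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    serial = int(by_name[origin]["SOA"][0][2])  # SOA rdata: MNAME RNAME SERIAL ...
    if serial <= previous_serial:
        problems.append(f"SOA serial {serial} not bumped past {previous_serial}: secondaries will not reload")
    for owner, types in by_name.items():
        if owner == origin:
            continue  # the apex NS records are not a delegation
        for rdata in types.get("NS", []):
            target = rdata[0].rstrip(".")
            if not target.endswith("." + origin):
                continue  # out-of-bailiwick server: its own zone supplies the address
            target_rrs = by_name.get(target, {})
            if "CNAME" in target_rrs:
                problems.append(f"{owner}: NS points to CNAME {target}")  # what named logs as 'NS points to CNAME'
            elif "A" not in target_rrs:
                problems.append(f"{owner}: no glue A record for {target}")
    return problems
```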

Sep 14 15:55:52  freebie named[55]: ns_forw: query(219.158.96.202.in-addr.arpa) A RR negative cache entry (ns.gz.gdpta.net.cn:) learnt (NODATA=202.96.128.68:NS=202.12.28.129)

This message indicates that the name server has already determined that the name server specified cannot be found, and has noted that fact in a negative cache entry.
