From wolfgang@lyxys.ka.sub.org Sun Mar 3 14:24:23 2002
Return-Path:
Received: from subnet.sub.net (subnet.sub.net [212.227.14.21])
    by hub.freebsd.org (Postfix) with ESMTP id 032B337B400
    for ; Sun, 3 Mar 2002 14:24:22 -0800 (PST)
Received: from lyxys.ka.sub.org (uucp@localhost)
    by subnet.sub.net (8.11.6/8.11.6/subnet-freebsd-1.0) with bsmtp id g23MOKk91894
    for FreeBSD-gnats-submit@freebsd.org; Sun, 3 Mar 2002 23:24:20 +0100 (CET)
    (envelope-from wolfgang@lyxys.ka.sub.org)
Received: from localhost (4715 bytes) by lyxys.ka.sub.org
    via sendmail with P:stdio/R:smart_host/T:inet_uusmtp
    (sender: ) (ident using unix)
    id for ; Sun, 3 Mar 2002 23:08:47 +0100 (CET)
    (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Aug-23)
Message-Id:
Date: Sun, 3 Mar 2002 23:08:47 +0100 (CET)
From: Wolfgang Zenker
Reply-To: Wolfgang Zenker
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: nsupdate fails if destination dns is not in your resolv.conf
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number: 35521
>Category: bin
>Synopsis: nsupdate fails if destination dns is not in your resolv.conf
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Mar 03 14:30:01 PST 2002
>Closed-Date: Sun Sep 29 21:07:41 PDT 2002
>Last-Modified: Sun Sep 29 21:07:41 PDT 2002
>Originator: Wolfgang Zenker
>Release: FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD gate.lyx 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Mar 3 17:28:22 CET 2002 wolfgang@gate.lyx:/usr/obj/usr/local/src/sys/GATE i386
>Description:
Trying to use nsupdate to dynamically update a dns entry fails.
It works using an nsupdate from early November (based on BIND 8.2.4)
instead of the 8.3.1-based nsupdate that is now in STABLE.

Debug-output:

Working version (from 4.4-STABLE, based on BIND 8.2.4):
-------------------------------------------------------
This is the last part of the output of a working update. As you can see,
it asks my nameserver (192.168.203.254) for the NS Record for the
destination domain (dyn.sub.org), then sends the update request to that
server's IP address.

:: ;; res_nmkquery(QUERY, dyn.sub.org, IN, NS)
:: ;; res_send()
:: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43947
:: ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
:: ;; QUERY SECTION:
:: ;; dyn.sub.org, type = NS, class = IN
::
:: ;; Querying server (# 1) address = 192.168.203.254
:: ;; new DG socket
:: ;; got answer:
:: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43947
:: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
:: ;; QUERY SECTION:
:: ;; dyn.sub.org, type = NS, class = IN
::
:: ;; ANSWER SECTION:
:: dyn.sub.org. 23h10m34s IN NS goldie.jpaves.de.
::
:: ;; ADDITIONAL SECTION:
:: goldie.jpaves.de. 14h52m51s IN A 212.86.210.58
::
:: ;; res_send()
:: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 43948
:: ;; flags:; ZONE: 1, PREREQUISITE: 0, UPDATE: 2, ADDITIONAL: 1
:: ;; dyn.sub.org, type = SOA, class = IN
:: lyxys.dyn.sub.org. 0S ANY A
:: lyxys.dyn.sub.org. 2m30s IN A 217.227.147.166
:: dynsub. 0S ANY TSIG HMAC-MD5.SIG-ALG.REG.INT. 0
:: ;; Querying server (# 1) address = 212.86.210.58
:: ;; new DG socket
:: ;; got answer:
:: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 43948
:: ;; flags: qr ra; ZONE: 0, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 1
:: dynsub. 0S ANY TSIG HMAC-MD5.SIG-ALG.REG.INT. 0
::

Non-Working version (from 4.5-STABLE, based on BIND 8.3.1):
-----------------------------------------------------------
This is the last part of the output of a non-working update. As you can
see, this time the update request is being sent to my own nameserver,
which has nothing to do with the zone being updated.
Therefore it sends back "NOTAUTH".

:: ;; res_nmkquery(QUERY, dyn.sub.org, IN, NS)
:: ;; res_send()
:: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42326
:: ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
:: ;; QUERY SECTION:
:: ;; dyn.sub.org, type = NS, class = IN
::
:: ;; Querying server (# 1) address = 192.168.203.254
:: ;; new DG socket
:: ;; got answer:
:: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42326
:: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
:: ;; QUERY SECTION:
:: ;; dyn.sub.org, type = NS, class = IN
::
:: ;; ANSWER SECTION:
:: dyn.sub.org. 23h10m4s IN NS goldie.jpaves.de.
::
:: ;; ADDITIONAL SECTION:
:: goldie.jpaves.de. 14h52m21s IN A 212.86.210.58
::
:: ;; res_send()
:: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42327
:: ;; flags:; ZONE: 1, PREREQUISITE: 0, UPDATE: 2, ADDITIONAL: 1
:: ;; dyn.sub.org, type = SOA, class = IN
:: lyxys.dyn.sub.org. 0S ANY A
:: lyxys.dyn.sub.org. 2m30s IN A 217.227.147.166
:: dynsub. 0S ANY TSIG HMAC-MD5.SIG-ALG.REG.INT. 0
:: ;; Querying server (# 1) address = 192.168.203.254
:: ;; new DG socket
:: ;; got answer:
:: ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 42327
:: ;; flags: qr ra; ZONE: 1, PREREQUISITE: 0, UPDATE: 0, ADDITIONAL: 1
:: ;; dyn.sub.org, type = SOA, class = IN
:: . 0S ANY TSIG . 17
>How-To-Repeat:
Send update request for a zone where your own nameserver (the one in
your resolv.conf) is not authoritative.
>Fix:
As a workaround I am currently using an old nsupdate binary.
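
Added illustration (not part of the original PR or of BIND): a check over the res_send() debug lines quoted in the report that flags a TSIG-signed UPDATE sent to an address other than the glue address of the zone's NS record. The function name and result keys are hypothetical; the sample lines are abridged from the two traces above.

```python
import re

# Abridged from the working (8.2.4) and non-working (8.3.1) traces in the report.
WORKING = """\
:: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43947
:: ;; Querying server (# 1) address = 192.168.203.254
:: dyn.sub.org. 23h10m34s IN NS goldie.jpaves.de.
:: goldie.jpaves.de. 14h52m51s IN A 212.86.210.58
:: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 43948
:: lyxys.dyn.sub.org. 2m30s IN A 217.227.147.166
:: ;; Querying server (# 1) address = 212.86.210.58
:: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 43948
"""
BROKEN = """\
:: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42326
:: ;; Querying server (# 1) address = 192.168.203.254
:: dyn.sub.org. 23h10m4s IN NS goldie.jpaves.de.
:: goldie.jpaves.de. 14h52m21s IN A 212.86.210.58
:: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42327
:: lyxys.dyn.sub.org. 2m30s IN A 217.227.147.166
:: ;; Querying server (# 1) address = 192.168.203.254
:: ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 42327
"""

HEADER = re.compile(r"opcode: (\w+), status: (\w+), id: (\d+)")
SERVER = re.compile(r"Querying server \(# \d+\) address = (\S+)")
NS_RR = re.compile(r"^(\S+)\s+\S+\s+IN\s+NS\s+(\S+)$")
A_RR = re.compile(r"^(\S+)\s+\S+\s+IN\s+A\s+(\S+)$")

def check_update_target(trace):
    """Compare the server that received the UPDATE with the zone's NS glue."""
    ns_names, a_records = set(), {}
    opcode = target = status = None
    for raw in trace.splitlines():
        line = raw.lstrip(": ").strip()      # drop the PR's ":: " quoting prefix
        if m := HEADER.search(line):
            opcode, status = m.group(1), m.group(2)
        elif (m := SERVER.search(line)) and opcode == "UPDATE":
            target = m.group(1)              # resolver lookups (QUERY) are ignored
        elif m := NS_RR.match(line):
            ns_names.add(m.group(2))
        elif m := A_RR.match(line):
            a_records[m.group(1)] = m.group(2)
    # Only A records owned by an NS name count; the record being updated does not.
    auth = sorted({a_records[n] for n in ns_names if n in a_records})
    return {"target": target, "authoritative": auth, "status": status,
            "misdirected": bool(auth) and target not in auth}
```
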
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed
State-Changed-By: matusita
State-Changed-When: Sun Mar 3 15:53:54 PST 2002
State-Changed-Why:

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=35521

From: Makoto Matsushita
To: Wolfgang Zenker
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/35521: nsupdate fails if destination dns is not in your resolv.conf
Date: Mon, 04 Mar 2002 08:59:47 +0900

> State-Changed-From-To: open->analyzed
> State-Changed-By: matusita
> State-Changed-When: Sun Mar 3 15:53:54 PST 2002
> State-Changed-Why:

Gaaaaaaah, null comments, sorry. What I should say is:

This is a (known) nsupdate bug of BIND 8.3.1. Already fixed
in ISC's code. This bug can be fixed if and only if BIND
8.3.2 (the next release of BIND 8.3) is out.

This PR can be closed if we import a new BIND code.

From: Peter Pentchev
To: Makoto Matsushita
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/35521: nsupdate fails if destination dns is not in your resolv.conf
Date: Mon, 4 Mar 2002 12:12:12 +0200

On Sun, Mar 03, 2002 at 04:00:09PM -0800, Makoto Matsushita wrote:
> The following reply was made to PR bin/35521; it has been noted by GNATS.
>
> From: Makoto Matsushita
> To: Wolfgang Zenker
> Cc: bug-followup@FreeBSD.org
> Subject: Re: bin/35521: nsupdate fails if destination dns is not in your
>  resolv.conf
> Date: Mon, 04 Mar 2002 08:59:47 +0900
>
> > State-Changed-From-To: open->analyzed
> > State-Changed-By: matusita
> > State-Changed-When: Sun Mar 3 15:53:54 PST 2002
> > State-Changed-Why:
>
> Gaaaaaaah, null comments, sorry. What I should say is:
>
> This is a (known) nsupdate bug of BIND 8.3.1. Already fixed
> in ISC's code. This bug can be fixed if and only if BIND
> 8.3.2 (the next release of BIND 8.3) is out.
>
> This PR can be closed if we import a new BIND code.

Mmm..
I may be dumb here, but if this bug is already fixed in ISC's code,
and we get their assurance that the fix and the lines around the fix
would not change much before 8.3.2 is out, could we not import this fix
on a vendor branch? This has certainly been done before for other
contrib software..

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence is false.

From: Makoto Matsushita
To: roam@ringlet.net
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/35521: nsupdate fails if destination dns is not in your resolv.conf
Date: Mon, 04 Mar 2002 19:29:26 +0900

roam> Mmm.. I may be dumb here, but if this bug is already fixed in
roam> ISC's code, and we get their assurance that the fix and the
roam> lines around the fix would not change much before 8.3.2 is out,
roam> could we not import this fix on a vendor branch?

No. The author said that "please do NOT". It is not a good idea to
spoil the author's intention.

-- -
Makoto `MAR' Matsushita

From: Peter Pentchev
To: Makoto Matsushita
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/35521: nsupdate fails if destination dns is not in your resolv.conf
Date: Mon, 4 Mar 2002 13:09:45 +0200

On Mon, Mar 04, 2002 at 07:29:26PM +0900, Makoto Matsushita wrote:
>
> roam> Mmm.. I may be dumb here, but if this bug is already fixed in
> roam> ISC's code, and we get their assurance that the fix and the
> roam> lines around the fix would not change much before 8.3.2 is out,
> roam> could we not import this fix on a vendor branch?
>
> No. The author said that "please do NOT". It is not a good idea to
> spoil the author's intention.

Oh; okay, I did not know this.
Thanks for the explanation :)

G'luck,
Peter (who is not using BIND anyway ;)

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am not the subject of this sentence.

From: wolfgang@lyxys.ka.sub.org (Wolfgang Zenker)
To: Makoto Matsushita
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/35521: nsupdate fails if destination dns is not in your resolv.conf
Date: Mon, 30 Sep 2002 01:24:43 +0200 (CEST)

> This is a (known) nsupdate bug of BIND 8.3.1. Already fixed
> in ISC's code. This bug can be fixed if and only if BIND
> 8.3.2 (the next release of BIND 8.3) is out.

> This PR can be closed if we import a new BIND code.

Since we have had BIND 8.3.3 in the system for quite a while now and
the problem does not exist anymore, I suggest that this PR be closed.

State-Changed-From-To: analyzed->closed
State-Changed-By: matusita
State-Changed-When: Sun Sep 29 21:06:21 PDT 2002
State-Changed-Why:
The originator requests to close this PR, since FreeBSD already
imports new BIND code (8.3.3) to 4-stable. Thank you for pointing out.

http://www.freebsd.org/cgi/query-pr.cgi?pr=35521
>Unformatted: