[Pdns-users] Hi. How to test DNS when not authoritative?
bert hubert
bert.hubert at netherlabs.nl
Mon Apr 10 20:18:22 UTC 2006
On Mon, Apr 10, 2006 at 01:15:10PM -0700, Alan Hodgson wrote:
> On April 10, 2006 01:12 pm, Derrick MacPherson <dmacpher at vfs.com> wrote:
> > How can I test DNS when it says I'm not authoritative for the domain?
> > I'm just setting up powerdns and I"ve not moved DNS services yet, but
> > would like to test to make sure all is working as need be on the new DNS
> > server..
> >
>
> dig @new.server.ip +norecurse query
Derrick, perform the command above and check for the AA bit being set, like
this:
$ dig +norecurs ds9a.nl @213.244.168.210
; <<>> DiG 9.3.2 <<>> +norecurs ds9a.nl @213.244.168.210
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20776
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
^^
;; QUESTION SECTION:
;ds9a.nl. IN A
;; ANSWER SECTION:
ds9a.nl. 3600 IN A 213.244.168.210
More info:
Q: PowerDNS does not give authoritative answers, how come?
A: This is almost always not the case. An authoritative answer is
recognized by the 'AA' bit being set. Many tools prominently print the
number of Authority records included in an answer, leading users to conclude
that the absence or presence of these records indicates the authority of an
answer. This is not the case.
Verily, many misguided country code domain operators have fallen into
this trap and demand authority records, even though these are fluff and
quite often misleading. Invite such operators to look at section 6.2.1 of
RFC 1034, which shows a correct authoritative answer without authority
records. In fact, none of the non-deprecated authoritative answers shown
have authority records!
Sorry for sounding like DJB on this, but we get so many misguided
questions about authority..
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
More information about the Pdns-users
mailing list