Fun with Incomplete Error Messages in BIND

Ran into a problem with named/BIND. I wasn't able to update some slave DNS servers from our master:

May  3 15:07:55 dns3 named[7005]: transfer of 'xyz.edu/IN' from 10.1.2.3#53: failed while receiving responses: CNAME and other data
May  3 15:07:58 dns3 named[7005]: client 10.10.10.10#51125: update forwarding 'XYZ.EDU/IN' denied

This is actually quite easy to fix. First, use dig to download the zone file in question:
dig xyz.edu @yourDNS.xyz.edu -t axfr > /root/broken.xyz.edu

Then use named-checkzone to check it:
/usr/sbin/named-checkzone xyz.edu /root/broken.xyz.edu
dns_master_load: /root/broken.xyz.edu:320: dup.xyz.edu: CNAME and other data
zone xyz.edu/IN: loading master file /root/broken.xyz.edu: CNAME and other data

There it is! In this case dup.xyz.edu had both an A record and a CNAME, which the RFCs say is not recommended.

After a quick fix and re-flushing the zone, a zone transfer with dig works:

dig xyz.edu @yourDNS.xyz.edu -t axfr > /root/unbroken.xyz.edu

/usr/sbin/named-checkzone xyz.edu /root/unbroken.xyz.edu
zone xyz.edu/IN: loaded serial 2011050308
OK
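As an added example (not from the original post), here is a small Python pre-check that parses the output of the dig AXFR step above and flags any owner name carrying a CNAME alongside other data, so the conflict can be spotted before named-checkzone or the slaves reject the zone. The sample transfer output below is constructed, and the RRSIG/NSEC exemption follows RFC 4035 section 2.5.

```python
from collections import defaultdict

# Constructed sample of `dig xyz.edu @ns -t axfr` output (not real data);
# it carries the same defect the post describes: dup.xyz.edu has both
# an A record and a CNAME (one line is upper-cased to exercise case folding).
SAMPLE_AXFR = """\
; <<>> DiG 9.7.3 <<>> xyz.edu @yourDNS.xyz.edu -t axfr
;; global options: +cmd
xyz.edu.\t3600\tIN\tSOA\tns1.xyz.edu. hostmaster.xyz.edu. 2011050308 3600 900 1209600 300
xyz.edu.\t3600\tIN\tNS\tns1.xyz.edu.
www.xyz.edu.\t3600\tIN\tA\t192.0.2.10
dup.xyz.edu.\t3600\tIN\tA\t192.0.2.11
DUP.xyz.edu.\t3600\tIN\tCNAME\twww.xyz.edu.
alias.xyz.edu.\t3600\tIN\tCNAME\twww.xyz.edu.
xyz.edu.\t3600\tIN\tSOA\tns1.xyz.edu. hostmaster.xyz.edu. 2011050308 3600 900 1209600 300
;; Query time: 3 msec
"""

# RFC 4035 section 2.5 allows a signed zone to keep RRSIG and NSEC beside a CNAME.
DNSSEC_EXEMPT = {"RRSIG", "NSEC"}


def parse_axfr(text):
    """Map each owner name (lower-cased) to the set of RR types it carries."""
    types_by_name = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig comments and blank lines
        fields = line.split()
        # dig prints records as: owner TTL class type rdata...
        if len(fields) < 4 or fields[2] not in ("IN", "CH", "HS"):
            continue
        types_by_name[fields[0].lower()].add(fields[3].upper())
    return types_by_name


def find_cname_conflicts(types_by_name):
    """Return [(name, [other types])] for names where a CNAME coexists with other data."""
    conflicts = []
    for name, types in sorted(types_by_name.items()):
        if "CNAME" in types:
            others = sorted(types - {"CNAME"} - DNSSEC_EXEMPT)
            if others:
                conflicts.append((name, others))
    return conflicts


if __name__ == "__main__":
    for name, others in find_cname_conflicts(parse_axfr(SAMPLE_AXFR)):
        print(f"{name}: CNAME and other data ({', '.join(others)})")
```

Feed it the file saved by dig (for example /root/broken.xyz.edu) instead of the sample to check a real transfer.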
