Helpful Information
 
 
Category: DNS
is this correct for dns? trying to fix misconfigured domain???

I'm trying to fix a primary & secondary nameserver and hopefully get qmail running on ns2.getnby.com (it's running now, but when checking mail I'm getting "The host 'mail.getnby.com' could not be found"). I've changed the records on both machines, but when ns1.getnby.com DNS was first set up the master & secondary directories were symlinked since I only had 1 IP at first. I'm pretty sure I've munged this setup too (I have a history of that), so any criticisms, opinions or other remarks would be appreciated!

/etc/namedb/named.conf

options {
    directory "/var/named";
};
zone "." {
    type hint;
    file "etc/named.ca";
};
zone "getnby.com" {
    type master;
    file "master/getnby.com";
    notify yes;
};
zone "199.104.118.67" {
    type master;
    file "master/199.104.118.67";
    notify yes;
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/named.local";
};

zone file
$TTL 86400
getnby.com. IN SOA ns1.getnby.com. webmaster.getnby.com. (
2002020403 ; serial
86400 ; refresh
30 ; retry
604800 ; expire
172800 ; default_ttl
)
getnby.com. IN NS ns1.getnby.com.
getnby.com. IN NS ns2.getnby.com.
ns1.getnby.com. IN A 199.104.118.66
ns2.getnby.com. IN A 199.104.118.67
getnby.com. IN A 199.104.118.66
www.getnby.com. IN A 199.104.118.66
mail.getnby.com. IN MX 10 ns2.getnby.com.

named.local
$TTL 86400
@ IN SOA localhost. root.localhost. (
2001071401 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ; default_ttl
)
@ IN NS localhost.
1 IN PTR localhost.

Doing some further checking, I've found that I can check mail if I use ns2.getnby.com or the IP as the incoming mail server, but not mail.getnby.com???

Thanks, Terry

In my test yesterday I found that you have just made some big configuration changes to your DNS. Here is what I got yesterday.

1) SOA as of yesterday:
What's listed in roots?
# whois getnby.com

NS1.GETNBY.COM 199.104.118.66
NS2.GETNBY.COM 199.104.118.67


let's check your getnby.com by querying ns1.getnby.com

# dnsq soa getnby.com ns1.getnby.com

6 getnby.com:
133 bytes, 1+1+2+2 records, response, authoritative, weird ra, noerror
query: 6 getnby.com
answer: getnby.com 172800 SOA getnby.com root.getnby.com 2002011101 86400 30 604800 172800
authority: getnby.com 172800 NS getnby.com
authority: getnby.com 172800 NS ns1.getnby.com
additional: getnby.com 172800 A 192.168.0.1
additional: ns1.getnby.com 172800 A 199.104.118.66
In your SOA, you have set the MNAME to getnby.com, but the root servers don't know anything about it because it has been delegated to ns1.getnby.com. So you need to change it to ns1.getnby.com so it can be traced to the roots and the chain of delegation is followed properly.

Don't use root.getnby.com as your RNAME; set up a hostmaster alias instead.

Your Retry (30 seconds) wastes a lot of bandwidth if your ns2.getnby.com is ever down. A proper Retry should be around 30 minutes (1800) to 1 hour (3600).
You need to change your TTL from 172800 (2 days) to 86400 (1 day). Note, TTL is the minimum, not the actual.

SOA as of today:
# dnsq soa getnby.com ns1.getnby.com

6 getnby.com:
142 bytes, 1+1+2+2 records, response, weird ra, noerror
query: 6 getnby.com
answer: getnby.com 167164 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 80585 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67
- Your MNAME has been fixed.
- However, your ns1.getnby.com is no longer giving an authoritative answer for getnby.com; this is a so-called lame server.

Now let's try to ask ns2.getnby.com:
# dnsq soa getnby.com ns2.getnby.com

6 getnby.com:
142 bytes, 1+1+2+2 records, response, authoritative, weird ra, noerror
query: 6 getnby.com
answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 86400 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67

2) NS as of today has been fixed.
3) A record as of yesterday:
Why did you use 192.168.0.1? You need to add another A record for ns2.getnby.com so it's glued.
What is glueness?
When you delegate your getnby.com to ns1.getnby.com and ns2.getnby.com with NS records, you MUST add the associated A records for ns1.getnby.com and ns2.getnby.com within the same zone. It's required.
I've heard of gluelessness, what is it?
When you delegate your getnby.com to ns1.anotherdomain.com, you CAN'T add:

ns1.anotherdomain.com. IN A 12.34.56.78
Then a further DNS lookup is required, since you can't get the Address of getnby.com within the same zone. BIND will ignore such an A record by default.
How about delegating subdomain.getnby.com to ns.subdomain.getnby.com?
It's the same parent zone, same parent domain, therefore glue is needed.

subdomain.getnby.com. IN NS ns.subdomain.getnby.com.
ns.subdomain.getnby.com. IN A 11.22.33.44
NS + A makes it glue. In this example, you don't need to define an A record for subdomain.getnby.com because it's delegated to ns.subdomain.getnby.com. BTW, gluelessness is bad, according to djb (qmail author). It's fine to be glueless at one level, that usually happens when you host someone's domain.

4) MX:

What's your MX?

Normally you can do:
# dnsmx getnby.com
But I trust no one; I want to see what you have set, so I will ask ns1.getnby.com for the answer (yesterday):
# dnsq mx getnby.com ns1.getnby.com

15 getnby.com:
129 bytes, 1+1+2+3 records, response, authoritative, weird ra, noerror
query: 15 getnby.com
answer: getnby.com 172800 MX 10 mail.getnby.com
authority: getnby.com 172800 NS getnby.com
authority: getnby.com 172800 NS ns1.getnby.com
additional: mail.getnby.com 172800 A 199.104.118.67
additional: getnby.com 172800 A 192.168.0.1
additional: ns1.getnby.com 172800 A 199.104.118.66
Because your ns1.getnby.com is currently a lame server, I am going to ask ns2.getnby.com for the answer (today):
# dnsq mx getnby.com ns2.getnby.com

15 getnby.com:
78 bytes, 1+0+1+0 records, response, authoritative, weird ra, noerror
query: 15 getnby.com
authority: getnby.com 172800 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
It's not even giving an answer. Why?
Let's try this:
# dnsmx getnby.com
10 mail.getnby.com

So mail.getnby.com appears to be your MX. But wait, it doesn't have an A record as of today; that's why ns2 is not answering.
Your MX has got a serious problem.
# dnsip ns2.getnby.com
199.104.118.67
Oh no, as of yesterday it's the same IP as mail.getnby.com. Remember the whois lookup, and that ns1.getnby.com and ns2.getnby.com are listed at the root servers?
If you want more reliability, you MUST set your MX to be ns2.getnby.com to avoid unnecessary DNS traffic. It makes 30% difference.

Here is what you need to do on ns1 now:
1) Fix all your Retry, Refresh, Expire and Minimum
2) Change your MX to ns2.getnby.com
>> mail.getnby.com. IN MX 10 ns2.getnby.com.
That's absolutely incorrect.
- mail.getnby.com has no A record.
- your DNS servers have never delegated anything to mail.getnby.com.
- specifying mail.getnby.com is out-of-zone.
The fix is:

getnby.com. IN MX 0 ns2.getnby.com.
3) In your named.conf, add the following:
options {
    directory "/var/named";
    version "";
    auth-nxdomain no;
    fetch-glue no;
    recursion no;
};
4) Remove the following:
zone "199.104.118.67" {
    type master;
    file "master/199.104.118.67";
    notify yes;
};
Why?
Because your authoritative DNS servers will NEVER be authoritative for your reverse.
5) Increment the Serial on NS1 then shutdown completely and restart it.
6) Fix (1) and (2) then I will look it up again.
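A zone-file lint that applies the checks from this reply (MNAME traceable through the delegation, sane Retry and minimum TTL, glue for in-zone NS, MX on the apex with a target that has an A record), added here as an example and not part of the thread. It assumes the one-record-per-line, fully-qualified layout Terry posted and nothing else about the BIND setup.

```python
import re
# Added example, not from the thread: a linter for a zone file written in the
# one-record-per-line, fully-qualified style posted above. BROKEN_ZONE is
# Terry's first zone, abridged to the records these checks look at.
BROKEN_ZONE = """\
$TTL 86400
getnby.com. IN SOA ns1.getnby.com. webmaster.getnby.com. (
2002020403 ; serial
86400 ; refresh
30 ; retry
604800 ; expire
172800 ; default_ttl
)
getnby.com. IN NS ns1.getnby.com.
getnby.com. IN NS ns2.getnby.com.
ns1.getnby.com. IN A 199.104.118.66
ns2.getnby.com. IN A 199.104.118.67
mail.getnby.com. IN MX 10 ns2.getnby.com.
"""
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

def parse_zone(text):
    body = re.sub(r";[^\n]*", "", text)  # drop ; comments
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)  # fold the SOA
    soa, records = None, []
    for fields in (line.split() for line in body.splitlines()):
        if not fields or fields[0].startswith("$"):  # blank line or $TTL directive
            continue
        owner, rtype, rdata = fields[0], fields[2], fields[3:]
        if rtype == "SOA":  # serial and timers become ints, names stay strings
            soa = dict(zip(SOA_FIELDS, rdata[:2] + [int(x) for x in rdata[2:]]), zone=owner)
        else:
            records.append((owner, rtype, rdata))
    return soa, records

def lint_zone(text):
    soa, records = parse_zone(text)
    zone, problems = soa["zone"], []
    ns = [r[2][0] for r in records if r[0] == zone and r[1] == "NS"]
    has_a = {r[0] for r in records if r[1] == "A"}
    if soa["mname"] not in ns:  # MNAME must be traceable through the delegation
        problems.append(f"SOA MNAME {soa['mname']} is not a delegated NS")
    if soa["retry"] < 1800:
        problems.append(f"SOA retry {soa['retry']}s is too low (1800-3600 recommended)")
    if soa["minimum"] > 86400:
        problems.append(f"SOA minimum TTL {soa['minimum']}s is too high (86400 recommended)")
    for n in ns:  # an in-zone nameserver needs a glue A record
        if n.endswith("." + zone) and n not in has_a:
            problems.append(f"NS {n} has no glue A record")
    for owner, rtype, rdata in records:  # MX belongs on the apex; target must have an A record
        if rtype == "MX" and owner != zone:
            problems.append(f"MX owner {owner} is not the zone apex {zone}")
        if rtype == "MX" and rdata[1] not in has_a:
            problems.append(f"MX target {rdata[1]} has no A record")
    return problems
```

Run against BROKEN_ZONE it reports the low Retry, the 172800 minimum and the MX placed on mail.getnby.com instead of the apex; the corrected zone Terry posts later passes clean.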

I 'think' I've done everything you've suggested to both ns1 & ns2 and restarted them both but I'm confused by

>NS + A makes it glue. In this example, you don't need to define an A record for subdomain.getnby.com because it's delegated to ns.subdomain.getnby.com. BTW, gluelessness is bad, according to djb (qmail author). It's fine to be glueless at one level, that usually happens when you host someone's domain.

I would need to do this only if I wanted to add a subdomain of getnby.com (terry.getnby.com) right? It's not required if I don't???

zone record...
$TTL 86400
getnby.com. IN SOA ns1.getnby.com. webmaster.getnby.com. (
2002020501 ; serial
86400 ; refresh
1800 ; retry
604800 ; expire
86400 ; default_ttl
)
getnby.com. IN NS ns1.getnby.com.
getnby.com. IN NS ns2.getnby.com.
ns1.getnby.com. IN A 199.104.118.66
ns2.getnby.com. IN A 199.104.118.67
getnby.com. IN A 199.104.118.66
www.getnby.com. IN A 199.104.118.66
getnby.com. IN MX 0 ns2.getnby.com.

named.conf
options {
    directory "/var/named";
    version "";
    auth-nxdomain no;
    fetch-glue no;
    recursion no;
};
zone "." {
    type hint;
    file "etc/named.ca";
};
zone "getnby.com" {
    type master;
    file "master/getnby.com";
    notify yes;
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/named.local";
};

Also, with my old zone records (munged up ones) people could check mail by using their domain name (mail.getnby.com), but it seems that to pop mail with the records like this it's necessary to use ns2.getnby.com??? Oh well, once I get this fixed and another box built I'm going to try out djbdns; at least with this setup it's a lot easier to edit zones...

Thanks again, Terry

Latest:

$ dnsq soa getnby.com ns2.getnby.com
6 getnby.com:
142 bytes, 1+1+2+2 records, response, authoritative, noerror
query: 6 getnby.com
answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020501 86400 1800 604800 86400
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 86400 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67

$ dnsq soa getnby.com ns1.getnby.com
6 getnby.com:
80 bytes, 1+0+2+1 records, response, noerror
query: 6 getnby.com
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns2.getnby.com 86400 A 199.104.118.67
As you can see, your ns1.getnby.com is still a lame server, while ns2.getnby.com is perfectly fine, even the MX:

$ dnsq mx getnby.com ns2.getnby.com
15 getnby.com:
112 bytes, 1+1+2+2 records, response, authoritative, noerror
query: 15 getnby.com
answer: getnby.com 86400 MX 0 ns2.getnby.com
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns2.getnby.com 86400 A 199.104.118.67
additional: ns1.getnby.com 86400 A 199.104.118.66
It seems like your ns2 is being the master at this moment. You need to check your named.conf on both and make sure.
In BIND8 on ns1, you should add allow-transfer { 199.104.118.67; }; and in your 0.0.127.in-addr.arpa zone add allow-transfer { none; };
You also need to change the Serial on NS1 to tomorrow's date, like 2002020601, and lower the Refresh from 86400 (1 day) to 1800 (1/2 hour) so your NS2 can pick up the change in half an hour.

With recursion no; your DNS server is no longer producing the weird ra error from my query above.

>> people could check mail by using their domain name (mail.getnby.com)

If you want user-friendliness more than reliability, then use mail.getnby.com. For SMTP, don't even do it. If you do, you will lose 30% on reliability. Not to mention that when your ISP (srv.net) has a broken in-addr.arpa (reverse DNS), you will lose another 40%; that's a total of 70% loss in reliability, because many SMTP servers reject an MX that has a broken reverse DNS.
The RFC says your MX should have reverse DNS, but yours doesn't; that alone is an RFC violation, and you shouldn't run an SMTP server in the first place.
When you create another A record like mail.getnby.com, it takes a further lookup to get the Address record of your mail.getnby.com (remember ns2.getnby.com is glued at the roots?), which is extremely unreliable. All I can say is, you have chosen the wrong ISP, because srv.net's DNS is highly misconfigured as well.

>> this that it's necessary to use ns2.getnby.com?

Up to you; it's a 70% loss in reliability on SMTP. For POP3, probably 30%. You can do it whichever way you wish, but don't complain when there's a problem.
Maybe you should switch your ISP to Speakeasy.net, which is by far the best for running servers yourself.

>> if I wanted to add a subdomain of getnby.com (terry.getnby.com) right?

Yes. Anyway I don't want to confuse you further so I am not going to talk about that subdomain delegation anymore.

>> I'm going to try out djbdns

Great. But djbdns is not suitable for a DNS newbie. So make sure you fix your BIND, play around with it for a couple of weeks, then do the migration.

>> at least with this setup it's a lot easier to edit zones

Not only that, djbdns's dnscache is much more secure and reliable than BIND's cache. Why? Because BIND caches anything, authoritative answers and negative answers; that is why BIND is vulnerable to cache poisoning, and BIND 9 doesn't make any difference. You can search Google and find out more about cache poisoning. dnscache, however, only caches authoritative answers that can be traced to the roots. You can say BIND's cache trusts everyone (vulnerable to zone spoofing), even script kiddies. If there were no evil people on earth, that would be fine, but that's not true. Now you know that BIND developers have never had any security concerns when developing their ****ty software.
You can say that practice is equivalent to running Windows file sharing with Open Guest Access, which uses a weak password or no password, with full Administrator read+write access to your Windows network.
Yeah, BIND 9 is a little better in security, but it doesn't help much because it's being rewritten from scratch (they claimed that) by the same old group of security-illiterate people. Those BIND people should go back to school.

I've been trying to figure out the ns1.getnby.com bs; everything seems identical between the two, but I think part of it is that it's a redhat 6.2 box that's been hacked on pretty bad by me (it was my first 'nix' experience), so I'm working on putting back together an old box that I'll load freebsd on and just use it for a name server until I'm ready to replace the redhat box with another freebsd one, and just change the ns1.getnby.com internic record to have it go to another ip# (I have 16 available, 2 are now being used).

>If you want user-friendly more than reliability,

I'll take your advice and go for reliability!

>Maybe you should switch your ISP to Speakeasy.net, which is by far the best for running servers yourself.

The only problem is that there is no DSL in our town. I'm getting a pretty good deal on my 56k frame because I'm also a reseller for srv.net dialup service, so it's only costing me about $80/mo. including phone co. charges.


>>> if I wanted to add a subdomain of getnby.com (terry.getnby.com) right?

>Yes. Anyway I don't want to confuse you further so I am not going to talk about that subdomain delegation anymore.

whew! Thanks :-) Gotta save something for me to screw up on later!

I sure appreciate the help!
Thanks Again!!!
Terry

Guess what? The lame server is gone!!

$ dnsq soa getnby.com ns1.getnby.com
6 getnby.com:
142 bytes, 1+1+2+2 records, response, authoritative, noerror
query: 6 getnby.com
answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020601 1800 1800 604800 86400
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 86400 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67
Now your ns1.getnby.com is giving an authoritative answer for getnby.com, and it's no longer a lame server.
So let's check ns2.getnby.com:

$ dnsq soa getnby.com ns2.getnby.com
6 getnby.com:
142 bytes, 1+1+2+2 records, response, authoritative, noerror
query: 6 getnby.com
answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020501 86400 1800 604800 86400
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 86400 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67
As you can see they are pretty identical except ns2 hasn't picked up the changes. Check your named.conf and make sure.

>> I have 16 available, 2 are now being used

Then you should create another slave and name it mail.getnby.com. Normally when you are short of static IPs, like sthost.co.uk (sjbates's thread), you either have to call your master ns1.sthost.co.uk or mail.sthost.co.uk. Of course, using mail.xxx.yyy for a nameserver doesn't sound right, but that's just the way you have to configure it, for more reliability.

>> it's only costing me about $80/mo

Maybe you should educate them to fix their DNS servers; currently their DNS is worse off than yours (too many glueless records + broken reverse DNS).
If they can fix their broken reverse DNS, your DNS will then be 100% reliable. Like I said previously, many SMTP servers reject an MX with a broken reverse DNS (not able to resolve to a name). As far as I have heard, AOL does that.
I also see that your SMTP server (qmail-smtpd) is up and running and denies relaying. Just so you know, when you run an open-relay SMTP server, you probably will not be able to send any messages to hotmail.com (they are ordb.org's big-time supporter/subscriber).
Finally, when DNS resolution has propagated to your NS2, you should increase the SOA Refresh to about 3 hours to 12 hours (86400 - 24 hours).
Go back to Mail forum and continue your qmail configuration when you are ready.

>As you can see they are pretty identical except ns2 hasn't picked up the changes. Check your named.conf and make sure.

I didn't set up the update since I'm almost finished with another freebsd box and I was afraid ns1 would screw up ns2, but I'll do that now!

>I also see that your SMTP server (qmail-smtpd) is up and running and denies relaying.

I've never allowed anyone (except me) to send mail through my mailserver (now there's 2!!! I'll post what I think my problems were in the other forum). Since I don't offer dialup, my clients (all 14 of them, 3 paying!) have to use their normal dialup account to send, but they can receive through email accounts I set up for them, and now that DNS is going good I feel happy about accepting new domains!

Thanks again!!! You are GREAT!!!
Terry