[Dnsmasq-discuss] wrong response code for no SRV record

Rahul Amaram rahul at synovel.com
Tue May 4 10:59:27 BST 2010


Hi Rob,
Thanks a lot for your response. Please find my responses inline. Btw, 
your last suggestion has helped me achieve the desired result though I 
still feel it would be great to have dnsmasq return NXDOMAIN only for a 
particular domain and forward the remaining domain queries to upstream 
servers. For example, dnsmasq should be configurable such that a query for 
_kerberos-master._udp.example.com is returned as NXDOMAIN whereas 
queries for _kerberos._udp.example.com and _kpasswd._udp.example.com are 
forwarded to the upstream server.

Thanks and Regards,
Rahul.

On Tuesday 04 May 2010 01:43 PM, /dev/rob0 wrote:
>> Simon Kelley wrote:
>>      
>>> I think you have mis-interpreted the way this works. NXDOMAIN
>>> means that there is no data in the DNS for the given domain. That
>>> is not what's happening here. The example line returns a valid
>>> SRV record for _ldap._tcp.example.com which happens to be empty.
>>> The "domain" refers to _ldap._tcp.example.com and not the domain
>>> which may be returned as part of the reply.
>>>
>>> Have you encountered real-world problems with the existing
>>> behaviour?
>>>        
> On Sat, May 01, 2010 at 02:59:25PM +0530, Rahul Amaram wrote:
>    
>> Well yes. I have encountered some problems with this. I am using
>> Kerberos in my company LAN. While performing kinit on my system,
>> the SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up.
>>      
> Show the dig(1) results to demonstrate this.
# dig +short _kerberos-master._udp.example.com SRV   [Request forwarded to upstream server]
# echo 'srv-host=_kerberos-master._udp.example.com' >> /etc/dnsmasq.conf
# /etc/init.d/dnsmasq restart
Restarting DNS forwarder and DHCP server: dnsmasq.
# dig +short _kerberos-master._udp.example.com SRV
0 0 1 .     [Response from dnsmasq. I want this response to be NXDOMAIN]
#
> Is EXAMPLE.COM your
> company LAN domain? Does _kerberos-master.udp.EXAMPLE.COM exist in
> the form of any RR type, SRV or otherwise?
>    
EXAMPLE.COM is the kerberos realm. I could even have SYNOVEL.COM as the 
realm.
> Show what Kerberos is actually looking up. Is it as you said,
> _kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the
> documented LDAP example, "_kerberos-master._udp.EXAMPLE.COM"?
>    
I do not understand the difference. If the kerberos realm is 
"EXAMPLE.COM" it looks up "_kerberos-master._udp.example.com". If the 
kerberos realm is "SYNOVEL.COM", it looks up 
"_kerberos-master._udp.synovel.com".
>> Now if an NXDOMAIN is not returned but instead the default port 1
>> with empty host is returned, the kinit command tries to further
>> resolve that empty host (which I think is replaced with <ROOT>
>> somehow) and this causes an extreme slowdown of kinit.
>>
>> I think there should be some configuration option to say that an
>> NXDOMAIN should be returned for a particular SRV record. This
>> would be really helpful. What are your thoughts about this?
>>      
> Useless. NXDOMAIN, as Simon explained, means that there is no record
> of any RR type for the given name. If you want NXDOMAIN, define
> yourself as authoritative for any level of the parent domain[s] in
> question.
>      local=/EXAMPLE.COM/
> or, if you only want the SRV subdomains:
>      local=/_tcp.EXAMPLE.COM/
>      local=/_udp.EXAMPLE.COM/
>
> Then, any name NOT defined under those domains will be NXDOMAIN. I
> suspect you have misdiagnosed your original issue.
Thanks. This solution works perfectly. I have added 
"local=/_tcp.EXAMPLE.COM/" to dnsmasq.conf and now I am able to get the 
desired result.
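
The two configurations discussed in this thread side by side, as an added example (not posted by anyone in the thread): the bare srv-host line that produces the empty "0 0 1 ." answer, and the local= approach from the reply. The target host kdc.example.com is an assumed name; the _udp subtree is used because that is what kinit queries.

```conf
# /etc/dnsmasq.conf fragment (added example, not from the thread)

# Starting point from the thread: a bare srv-host line. dnsmasq answers the
# query itself with an SRV record whose target is empty (dig shows "0 0 1 ."),
# and kinit then tries to resolve that empty target before giving up.
#srv-host=_kerberos-master._udp.example.com

# Suggested instead: make dnsmasq authoritative for the SRV subtree. Any
# name under it that is not defined locally gets NXDOMAIN and is never
# forwarded upstream.
local=/_udp.example.com/

# Caveat: local= covers all of _udp.example.com, so the SRV records that
# kinit still needs must be defined here as well, or they become NXDOMAIN
# too. kdc.example.com is an assumed hostname; 88 and 464 are the standard
# Kerberos and kpasswd ports.
srv-host=_kerberos._udp.example.com,kdc.example.com,88
srv-host=_kpasswd._udp.example.com,kdc.example.com,464

# _kerberos-master._udp.example.com is deliberately left undefined, so it
# resolves to NXDOMAIN and kinit moves on immediately.
```

After restarting dnsmasq, check with dig (without +short, so the status line is visible): _kerberos._udp.example.com should return the SRV record defined above, and _kerberos-master._udp.example.com should come back with status NXDOMAIN. Note the trade-off the thread ends on: local= cannot forward the other _udp names upstream while returning NXDOMAIN for one of them; it makes the whole subtree local, so every record under it has to be maintained in dnsmasq.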


