Hi guys,
Couple of months ago I moved my main server to a new dedicated server running Debian 11.
I always have had my own nameservers (three servers, different places) but since the move, intoDNS reports an informational message I never had before.
INFO: GLUE was not sent when I asked your nameservers for your NS records. This is ok but you should know that in this case an extra A record lookup is required in order to get the IPs of your NS records. The nameservers without glue are:
78.46.78.132
You can fix this for example by adding A records to your nameservers for the zones listed above.
I understand this is an informational message, and an extra A lookup isn't that expensive these days, but we all want to deliver a perfect service. So I've been investigating this whole weekend and didn't find a solution...
I suppose intoDNS does a dig query to the nameservers to find out everything it displays? I discovered the Debian 11 server has less info in the additional section of the response.
ns1.buggedbrain.com
dig @ns1.buggedbrain.com buggedbrain.com NS
; <<>> DiG 9.16.23 <<>> @ns1.buggedbrain.com buggedbrain.com NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24225
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 5
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 19ab739b81ee49100100000061adf556aa36b94e16811bfd (good)
;; QUESTION SECTION:
;buggedbrain.com. IN NS
;; ANSWER SECTION:
buggedbrain.com. 3600 IN NS ns1.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns2.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns3.buggednetworks.eu.
;; ADDITIONAL SECTION:
ns1.buggedbrain.com. 3600 IN AAAA 2a01:4f8:120:3493::2
ns2.buggedbrain.com. 3600 IN AAAA 2a02:c207:2025:7385::1
ns1.buggedbrain.com. 3600 IN A 78.46.78.132
ns2.buggedbrain.com. 3600 IN A 207.180.214.48
;; Query time: 34 msec
;; SERVER: 2a01:4f8:120:3493::2#53(2a01:4f8:120:3493::2)
;; WHEN: Mon Dec 06 12:34:45 Romance (standaardtijd) 2021
;; MSG SIZE rcvd: 231
ns2.buggedbrain.com
dig @ns2.buggedbrain.com buggedbrain.com NS
; <<>> DiG 9.16.23 <<>> @ns2.buggedbrain.com buggedbrain.com NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4790
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 7
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6efe0418c11a99b548bfd80261adf5d77ab5cea62193d12a (good)
;; QUESTION SECTION:
;buggedbrain.com. IN NS
;; ANSWER SECTION:
buggedbrain.com. 3600 IN NS ns2.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns3.buggednetworks.eu.
buggedbrain.com. 3600 IN NS ns1.buggedbrain.com.
;; ADDITIONAL SECTION:
ns1.buggedbrain.com. 3600 IN AAAA 2a01:4f8:120:3493::2
ns2.buggedbrain.com. 3600 IN AAAA 2a02:c207:2025:7385::1
ns3.buggednetworks.eu. 3600 IN AAAA 2605:a140:2037:7597::1
ns1.buggedbrain.com. 3600 IN A 78.46.78.132
ns2.buggedbrain.com. 3600 IN A 207.180.214.48
ns3.buggednetworks.eu. 3600 IN A 209.126.6.143
;; Query time: 35 msec
;; SERVER: 2a02:c207:2025:7385::1#53(2a02:c207:2025:7385::1)
;; WHEN: Mon Dec 06 12:36:54 Romance (standaardtijd) 2021
;; MSG SIZE rcvd: 275
ns3.buggednetworks.eu
dig @ns3.buggednetworks.eu buggedbrain.com NS
; <<>> DiG 9.16.23 <<>> @ns3.buggednetworks.eu buggedbrain.com NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37671
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 7
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c3a31828a013f83cc30942d761adf5fb75fc789506838b7b (good)
;; QUESTION SECTION:
;buggedbrain.com. IN NS
;; ANSWER SECTION:
buggedbrain.com. 3600 IN NS ns3.buggednetworks.eu.
buggedbrain.com. 3600 IN NS ns1.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns2.buggedbrain.com.
;; ADDITIONAL SECTION:
ns1.buggedbrain.com. 3600 IN AAAA 2a01:4f8:120:3493::2
ns2.buggedbrain.com. 3600 IN AAAA 2a02:c207:2025:7385::1
ns3.buggednetworks.eu. 3600 IN AAAA 2605:a140:2037:7597::1
ns1.buggedbrain.com. 3600 IN A 78.46.78.132
ns2.buggedbrain.com. 3600 IN A 207.180.214.48
ns3.buggednetworks.eu. 3600 IN A 209.126.6.143
;; Query time: 120 msec
;; SERVER: 2605:a140:2037:7597::1#53(2605:a140:2037:7597::1)
;; WHEN: Mon Dec 06 12:37:31 Romance (standaardtijd) 2021
;; MSG SIZE rcvd: 275
As you can see, the additional sections of ns2 and ns3 contain all IP addresses for all nameservers, but that of ns1 only contains those for ns1 and ns2. I think this is what intoDNS is pointing out?
Bind/Named versions:
ns1: 9.16.22
ns2: 9.11.4
ns3: 9.11.5
These are all standard DA setups, sharing zones through multi server. Named configuration hasn't been changed. So I can only suspect they changed something in BIND between 9.11 and 9.16... But I can't seem to pin it down, been searching through the changelog but found nothing. Been searching on Google, but it is hard to find (recent) discussions about this.
I tried setting 'minimal-responses no;' in the named config, but this didn't help. Only thing that helped was setting 'allow-recursion { any; };' but as everyone says this is a security risk, this isn't a solution.
So does anyone here have an idea as to what has changed in BIND to be less informative?
Like I said at the beginning of this post, an extra A lookup isn't the end of the world, but I like to know what has changed, so if someone can point me in the right direction I would be happy.
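
The comparison made by eye in the post above can be scripted; this is an added example, not part of the original post. It parses `dig` output, lists the NS targets that have no A/AAAA record in the ADDITIONAL section, and marks each as inside or outside the queried zone. The function names are hypothetical and the sample is the ns1 response from the post with header lines trimmed.

```python
import re

# Constructed sample: ANSWER and ADDITIONAL sections of the ns1 response
# quoted in the post (header and OPT lines trimmed).
NS1_RESPONSE = """\
;; QUESTION SECTION:
;buggedbrain.com. IN NS
;; ANSWER SECTION:
buggedbrain.com. 3600 IN NS ns1.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns2.buggedbrain.com.
buggedbrain.com. 3600 IN NS ns3.buggednetworks.eu.
;; ADDITIONAL SECTION:
ns1.buggedbrain.com. 3600 IN AAAA 2a01:4f8:120:3493::2
ns2.buggedbrain.com. 3600 IN AAAA 2a02:c207:2025:7385::1
ns1.buggedbrain.com. 3600 IN A 78.46.78.132
ns2.buggedbrain.com. 3600 IN A 207.180.214.48
;; Query time: 34 msec
"""

SECTION = re.compile(r"^;; (\w+) SECTION:")

def parse_sections(dig_text):
    """Return {section: [(owner, rtype, rdata), ...]} from dig text output."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
            continue
        fields = line.split()
        # Skip comments, the question line and anything that is not a record.
        if current is None or line.startswith(";") or len(fields) < 5:
            continue
        current.append((fields[0].lower(), fields[3], " ".join(fields[4:])))
    return sections

def missing_addresses(dig_text, zone):
    """NS targets with no A/AAAA in ADDITIONAL, tagged in-zone/out-of-zone."""
    s = parse_sections(dig_text)
    targets = [rd.lower() for _, rt, rd in s.get("ANSWER", []) if rt == "NS"]
    have = {o for o, rt, _ in s.get("ADDITIONAL", []) if rt in ("A", "AAAA")}
    suffix = "." + zone.lower().rstrip(".") + "."
    return [(t, "in-zone" if t.endswith(suffix) else "out-of-zone")
            for t in targets if t not in have]

if __name__ == "__main__":
    for name, where in missing_addresses(NS1_RESPONSE, "buggedbrain.com"):
        print(f"no address in ADDITIONAL for {name} ({where})")
```

Run it against the saved output of `dig @server zone NS` for each authoritative server to see which one omits which name.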