On 11/30/2014 12:34 AM, Rick Moen wrote:
>> A can only access nameserver settings; no records.
> What?

See Below (I pasted the wrong link last time)


This is what I'm looking at. There's nothing more to deal with from them.

> By 're-posting your question with real data', I did _not_ mean 'Please
> bulk-post your BIND configuration files and zonefiles', though thank you for
> taking the trouble.

No worries.

> Ummmm.... that's nice, but dig is precisely and solely what you need for
> what I said in the quoted paragraph.  Also, it's not obvious to me what the
> relevance is of netstat or ping, let alone whether Amazon EC2 'allows' them.
> The way you test whether published DNS is correct or not is to query it
> directly and look at the returned results.  The tool you use to query it is
> dig.  The copy of dig you use may be anywhere at all, as long as it has
> network connectivity to the relevant nameservers.

Good to know. I'll make a note of this for the next few thousand

> I forgot to mention, the first time, that the roster of NS lines in the
> master namserver's zonefile (the in-zone list) must always be changed in
> lockstep with the domain's namserver list at your registrar.  The in-zone 
> set of NS lines should be checked to ensure that they always match the NS
> records in the domain's parent zone.

I'm not sure what you mean here?

> [1] You never answered my question about whether your nameservers also need
> to do recursive DNS.  Once again, if the answer's no, then you really ought
> to use better software than BIND9, such as NSD.

My instructions say 'no' -

"The main thing that we need to configure in this file is recursion.
Since we are trying to set up an authoritative-only server, we do not
want to enable recursion on this server. We can turn this off within the
options block."

I'll work with NSD later, right now I have BIND9 to work with.

