Forum Discussion
GTM nameserver records not responding
For the last months I have been working on a GTM implementation and everything is working fine, except that the GTM is not responding with all NS records. GTM is configured in HA using two F5 4000 BIG-IPs.
GTM is currently configured in the zone gtm.cavali.com.pe and this zone is being delegated at the server provider in their public DNS in domain cavali.com.pe. The delegated nameserver configuration is pointing to primary nameserver cvlbal01.cavali.com.pe and secondary nameserver cvlbal02.cavali.com.pe, each having public IPs that exist on the GTM as the listeners. We use a CNAME to direct the DNS request to the GTM, for example: www.cavali.com.pe has a CNAME pointing to www.gtm.cavali.com.pe.
If I try to retrieve the NS records by connecting directly to the nameserver on the GTM using nslookup, it only shows me the SOA record and the primary NS server.
The nameserver configuration is as follows
If I look at the traffic coming in to the GTM I do see an NS query and a response with cvlbal01.cavali.com.pe as the nameserver. So why is the secondary NS record not being served as well?
I should receive something similar to the following example when querying for the nameservers of Google.
When I do the zonecheck using https://zonemaster.net it also responds with the following
Does anyone have an idea why only one nameserver record is being returned and why the zonemaster check is failing?
5 Replies
- JRahm
Admin
To clarify, is the secondary NS part of your HA pair, or a separate system?
- Marvin
Cirrocumulus
Hi Jason, yes, both nameservers are part of the HA pair; we don't have other nameservers involved. I do only have one SOA record configured on the GTM and two NS records. I don't know if it is required to have one SOA record for each nameserver, speaking in terms of DNS. However, connecting to either of the nameservers, the GTM resolves correctly. I just find it very weird that it doesn't display all nameservers when asking specifically for them using nslookup or dig, and also that the domain check is failing.
- IanB
Employee
Firstly, I note that you're running 11.5.1, since it has a GUI bug that displays "DNS >> Zones:Zones >> cavali.com.pe" when it should say "DNS >> Zones:ZoneRunner:Zone List >> Properties : cavali.com.pe". In 11.5.1, the breadcrumbs incorrectly link to DNS Express (Zones:Zones), and should link to ZoneRunner (Zones:ZoneRunner).
The NS records for a zone need to be sitting in the parent zone, as well as in the actual zone file, but for different reasons. The parent zone is for delegation, so that it can send the referral data. The NS data in the zone itself is used to allow the nameserver to know that it is authoritative for that zone.
If I do a dig +trace on this, it looks like you've got the delegation NS records working - ns2.telmex.net.pe does give me a referral to both cvlbal02 and cvlbal01 when I ask about gtm.cavali.com.pe:
    dig +trace gtm.cavali.com.pe
    gtm.cavali.com.pe. 7200 IN NS cvlbal02.cavali.com.pe.
    gtm.cavali.com.pe. 7200 IN NS cvlbal01.cavali.com.pe.
    ;; Received 124 bytes from 200.24.191.10#53(ns2.telmex.net.pe) in 1184 ms
    cavali.com.pe. 60 IN SOA cvlbal01.cavali.com.pe. hostmaster.cvlbal01.cavali.com.pe. 101 10800 3600 604800 60
    ;; Received 102 bytes from 190.223.42.163#53(cvlbal01.cavali.com.pe) in 393 ms
The two GTMs are cvlbal01.cavali.com.pe (190.223.42.163), and cvlbal02.cavali.com.pe (200.37.97.51).
But if I ask those GTMs for data about that zone, they have nothing to give. It doesn't look like you've created a zone for gtm.cavali.com.pe, so when I send queries to the GTMs for that zone, it doesn't match anything, and you get an empty response.
Note also that when you create a wideip, it will look for the best matching existing zone, and won't create a new one if one appears to already exist, so if you create a wideip as test.gtm.example.org, it will put it into example.org, rather than create a new zone for gtm.example.org.
So in this case, you'll need to manually create the gtm.cavali.com.pe zone in zonerunner, and then create your wideips (the first time they're created, or when pools are changed, they populate the zone file)
    $ dig -t NS gtm.cavali.com.pe
    ;; QUESTION SECTION:
    ;gtm.cavali.com.pe. IN NS
    ;; AUTHORITY SECTION:
    cavali.com.pe. 2610 IN NS ns2.telmex.net.pe.
    cavali.com.pe. 2610 IN NS ns1.telmex.net.pe.
    ;; ADDITIONAL SECTION:
    ns2.telmex.net.pe. 1857 IN A 200.24.191.10
    ns1.telmex.net.pe. 1857 IN A 200.62.191.10
The Manual Chapter: Delegating DNS Traffic to BIG-IP GTM may help you, though it assumes that your parent zone is on another nameserver, which is different from your scenario.
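The check IanB walks through above (parent referral vs. what the delegated servers themselves answer) can be scripted. This is an added example, not code from the thread or from F5: it parses dig-style NS/SOA lines and flags the failure mode described, a child server answering from the parent zone's SOA because no zone for the delegated name exists. The sample inputs are constructed from the referral and SOA lines quoted above; the "after" answer is hypothetical.

```python
import re

# Matches "owner TTL IN NS|SOA first-rdata-field" as printed by dig.
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|SOA)\s+(\S+)", re.I)

# Constructed sample: the referral the parent (ns2.telmex.net.pe) returned in the trace.
PARENT_REFERRAL = """\
gtm.cavali.com.pe. 7200 IN NS cvlbal02.cavali.com.pe.
gtm.cavali.com.pe. 7200 IN NS cvlbal01.cavali.com.pe.
"""
# Constructed sample: cvlbal01's answer with no gtm.cavali.com.pe zone present;
# the query fell through to cavali.com.pe, so its SOA comes back.
CHILD_BEFORE = """\
cavali.com.pe. 60 IN SOA cvlbal01.cavali.com.pe. hostmaster.cvlbal01.cavali.com.pe. 101 10800 3600 604800 60
"""
# Constructed (hypothetical) answer once the zone exists in ZoneRunner.
CHILD_AFTER = """\
gtm.cavali.com.pe. 60 IN NS cvlbal01.cavali.com.pe.
gtm.cavali.com.pe. 60 IN NS cvlbal02.cavali.com.pe.
"""

def parse_rrs(text):
    """Return (owner, rtype, first rdata field) tuples for NS/SOA lines in dig output."""
    out = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            out.append((m.group(1).lower(), m.group(2).upper(), m.group(3).lower()))
    return out

def check_delegation(zone, parent_referral, child_answers):
    """Compare the parent's NS set for `zone` with each child server's own NS answer."""
    zone = zone.rstrip(".").lower() + "."
    parent_ns = {r for o, t, r in parse_rrs(parent_referral) if o == zone and t == "NS"}
    report = {"parent_ns": parent_ns, "servers": {}}
    for label, text in child_answers.items():  # label -> dig text for "NS zone"
        rrs = parse_rrs(text)
        child_ns = {r for o, t, r in rrs if o == zone and t == "NS"}
        soa_owner = next((o for o, t, _ in rrs if t == "SOA"), None)
        if soa_owner and soa_owner != zone:
            status = "no zone for %s: answer came from %s" % (zone, soa_owner)
        elif not child_ns:
            status = "no NS records in answer"
        elif child_ns != parent_ns:
            status = "NS mismatch: parent %s, child %s" % (sorted(parent_ns), sorted(child_ns))
        else:
            status = "consistent"
        report["servers"][label] = status
    return report
```

Run it against the real servers by feeding `check_delegation` the text of `dig +trace` and of `dig @server NS zone`; a "no zone" status is the symptom this thread diagnoses.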
- Marvin
Cirrocumulus
- IanB
Employee
Creating zones in zonerunner shouldn't affect any GTM activity, because the order of processing will be that it attempts to handle the query with GTM long before it tries bind, and zonerunner is just manipulating the bind zone files.
The reason I suggested deleting the wideips and recreating them is that when you create a wideip (one that has a pool associated with it), GTM will populate the bind zone with those values (as a fallback mechanism). It will also do that if you change the gtm pool members associated with the wideip, so that's a workaround. If neither is possible, you can just edit the zone's A-records manually with zonerunner.
DNS Express is a marketing term, we changed the GUI in 11.5.0 and later to just say 'Zones', so what you see under Zones / Zone is actually DNS express (though do ensure it is turned on in your DNS profile - it is enabled by default, and a nameserver is set up): DNS Express (11.5.x) : https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/dns-services-implementations-11-5-0/1.html
The GUI menu anomaly is in 11.5.x, not just 11.5.1. It is fixed in 11.6.0 and 12.0.0; it correctly shows Zones:ZoneRunner in those versions.
Did I miss anything?