Context: BIND 9.7.0

I have made use of views on a single server for providing suitable/selective responses to internal, external and guest clients. This setup has been working for years but is now broken for clients querying from a guest network (via the guest view) unless the queries have checking disabled.

- The guest network is not local to the server.
- Internal view and guest view clients are allowed recursion.
- The breakage only relates to queries for internal zones from guest clients.
- Queries for internal zones from (local) internal clients are fine.
- In the guest view, queries for most zones are forwarded to the server's internal address (internal view), but queries for some zones are forwarded to the server's external address (external view).
- The name servers for all of the internal zones live in an internal signed zone. That zone is visible to the guest and internal views and its key is listed in trusted-keys{}.
- The zones being queried (below) are unsigned.

Client: 192.168.25.71 is querying the PTR record for its own address.

Server: 172.25.24.16 is querying itself for the DS record for the parent of the zone which the client is querying (Why?). There is no DS record in that zone. Neither the child nor the parent zone is signed.

16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: view internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at query.c:4631
16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success [domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718: view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at query.c:4631
16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no valid DS [domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]

Is the problem due to the fact that the name servers live in a signed zone? This view configuration has worked for years.

I configured DNSSEC on the server about 18 months ago. I guess I've just been lucky? Again, these queries still work fine with +cd passed to dig, so I'm obviously missing something with respect to DNSSEC configuration. I only just noticed this today (we don't use the guest network much), so I don't know whether this problem surfaced with 9.7.0 or with DNSSEC things happening higher up.

-- 
John Marshall

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
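The four query-errors lines in the post carry the answer to "which stage failed" in their counters: the fetch for 168.192.in-addr.arpa/DS ended with badresp:1 (the upstream it was forwarded to answered SERVFAIL), while the guest client's PTR fetch ended with valfail:1 and "no valid DS" (the validator in the guest view gave up). The script below is an added example, not part of the original post or of BIND; it re-types those four lines as constructed test input, pairs each "query failed" line with the "fetch completed" line for the same name and type, and maps the counters to a coarse cause. The cause labels ("validation-failure", "bad-upstream-response", "network", "lame-delegation") are this example's own names, not BIND terminology, and the regexes assume the BIND 9.7 query-errors wording shown in the post.

```python
"""Triage BIND 9 'query-errors' debug log lines (added example, not BIND code).

Pairs each 'query failed' line with the 'fetch completed' line for the same
name/type and reads the fetch counters to say whether the SERVFAIL came from
DNSSEC validation (valfail), a bad/SERVFAIL answer from upstream (badresp),
or network trouble (timeout/neterr).
"""
import re
from typing import Dict, List

# Constructed sample input: the four log lines quoted in the post, re-typed
# here as test data (this is not a fresh capture).
SAMPLE_LOG = """\
16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: view internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at query.c:4631
16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success [domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718: view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at query.c:4631
16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no valid DS [domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]
"""

# Assumed line formats, taken from the 9.7.0 output above.
QUERY_FAILED = re.compile(
    r"client (?P<client>\S+): view (?P<view>\S+): query failed \((?P<rcode>\w+)\) "
    r"for (?P<name>\S+)/IN/(?P<type>\w+)"
)
FETCH_DONE = re.compile(
    r"fetch completed at \S+ for (?P<name>\S+)/(?P<type>\w+) in (?P<secs>[\d.]+): "
    r"(?P<result>[^\[]+?) \[(?P<counters>[^\]]*)\]"
)


def parse_counters(text: str) -> Dict[str, object]:
    """'domain:x,referral:0,...' -> {'domain': 'x', 'referral': 0, ...}."""
    out: Dict[str, object] = {}
    for item in text.split(","):
        key, _, value = item.partition(":")
        out[key] = int(value) if value.isdigit() else value
    return out


def classify(counters: Dict[str, object], result: str) -> str:
    """Map fetch counters to a coarse cause (labels are this example's own)."""
    if counters.get("valfail", 0):
        return "validation-failure"      # the validator rejected the answer/chain
    if counters.get("badresp", 0):
        return "bad-upstream-response"   # e.g. the forwarder answered SERVFAIL
    if counters.get("timeout", 0) or counters.get("neterr", 0):
        return "network"
    if counters.get("lame", 0):
        return "lame-delegation"
    return "other:" + result


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one record per 'query failed' line, joined with its fetch result."""
    fetches: Dict[tuple, dict] = {}
    failures: List[dict] = []
    for line in log_text.splitlines():
        m = FETCH_DONE.search(line)
        if m:
            counters = parse_counters(m.group("counters"))
            fetches[(m.group("name"), m.group("type"))] = {
                "fetch_result": m.group("result").strip(),
                "domain": counters.get("domain"),   # zone the validator was working in
                "counters": counters,
            }
            continue
        m = QUERY_FAILED.search(line)
        if m:
            failures.append(m.groupdict())

    report: List[Dict[str, object]] = []
    for f in failures:
        entry: Dict[str, object] = dict(f)
        fetch = fetches.get((f["name"], f["type"]))
        if fetch is None:
            entry.update(fetch_result=None, domain=None, cause="no-fetch-record")
        else:
            entry.update(fetch_result=fetch["fetch_result"], domain=fetch["domain"],
                         cause=classify(fetch["counters"], fetch["fetch_result"]))
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['view']:9} {e['name']}/{e['type']:<4} {e['rcode']:9} "
              f"{e['cause']}  ({e['fetch_result']}, domain={e['domain']})")
```

Run it against a named log captured with `query-errors` at debug level 2 (as in the post); the "domain" column tells you which zone cut the validator was working in when it gave up, which is the place to compare the view that works (+cd, or the internal view) against the one that does not.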