In message <slrnhpummo.2ter.j...@rwpc12.mby.riverwillow.net.au>, John Marshall writes:
> On Tue, 16 Mar 2010 08:14:40 +0000 (UTC), John Marshall wrote:
> >
> > Client: 192.168.25.71 is querying the PTR record for its own address.
> > Server: 172.25.24.16 is querying itself for the DS record for the
> > parent of the zone which the client is querying (Why?).
> > There is no DS record in that zone. Neither the child nor the
> > parent zone is signed.
> >
> > 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: view internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at query.c:4631
> > 16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success [domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
> > 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718: view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at query.c:4631
> > 16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no valid DS [domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]
>
> I should have checked syslog before posting. It shows this going on at
> the same time...
>
> Mar 16 18:15:33 rwsrv03 named[679]: error (chase DS servers) resolving '168.192.in-addr.arpa/DS/IN': 172.25.24.17#53
> Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 204.61.216.50#53
> Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 192.35.51.32#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 199.212.0.63#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 199.71.0.63#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 192.42.93.32#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 63.243.194.2#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 72.52.71.2#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid DS) resolving '71.25.168.192.in-addr.arpa/PTR/IN': 172.25.24.16#53
>
> I don't understand this. If the client needs an answer from
> 25.168.192.in-addr.arpa. and we are hosting that zone and its parent
> zone (both unsigned, both in our internal view), why are we looking
> higher for DS records?

Because you have a trust anchor configured at or above the query name and the validator needs to see a DS or non-existence proof (NSEC/NSEC3) for the DS which indicates a secure-to-insecure transition.

Are your trust anchors up to date?

Mark

> If I grant the guest clients access to the internal view, all is well.
> Things seem to go wobbly, unless checking is disabled, when we forward
> the guest view queries to the internal view.
>
> --
> John Marshall
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
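The walk Mark describes, as an added Python model that is not part of the thread or of BIND: starting at the closest trust anchor, the validator must obtain at each cut below it either a DS or an authenticated denial of the DS, and anything else is bogus. The anchor at in-addr.arpa and the per-cut DS answers are constructed assumptions, not John's actual configuration.

```python
# Added example (not from the bind-users thread): a model of the validator
# walk from the closest trust anchor down to the query name. Below the
# anchor, each zone cut's parent must answer the DS query with a DS RRset
# (child stays secure) or a signed NSEC/NSEC3 denial (secure-to-insecure
# transition); anything else is bogus and named returns SERVFAIL.
# Zone names, anchors and answers are constructed for illustration.

def closest_anchor(qname, anchors):
    """Longest configured anchor that is qname itself or a suffix of it."""
    hits = [a for a in anchors if qname == a or qname.endswith("." + a)]
    return max(hits, key=len) if hits else None


def validate(qname, anchors, ds_answers):
    """Return 'secure', 'insecure' or 'bogus' for qname.
    ds_answers maps a name to the parent's DS answer: 'ds' (signed
    delegation), 'nsec'/'nsec3' (authenticated denial: insecure below),
    'no-cut' (not a delegation), missing (no usable answer, e.g. from an
    unsigned parent: named's "no valid DS" case).
    """
    anchor = closest_anchor(qname, anchors)
    if anchor is None:
        return "insecure"       # no anchor covers the name: not validated
    labels = qname.split(".")
    for depth in range(len(anchor.split(".")) + 1, len(labels) + 1):
        cut = ".".join(labels[-depth:])      # next name below the anchor
        answer = ds_answers.get(cut)
        if answer in ("ds", "no-cut"):
            continue
        if answer in ("nsec", "nsec3"):
            return "insecure"   # provably unsigned from here down
        return "bogus"          # what named logs as "no valid DS"
    return "secure"


QNAME = "71.25.168.192.in-addr.arpa"

def scenario_unsigned_parent():
    # Constructed: an anchor covers in-addr.arpa, but 168.192.in-addr.arpa
    # is served locally unsigned, so no DS and no NSEC proof ever arrives.
    return validate(QNAME, {"in-addr.arpa"}, {"192.in-addr.arpa": "ds"})

def scenario_signed_denial():
    # Same anchor, but the parent is signed and denies the DS properly.
    return validate(QNAME, {"in-addr.arpa"},
                    {"192.in-addr.arpa": "ds", "168.192.in-addr.arpa": "nsec"})

def scenario_no_anchor():
    # No anchor above the name (or validation off): nothing to check.
    return validate(QNAME, set(), {})
```

The first scenario is the SERVFAIL John sees; the third is why disabling checking or removing the anchor makes the symptom disappear without fixing the chain.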