Since my servers are returning the status "REFUSED" to queries from outside, could someone shed some light on what is wrong here? Here is a copy of the named.conf file for the master.

Thanks!

//
// Include keys file
// Shared secret named "rndc-key". In this file it is referenced by the
// controls statement (rndc access) and by the "server 192.168.1.cc" statement
// (TSIG towards the peer name server).
// NOTE(review): the secret is inline rather than in an included keys file, so
// named.conf itself has to be readable only by root and the named user.
// NOTE(review): hmac-md5 is a legacy HMAC choice. Moving to hmac-sha256 means
// generating a new secret and updating every party that shares this key;
// check first that rndc in the deployed BIND release accepts it.
key rndc-key {
        algorithm hmac-md5;
        secret "yyxx-not-the-real-key-xmc/xxx/z/x==";
        };
//
//
// Declares control channels to be used by the rndc utility.
//
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.
//
// Default controls
    // rndc control channel: listens on 127.0.0.1 port 953 only, accepts
    // connections from the built-in "localhost" ACL and requires rndc-key.
    // Any local account that can read that secret can control named, so the
    // file holding the key is the real access boundary here.
    controls {
        inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
};
//
//20
//21
//
// Global server options; they apply to every view unless a view or zone
// overrides them.
// NOTE(review): no allow-transfer, allow-recursion or allow-query-cache is set
// here or in the views, so BIND's built-in defaults apply. Only the
// 0.0.127.in-addr.arpa zone restricts transfers; for the other master zones
// the default in BIND 9 releases of this period permits AXFR to any host
// (confirm for the deployed version). Limiting allow-transfer to the
// secondary, preferably with a TSIG key, closes that.
options {
        directory "/var/named";
        // Replaces the real version string in answers to version.bind queries.
        version "Undisclosed";
        //
         // If there is a firewall between you and name servers you want
         // to talk to, you might need to un-comment the query-source
         // directive below.  Previous versions of BIND always asked
         // questions using port 53, but BIND 8.1 uses an unprivileged
         // port by default.
         //query-source address 192.168.1.cc port 53;
         //
        // DNSSEC validation is switched on for recursive lookups.
        // NOTE(review): with "forward first" the forwarders below must pass
        // DNSSEC records through, otherwise validated names can end in
        // SERVFAIL — verify against the forwarders.
        dnssec-enable yes;
        dnssec-validation yes;
        // Ask the forwarders first; fall back to normal iteration if they fail.
        forward first;
        // Outgoing zone transfers carry one record per message.
        transfer-format one-answer;
        forwarders {
                68.94.156.1 port 53;
                68.94.157.1 port 53;
                };
        // DNSSEC lookaside validation through dlv.isc.org; the matching trust
        // anchors are in the trusted-keys statement of this file.
        // NOTE(review): ISC has since retired the dlv.isc.org registry; on a
        // current BIND, validation is anchored at the root instead.
        dnssec-lookaside . trust-anchor dlv.isc.org.;
    };
//44
//45
//
//
// HTTP statistics channel on TCP port 8053.
// NOTE(review): "inet *" opens the listener on every interface and relies on
// the allow list alone to restrict clients to 127.0.0.1. Binding the listener
// itself to 127.0.0.1 would keep the port off the external interfaces.
statistics-channels {
    inet * port 8053 allow { 127.0.0.1; };
};
//
// ACL statement

// Address match list for internal clients: the 192.168.1.0/24 LAN plus the
// built-in "localhost" and "localnets" ACLs. 192.168.1.254 is already covered
// by 192.168.1.0/24.
// NOTE(review): nothing in this file references "trusted"; both views use
// match-clients { any; }, so this list currently has no effect.
acl trusted {
        192.168.1.254;
        192.168.1.0/24;
        localhost;
        localnets;
        };

// Internal view: recursion enabled, root hints, loopback zones, and the
// internal copies of bonsi.org, domain2.com and the 192.168 reverse zones.
// NOTE(review): named picks the first view whose match-clients matches the
// client, in the order the views appear in this file. This view is first and
// its match-clients (further down, after the zones) is { any; }, so every
// client, including Internet clients, is served from here and the "external"
// view is never selected. Outside clients therefore see the internal zone
// data and the private reverse zones, and names that are not zones in this
// view are subject to this view's recursion policy (presumably the default
// allow-recursion, which would refuse non-local clients — confirm in the
// logs). The "trusted" ACL defined earlier in this file looks like the
// intended value: match-clients { trusted; };
view "internal" {
        recursion yes;

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        allow-query { any; };
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
                allow-query {
                        any;
                        };
        file "named.local";
                allow-update {
                        none;
                        };
                allow-transfer {
                        none;
                        };
};
//
//90
//100
// internal zones
//
// NOTE(review): none of the zones below sets allow-transfer, so the server
// default decides who may pull a full copy of them.
zone "bonsi.org" IN {
type master;
                allow-query {
                        any;
                        };
                notify yes;
file "/var/named/db.bonsi.org";
                also-notify {
                        192.168.1.cc;
                        };
    };

// NOTE(review): "notify no" disables NOTIFY for this zone, so the also-notify
// list below is not used.
zone "1.168.192.in-addr.arpa" IN {
type master;
                allow-query {
                        any;
                        };
                notify no;
file "/var/named/db.192.168.1";
                also-notify {
                        192.168.1.cc;
                        };
     };

zone "168.192.in-addr.arpa" IN {
type master;
                allow-query {
                        any;
                        };
file "/var/named/db.192.168";
                also-notify {
                        192.168.1.cc;
                        };
     };
        // Matches every client address; see the note at the top of this view.
        match-clients {any; };
        zone "domain2.com" {
                type master;
                      allow-query { any; };
                file "domain2.internal.hosts";
                };
        // View-wide defaults for zones that do not set their own values.
        allow-query {
                any;
                };
        also-notify {
                192.168.1.cc;
                };
};
//150
// www.external zones
//
// External view: authoritative-only (recursion no) copies of the public
// zones and the 45.200.63.in-addr.arpa reverse zone.
// NOTE(review): this view is listed after "internal", whose match-clients is
// { any; }. Views are tried in file order and the first match wins, so as
// posted no client ever reaches this view.
// NOTE(review): no zone here sets allow-transfer, so the server default
// decides who may request a full zone transfer of the public zones.
view "external" {
        zone "bonsi.org" {
                type master;
                allow-query {
                        any;
                        };
                file "/var/named/bonsi.org.external.hosts";
                notify yes;
                also-notify {
                        192.168.1.cc;
                        };
                };
        recursion no;
        // ns1.bonsi.org is declared as a zone of its own, separate from
        // bonsi.org. NOTE(review): presumably delegated from the parent zone;
        // verify against the bonsi.org zone file.
        zone "ns1.bonsi.org" {
                type master;
                allow-query {
                        any;
                        };
                file "ns1.bonsi.org.external.hosts";
                also-notify {
                        192.168.1.cc;
                        };
                };
        match-clients { any; };
        zone "sub.bonsi.org" {
                type master;
                      allow-query { any; };
                file "sub.bonsi.org.external.hosts";
                };
        zone "domain2.com" {
                type master;
                            allow-query { any; };
                file "domain2.com.external.hosts";
                };
        zone "45.200.63.in-addr.arpa" {
                type master;
                allow-query {
                        any;
                        };
                file "63.200.45.external.rev";
                also-notify {
                        192.168.1.cc;
                        };
                };
        // View-wide defaults. Zones without their own also-notify send
        // NOTIFY to 63.200.45.19; the zones above that list 192.168.1.cc
        // use that private address instead.
        allow-query {
                any;
                };
        also-notify {
                63.200.45.19;
                };
        };
//

// Sign messages sent to the peer name server with the rndc-key secret (TSIG).
// "192.168.1.cc" appears to be a masked address; named needs the real one.
// NOTE(review): this is the same secret that authorises rndc control of this
// server. A separate key per purpose means that a leak on the peer does not
// also expose the control channel.
server 192.168.1.cc {
        keys {
                rndc-key;
                };
        };
//
// Static DNSSEC trust anchors for dlv.isc.org, used by the dnssec-lookaside
// option. Both entries carry flags 257 and protocol 3; the first uses
// algorithm 5 (RSASHA1), the second algorithm 8 (RSASHA256).
// NOTE(review): trusted-keys entries are not refreshed automatically when the
// publisher rolls its key; the key material should be checked against the
// publisher's copy over a separate channel before it is trusted.
trusted-keys {
dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh"; dlv.isc.org. 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
        };
//
// Logging: a dedicated file channel for the dnssec category, written to
// log/dnssec (a relative path; the options statement sets the working
// directory to /var/named).
logging {
        channel dnssec_log {
                // NOTE(review): a size limit without a "versions" clause
                // means named stops writing to this file once it reaches
                // 20m, until the file is truncated or removed by other means.
                file "log/dnssec" size 20m;
                print-time yes;
                print-category yes;
                print-severity yes;
                // Debug level 3 is verbose; intended for troubleshooting.
                severity debug 3;
                };
        // dnssec messages go to the file channel above and to three of the
        // built-in channels (syslog, the debug file and stderr).
        category dnssec {
                dnssec_log;
                default_syslog;
                default_debug;
                default_stderr;
                };
};



On 11/14/11 12:44 PM, Adamiec, Lawrence wrote:
Here are some results using the same commands you used.



# dig bonsi.org

;<<>>  DiG 9.6.1-P3<<>>  bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bonsi.org.                     IN      A

;; Query time: 666 msec
;; SERVER: 64.131.119.11#53(64.131.119.11)
;; WHEN: Mon Nov 14 14:41:54 2011
;; MSG SIZE  rcvd: 27



# dig @63.200.45.18 ns1.bonsi.org soa

;<<>>  DiG 9.6.1-P3<<>>  @63.200.45.18 ns1.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 986
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.bonsi.org.                 IN      SOA

;; Query time: 75 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Mon Nov 14 14:42:25 2011
;; MSG SIZE  rcvd: 31

#

-----Original Message-----
From: bind-users-bounces+ladamiec=kentlaw....@lists.isc.org
[mailto:bind-users-
bounces+ladamiec=kentlaw....@lists.isc.org] On Behalf Of Eduardo Bonsi
Sent: Monday, November 14, 2011 14:39
To: bind-us...@isc.org
Subject: Help with dig to check NS servers for DNSSEC setup

I am checking my DNS setup from inside using dig and I am getting
everything ok but I need a second opinion from outside of the server
to
see if my ns1 and ns2 are responding ok to setup DNSSEC.

Thanks!

user:~ user1$ dig bonsi.org

;<<>>  DiG 9.6-ESV-R4-P3<<>>  bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35880
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bonsi.org.                     IN      A

;; ANSWER SECTION:
bonsi.org.              3600    IN      A       63.200.45.21

;; AUTHORITY SECTION:
bonsi.org.              3600    IN      NS      ns2.bonsi.org.
bonsi.org.              3600    IN      NS      ns1.bonsi.org.

;; ADDITIONAL SECTION:
ns2.bonsi.org.          3600    IN      A       63.200.45.19

;; Query time: 14 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Mon Nov 14 12:09:43 2011
;; MSG SIZE  rcvd: 95
********************************************************************
user:~ user1$ dig @63.200.45.18 ns1.bonsi.org soa

;<<>>  DiG 9.6-ESV-R4-P3<<>>  @63.200.45.18 ns1.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31586
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.bonsi.org.                 IN      SOA

;; ANSWER SECTION:
ns1.bonsi.org.          3600    IN      SOA     ns1.bonsi.org.
hostmaster.bonsi.org.
2011101403 10800 3600 604800 3600

;; AUTHORITY SECTION:
ns1.bonsi.org.          3600    IN      NS      ns1.bonsi.org.

;; Query time: 14 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Mon Nov 14 12:10:19 2011
;; MSG SIZE  rcvd: 92
********************************************************************
user:~ user1$ dig @63.200.45.19 ns2.bonsi.org

;<<>>  DiG 9.6-ESV-R4-P3<<>>  @63.200.45.19 ns2.bonsi.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38660
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns2.bonsi.org.                 IN      A

;; ANSWER SECTION:
ns2.bonsi.org.          3600    IN      A       63.200.45.19

;; AUTHORITY SECTION:
ns2.bonsi.org.          3600    IN      NS      ns2.bonsi.org.

;; Query time: 12 msec
;; SERVER: 63.200.45.19#53(63.200.45.19)
;; WHEN: Mon Nov 14 12:11:04 2011
;; MSG SIZE  rcvd: 61
********************************************************************
user:~ user1$ dig @63.200.45.19 ns2.bonsi.org soa

;<<>>  DiG 9.6-ESV-R4-P3<<>>  @63.200.45.19 ns2.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17334
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns2.bonsi.org.                 IN      SOA

;; ANSWER SECTION:
ns2.bonsi.org.          3600    IN      SOA     ns2.bonsi.org.
hostmaster.bonsi.org.
2011101409 10800 3600 604800 3600

;; AUTHORITY SECTION:
ns2.bonsi.org.          3600    IN      NS      ns2.bonsi.org.

;; ADDITIONAL SECTION:
ns2.bonsi.org.          3600    IN      A       63.200.45.19

;; Query time: 58 msec
;; SERVER: 63.200.45.19#53(63.200.45.19)
;; WHEN: Mon Nov 14 12:19:50 2011
;; MSG SIZE  rcvd: 108


--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com



--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com