My next move would be to look for issues in the network; I would look at what Wireshark can sniff out. I would look for packets with errors. The purpose is to find out if the network is mangling packets.

On 06/12/12 16:46, Daniele Imbrogino wrote:
> I'm testing new configuration on VirtualBox following the advice of
> not forwarding.
> Furthermore, I exclude any reference to DNSSEC.
>
> So, in these conditions and assuming an empty cache, if I query for a
> remote domain name, my server should query a root-server and then
> iterate, right?
> Well, Wireshark shows me outgoing queries and incoming responses
> to/from root-servers, but "dig www.apple.com"
> (for example) fails with a timeout.
>
> "syslog" has a lot of "DNS format error ... non-improving referral"
> and "error (FORMERR) resolving" entries.
>
> This is my very, very basic "named.conf" file
>
> options {
>     directory "/var/cache/bind";
> }
>
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> I've also updated "db.root" from ftp.internic.net/domain/db.cache
>
>
> 2012/12/5 Sten Carlsen <st...@s-carlsen.dk>
>
>
> On 05/12/12 18:29, Hauke Lampe wrote:
>> On 05.12.2012 14:59, Daniele Imbrogino wrote:
>>
>>> resolv.conf contains only 127.0.0.1 as nameserver.
>>>
>>> The syslog contains a lot of errors as "insecurity proof
>>> failed", "no valid
>>> RRSIG", "got insecure response" that I don't understand.
>>
>> Your forwarder probably doesn't handle DNSSEC responses well.
>> Therefore your BIND cannot validate the answers and returns a
>> failure code.
>>
>> Either update the forwarder/enable DNSSEC (older versions of BIND
>> 9 require "dnssec-enable yes;" in the options clause), or disable
>> DNSSEC validation in your local BIND (set "dnssec-validation no;").
> Or consider not doing forwarding, that usually gives fewer
> problems if possible.
>
>>
>> Hauke
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
> "MALE BOVINE MANURE!!!"

--
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"
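
Added example, not part of the original thread: one way to test captured DNS payloads for the packet mangling suggested above is to walk each message's wire format (RFC 1035 layout) and report where it stops being consistent. The function names and the sample referral are constructed for illustration; this is a structural check only, not BIND's own FORMERR logic.

```python
import struct

def read_name(msg, off):
    """Walk one (possibly compressed) name; return the offset just past it."""
    end, hops = None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of packet")
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            end = off + 2 if end is None else end  # resume after first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif length & 0xC0:
            raise ValueError("reserved label type")
        elif length == 0:
            return off + 1 if end is None else end
        else:
            off += 1 + length

def check_dns_message(msg):
    """Return a list of structural problems in one raw DNS message (UDP payload)."""
    if len(msg) < 12:
        return ["shorter than the 12-byte header"]
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    try:
        for _ in range(qd):
            off = read_name(msg, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = read_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("record header runs past end of packet")
            rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("RDATA runs past end of packet")
        if off > len(msg):
            raise ValueError("question runs past end of packet")
    except ValueError as exc:
        return [str(exc)]
    return [f"{len(msg) - off} trailing bytes after last record"] if off < len(msg) else []

# Constructed sample: a referral for www.apple.com naming a.gtld-servers.net as NS for com.
QUESTION = b"\x03www\x05apple\x03com\x00" + struct.pack("!2H", 1, 1)
NS_RDATA = b"\x01a\x0cgtld-servers\x03net\x00"
REFERRAL = (struct.pack("!6H", 0x1234, 0x8000, 1, 0, 1, 0) + QUESTION + b"\xc0\x16"
            + struct.pack("!2HIH", 2, 1, 172800, len(NS_RDATA)) + NS_RDATA)
```

Feed it the UDP payload bytes of each response exported from the capture; an empty list means the message parsed cleanly end to end.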