issue with dnssec, UDP using master/slave config

brads Wed, 04 Mar 2015 11:34:11 -0800

I am trying to configure DNSSEC as a master/slave. Following signing the
zone and uploading the DS record to my provider, I am able to see what
appears to be the proper output from dnssec-verify


 

dnssec-verify -o ex-mailer.com ex-mailer.com.external.signed

Loading zone 'ex-mailer.com' from file 'ex-mailer.com.external.signed'

Verifying the zone using the following algorithms: RSASHA256.

Zone fully signed:

Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked

                      ZSKs: 1 active, 0 stand-by, 0 revoked

but 3rd party tools such as http://dnsviz.net/d/ex-mailer.com/dnssec/ and/or
http://dnssec-debugger.verisignlabs.com/ex-mailer.com say that my
configuration is very incorrect and that UDP is not responding

 

netstat -an|grep 53

tcp4       0      0 127.0.0.1.953          *.*                    LISTEN

tcp4       0      0 127.0.0.1.53           *.*                    LISTEN

tcp6       0      0 ::1.53                 *.*                    LISTEN

tcp4       0      0 107.191.60.48.53       *.*                    LISTEN

tcp6       0      0 2001:19f0:7000:8.53    *.*                    LISTEN

udp4       0      0 127.0.0.1.53           *.*

udp6       0      0 ::1.53                 *.*

udp4       0      0 107.191.60.48.53       *.*

udp6       0      0 2001:19f0:7000:8.53    *.*

 

 

But, after 10 min or so, UDP on my IPv4 address begins to fail and the port
will close. I get these errors following

 

# tail -f /var/log/named/named.log

04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0
failed; interface ignored

04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0
failed; interface ignored

04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket:
permission denied

04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket:
permission denied

04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0
failed; interface ignored

04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0
failed; interface ignored

04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket:
permission denied

04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket:
permission denied

04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0
failed; interface ignored

04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0
failed; interface ignored

^C

# updatedb

>>> WARNING

>>> Executing updatedb as root.  This WILL reveal all filenames

>>> on your machine to all login users, which is a security risk.

# locate named.pid

/var/run/named/named.pid

 

 

Yet dig appears to query just fine:

 

dig ex-mailer.com ANY @108.61.190.64

 

; <<>> DiG 9.9.5 <<>> ex-mailer.com ANY @108.61.190.64

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23061

;; flags: qr aa rd; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 5

;; WARNING: recursion requested but not available

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;ex-mailer.com.                 IN      ANY

 

;; ANSWER SECTION:

ex-mailer.com.          86400   IN      SOA     yoda.ex-mailer.com.
admin\@ex-mailer.com. 2015030403 10800 3600 604800 3600

ex-mailer.com.          86400   IN      RRSIG   SOA 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
ov7ZA0ny6tYRsYIzupUsT6J8ncZRVqvZxwwxl2qonQ3Ou8hsblsZyDh7
sGehaI7To4w3dKWRlCoQoKCTE7McFHEv54ch4fOZv4dbZ2xgtXGdRHxp
YoH4pNFQLnCMrU3hJSwcihYZb2P2q2Pf4qJu1qS/zxum3XyUO20xMu91
1hFyNsmBA2n4cNYfnMfZ6orQzhMzw72wzM+rMMkZhhQKtdWC5KO5Lzkx
nRHpkGo4poMjuDoUidNwusANrkIlYVM1+NGLohaO5iQjJE7H5/m+I41v
RoEdVycc5ujy9KANbmeLSXFYxH34s7H2N15d7Y2EfP/QMzSt9U/m+sbO wH5PBg==

ex-mailer.com.          86400   IN      NS      r2d2.ex-mailer.com.

ex-mailer.com.          86400   IN      NS      yoda.ex-mailer.com.

ex-mailer.com.          86400   IN      RRSIG   NS 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
TG+HCKFevosp6b3dncH3wCrRh0iWr7Ud7nujCZpBZR8k/AET926adfY0
4YGdM8ZElAzLhPrjxE2DSLvueOFZAAnQZvNHyF7aAdz9qD73wK4iuK/d
d4ZrUW8XrUWLUUNnJIIwofbUteX71zHcK44tsoqjBEXphS7YKCao/pAx
QzyzzvRzbs0F18wviXvg1j+IDVdXV4spH6KiMluZuk/YHSm8FzbHbKps
LYjxd40F0WLqSqdFavFklRzbudZLgsCYt6YaI8ZI/HXxFbJL6SoQs631
9M4ZfJWxv7S56lAZzShwxUR0zIaMhqVW2jBCyTiI5VgP23yZciQxzuSJ dCywCw==

ex-mailer.com.          86400   IN      A       108.61.175.20

ex-mailer.com.          86400   IN      RRSIG   A 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
ItLLkwdtNC0edk7v+7YYrhRmUwAy8LARmKfWMz/RWp4C3Jksv9m6Y78r
QEJv0ydRxlQInd/CJjjHdDKxIyjXABqcSadJMMiEAz9Kj74oR5mPS+Aq
LxZ6Lnua3KR5Soo9u9c5yvoQWzUrT+4pGGwiPofSf0A9QGJrGcN3a6kJ
96X/gmLkkYz6URO6gUR6c2eUb1fw7NcAEcDKsmMtSx9K/lYCy2fqX/su
cqaUnEFUw9Qtzfw7stp2cJiNRomH3mpLGO+pbZteUFy6fUocVNbI7cF7
XahL8ObLK/HUkT/KgqJ01qzOD8Qgb2Auh6ofLLQ3+ZazhPAqqUhKpsOH gmFB3Q==

ex-mailer.com.          86400   IN      MX      0 r2d2.ex-mailer.com.

ex-mailer.com.          86400   IN      RRSIG   MX 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
g2m2Hl/p0epz87M1YKJqnyHmtIrvTJ/u3iXmwUNS7kvkQFslx0D5oC3j
2djykF4wNt+SG/+HUP2W9sMM5q5g2xnfLtZOp2A112w9qSjcv6Zl2Kve
/dcI/EUHdI2wnwqIJ9qNrW2BK7xTxmd6+6SZLFwtDeDjPcj1zllBQhjg
SkxRK1AlAYxf2nZfjw3rkSkKasudz3shuBJLwbKvtrqilaBy2Bo869FG
fe2SKnZ+8BQzaKSX/yPfCNVgKeakQNT9qeLNypYBsdyFUpNflHYv8R05
Okfd3O39VtLqbogbDGowidGBrgXBNDIHzLeNrVY+NKn40OpgkE7rpcSM MG51IQ==

ex-mailer.com.          86400   IN      TXT     "v=spf1" "mx"
"a:r2d2.ex-mailer.com" "-all"

ex-mailer.com.          86400   IN      RRSIG   TXT 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
jzu0VfjjfMagvAAjbH9Ygp11rFMdD+t/7kf+ou/NZxXBYyui0h8nta5J
6hoJ+LDWSdRzakt5ukTwjvMpLA0D/SLzFilumb0pv8zjqHToLA0nVp97
Zrjpb6+p0V6lawrxIRr3hJYtsjsg7Isn6hU141osqEXPjC/KGsUIsfNc
7xCPpD0mxJgjWOu+Kyy402B+9lKGFsk8MF30EXtQB3TepJwTJTxzxKBv
cLzHyc15rkzZjLYj89qDGjg/+xLzOx75b5kj1VduFQ+Yn9qtAmjeGaJf
7VTJFno5HkVEkei1pelIrhkKTiL9ApHOfFlFp2yF1VECuGsjqcgc3Tmv vrY7Uw==

ex-mailer.com.          3600    IN      NSEC    imap.ex-mailer.com. A NS SOA
MX TXT RRSIG NSEC DNSKEY

ex-mailer.com.          3600    IN      RRSIG   NSEC 8 2 3600 20170303030000
20150304023700 19359 ex-mailer.com.
Kvs1M3jU7LM1xCcw8xgTOP8WpQWNRWXlSL66MdELR3t4nZQeSP4Pn6py
UWjHeYlS4A/8sizEUr19MQEMt9OC5vX3jQn4qQPAgu9bHy16gLlqUWMK
WPLzjMANB19tU4bN0VUoppUROI3p/qG2BzFb6dcuKnG1YNLwRMTe96BF
kaAQMO+wAb8/Dgbb4o5OmWNnX1AkEJNdDTBYgyuRUHdO91/nPSW2SEdP
RFoEq1sTDTVrg+9q4V7HN2pKkW7Vn0yGzLPrSEhtt3qWhqXbjdkxeGD3
p4iOVYL/6jLh04XtOvjot86cWqF3LneA63tQWrKEUGVSJmsMqpNk7CEK hELUGA==

ex-mailer.com.          86400   IN      DNSKEY  256 3 8
AwEAAbOBP2dTaro0A16tyQxcmCkg7DLUkpgF1coRKYip5MpmyZxN2JAj
cIfueVY31kKRT8V0kbCYeDCRhkdaAPopqOdgWkUUp5HFzUK8plFJQ1Lg
0GFUe0wC7lVmBIGnQpwQjMm1nZy/JqzZZ4bj/tQYY+NMMptlUd+TPTJb
rJAsLKjS7Zy2WFD74YIN6MvaopJKM3XP68+pUctfryjgUpAkm8Vmyr1a
D+VM7/DiznO7BptzOCQiNGMPVF55aJYsiMcpH5LNOOR1bnhMYHkL04q/
w3FOQ5oaIimG7nedqBuPdjaw9b9Qu6jfdESqM1MwN8tMYMsPdf0CkGrJ Nyx2yjwkJzM=

ex-mailer.com.          86400   IN      DNSKEY  257 3 8
AwEAAcoMxXKkYNHeFLlzyt83/r1LAUi5aSi6IqhA6SjYZ2vov4A2im6V
/cRpN1GGUdQjoL2fO42j9dy69f+XkrknYj8gBSKQg8n8xcCm16OC4cJ0
jJogAD9r2LQnAe1ehFSnilMEk2brUPfmsZe7/5Hz83dhUBS+iWQA/csx
5JMA0VNhzwQXI1yStn+efHuRuz5vEp0oByXTgO9xfDIzbo0OpU1GOE1r
klPFbOdADGP5tAfKfw4ovaq347PBCkb/E2tNyv6EV8k42Exe8bBd3JCV
V5I0e+8qCxiLZAWKQeEibQIXbDzHhPpFC3uzEI2pCawUSt9czx0+ksd0 wmI2370Gd4U=

ex-mailer.com.          86400   IN      RRSIG   DNSKEY 8 2 86400
20170303030000 20150304023700 19359 ex-mailer.com.
kv+2qpf1SeuVivagYCBMaVWaJkU4eHEE6pUgz6dPq/teO4143zIvS1g+
u+i1mA/vwncVSfSZxUTRluR99XmlZ40ppx32w6cUSEyW2kHV/1cw0ONH
2mX9ryITjSzxSWFkIkZCxlSq3caYNQ91KxbrZEeWmPAhYSP7EeEJNuJb
SweJnH91FJQDVTiI8ONVvvVXzN7GqYp0hjVyte5QILxZh3YD8jRo9wku
8tlwBh96bD7xd5SgavTfd4S3E0sLVwFKTqK8aFRdWQ0sSg0wIkWDhn11
wBFiMO5G7MyBkM18CYwvMn17py+wZkMeW2S1F2ijsAWrJQjFXmkUOhd1 lejWKg==

ex-mailer.com.          86400   IN      RRSIG   DNSKEY 8 2 86400
20170303030000 20150304023700 55009 ex-mailer.com.
jJAJnymOxsjDXvIj8IoKcLJ9OpkDuBTOyVIMEpfslFpGpueiXSvYb7XQ
roJep32cbGzRpvwK5iaeMkh3j+y0olnvRQ385tsHn3VRc0+Tbzw2BBx0
TXxu1NLldTjnU/tqgP8sWeb3p3AUFo59WmWMiyitNFc8sC7iE2jhVJDY
SXYsEl2gTXL0v7bcW0AgfzsyLyvurj6RnmDH3RqvCmIFMvemtzrsFnEu
al32eueA6y/3b45wpixsPB9sHFaAcHw1KHLKtpaVvLq12K9P7MBME1Mk
YnCdkPtFBGctjHgLuJ2H+tIwBCuxNjAsGL/ZVjDAp5ahgieU+8yOh++C r6IPCw==

 

;; ADDITIONAL SECTION:

r2d2.ex-mailer.com.     86400   IN      A       107.191.60.48

r2d2.ex-mailer.com.     86400   IN      AAAA    2001:19f0:7000:8945::64

yoda.ex-mailer.com.     86400   IN      A       108.61.175.48

yoda.ex-mailer.com.     86400   IN      AAAA    2001:19f0:6c00:8141::64

 

;; Query time: 131 msec

;; SERVER: 108.61.190.64#53(108.61.190.64)

;; WHEN: Wed Mar 04 03:40:47 EST 2015

;; MSG SIZE  rcvd: 3301

 

 

 

 

Configs:

 

https://bpaste.net/show/c5d456aa89d2

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

issue with dnssec, UDP using master/slave config

Reply via email to