Remembering that a stub zone is a cache hint, more information is needed.

 o What do the two "master" DNS servers say when asked for the SOA record of 'benlavender.co.uk'?
 o Are there A or AAAA records in the Additional section? If so, can the indicated IP addresses be reached?

It may be that the behavior you're expecting is more in line with type "static-stub" than with type "stub".

Regards,
Chris Buxton

> On May 7, 2019, at 4:08 PM, Ben Lavender <b...@airnet.org.uk> wrote:
> 
> Hi,
> 
> I've been trying to configure a stub zone using both BIND 9.8x and 9.9x for
> some split-brain internal DNS.
> 
> The problem I have is that any client that requests the NS or SOA records for
> this zone gets SERVFAIL. The BIND server populates the
> /var/named/slaves/benlavender.co.uk.DB file with the SOA and NS records
> straight away and can query them over UDP 53 to the masters if need be.
> 
> I've had a look through the logs that are used in this config, but the only
> issues I see are that /lame-servers.log shows some IPv6 failures and that the
> client is getting a SERVFAIL back in /default.log:
> 
> 05-May-2019 22:58:32.846 client 192.168.1.4#51612 (benlavender.co.uk): query failed (SERVFAIL) for benlavender.co.uk/IN/NS at query.c:7038
> 
> The config I'm using in /etc/named.conf is:
> 
> //
> // named.conf
> //
> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> // server as a caching only nameserver (as a localhost DNS resolver only).
> //
> // See /usr/share/doc/bind*/sample/ for example named configuration files.
> //
> // See the BIND Administrator's Reference Manual (ARM) for details about the
> // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
> 
> options {
>     listen-on port 53 { 127.0.0.1; 172.16.4.31;};
>     listen-on-v6 port 53 { ::1; };
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     recursing-file "/var/named/data/named.recursing";
>     secroots-file "/var/named/data/named.secroots";
>     allow-query { localhost; 172.16.4.2; 172.16.4.3; 192.168.1.4;};
> 
>     /*
>      - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
>      - If you are building a RECURSIVE (caching) DNS server, you need to enable
>        recursion.
>      - If your recursive DNS server has a public IP address, you MUST enable access
>        control to limit queries to your legitimate users. Failing to do so will
>        cause your server to become part of large scale DNS amplification
>        attacks. Implementing BCP38 within your network would greatly
>        reduce such attack surface
>     */
>     recursion yes;
> 
>     dnssec-enable yes;
>     dnssec-validation yes;
> 
>     /* Path to ISC DLV key */
>     bindkeys-file "/etc/named.iscdlv.key";
> 
>     managed-keys-directory "/var/named/dynamic";
> 
>     pid-file "/run/named/named.pid";
>     session-keyfile "/run/named/session.key";
> };
> 
> logging {
>     channel default_file {
>         file "/var/named/default.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel general_file {
>         file "/var/named/general.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel database_file {
>         file "/var/named/database.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel security_file {
>         file "/var/named/security.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel config_file {
>         file "/var/named/config.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel resolver_file {
>         file "/var/named/resolver.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel xfer-in_file {
>         file "/var/named/xfer-in.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel xfer-out_file {
>         file "/var/named/xfer-out.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel notify_file {
>         file "/var/named/notify.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel client_file {
>         file "/var/named/client.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel unmatched_file {
>         file "/var/named/unmatched.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel queries_file {
>         file "/var/named/queries.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel network_file {
>         file "/var/named/network.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel update_file {
>         file "/var/named/update.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel dispatch_file {
>         file "/var/named/dispatch.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel dnssec_file {
>         file "/var/named/dnssec.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
>     channel lame-servers_file {
>         file "/var/named/lame-servers.log" versions 3 size 5m;
>         severity debug;
>         print-time yes;
>     };
> 
>     category default { default_file; };
>     category general { general_file; };
>     category database { database_file; };
>     category security { security_file; };
>     category config { config_file; };
>     category resolver { resolver_file; };
>     category xfer-in { xfer-in_file; };
>     category xfer-out { xfer-out_file; };
>     category notify { notify_file; };
>     category client { client_file; };
>     category unmatched { unmatched_file; };
>     category queries { queries_file; };
>     category network { network_file; };
>     category update { update_file; };
>     category dispatch { dispatch_file; };
>     category dnssec { dnssec_file; };
>     category lame-servers { lame-servers_file; };
> };
> 
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
> 
> zone benlavender.co.uk IN {
>     type stub;
>     masters {172.16.4.2; 172.16.4.3;};
>     file "slaves/benlavender.co.uk.SEC";
>     multi-master yes;
> };
> 
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
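The three checks in Chris's reply (what each master returns for the zone SOA, whether A/AAAA records come back in the Additional section, and whether those addresses answer), written up as a small shell script. This is an added example and not code from the thread; it assumes dig is installed, and the zone name and master addresses are the ones in Ben's named.conf. The parsing helpers (rcode_of, is_authoritative, additional_addrs) are my own and are kept apart from the live queries so they can also be run over a saved dig answer.

```shell
#!/bin/sh
# Added example: script the stub-zone diagnostics from the reply above.
# Assumes dig is installed. Zone and masters are taken from Ben's named.conf.

ZONE="benlavender.co.uk"
MASTERS="172.16.4.2 172.16.4.3"

# Print the RCODE (NOERROR, SERVFAIL, REFUSED, ...) from a dig answer on stdin.
rcode_of() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# Succeed when the answer carries the AA flag. A real master sets it for its
# own SOA; a cache or a lame server does not.
is_authoritative() {
    grep -q '^;; flags:[^;]* aa[ ;]'
}

# Print the A/AAAA addresses from the ADDITIONAL SECTION of a dig answer,
# space-separated on one line (empty line when there are none).
additional_addrs() {
    awk '/^;; ADDITIONAL SECTION:/ { on = 1; next }
         /^;;/ { on = 0 }
         on && $3 == "IN" && ($4 == "A" || $4 == "AAAA") {
             list = (list == "") ? $5 : list " " $5
         }
         END { print list }'
}

# Ask one master for the zone SOA and report what the stub zone will see.
check_master() {
    master="$1"
    answer=$(dig @"$master" +time=2 +tries=1 "$ZONE" SOA 2>/dev/null) \
        || { echo "$master: no response (unreachable or not listening on 53)"; return 1; }
    rc=$(printf '%s\n' "$answer" | rcode_of)
    if printf '%s\n' "$answer" | is_authoritative; then aa="aa"; else aa="no aa (lame?)"; fi
    echo "$master: SOA query -> $rc, $aa"
    # The stub zone resolves the zone through the NS addresses it learns here,
    # so each one has to be reachable from this resolver.
    for addr in $(printf '%s\n' "$answer" | additional_addrs); do
        if dig @"$addr" +time=2 +tries=1 +short "$ZONE" SOA >/dev/null 2>&1; then
            echo "  additional $addr reachable"
        else
            echo "  additional $addr NOT reachable"
        fi
    done
}

main() {
    for m in $MASTERS; do check_master "$m"; done
}

# Live queries only when invoked as "sh check-stub.sh run"; the helpers
# above can be exercised offline against saved dig output.
if [ "${1:-}" = "run" ]; then main; fi
```

If every master answers NOERROR with aa set but the glue addresses in the Additional section are unreachable from the resolver, that is the situation Chris's static-stub hint addresses: a zone declared `type static-stub; server-addresses { 172.16.4.2; 172.16.4.3; };` sends queries for the zone straight to the listed addresses instead of the NS set learned from the masters.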