Hi,

>> linbobo:/etc/bind# cat named.conf.local
>
> You have only zone blocks in this file, right ?

Yes,

> And you don't use views ?

I have no idea what they would do, but no. The word view is not in that file.

> Why does it first go to the public dns and then run into the dnssec problem?
> There is a direct definition for the tio.nl zone in my config file.

The public dns don't answer at all, so dnssec problem is only a consequence. The main problem seems to be the broken forwarding.

Do you restart or flush your bind before the queries ? I suppose you do but... :)

Just did a flush and then a query. It still seems to query the public dns and not (exclusively) forward the request.

-------<Quote>---------------------
linbobo:/etc/bind# dig einsccmdp-01.tio.nl +trace +cd

; <<>> DiG 9.16.37-Debian <<>> einsccmdp-01.tio.nl +trace +cd
;; global options: +cmd
. 279702 IN NS c.root-servers.net.
. 279702 IN NS m.root-servers.net.
. 279702 IN NS k.root-servers.net.
. 279702 IN NS a.root-servers.net.
. 279702 IN NS b.root-servers.net.
. 279702 IN NS i.root-servers.net.
. 279702 IN NS e.root-servers.net.
. 279702 IN NS g.root-servers.net.
. 279702 IN NS d.root-servers.net.
. 279702 IN NS h.root-servers.net.
. 279702 IN NS j.root-servers.net.
. 279702 IN NS f.root-servers.net.
. 279702 IN NS l.root-servers.net.
. 279702 IN RRSIG NS 8 0 518400 20230518050000 20230505040000 60955 . Yz1mgXTG4kStmPrjvxu3iQsekhdLfu3KeyZT26ebRPDeUnRUz/ajenhi jNj4FA6krNnCI1hfU0htq/10iADDnc35NTtGA6PodoTa8qf75l9UZ/Cc 59FRaH7sEDgjXcvts0X2R85aHofogRRcp77ufoetwSS0KZRsbJ5vBbq2 J4UIbKNHCZP0anl8+qmDmiMNy3VJYcUwePT6qDUBMe2fhktmU6w1RLSe 3xGV1dIFONSdZJeQxsJkWBXa5HnBN1Vl8iw6eDKauJDw6LL41fd8XzSk CYfl79f92z2tVv5q3l1G8fN3C+KJ33J1Y/hivBSe2FmVuwRkbr1mddH0 4m4LLw==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

nl. 172800 IN NS ns1.dns.nl.
nl. 172800 IN NS ns3.dns.nl.
nl. 172800 IN NS ns4.dns.nl.
nl. 86400 IN DS 34112 8 2 3C5B5F9B3557455C50751A9BE9EBE9238C88E19F5F07F930976917B5 1B95CD22
nl. 86400 IN RRSIG DS 8 1 86400 20230521050000 20230508040000 60955 . ORTn1H1ik3trq8VJQAVQ1nx4rrVZNEpoy9JZ/23pOjysRe9BWlXcCIK4 9LO3olfaXGFMDMWT3RtlSO3XFc7gPw38y2yfSRN8LWMkY0LzmOoLNxLO owY9dqQDfrvZK++EsWWmen0db3u/G07/cVWgb3IO0W9OVioQqko6ryes S9rlwbZY7lrPcohjWbUQ/uKBnhyN9yQs0sU8b+v3EbIudSzAa2zz5Bep ZA/XcnP+I9KNHqOREEfAuUG8moCP3VYFwarIkAgQeg/pE/typQZuxHUS QYY6LEfUpZVVO6i0NAHmqRlOZe2LmIHPWO7FBjK6YZtxyLbNkjyWjjvr kf4bVg==
;; Received 573 bytes from 192.58.128.30#53(j.root-servers.net) in 92 ms

tio.nl. 3600 IN NS ns3.argewebhosting.nl.
tio.nl. 3600 IN NS ns1.argewebhosting.eu.
tio.nl. 3600 IN NS ns2.argewebhosting.com.
tio.nl. 3600 IN DS 33829 8 2 81029E0FCAA9E0C8B2C599485634C0BD006607BAE31F51A48AF0B3A7 EBDBB8E3
tio.nl. 3600 IN RRSIG DS 8 2 3600 20230522040659 20230508070836 50076 nl. kTSEJYjimMe4Kvdl6kc4gPF2OLn04nhuGDp4ppYbfxwPKZEzXb3GSY68 3SPqHYTuOvwTeDnGQ1brG7l9N6EJRdgy9rG69/Irj1/aUZT27M5BBN3h r9y7dZQAfdZVDSy7zXUgAYy9AdOf+JeLhIeVhrbxD+NYBXaJOe9r3gtj F6s=
;; Received 408 bytes from 2620:10a:80ac::200#53(ns4.dns.nl) in 12 ms

tio.nl. 3600 IN SOA ns1.argewebhosting.eu. hostmaster\@argeweb.nl. 2023021412 10800 3600 604800 3600
tio.nl. 3600 IN RRSIG SOA 8 2 3600 20230518000000 20230427000000 11454 tio.nl. JxpppR49YY6NXXJStWmSmQyE1CUNBS6UVQ56WUeZUL3Hs0+ADoQ/Jr6A lo00s+d8yNg6zoMqVOCSp0yKmrSJQ1bbX3jsbyJjryL0YuDnu6sZz4ZE JsQw4xhewJhXw9MDen2UjB0TPRp+j6N2RPgdE9dtzqYddAdmqNyE0QNu fE0=
kehjo2i9ccgil56qqhgo4o6j7igguuks.tio.nl. 3600 IN NSEC3 1 0 1 AB KGKAK3FDJ7OR1SLCGL2M254C661KKVCU A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
kehjo2i9ccgil56qqhgo4o6j7igguuks.tio.nl. 3600 IN RRSIG NSEC3 8 3 3600 20230518000000 20230427000000 11454 tio.nl. mSK7JoJp+VyXIOTeW1jMndxc3l2li7uj+uwf+9/ZT1/wIqb9fCcHiITk ET4c3JR5VUa+Mq0rUrwCPUZ0DzXFmvvp0yrYoleoczsdgMxKgyfjpqgs +XaElHEF2LWzA33CNkDO8kxaXAfTXNYaGMfTzVMOi+9NYEB3n5tjGBqJ Wcg=
oji66ft00rg1tjd4kc30vno3gbkruu91.tio.nl. 3600 IN NSEC3 1 0 1 AB OORJ40BKUP0NDMA08HQO9NS6EMNVIKTH A RRSIG
oji66ft00rg1tjd4kc30vno3gbkruu91.tio.nl. 3600 IN RRSIG NSEC3 8 3 3600 20230518000000 20230427000000 11454 tio.nl. VY387t4VXyf55HF9EK5l5BJupdO65JBccwQ4AAQJZ6eI/8iYak5H73Wi Mpqu1Dw/NSuWgfYvhtfG5KFqlqyuH88pKJtt5mra6+c3NRi1F6yu4TYS owv7naAaZy4Tv83zMcNYjivcM2wV4PCKX9nM1TQieRwB9nBx5+QnvUkX KvI=
o4n6i0v019dpao7abq7mfor6a1543t6g.tio.nl. 3600 IN NSEC3 1 0 1 AB OJI66FT00RG1TJD4KC30VNO3GBKRUU91 CNAME RRSIG
o4n6i0v019dpao7abq7mfor6a1543t6g.tio.nl. 3600 IN RRSIG NSEC3 8 3 3600 20230518000000 20230427000000 11454 tio.nl. FGm7FofqjWiWd+9Bj7oNaLqraLyajz7rugO7N7ctd8ZKT14qcEfGkrgV zghw+Zpnda4Hb7aGomdsZ/XdiJorXRZRWQD5Qcirm1YEoZwAAbLyyJK0 qfn3g8SRuVH51nVOOr7WfeZRMVXOlgYSrRnYGlsGQfg/y7or/1qrGnxM 8gM=
;; Received 1029 bytes from 2a05:1500:702:0:1c00:13ff:fe00:a5#53(ns2.argewebhosting.com) in 8 ms
-------<Quote>---------------------
May 8 11:37:06 linbobo named[8601]: dumpdb started: -all
May 8 11:37:07 linbobo named[8601]: dumpdb complete
May 8 11:38:47 linbobo named[8601]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 8 11:38:47 linbobo named[8601]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 8 11:38:47 linbobo named[8601]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 8 11:38:47 linbobo named[8601]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 8 11:38:47 linbobo named[8601]: no valid RRSIG resolving '_udp.tio.nl/DS/IN': 172.16.128.40#53
May 8 11:38:47 linbobo named[8601]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
May 8 11:38:47 linbobo named[8601]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 8 11:38:47 linbobo named[8601]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.128.40#53
May 8 11:38:47 linbobo named[8601]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 8 11:38:47 linbobo named[8601]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.208.10#53
May 8 11:38:47 linbobo named[8601]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 8 11:38:47 linbobo named[8601]: no valid RRSIG resolving '_udp.tio.nl/DS/IN': 172.16.208.10#53
May 8 11:38:47 linbobo named[8601]: broken trust chain resolving 'lb._dns-sd._udp.tio.nl/PTR/IN': 172.16.208.10#53
May 8 11:38:47 linbobo named[8601]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 8 11:38:47 linbobo named[8601]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.208.10#53
May 8 11:38:47 linbobo named[8601]: broken trust chain resolving 'lb._dns-sd._udp.student.tio.nl/PTR/IN': 172.16.208.10#53
May 8 11:38:47 linbobo named[8601]: broken trust chain resolving 'lb._dns-sd._udp.staf.tio.nl/PTR/IN': 172.16.208.10#53
-------<Quote>---------------------

> Your tio.nl zone seems correct. Could you provide full
> /etc/bind/named.conf.options and /etc/bind/named.conf ?

Both should be almost default. I only changed the local file.
I did add the dnssec-enable no; line in the options file to see if that would get rid of the problem, but no.

-------<Quote>---------------------
linbobo:/etc/bind# cat named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-enable no;
        // dnssec-validation auto;

        listen-on-v6 { any; };
};

linbobo:/etc/bind# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-------<Quote>---------------------

I also do not understand this difference when querying the internal dns server directly.
Why does the +trace +cd not show an answer but when I leave them out I get a correct answer.
Is that because +trace forces it to start at the root which is irrelevant when trying to get an answer from an internal dns server?
What does +cd do? I was unable to find it in the man page.

-------<Quote>---------------------
linbobo:/etc/bind# dig einsccmdp-01.tio.nl +trace +cd @172.16.208.10

; <<>> DiG 9.16.37-Debian <<>> einsccmdp-01.tio.nl +trace +cd @172.16.208.10
;; global options: +cmd
. 86399 IN NS e.root-servers.net.
. 86399 IN NS h.root-servers.net.
. 86399 IN NS l.root-servers.net.
. 86399 IN NS i.root-servers.net.
. 86399 IN NS a.root-servers.net.
. 86399 IN NS d.root-servers.net.
. 86399 IN NS c.root-servers.net.
. 86399 IN NS b.root-servers.net.
. 86399 IN NS j.root-servers.net.
. 86399 IN NS k.root-servers.net.
. 86399 IN NS g.root-servers.net.
. 86399 IN NS m.root-servers.net.
. 86399 IN NS f.root-servers.net.
. 86399 IN RRSIG NS 8 0 518400 20230521050000 20230508040000 60955 . IQj8Wxn+xFOkybd9/KFRuzvu3983IEk4Jb1qV+9J6VczfubsSJlRN2PH WHAqrkzC6pQc4f5GvAFYYJHnXrIK5ALuEPaA49/yQmzuU5HJAd0f6KR6 E6ZoYlMY8wklEpPWSfeWzyg1yYXlpaqraYKoNCB5OWI8r0Gx7cxbuZEf XNk38iX7LAtVbrVUlfaCsBMvr7lhZW8f+uVr4P44OKvlbtIxTHA1rZP4 4BYP7/YPX3jJLHxPXzP/9TPstJEly0T3NI5pXjkBL1hLNJMAaESY4532 Z9mrfaFLy8JOQR3hEqM4Izkujg7BTA0sNLPjYVHvoJHjNMSOcARupqa5 VgpCBw==
;; Received 1111 bytes from 172.16.208.10#53(172.16.208.10) in 28 ms

nl. 172800 IN NS ns4.dns.nl.
nl. 172800 IN NS ns1.dns.nl.
nl. 172800 IN NS ns3.dns.nl.
nl. 86400 IN DS 34112 8 2 3C5B5F9B3557455C50751A9BE9EBE9238C88E19F5F07F930976917B5 1B95CD22
nl. 86400 IN RRSIG DS 8 1 86400 20230521050000 20230508040000 60955 . ORTn1H1ik3trq8VJQAVQ1nx4rrVZNEpoy9JZ/23pOjysRe9BWlXcCIK4 9LO3olfaXGFMDMWT3RtlSO3XFc7gPw38y2yfSRN8LWMkY0LzmOoLNxLO owY9dqQDfrvZK++EsWWmen0db3u/G07/cVWgb3IO0W9OVioQqko6ryes S9rlwbZY7lrPcohjWbUQ/uKBnhyN9yQs0sU8b+v3EbIudSzAa2zz5Bep ZA/XcnP+I9KNHqOREEfAuUG8moCP3VYFwarIkAgQeg/pE/typQZuxHUS QYY6LEfUpZVVO6i0NAHmqRlOZe2LmIHPWO7FBjK6YZtxyLbNkjyWjjvr kf4bVg==
;; Received 577 bytes from 2001:dc3::35#53(m.root-servers.net) in 16 ms

tio.nl. 3600 IN NS ns1.argewebhosting.eu.
tio.nl. 3600 IN NS ns2.argewebhosting.com.
tio.nl. 3600 IN NS ns3.argewebhosting.nl.
tio.nl. 3600 IN DS 33829 8 2 81029E0FCAA9E0C8B2C599485634C0BD006607BAE31F51A48AF0B3A7 EBDBB8E3
tio.nl. 3600 IN RRSIG DS 8 2 3600 20230522040659 20230508070836 50076 nl. kTSEJYjimMe4Kvdl6kc4gPF2OLn04nhuGDp4ppYbfxwPKZEzXb3GSY68 3SPqHYTuOvwTeDnGQ1brG7l9N6EJRdgy9rG69/Irj1/aUZT27M5BBN3h r9y7dZQAfdZVDSy7zXUgAYy9AdOf+JeLhIeVhrbxD+NYBXaJOe9r3gtj F6s=
;; Received 408 bytes from 185.159.199.200#53(ns4.dns.nl) in 12 ms

tio.nl. 3600 IN SOA ns1.argewebhosting.eu. hostmaster\@argeweb.nl. 2023021412 10800 3600 604800 3600
tio.nl. 3600 IN RRSIG SOA 8 2 3600 20230518000000 20230427000000 11454 tio.nl. JxpppR49YY6NXXJStWmSmQyE1CUNBS6UVQ56WUeZUL3Hs0+ADoQ/Jr6A lo00s+d8yNg6zoMqVOCSp0yKmrSJQ1bbX3jsbyJjryL0YuDnu6sZz4ZE JsQw4xhewJhXw9MDen2UjB0TPRp+j6N2RPgdE9dtzqYddAdmqNyE0QNu fE0=
kehjo2i9ccgil56qqhgo4o6j7igguuks.tio.nl. 3600 IN NSEC3 1 0 1 AB KGKAK3FDJ7OR1SLCGL2M254C661KKVCU A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
kehjo2i9ccgil56qqhgo4o6j7igguuks.tio.nl. 3600 IN RRSIG NSEC3 8 3 3600 20230518000000 20230427000000 11454 tio.nl. mSK7JoJp+VyXIOTeW1jMndxc3l2li7uj+uwf+9/ZT1/wIqb9fCcHiITk ET4c3JR5VUa+Mq0rUrwCPUZ0DzXFmvvp0yrYoleoczsdgMxKgyfjpqgs +XaElHEF2LWzA33CNkDO8kxaXAfTXNYaGMfTzVMOi+9NYEB3n5tjGBqJ Wcg=
oji66ft00rg1tjd4kc30vno3gbkruu91.tio.nl. 3600 IN NSEC3 1 0 1 AB OORJ40BKUP0NDMA08HQO9NS6EMNVIKTH A RRSIG
oji66ft00rg1tjd4kc30vno3gbkruu91.tio.nl. 3600 IN RRSIG NSEC3 8 3 3600 20230518000000 20230427000000 11454 tio.nl. VY387t4VXyf55HF9EK5l5BJupdO65JBccwQ4AAQJZ6eI/8iYak5H73Wi Mpqu1Dw/NSuWgfYvhtfG5KFqlqyuH88pKJtt5mra6+c3NRi1F6yu4TYS owv7naAaZy4Tv83zMcNYjivcM2wV4PCKX9nM1TQieRwB9nBx5+QnvUkX KvI=
o4n6i0v019dpao7abq7mfor6a1543t6g.tio.nl. 3600 IN NSEC3 1 0 1 AB OJI66FT00RG1TJD4KC30VNO3GBKRUU91 CNAME RRSIG
o4n6i0v019dpao7abq7mfor6a1543t6g.tio.nl. 3600 IN RRSIG NSEC3 8 3 3600 20230518000000 20230427000000 11454 tio.nl. FGm7FofqjWiWd+9Bj7oNaLqraLyajz7rugO7N7ctd8ZKT14qcEfGkrgV zghw+Zpnda4Hb7aGomdsZ/XdiJorXRZRWQD5Qcirm1YEoZwAAbLyyJK0 qfn3g8SRuVH51nVOOr7WfeZRMVXOlgYSrRnYGlsGQfg/y7or/1qrGnxM 8gM=
;; Received 1029 bytes from 2a05:1500:600:7:1c00:55ff:fe00:f1a#53(ns3.argewebhosting.nl) in 8 ms

linbobo:/etc/bind# dig einsccmdp-01.tio.nl @172.16.208.10

; <<>> DiG 9.16.37-Debian <<>> einsccmdp-01.tio.nl @172.16.208.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32960
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;einsccmdp-01.tio.nl. IN A

;; ANSWER SECTION:
einsccmdp-01.tio.nl. 1200 IN A 172.16.212.18

;; Query time: 12 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Mon May 08 11:42:37 CEST 2023
;; MSG SIZE rcvd: 64
-------<Quote>---------------------

Bonno Bloksma
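
Added example, not part of the original message: a small Python triage of named's DNSSEC validator messages in the format quoted above, grouped by the upstream server each rejected answer came from and flagging private-range sources. The function names are this example's own, and the sample lines are copied from the log in the message.

```python
import ipaddress
import re
from collections import Counter

# Sample lines copied from the named log quoted in the message above.
SAMPLE_LOG = """\
May 8 11:37:07 linbobo named[8601]: dumpdb complete
May 8 11:38:47 linbobo named[8601]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 8 11:38:47 linbobo named[8601]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
May 8 11:38:47 linbobo named[8601]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.208.10#53
May 8 11:38:47 linbobo named[8601]: broken trust chain resolving 'lb._dns-sd._udp.tio.nl/PTR/IN': 172.16.208.10#53
"""

# "<kind> resolving '<name>/<type>/<class>': <server>#<port>"
RESOLVE_RE = re.compile(
    r"named\[\d+\]: (?P<kind>no valid RRSIG|broken trust chain) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>\w+)/\w+': (?P<server>[0-9A-Fa-f.:]+)#\d+")
# "validating <name>/<type>: <reason>"
VALIDATE_RE = re.compile(
    r"named\[\d+\]: validating (?P<name>[^/\s]+)/(?P<rtype>\w+): (?P<reason>.+)$")


def parse_line(line):
    """Return a dict for a DNSSEC validation message, or None for other lines."""
    line = line.strip()
    m = RESOLVE_RE.search(line)
    if m:
        return {"event": "resolve", **m.groupdict()}
    m = VALIDATE_RE.search(line)
    if m:
        return {"event": "validate", **m.groupdict()}
    return None


def summarize(log_text):
    """Count failures per (server, kind) and per validator reason."""
    by_server, validator = Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] == "resolve":
            by_server[(rec["server"], rec["kind"])] += 1
        else:
            validator[(rec["name"], rec["rtype"], rec["reason"])] += 1
    servers = sorted({s for s, _ in by_server})
    # Private-range sources mean the rejected answers came from internal servers.
    internal = [s for s in servers if ipaddress.ip_address(s).is_private]
    return {"by_server": by_server, "validator": validator,
            "internal_servers": internal}


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG)["by_server"].items():
        print(count, *key)
```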