Re: Question about authoritative server and AA Authoritative Answer

2024-01-16 Thread Mark Andrews 


> On 16 Jan 2024, at 02:32, pub.dieme...@laposte.net wrote:
> 
> ‌
> 
> Dear Mark,
> 
> I am sorry but I don'y understand you reply.
> 
> 
> RFC 1034, § 6.2.2 the AA bit is set.
> I have a non-recursive authoritative server and the AA bit is not set. My 
> example is similar to RFC 1034. Why, on the RFC the AA bit is set but not on 
> my example ?

Because you were not querying the authoritative server, you where querying the 
recursive server in the screen shots.  When you queried the authoritative 
server (see dns-authoritative-question.md) you got AA in the response.

The answers from the recursive server:

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

vs the answers from the authoritative server:

;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

> On my screenshots, where do you see negative answers ?

The ones where the answer count was zero (look for "ANSWER: 0,”).

> De : "Mark Andrews"
> A : pub.dieme...@laposte.net,"bind users"
> Envoyé: dimanche 14 Janvier 2024 23:54
> Objet : Re: Question about authoritative server and AA Authoritative Answer
>   
> 
> > On 15 Jan 2024, at 09:04, Michel Diemer via bind-users wrote:
> >
> > ‌Ders bind users,
> >
> > I have already asked a similar question which was more about DNS in general 
> > , this one is very specific about the AA bit.
> >
> > Today's question is : « "dig pc1.reseau1.lan ns" show AUTHORITY: 1 and "dig 
> > pc1.reseau1.lan" shows AUTHORITY: 0. Which setting or knowledge am I 
> > missing ? If possible, how to get AA answers for QNAME queries ? »
> 
> The difference is because you have positive and negative answers. The 
> authority section has information about how long the negative response can be 
> cached for. See RFC 2308.
> 
> As for AA ask the authoritative server rather than the recursive server. See 
> RFC 1035. Also see the examples where AA is set in RFC 1034 and their 
> descriptions.
> 
> AA Authoritative Answer - this bit is valid in responses,
> and specifies that the responding name server is an
> authority for the domain name in question section.
> 
> Note that the contents of the answer section may have
> multiple owner names because of aliases. The AA bit
> corresponds to the name which matches the query name, or
> the first owner name in the answer section.
> 
> 
> > I have set up two virtual machines on a virtual local network using Oracle 
> > VirtualBox. One machine is a DNS authoritative-only server. The zone is 
> > named "reseau1.lan" and defined only in bind9 zone files. If I really have 
> > to, I will name it "reseau1.home.arpa" according to RFC 8375. (I chose .lan 
> > inspired by RFC 6762 appendix G). The IP address of the DNS server is 
> > 172.16.0.254 and the IP address of pc1 is 172.16.0.21.
> 
> 
> > dig soa reseau1.lan : the AA bit is set, which is what I am looking for
> >
> > <540085300119embeddedImage.png>͏‌ ͏‌ ͏‌
> >
> > dig pc1.reseau1.lan ns : the AA bit is set
> >
> > <620630300119embeddedImage.png>͏‌ ͏‌ ͏‌ ͏‌
> >
> > dig pc1.reseau1.lan : the AA bit is not set. Why ? Which setting or 
> > knowledge am I missing ?
> >
> > <8504625embeddedImage.png>
> >
> > Below my "named.conf.options" file
> >
> > <1311990100238embeddedImage.png>͏‌
> >
> >
> > ͏‌ ͏‌ ͏‌ ͏‌
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> > this list
> >
> > ISC funds the development of this software with paid support subscriptions. 
> > Contact us at https://www.isc.org/contact/ for more information.
> >
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>  

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DiG DoH TLS Error

2024-01-16 Thread r1wcp42w--- via bind-users 

Hello,


I am trying to resolve a DNS record with DNS over HTTPS with DiG on our 
DNS server. However DiG is returning a TLS error. See following 
anonymized result


 ➜ dig +trace +https @dns.example.com www.example.com
;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com 
failed: TLS error.

;; no servers could be reached

;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com 
failed: TLS error.

;; no servers could be reached

;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com 
failed: TLS error.

;; no servers could be reached



I can confirm that the server can be reached and with openssl s_client 
-connect, the certificate returned OK result


Connecting to 192.168.132.5
CONNECTED(0003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R3
verify return:1
depth=0 CN=*.example.com
verify return:1
---
Certificate chain
 0 s:CN=*.example.com
   i:C=US, O=Let's Encrypt, CN=R3
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  2024 GMT; NotAfter: Apr  2024 GMT
 1 s:C=US, O=Let's Encrypt, CN=R3
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 
2025 GMT

---
Server certificate
-BEGIN CERTIFICATE-

-END CERTIFICATE-
subject=CN=*.example.com
issuer=C=US, O=Let's Encrypt, CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2816 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 384 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol  : TLSv1.3
Cipher: TLS_AES_128_GCM_SHA256
Session-ID: 
Session-ID-ctx:
Resumption PSK: 
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
 .

Start Time: 1705398062
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK


Any idea what is causing the TLS error?
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users