Bug in Bind 9.8 or am I doing something wrong?
Lyle Giese
lyle at lcrcomputer.net
Tue Sep 6 13:56:06 UTC 2011
I was following Mark Andrews' discussion with a user about DNSSEC and
played with it here and found an issue. Not sure if I am doing
something wrong or if there is a bug somewhere.
We have a Windows AD domain and use Bind 9.8 on our Linux servers for
most DNS resolution. In order to politely set up things, I forwarded the
queries for AD zones to the Windows server:
zone "chaseprod.local" {
    type forward;
    forwarders { 10.0.100.205; };
};
This seemed to work until I added some stuff for DNSSEC to my named.conf.
In the global option section, I have:
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
And as a general option, I added:
include "/etc/bind.keys";
Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special
options under SLES 10), resolution of a valid record in the forwarded
zone fails when I added the above dnssec options:
; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local. IN A
;; AUTHORITY SECTION:
. 10794 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2011090600 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 6 08:43:25 2011
;; MSG SIZE rcvd: 123
If I comment out dnssec-validation auto and the include for bind.keys,
the resolution for the forwarded zone works:
; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 3
;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local. IN A
;; ANSWER SECTION:
chasew8s1.corp.chaseprod.local. 2599 IN A 10.0.102.10
chasew8s1.corp.chaseprod.local. 2599 IN A 10.0.100.205
;; AUTHORITY SECTION:
. 517399 IN NS l.root-servers.net.
. 517399 IN NS d.root-servers.net.
. 517399 IN NS k.root-servers.net.
. 517399 IN NS i.root-servers.net.
. 517399 IN NS a.root-servers.net.
. 517399 IN NS g.root-servers.net.
. 517399 IN NS m.root-servers.net.
. 517399 IN NS b.root-servers.net.
. 517399 IN NS j.root-servers.net.
. 517399 IN NS f.root-servers.net.
. 517399 IN NS h.root-servers.net.
. 517399 IN NS e.root-servers.net.
. 517399 IN NS c.root-servers.net.
;; ADDITIONAL SECTION:
j.root-servers.net. 604029 IN AAAA 2001:503:c27::2:30
l.root-servers.net. 604031 IN A 199.7.83.42
m.root-servers.net. 604061 IN A 202.12.27.33
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 6 08:42:47 2011
;; MSG SIZE rcvd: 351
Is this a bug or am I doing something wrong?
Thanks,
Lyle Giese
LCR Computer Services, Inc.
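As an added example (not part of the post above and not BIND's own code), the following Python script parses the two dig responses quoted in the message and applies the checks a practitioner makes when comparing a validating resolver with a non-validating one: the rcode (BIND answers SERVFAIL, not NXDOMAIN, when validation itself fails), whether the 'ad' flag is set (it is absent in both responses, so neither answer was validated), and whether a negative answer carries the root SOA in the AUTHORITY section, which per RFC 2308 identifies the zone asserting the non-existence. The sample input is the post's own dig output, trimmed to the sections the checks need; the function names `parse_dig` and `diagnose` are this example's, not dig's or named's.

```python
import re
from dataclasses import dataclass, field

# Sample input: the failing and working dig responses quoted in the post,
# trimmed to the header, flags, question, answer and authority sections.
FAILING = """; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local. IN A
;; AUTHORITY SECTION:
. 10794 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2011090600 1800 900 604800 86400
"""

WORKING = """; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 3
;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local. IN A
;; ANSWER SECTION:
chasew8s1.corp.chaseprod.local. 2599 IN A 10.0.102.10
chasew8s1.corp.chaseprod.local. 2599 IN A 10.0.100.205
;; AUTHORITY SECTION:
. 517399 IN NS l.root-servers.net.
"""


@dataclass
class DigResponse:
    status: str = ""
    flags: set = field(default_factory=set)
    # section name -> list of (owner, ttl, class, type, rdata) tuples
    sections: dict = field(default_factory=dict)


def parse_dig(text):
    """Parse dig's text output into rcode, header flags and resource record sections."""
    resp = DigResponse()
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            if m:
                resp.status = m.group(1)
            continue
        if line.startswith(";; flags:"):
            flag_text = line[len(";; flags:"):].split(";", 1)[0]
            resp.flags = set(flag_text.split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            resp.sections.setdefault(section, [])
            continue
        # Question lines and dig's own banner start with ';' and carry no RR data.
        if line.startswith(";") or section is None:
            continue
        parts = line.split(None, 4)
        if len(parts) == 5:
            owner, ttl, rclass, rtype, rdata = parts
            resp.sections[section].append((owner, int(ttl), rclass, rtype, rdata))
    return resp


def diagnose(resp):
    """Return the findings that matter when comparing validating and non-validating answers."""
    answers = resp.sections.get("ANSWER", [])
    authority = resp.sections.get("AUTHORITY", [])
    findings = []
    if resp.status == "SERVFAIL":
        # BIND reports a failed DNSSEC validation as SERVFAIL, never as NXDOMAIN.
        findings.append("servfail")
    if resp.status == "NXDOMAIN" and any(rr[0] == "." and rr[3] == "SOA" for rr in authority):
        # The SOA in a negative answer names the zone asserting non-existence (RFC 2308);
        # here that zone is the root, not the forwarded chaseprod.local zone.
        findings.append("negative-answer-from-root")
    if answers:
        # The 'ad' (authenticated data) flag is set only on validated answers.
        findings.append("answer-validated" if "ad" in resp.flags else "answer-not-validated")
    return findings


if __name__ == "__main__":
    for label, text in (("failing", FAILING), ("working", WORKING)):
        resp = parse_dig(text)
        print(label, resp.status, sorted(resp.flags), diagnose(resp))
```

A complementary live check is to repeat the query with `dig +cd`, which sets the Checking Disabled bit so the resolver returns whatever it has without running validation; an answer that appears with `+cd` but not without it points at the validator rather than at forwarding.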