Bind 9.10 recursion issues

Wade Blackwell wadeb at bablam.com
Fri Dec 4 18:48:28 UTC 2020


Good morning from the West Coast,

It’s been a while since I’ve set up an authoritative BIND server from
scratch, so I may be missing something very basic. First time in a Docker
container, beside the point but maybe it plays (this looks like a
configuration issue in BIND). I’m getting the following errors when trying
to resolve domains external to my own:
---snip---
17:30:04.843 REFUSED unexpected RCODE resolving './NS/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET/AAAA/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.877 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.883 REFUSED unexpected RCODE resolving './NS/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.884 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.889 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET/AAAA/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.897 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving './NS/IN': 108.162.193.136#53
---end---

You’ll notice the above are Cloudflare resolvers (pete/roxy).
I get a DNSSEC-related error when the same resolution is attempted on the
OpenDNS servers:

---snip---
04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53
04-Dec-2020 17:30:05.108 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN': 208.67.222.222#53
---end---

Named.conf has the correct sources for queries:

---snip---
acl permit {
        172.30.0.0/16;
---end---

Named.conf.options has the correct forwarders, recursion and query
statements (ignore syntax, pulling partials):

---snip---
        forwarders {
                108.162.193.136;
                172.64.33.136;
                108.162.192.142;
                172.64.32.142;
                173.245.58.142;
                208.67.220.220;
                208.67.222.222;
        };
        allow-recursion {
                172.30.0.0/16;
        allow-query {
                172.30.0.0/16;
---end---

What am I missing here (flame away…)?

    -W



“I can only explain it to you. I can’t understand it for you.”
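
A small triage script for the two kinds of named log lines quoted in the post, added here as an example and not part of the original message: it groups resolution errors by upstream address, so the servers answering REFUSED and the servers involved in DNSSEC validation failures can be read off separately. The function and category names are this example's own; the sample lines are copied from the post's excerpts with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Sample lines copied from the log excerpts in the post (wrapped lines rejoined).
SAMPLE_LOG = """\
04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.897 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 108.162.192.142#53
04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53
04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN': 208.67.222.222#53
"""

# Matches "<reason> resolving '<name>/<type>/<class>': <upstream>#<port>".
# The timestamp is not anchored, so lines with a truncated date still parse.
RESOLVE_ERR = re.compile(
    r"(?P<reason>[A-Z]+ unexpected RCODE|no valid KEY) resolving "
    r"'(?P<qname>[^'/]*)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<upstream>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)


def triage(log_text):
    """Return {upstream: {category: set of 'name/type'}} for resolver errors."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = RESOLVE_ERR.search(line)
        if not m:
            continue  # e.g. the 'validating ...' detail line names no upstream
        if m["reason"] == "no valid KEY":
            category = "dnssec-no-valid-key"
        else:
            category = "rcode-" + m["reason"].split()[0]  # e.g. rcode-REFUSED
        summary[m["upstream"]][category].add(f"{m['qname']}/{m['qtype']}")
    return {upstream: dict(cats) for upstream, cats in summary.items()}


def report(summary):
    """Render one line per upstream and category, sorted for stable output."""
    lines = []
    for upstream in sorted(summary):
        for category, queries in sorted(summary[upstream].items()):
            lines.append(f"{upstream:<16} {category:<20} {', '.join(sorted(queries))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```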

More information about the bind-users mailing list