Bug in Bind 9.8 or am I doing something wrong?

Mark Andrews marka at isc.org
Tue Sep 6 22:18:23 UTC 2011


In message <4E662676.1070206 at lcrcomputer.net>, Lyle Giese writes:
> I was following Mark Andrew's discussion with a user about DNSSEC and 
> played with it here and found an issue.  Not sure if I am doing 
> something wrong or if there is a bug somewhere.
> 
> We have a Windows AD domain and use Bind 9.8 on our Linux servers for 
> most DNS resolution.  In order to politely setup things, I forwarded the 
> queries for AD zones to the Windows server:
> 
> zone "chaseprod.local"{
> 	type forward;
> 	forwarders {10.0.100.205;};};

Use a namespace delegated to you.  You don't own .local.  Additionally
.local is reserved for mDNS which is a separate beast to DNS.

Named doesn't yet have the ability to disable DNSSEC validation
for specified namespaces.

Alternatively sign chaseprod.local and distribute trust anchors for
it if you really intend to hijack namespace you don't own.

Mark

> This seemed to work until I added some stuff for DNSSEC to my named.conf.
> 
> In the global option section, I have:
> 
> 	dnssec-enable yes;
> 	dnssec-validation auto;
> 	dnssec-lookaside auto;
> 
> And as a general option, I added:
> 
> include "/etc/bind.keys";
> 
> Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special 
> options under SLES 10), resolution of a valid record in the forwarded 
> zone fails when I added the above dnssec options:
> 
> 
> ; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;chasew8s1.corp.chaseprod.local.	IN	A
> 
> ;; AUTHORITY SECTION:
> .			10794	IN	SOA	a.root-servers.net. nstld.veris
> ign-grs.com. 2011090600 
> 1800 900 604800 86400
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Sep  6 08:43:25 2011
> ;; MSG SIZE  rcvd: 123
> 
> If I comment out dnssec-validation auto and the include for bind.keys, 
> the resolution for the forwarded zone works:
> 
> 
> ; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 3
> 
> ;; QUESTION SECTION:
> ;chasew8s1.corp.chaseprod.local.	IN	A
> 
> ;; ANSWER SECTION:
> chasew8s1.corp.chaseprod.local.	2599 IN	A	10.0.102.10
> chasew8s1.corp.chaseprod.local.	2599 IN	A	10.0.100.205
> 
> ;; AUTHORITY SECTION:
> .			517399	IN	NS	l.root-servers.net.
> .			517399	IN	NS	d.root-servers.net.
> .			517399	IN	NS	k.root-servers.net.
> .			517399	IN	NS	i.root-servers.net.
> .			517399	IN	NS	a.root-servers.net.
> .			517399	IN	NS	g.root-servers.net.
> .			517399	IN	NS	m.root-servers.net.
> .			517399	IN	NS	b.root-servers.net.
> .			517399	IN	NS	j.root-servers.net.
> .			517399	IN	NS	f.root-servers.net.
> .			517399	IN	NS	h.root-servers.net.
> .			517399	IN	NS	e.root-servers.net.
> .			517399	IN	NS	c.root-servers.net.
> 
> ;; ADDITIONAL SECTION:
> j.root-servers.net.	604029	IN	AAAA	2001:503:c27::2:30
> l.root-servers.net.	604031	IN	A	199.7.83.42
> m.root-servers.net.	604061	IN	A	202.12.27.33
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Sep  6 08:42:47 2011
> ;; MSG SIZE  rcvd: 351
> 
> Is this a bug or am I doing something wrong?
> 
> Thanks,
> Lyle Giese
> LCR Computer Services, Inc.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
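As an added example (not code from the thread, from Lyle, or from ISC), a small Python lint for the situation Mark describes: a forward zone under a top-level name that is not delegated from the signed root, combined with `dnssec-validation auto`, which BIND 9.8 offers no per-namespace way to exempt. The reserved TLDs beyond .local are an assumed generalisation (RFC 6761 reservations), and the named.conf text is constructed from the fragments quoted in the thread.

```python
import re

# TLDs that are not delegated from the signed root, so no chain of trust can
# ever reach a zone beneath them. ".local" is the thread's case (reserved for
# mDNS by RFC 6762); the others are RFC 6761 reservations, added for generality.
NON_DELEGATED_TLDS = {"local", "localhost", "test", "example", "invalid"}

def _zone_blocks(conf):
    """Yield (zone_name, block_text) for each zone statement, matching braces
    so nested blocks such as 'forwarders { ... };' are handled correctly."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, start = 1, m.end()
        i = start
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).rstrip(".").lower(), conf[start:i - 1]

def validation_enabled(conf):
    """True when 'dnssec-validation auto;' or 'yes;' appears in the config."""
    m = re.search(r'dnssec-validation\s+(auto|yes|no)\s*;', conf)
    return bool(m) and m.group(1) != "no"

def forward_zones(conf):
    """Names of all 'type forward' zones in a named.conf text."""
    return [name for name, body in _zone_blocks(conf)
            if re.search(r'\btype\s+forward\s*;', body)]

def unvalidatable_forwards(conf):
    """Forward zones that break once validation is on: their TLD does not
    exist in the signed root, so the resolver answers with the root's
    NXDOMAIN (as in the thread's dig output) instead of the forwarder's
    unsigned data. Empty when validation is off, which is why commenting
    out 'dnssec-validation auto' made the zone resolve again."""
    if not validation_enabled(conf):
        return []
    return [z for z in forward_zones(conf)
            if z.rsplit(".", 1)[-1] in NON_DELEGATED_TLDS]

# Constructed named.conf reproducing the thread's configuration plus one
# forward zone under a delegated TLD for contrast.
SAMPLE_CONF = """
options { dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto; };
include "/etc/bind.keys";
zone "chaseprod.local"{
	type forward;
	forwarders {10.0.100.205;};};
zone "corp.example.net" { type forward; forwarders { 10.0.100.206; }; };
"""

if __name__ == "__main__":
    for z in unvalidatable_forwards(SAMPLE_CONF):
        print(f"forward zone {z!r} sits under a non-delegated TLD; validation will fail")
```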