Querying directly a nameserver works, while forwarding not

Daniele Imbrogino d.imbrogino at gmail.com
Thu Dec 6 15:46:42 UTC 2012


I'm testing a new configuration on VirtualBox, following the advice of not
forwarding.
Furthermore, I exclude any reference to DNSSEC.

So, in these conditions and assuming an empty cache, if I query for a
remote domain name, my server should query a root-server and then iterate,
right?
Well, Wireshark shows me outgoing queries and incoming responses to/from
root-servers, but "dig www.apple.com" (for example) fails with a timeout.

"syslog" has a lot of "DNS format error ... non-improving referral" and
"error (FORMERR) resolving" entries.

This is my very, very basic "named.conf" file:

options {
        directory "/var/cache/bind";
};

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

I've also updated "db.root" from ftp.internic.net/domain/db.cache


2012/12/5 Sten Carlsen <stenc at s-carlsen.dk>

>
> On 05/12/12 18:29, Hauke Lampe wrote:
>
> On 05.12.2012 14:59, Daniele Imbrogino wrote:
>
> resolv.conf contains only 127.0.0.1 as nameserver.
>
> The syslog contains a lot of errors such as "insecurity proof failed",
> "no valid RRSIG", "got insecure response" that I don't understand.
>
>
> Your forwarder probably doesn't handle DNSSEC responses well. Therefore
> your BIND cannot validate the answers and returns a failure code.
>
> Either update the forwarder/enable DNSSEC (older versions of BIND 9
> require "dnssec-enable yes;" in the options clause), or disable DNSSEC
> validation in your local BIND (set "dnssec-validation no;").
>
> Or consider not doing forwarding, that usually gives fewer problems if
> possible.
>
>
>
>
> Hauke
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
>        "MALE BOVINE MANURE!!!"
>
>
>
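
Added example, not part of the original thread: a small Python triage of the two groups of named syslog messages quoted above (the DNSSEC validation errors seen while forwarding, and the FORMERR / "non-improving referral" errors seen while iterating), counted per upstream server. The log lines are constructed samples in the style of BIND 9 output, 192.0.2.1 stands in for a forwarder, and the function and category names are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
Dec  6 15:40:01 vbox named[812]: error (insecurity proof failed) resolving './NS/IN': 192.0.2.1#53
Dec  6 15:40:01 vbox named[812]: error (no valid RRSIG) resolving 'com/DS/IN': 192.0.2.1#53
Dec  6 15:40:02 vbox named[812]: validating @0xb5a1c8: . NS: got insecure response; parent indicates it should be secure
Dec  6 15:41:10 vbox named[812]: DNS format error from 198.41.0.4#53 resolving www.apple.com/A for client 127.0.0.1#40112: non-improving referral
Dec  6 15:41:10 vbox named[812]: error (FORMERR) resolving 'www.apple.com/A/IN': 198.41.0.4#53
Dec  6 15:41:11 vbox named[812]: error (FORMERR) resolving 'www.apple.com/A/IN': 192.5.5.241#53
"""

# Reasons quoted in the thread, split into the two symptom groups.
DNSSEC_REASONS = {"insecurity proof failed", "no valid RRSIG", "got insecure response"}
REFERRAL_REASONS = {"FORMERR", "non-improving referral"}

ADDR = r"(?P<server>[0-9a-fA-F.:]+)#\d+"
PATTERNS = [
    re.compile(r"error \((?P<reason>[^)]+)\) resolving '[^']+': " + ADDR),
    re.compile(r"DNS format error from " + ADDR
               + r" resolving \S+ for client \S+: (?P<reason>.+)$"),
    re.compile(r"validating [^:]*: .+?: (?P<reason>got insecure response)"),
]

def triage(log_text):
    """Return {category: Counter(upstream server -> hits)} for recognised errors."""
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        for rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            reason = m.group("reason").strip()
            # Validator messages do not name the server that sent the answer.
            server = m.groupdict().get("server") or "(not logged)"
            if reason in DNSSEC_REASONS:
                category = "dnssec-validation"
            elif reason in REFERRAL_REASONS:
                category = "iteration-referral"
            else:
                category = "other"
            result[category][server] += 1
            break
    return result

if __name__ == "__main__":
    for category, servers in triage(SAMPLE_LOG).items():
        print(category, dict(servers))
```

DNSSEC errors that all name one address point at that upstream (the forwarder case discussed in the quoted reply); referral errors spread across several root-server addresses show the problem is not tied to a single upstream.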