issue with dnssec, UDP using master/slave config

brads brads at nyctelecomm.com
Wed Mar 4 19:31:23 UTC 2015


I am trying to configure DNSSEC as a master/slave. Following signing the
zone and uploading the DS record to my provider, I am able to see what
appears to be the proper output from dnssec-verify

dnssec-verify -o ex-mailer.com ex-mailer.com.external.signed
Loading zone 'ex-mailer.com' from file 'ex-mailer.com.external.signed'
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked

but 3rd party tools such as http://dnsviz.net/d/ex-mailer.com/dnssec/ and/or
http://dnssec-debugger.verisignlabs.com/ex-mailer.com say that my
configuration is very incorrect and that UDP is not responding.

netstat -an|grep 53
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp6       0      0 ::1.53                 *.*                    LISTEN
tcp4       0      0 107.191.60.48.53       *.*                    LISTEN
tcp6       0      0 2001:19f0:7000:8.53    *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 ::1.53                 *.*
udp4       0      0 107.191.60.48.53       *.*
udp6       0      0 2001:19f0:7000:8.53    *.*

But, after 10 min or so, UDP on my IPv4 address begins to fail and the port
will close. I get these errors following:

# tail -f /var/log/named/named.log
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
^C
# updatedb
>>> WARNING
>>> Executing updatedb as root.  This WILL reveal all filenames
>>> on your machine to all login users, which is a security risk.
# locate named.pid
/var/run/named/named.pid

Yet dig appears to query just fine:

 

dig ex-mailer.com ANY @108.61.190.64

 

; <<>> DiG 9.9.5 <<>> ex-mailer.com ANY @108.61.190.64

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23061

;; flags: qr aa rd; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 5

;; WARNING: recursion requested but not available

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;ex-mailer.com.                 IN      ANY

 

;; ANSWER SECTION:

ex-mailer.com.          86400   IN      SOA     yoda.ex-mailer.com.
admin\@ex-mailer.com. 2015030403 10800 3600 604800 3600

ex-mailer.com.          86400   IN      RRSIG   SOA 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
ov7ZA0ny6tYRsYIzupUsT6J8ncZRVqvZxwwxl2qonQ3Ou8hsblsZyDh7
sGehaI7To4w3dKWRlCoQoKCTE7McFHEv54ch4fOZv4dbZ2xgtXGdRHxp
YoH4pNFQLnCMrU3hJSwcihYZb2P2q2Pf4qJu1qS/zxum3XyUO20xMu91
1hFyNsmBA2n4cNYfnMfZ6orQzhMzw72wzM+rMMkZhhQKtdWC5KO5Lzkx
nRHpkGo4poMjuDoUidNwusANrkIlYVM1+NGLohaO5iQjJE7H5/m+I41v
RoEdVycc5ujy9KANbmeLSXFYxH34s7H2N15d7Y2EfP/QMzSt9U/m+sbO wH5PBg==

ex-mailer.com.          86400   IN      NS      r2d2.ex-mailer.com.

ex-mailer.com.          86400   IN      NS      yoda.ex-mailer.com.

ex-mailer.com.          86400   IN      RRSIG   NS 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
TG+HCKFevosp6b3dncH3wCrRh0iWr7Ud7nujCZpBZR8k/AET926adfY0
4YGdM8ZElAzLhPrjxE2DSLvueOFZAAnQZvNHyF7aAdz9qD73wK4iuK/d
d4ZrUW8XrUWLUUNnJIIwofbUteX71zHcK44tsoqjBEXphS7YKCao/pAx
QzyzzvRzbs0F18wviXvg1j+IDVdXV4spH6KiMluZuk/YHSm8FzbHbKps
LYjxd40F0WLqSqdFavFklRzbudZLgsCYt6YaI8ZI/HXxFbJL6SoQs631
9M4ZfJWxv7S56lAZzShwxUR0zIaMhqVW2jBCyTiI5VgP23yZciQxzuSJ dCywCw==

ex-mailer.com.          86400   IN      A       108.61.175.20

ex-mailer.com.          86400   IN      RRSIG   A 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
ItLLkwdtNC0edk7v+7YYrhRmUwAy8LARmKfWMz/RWp4C3Jksv9m6Y78r
QEJv0ydRxlQInd/CJjjHdDKxIyjXABqcSadJMMiEAz9Kj74oR5mPS+Aq
LxZ6Lnua3KR5Soo9u9c5yvoQWzUrT+4pGGwiPofSf0A9QGJrGcN3a6kJ
96X/gmLkkYz6URO6gUR6c2eUb1fw7NcAEcDKsmMtSx9K/lYCy2fqX/su
cqaUnEFUw9Qtzfw7stp2cJiNRomH3mpLGO+pbZteUFy6fUocVNbI7cF7
XahL8ObLK/HUkT/KgqJ01qzOD8Qgb2Auh6ofLLQ3+ZazhPAqqUhKpsOH gmFB3Q==

ex-mailer.com.          86400   IN      MX      0 r2d2.ex-mailer.com.

ex-mailer.com.          86400   IN      RRSIG   MX 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
g2m2Hl/p0epz87M1YKJqnyHmtIrvTJ/u3iXmwUNS7kvkQFslx0D5oC3j
2djykF4wNt+SG/+HUP2W9sMM5q5g2xnfLtZOp2A112w9qSjcv6Zl2Kve
/dcI/EUHdI2wnwqIJ9qNrW2BK7xTxmd6+6SZLFwtDeDjPcj1zllBQhjg
SkxRK1AlAYxf2nZfjw3rkSkKasudz3shuBJLwbKvtrqilaBy2Bo869FG
fe2SKnZ+8BQzaKSX/yPfCNVgKeakQNT9qeLNypYBsdyFUpNflHYv8R05
Okfd3O39VtLqbogbDGowidGBrgXBNDIHzLeNrVY+NKn40OpgkE7rpcSM MG51IQ==

ex-mailer.com.          86400   IN      TXT     "v=spf1" "mx"
"a:r2d2.ex-mailer.com" "-all"

ex-mailer.com.          86400   IN      RRSIG   TXT 8 2 86400 20170303030000
20150304023700 19359 ex-mailer.com.
jzu0VfjjfMagvAAjbH9Ygp11rFMdD+t/7kf+ou/NZxXBYyui0h8nta5J
6hoJ+LDWSdRzakt5ukTwjvMpLA0D/SLzFilumb0pv8zjqHToLA0nVp97
Zrjpb6+p0V6lawrxIRr3hJYtsjsg7Isn6hU141osqEXPjC/KGsUIsfNc
7xCPpD0mxJgjWOu+Kyy402B+9lKGFsk8MF30EXtQB3TepJwTJTxzxKBv
cLzHyc15rkzZjLYj89qDGjg/+xLzOx75b5kj1VduFQ+Yn9qtAmjeGaJf
7VTJFno5HkVEkei1pelIrhkKTiL9ApHOfFlFp2yF1VECuGsjqcgc3Tmv vrY7Uw==

ex-mailer.com.          3600    IN      NSEC    imap.ex-mailer.com. A NS SOA
MX TXT RRSIG NSEC DNSKEY

ex-mailer.com.          3600    IN      RRSIG   NSEC 8 2 3600 20170303030000
20150304023700 19359 ex-mailer.com.
Kvs1M3jU7LM1xCcw8xgTOP8WpQWNRWXlSL66MdELR3t4nZQeSP4Pn6py
UWjHeYlS4A/8sizEUr19MQEMt9OC5vX3jQn4qQPAgu9bHy16gLlqUWMK
WPLzjMANB19tU4bN0VUoppUROI3p/qG2BzFb6dcuKnG1YNLwRMTe96BF
kaAQMO+wAb8/Dgbb4o5OmWNnX1AkEJNdDTBYgyuRUHdO91/nPSW2SEdP
RFoEq1sTDTVrg+9q4V7HN2pKkW7Vn0yGzLPrSEhtt3qWhqXbjdkxeGD3
p4iOVYL/6jLh04XtOvjot86cWqF3LneA63tQWrKEUGVSJmsMqpNk7CEK hELUGA==

ex-mailer.com.          86400   IN      DNSKEY  256 3 8
AwEAAbOBP2dTaro0A16tyQxcmCkg7DLUkpgF1coRKYip5MpmyZxN2JAj
cIfueVY31kKRT8V0kbCYeDCRhkdaAPopqOdgWkUUp5HFzUK8plFJQ1Lg
0GFUe0wC7lVmBIGnQpwQjMm1nZy/JqzZZ4bj/tQYY+NMMptlUd+TPTJb
rJAsLKjS7Zy2WFD74YIN6MvaopJKM3XP68+pUctfryjgUpAkm8Vmyr1a
D+VM7/DiznO7BptzOCQiNGMPVF55aJYsiMcpH5LNOOR1bnhMYHkL04q/
w3FOQ5oaIimG7nedqBuPdjaw9b9Qu6jfdESqM1MwN8tMYMsPdf0CkGrJ Nyx2yjwkJzM=

ex-mailer.com.          86400   IN      DNSKEY  257 3 8
AwEAAcoMxXKkYNHeFLlzyt83/r1LAUi5aSi6IqhA6SjYZ2vov4A2im6V
/cRpN1GGUdQjoL2fO42j9dy69f+XkrknYj8gBSKQg8n8xcCm16OC4cJ0
jJogAD9r2LQnAe1ehFSnilMEk2brUPfmsZe7/5Hz83dhUBS+iWQA/csx
5JMA0VNhzwQXI1yStn+efHuRuz5vEp0oByXTgO9xfDIzbo0OpU1GOE1r
klPFbOdADGP5tAfKfw4ovaq347PBCkb/E2tNyv6EV8k42Exe8bBd3JCV
V5I0e+8qCxiLZAWKQeEibQIXbDzHhPpFC3uzEI2pCawUSt9czx0+ksd0 wmI2370Gd4U=

ex-mailer.com.          86400   IN      RRSIG   DNSKEY 8 2 86400
20170303030000 20150304023700 19359 ex-mailer.com.
kv+2qpf1SeuVivagYCBMaVWaJkU4eHEE6pUgz6dPq/teO4143zIvS1g+
u+i1mA/vwncVSfSZxUTRluR99XmlZ40ppx32w6cUSEyW2kHV/1cw0ONH
2mX9ryITjSzxSWFkIkZCxlSq3caYNQ91KxbrZEeWmPAhYSP7EeEJNuJb
SweJnH91FJQDVTiI8ONVvvVXzN7GqYp0hjVyte5QILxZh3YD8jRo9wku
8tlwBh96bD7xd5SgavTfd4S3E0sLVwFKTqK8aFRdWQ0sSg0wIkWDhn11
wBFiMO5G7MyBkM18CYwvMn17py+wZkMeW2S1F2ijsAWrJQjFXmkUOhd1 lejWKg==

ex-mailer.com.          86400   IN      RRSIG   DNSKEY 8 2 86400
20170303030000 20150304023700 55009 ex-mailer.com.
jJAJnymOxsjDXvIj8IoKcLJ9OpkDuBTOyVIMEpfslFpGpueiXSvYb7XQ
roJep32cbGzRpvwK5iaeMkh3j+y0olnvRQ385tsHn3VRc0+Tbzw2BBx0
TXxu1NLldTjnU/tqgP8sWeb3p3AUFo59WmWMiyitNFc8sC7iE2jhVJDY
SXYsEl2gTXL0v7bcW0AgfzsyLyvurj6RnmDH3RqvCmIFMvemtzrsFnEu
al32eueA6y/3b45wpixsPB9sHFaAcHw1KHLKtpaVvLq12K9P7MBME1Mk
YnCdkPtFBGctjHgLuJ2H+tIwBCuxNjAsGL/ZVjDAp5ahgieU+8yOh++C r6IPCw==

 

;; ADDITIONAL SECTION:

r2d2.ex-mailer.com.     86400   IN      A       107.191.60.48

r2d2.ex-mailer.com.     86400   IN      AAAA    2001:19f0:7000:8945::64

yoda.ex-mailer.com.     86400   IN      A       108.61.175.48

yoda.ex-mailer.com.     86400   IN      AAAA    2001:19f0:6c00:8141::64

 

;; Query time: 131 msec

;; SERVER: 108.61.190.64#53(108.61.190.64)

;; WHEN: Wed Mar 04 03:40:47 EST 2015

;; MSG SIZE  rcvd: 3301

Configs:

https://bpaste.net/show/c5d456aa89d2 
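
Added example, not part of the original post: a check for the symptom described above, where an address keeps its TCP port 53 listener but loses its UDP socket, alongside a scan of named.log for the bind errors shown. The sample netstat and log text is constructed in the formats quoted in the post; the function names are hypothetical.

```python
import re

# Constructed sample in the FreeBSD `netstat -an` format shown in the post,
# with the IPv4 UDP socket on 107.191.60.48 gone (the reported failure state).
SAMPLE_NETSTAT = """\
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp4       0      0 107.191.60.48.53       *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*
"""

# Constructed sample in the named.log format shown in the post (unwrapped).
SAMPLE_LOG = """\
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
"""

# proto, recv-q, send-q, local addr.port, foreign addr, optional state
SOCK = re.compile(r"^(tcp|udp)(?:46|4|6)\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+\S+(?:\s+(\S+))?$")
IFACE = re.compile(r"creating (IPv[46]) interface (\S+) failed")
BIND = re.compile(r"could not listen on (UDP|TCP) socket: (.+)$")

def missing_udp(netstat_text, port=53):
    """Addresses that listen on TCP <port> but have no UDP socket on it."""
    tcp, udp = set(), set()
    for line in netstat_text.splitlines():
        m = SOCK.match(line.strip())
        if not m or int(m.group(3)) != port:   # exact port: 953 is not 53
            continue
        proto, addr, _, state = m.groups()
        if proto == "tcp" and state == "LISTEN":
            tcp.add(addr)
        elif proto == "udp":
            udp.add(addr)
    return sorted(tcp - udp)

def bind_failures(log_text):
    """Return (interfaces named ignored, socket bind errors) from named.log text."""
    ifaces, errors = set(), set()
    for line in log_text.splitlines():
        if (m := IFACE.search(line)):
            ifaces.add((m.group(1), m.group(2)))
        if (m := BIND.search(line)):
            errors.add((m.group(1), m.group(2).strip()))
    return ifaces, errors

if __name__ == "__main__":
    print("TCP 53 without UDP 53:", missing_udp(SAMPLE_NETSTAT))
    print("named.log:", bind_failures(SAMPLE_LOG))
```

Run periodically against live `netstat -an` output, this flags the moment the UDP socket disappears, which a plain `grep 53` does not distinguish from the rndc port 953 line.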
