A tale of two nameservers - resolution problems
Robert Moskowitz
rgm at htt-consult.com
Tue Sep 1 13:31:23 UTC 2015
On 09/01/2015 09:20 AM, John Miller wrote:
> If you check pcap, logs, etc., is the server's following delegation
> for 0.centos.pool.ntp.org? Where do outbound packets stop?
I don't believe this and I have some serious problems.
Part of my challenge is I am running the new server on an armv7 board
that does not have an RTC. So when the system boots, the time is Jan 1
1970. The first thing you want to run is ntp to set the time, but that
requires named running and resolving.
For the 'fun' of it, I used 'date' to set the time to now, and then no
problem resolving 0.centos.pool.ntp.org. So there is something about
that resolution that does not like the early date.
So I am caught in a time bind here!
Is there any way to get bind not to be particular about system time at first?
>
> John
>
> On Tue, Sep 1, 2015 at 9:09 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> I have one nameserver running bind 9.8.2 and a new one running 9.9.4.
>>
>> Both can resolve www.ietf.org
>>
>> Only the 9.8.2 can resolve 0.centos.pool.ntp.org
>>
>> I literally rsynced all of the conf and zone files from the old to the
>> new, then changed all of the server name references. I have done this
>> before. I have another box running the 9.8.2 code that I built the same way
>> and it resolves both fqdns just fine.
>>
>> I am at a loss as to what the problem is. Both have the same named.conf:
>>
>> //
>> //
>>
>> include "/etc/named/named.acl";
>>
>> options
>> {
>> listen-on port 53 { any; };
>> listen-on-v6 port 53 { any; };
>>
>> allow-query { localhost; };
>> allow-query-cache { localhost; };
>> recursion no;
>>
>> directory "/var/named";
>> dump-file "/var/named/data/cache_dump.db";
>> statistics-file "/var/named/data/named_stats.txt";
>> memstatistics-file "/var/named/data/named_mem_stats.txt";
>>
>> // dnssec-enable yes;
>> // dnssec-validation yes;
>> // dnssec-lookaside auto;
>>
>> dnssec-enable no;
>> dnssec-validation no;
>>
>> /* Path to ISC DLV key */
>> // bindkeys-file "/etc/named.iscdlv.key";
>>
>> // managed-keys-directory "/var/named/dynamic";
>>
>>
>> };
>> logging
>> {
>> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>> * named will try to write the 'named.run' file in the $directory (/var/named).
>> * By default, SELinux policy does not allow named to modify the /var/named directory,
>> * so put the default debug log file in data/ :
>> */
>> channel default_debug {
>> file "data/named.run";
>> severity dynamic;
>> };
>> };
>>
>> view "internal"
>> {
>>
>> include "/etc/named/named.internal";
>>
>> };
>> view "external"
>> {
>>
>> include "/etc/named/named.external";
>>
>> };
>>
>> include "/etc/named/rndc.key";
>>
>> ==============
>> and named.internal has:
>>
>> /* This view will contain zones you want to serve only to "internal" clients
>> * that have addresses that are not on your directly attached LAN interface subnets:
>> */
>> match-clients { httnets; };
>> match-destinations { httnets; };
>> allow-query { httnets; };
>> allow-query-cache { httnets; };
>> allow-recursion { httnets; };
>> recursion yes;
>> empty-zones-enable yes;
>>
>> // include "/etc/named/named.trusted.key";
>> include "/etc/named.rfc1912.zones";
>>
>> zone "." IN {
>> type hint;
>> file "named.root";
>> };
>>
>> // These are your "authoritative" internal zones:
>>
>> zone "htt-consult.com" {
>> type master;
>> file "httin-consult.com.zone";
>> };
>>
>> etc.
>>
>>
>> ==============
>>
>>
>> Is the dnssec being disabled possibly the problem? Like it is required now?
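The reply above asks why a resolver would be particular about the system clock. One well-known time-dependent check is the RRSIG validity window that a DNSSEC-validating resolver applies (RFC 4034 section 3.1.5, with RFC 1982 serial arithmetic). The following is an added illustration, not code from the thread or from BIND; the signature dates and the zone name are constructed, and the thread does not establish that this check is what failed on the poster's 9.9.4 server.

```python
"""RRSIG validity-window check as a validating resolver performs it (RFC 4034).
Added illustration; the sample inception/expiration values below are constructed."""
from datetime import datetime, timezone

MOD = 1 << 32  # RRSIG times are 32-bit seconds since 1970-01-01 UTC


def rrsig_time_to_epoch(text: str) -> int:
    """Parse the YYYYMMDDHHmmSS presentation form into 32-bit epoch seconds."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial number arithmetic (wraps at 2^32)."""
    if a == b:
        return True
    diff = (b - a) % MOD
    return 0 < diff < (1 << 31)


def rrsig_window(inception: int, expiration: int, now: int) -> str:
    """Return 'valid', or the reason a validator would reject the signature."""
    now %= MOD
    if not serial_le(inception, now):
        return "not yet valid: inception is in the future"
    if not serial_le(now, expiration):
        return "expired: expiration is in the past"
    return "valid"


# Constructed sample: a signature good for two weeks around the date of the mail.
SAMPLE_INCEPTION = "20150825000000"
SAMPLE_EXPIRATION = "20150908000000"


def check_at(now_epoch: int) -> str:
    """Evaluate the constructed sample signature at a given system time."""
    return rrsig_window(rrsig_time_to_epoch(SAMPLE_INCEPTION),
                        rrsig_time_to_epoch(SAMPLE_EXPIRATION), now_epoch)


if __name__ == "__main__":
    # A board with no RTC boots at epoch 0; date(1) moves the clock to 2015-09-01.
    for label, now in (("clock at boot (1970-01-01)", 0),
                       ("clock set with date(1)", rrsig_time_to_epoch("20150901133123"))):
        print(f"{label}: {check_at(now)}")
```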