A tale of two nameservers - resolution problems

Robert Moskowitz rgm at htt-consult.com
Tue Sep 1 13:31:23 UTC 2015



On 09/01/2015 09:20 AM, John Miller wrote:
> If you check pcap, logs, etc., is the server's following delegation
> for 0.centos.pool.ntp.org? Where do outbound packets stop?

I don't believe this and I have some serious problems.

Part of my challenge is I am running the new server on an armv7 board 
that does not have an RTC.  So when the system boots, the time is Jan 1 
1970.  The first thing you want to run is ntp to set the time, but that 
requires named running and resolving.

For the 'fun' of it, I used 'date' to set the time to now, and then no 
problem resolving 0.centos.pool.ntp.org.  So there is something about 
that resolution that does not like the early date.

So I am caught in a time bind here!

Is there any way to get bind not to be particular about system time at first?

>
> John
>
> On Tue, Sep 1, 2015 at 9:09 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> I have one nameserver running bind 9.8.2 and a new one running 9.9.4.
>>
>> Both can resolve www.ietf.org
>>
>> Only the 9.8.2 can resolve 0.centos.pool.ntp.org
>>
>> I literally rsynced all of the conf and zone files from the old to the
>> new, then changed all of the server name references.  I have done this
>> before.  I have another box running the 9.8.2 code that I built the same way
>> and it resolves both fqdns just fine.
>>
>> I am at a loss as to what the problem is.  Both have the same named.conf:
>>
>> //
>> //
>>
>>      include "/etc/named/named.acl";
>>
>> options
>> {
>>      listen-on port 53 { any; };
>>      listen-on-v6 port 53 { any; };
>>
>>      allow-query        { localhost; };
>>      allow-query-cache    { localhost; };
>>      recursion no;
>>
>>      directory     "/var/named";
>>      dump-file     "/var/named/data/cache_dump.db";
>>          statistics-file "/var/named/data/named_stats.txt";
>>          memstatistics-file "/var/named/data/named_mem_stats.txt";
>>
>> //    dnssec-enable yes;
>> //    dnssec-validation yes;
>> //    dnssec-lookaside auto;
>>
>>      dnssec-enable no;
>>      dnssec-validation no;
>>
>>      /* Path to ISC DLV key */
>> //    bindkeys-file "/etc/named.iscdlv.key";
>>
>> //    managed-keys-directory "/var/named/dynamic";
>>
>>
>> };
>> logging
>> {
>> /*      If you want to enable debugging, eg. using the 'rndc trace' command,
>>   *      named will try to write the 'named.run' file in the $directory
>> (/var/named).
>>   *      By default, SELinux policy does not allow named to modify the
>> /var/named directory,
>>   *      so put the default debug log file in data/ :
>>   */
>>          channel default_debug {
>>                  file "data/named.run";
>>                  severity dynamic;
>>          };
>> };
>>
>> view "internal"
>> {
>>
>>      include "/etc/named/named.internal";
>>
>> };
>> view    "external"
>> {
>>
>>      include "/etc/named/named.external";
>>
>> };
>>
>> include "/etc/named/rndc.key";
>>
>> ==============
>> and named.internal has:
>>
>> /* This view will contain zones you want to serve only to "internal" clients
>>   * that have addresses that are not on your directly attached LAN interface
>> subnets:
>>   */
>>      match-clients        { httnets; };
>>      match-destinations    { httnets; };
>>      allow-query        { httnets; };
>>      allow-query-cache    { httnets; };
>>      allow-recursion        { httnets; };
>>      recursion yes;
>>      empty-zones-enable yes;
>>
>> //    include "/etc/named/named.trusted.key";
>>          include "/etc/named.rfc1912.zones";
>>
>>      zone "." IN {
>>          type hint;
>>          file "named.root";
>>      };
>>
>>      // These are your "authoritative" internal zones:
>>
>>      zone "htt-consult.com" {
>>          type master;
>>          file "httin-consult.com.zone";
>>      };
>>
>> etc.
>>
>>
>> ==============
>>
>>
>> Is DNSSEC being disabled possibly the problem?  Like, is it required now?
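The boot-time chicken-and-egg problem described above (no RTC, clock at 1970, NTP needs a resolver, the resolver misbehaves at that date) is one that operators usually break with a clock floor: before named and the NTP client start, refuse to run with a clock earlier than a known-good timestamp and bump it forward. The script below is an added example written for this thread, not something posted in it and not part of BIND; the floor value, the `/var/lib/clock-floor` path, and the `wait_for_named` helper are all assumptions of the example.

```sh
#!/bin/sh
# Added example: boot-time clock guard for a board with no RTC.
# Idea: keep a "floor" timestamp (normally written at last clean shutdown);
# if the running clock is earlier than that floor, set the clock to the
# floor before starting named and ntp, so neither ever sees Jan 1 1970.

# Lowest epoch second we treat as plausible: 2015-09-01 00:00:00 UTC.
# Constructed constant for this example; a real deployment would use the
# build date of the image or the last saved timestamp.
CLOCK_FLOOR=1441065600

# clock_is_sane EPOCH -> prints "yes" if EPOCH is at or after the floor,
# otherwise "no".  Pure function so it can be tested without root.
clock_is_sane() {
    if [ "$1" -ge "$CLOCK_FLOOR" ]; then
        echo yes
    else
        echo no
    fi
}

# saved_floor FILE -> the epoch stored in FILE if it is a well-formed
# integer newer than CLOCK_FLOOR, otherwise CLOCK_FLOOR.  A corrupt or
# missing file must never lower the floor.
saved_floor() {
    f="$1"
    if [ -r "$f" ] && grep -Eq '^[0-9]+$' "$f"; then
        v=$(head -n 1 "$f")
        if [ "$v" -gt "$CLOCK_FLOOR" ]; then
            echo "$v"
            return 0
        fi
    fi
    echo "$CLOCK_FLOOR"
}

# fix_clock: compare the live clock with the floor and move it forward if
# needed.  Requires root; only called from the boot path, never from tests.
fix_clock() {
    now=$(date +%s)
    floor=$(saved_floor /var/lib/clock-floor)   # hypothetical path
    if [ "$now" -lt "$floor" ]; then
        echo "clock $now is before floor $floor; setting clock to floor" >&2
        date -u -s "@$floor" >/dev/null
    fi
}

# wait_for_named SECONDS -> returns 0 once the local named answers a query
# for the root, 1 if it has not done so within SECONDS.  Uses dig options
# that exist in BIND's dig (+time, +tries, +short).
wait_for_named() {
    i=0
    while [ "$i" -lt "$1" ]; do
        if dig @127.0.0.1 +time=1 +tries=1 +short . NS >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Boot sequence (assumed init/service names; adjust to the platform):
#   fix_clock
#   service named start
#   wait_for_named 15 && service ntpd start
```

Saving the floor is the other half: at clean shutdown, `date +%s > /var/lib/clock-floor` keeps the floor moving forward so a reboot months later still lands on a date close to the real one, which is enough for name resolution and for NTP to finish the job.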
