broken trust chain on forwarder
Miguel Mucio Santos Moreira
miguel at prodemge.gov.br
Fri Sep 30 18:36:19 UTC 2016
Dears,
I understood John has an invalid internal domain called stc.corp (Microsoft AD).
Some users will use a new Recursive DNS Server he said before and this new Recursive DNS needs to querie records on the internet and on the stc.corp Authoritative Server, then he created a forward zone in recursive server to stc.corp Authoritative Server.
When he disables DNSSEC on recursive server the problem doesn't happen.
Right John?
If you can't sign stc.corp zone because it's not yours, my workaround solution I've sent an email before probably is gonna work.
See you!
--
Miguel Mucio Santos Moreira
Gerente
GSR - Gerência de Serviços de Rede
(31)3339-1401
PRODEMGE - Companhia de Tecnologia da Informação do Estado de Minas Gerais
Aviso:
Esta mensagem é destinada exclusivamente para a(s) pessoa(s) a quem é
dirigida, podendo conter informação confidencial e legalmente protegida.
Se você não for destinatário dela, desde já fica notificado de
abster-se a divulgar, copiar, distribuir, examinar ou, de qualquer
forma, utilizar a informação contida nesta mensagem, por ser ilegal.
Caso você tenha recebido por engano, pedimos que responda essa mensagem
informando o acontecido.
Em 30/09/2016 13:04:33, John Ratliff escreveu:
> I am building a new recursive DNS server. I have it set to forward records
for a single zone to our HQ DNS servers. When I try to resolve a record, I
get errors like this:
Sep 30 11:25:39 bltn-dns-04 named[2012]: validating @0x7fb51810b8f0:
stc.corp SOA: got insecure response; parent indicates it should be secure
Sep 30 11:25:39 bltn-dns-04 named[2012]: error (no valid RRSIG) resolving
'inelhqnagios.stc.corp/DS/IN': 10.21.0.101#53
Sep 30 11:25:39 bltn-dns-04 named[2012]: validating @0x7fb520545fe0:
stc.corp SOA: got insecure response; parent indicates it should be secure
Sep 30 11:25:39 bltn-dns-04 named[2012]: error (no valid RRSIG) resolving
'inelhqnagios.stc.corp/DS/IN': 10.21.0.100#53
Sep 30 11:25:39 bltn-dns-04 named[2012]: error (no valid DS) resolving
'inelhqnagios.stc.corp/A/IN': 10.21.0.100#53
Sep 30 11:25:39 bltn-dns-04 named[2012]: validating @0x7fb51810ac60:
inelhqnagios.stc.corp A: bad cache hit (inelhqnagios.stc.corp/DS)
Sep 30 11:25:39 bltn-dns-04 named[2012]: error (broken trust chain)
resolving 'inelhqnagios.stc.corp/A/IN': 10.21.0.101#53
This seems to indicate that the servers at 10.21.0.100 and 101 are telling
me that stc.corp domain is DNSSEC enabled. However, the new server fails
to find any DS or RRSIG records, so validating this claim is not possible.
Is this interpretation accurate? Are the errors I'm seeing here the result
of a misconfigured DNS server at our HQ?
I've seen on the internet people suggest disabling DNSSEC validation. That
seems to be an extreme solution to this problem. It works, but my
understanding is that this would disable DNSSEC validation globally, not
just for a single zone.
The HQ DNS servers at 10.21.0.100 and 101 are Microsoft DNS servers over
which I have no control, if that information is relevant.
I am running bind9 9.9.5 on Debian 8 with this single zone defined in an
otherwise stock debian bind9 configuration. I can post the remainder of my
config if it would be of use.
zone "stc.corp" IN {
type forward;
forwarders { 10.21.0.100; 10.21.0.101; };
forward only;
};
Thanks.
--John
_______________________________________________
Please visit > https://lists.isc.org/mailman/listinfo/bind-users> to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160930/47ce005e/attachment-0001.html>
More information about the bind-users
mailing list