Bind/Named 9.9 auth-nxdomain question

Filipe Cifali cifali at kinghost.com.br
Thu Nov 9 18:35:11 UTC 2017


Hello,

I have a question:

If (ignoring RFC 1035; do not shoot the messenger)

I need to make an authoritative server that sets the 'AA' flag on every 
query. I would need to set only auth-nxdomain, right?

I'm running this config:

# ------------------------------------------------------------------------------

options {
     directory "/var/bind/";
     check-names master ignore;
     check-names slave ignore;
     check-names response ignore;

     auth-nxdomain yes;
     minimal-responses yes;
     version "Dont Do It";
     allow-recursion { 127.0.0.1/8; my-query-ip/32; };
     allow-new-zones yes;
     lame-ttl 1800;
     max-cache-ttl 43200;
     max-cache-size 100M;
     notify explicit;
     cleaning-interval 900;
     max-ncache-ttl 18000;
     pid-file "/var/run/named/named.pid";
     listen-on { any; };
     listen-on-v6 { any; };
};

view "internet" IN {
     match-clients { any; };
};

logging {
   channel default_file { file "/var/bind/logs/default.log" versions 3 size 50m; severity info; print-time yes; };
   channel general_file { file "/var/bind/logs/general.log" versions 3 size 50m; severity info; print-time yes; };
   channel database_file { file "/var/bind/logs/database.log" versions 3 size 50m; severity error; print-time yes; };
   channel security_file { file "/var/bind/logs/security.log" versions 3 size 50m; severity info; print-time yes; };
   channel config_file { file "/var/bind/logs/config.log" versions 3 size 50m; severity critical; print-time yes; };
   channel resolver_file { file "/var/bind/logs/resolver.log" versions 3 size 50m; severity critical; print-time yes; };
   channel xfer-in_file { file "/var/bind/logs/xfer-in.log" versions 3 size 50m; severity critical; print-time yes; };
   channel xfer-out_file { file "/var/bind/logs/xfer-out.log" versions 3 size 50m; severity critical; print-time yes; };
   channel notify_file { file "/var/bind/logs/notify.log" versions 3 size 50m; severity critical; print-time yes; };
   channel client_file { file "/var/bind/logs/client.log" versions 3 size 50m; severity critical; print-time yes; };
   channel unmatched_file { file "/var/bind/logs/unmatched.log" versions 3 size 50m; severity critical; print-time yes; };
   channel queries_file { file "/var/bind/logs/queries.log" versions 3 size 50m; severity info; print-time yes; };
   channel network_file { file "/var/bind/logs/network.log" versions 3 size 50m; severity critical; print-time yes; };
   channel update_file { file "/var/bind/logs/update.log" versions 3 size 50m; severity critical; print-time yes; };
   channel dispatch_file { file "/var/bind/logs/dispatch.log" versions 3 size 50m; severity critical; print-time yes; };
   channel dnssec_file { file "/var/bind/logs/dnssec.log" versions 3 size 50m; severity critical; print-time yes; };

   category default { default_file; };
   category general { general_file; };
   category database { database_file; };
   category security { security_file; };
   category config { config_file; };
   category resolver { resolver_file; };
   category xfer-in { xfer-in_file; };
   category xfer-out { xfer-out_file; };
   category notify { notify_file; };
   category client { client_file; };
   category unmatched { unmatched_file; };
   category queries { queries_file; };
   category network { network_file; };
   category update { update_file; };
   category dispatch { dispatch_file; };
   category dnssec { dnssec_file; };
   category lame-servers { null; };
};

key "rndckey" {
       algorithm hmac-md5;
       secret "my-little-key";
};

# ------------------------------------------------------------------------------

$ dig @my-local-ip typingsomerandomwords.doesntwork

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @my-local-ip typingsomerandomwords.doesntwork
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26340
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;typingsomerandomwords.doesntwork. IN A

;; Query time: 199 msec
;; SERVER: my-local-ip#53(my-local-ip)
;; WHEN: Thu Nov  9 18:29:37 2017
;; MSG SIZE  rcvd: 50

# ------------------------------------------------------------------------------


09-Nov-2017 16:29:22.392 client my-query-ip#39791 (typingsomerandomwords.doesntwork): view internet: query: typingsomerandomwords.doesntwork IN A + (my-local-ip)
09-Nov-2017 16:29:22.392 createfetch: typingsomerandomwords.doesntwork A
09-Nov-2017 16:29:27.581 client my-query-ip#39791 (typingsomerandomwords.doesntwork): view internet: query: typingsomerandomwords.doesntwork IN A + (my-local-ip)
09-Nov-2017 16:29:27.581 createfetch: typingsomerandomwords.doesntwork A
09-Nov-2017 16:29:32.392 client my-query-ip.19#39791 (typingsomerandomwords.doesntwork): view internet: query: typingsomerandomwords.doesntwork IN A + (my-local-ip)
09-Nov-2017 16:29:32.392 createfetch: typingsomerandomwords.doesntwork A
09-Nov-2017 16:29:32.393 client my-query-ip#39791 (typingsomerandomwords.doesntwork): view internet: query failed (*SERVFAIL*) for typingsomerandomwords.doesntwork/IN/A *at query.c:7007*

# ------------------------------------------------------------------------------


I'm stuck on this. The docs don't say auth-nxdomain is not available 
to auth servers, and I know it's a bad idea, but it's a bad idea that can 
be achieved by DLZ drivers via queries, and the config should behave in a 
similar way (or the doc should be a bit clearer about who can use it and 
how it works).


-- 

Filipe Cifali Stangler | Infrastructure Analyst
cifali at kinghost.com.br | www.kinghost.com.br