Issues with Stub Zone

Ben Lavender ben at airnet.org.uk
Wed May 8 19:51:08 UTC 2019


Thanks for your reply Chris,

When querying the SOA for that domain I successfully receive the full 
SOA details, including the additional NS and A records for the domain's 
authoritative server.

The stub server can contact the primary zone, but only by IP; name 
resolution fails unless I add a record to /etc/hosts.

Also, the stub zone file updates correctly. I have tested static-stub 
zones and they work as expected, but stub zones don't when recursion is 
enabled on the BIND server.

Ben

On 08/05/2019 17:02, Chris Buxton wrote:
> Remembering that a stub zone is a cache hint, more information is needed.
>
>   o  What do the two "master" DNS servers say when asked for the SOA record of 'benlavender.co.uk'?
>   o  Are there A or AAAA records in the Additional section? If so, can the indicated IP addresses be reached?
>
> It may be that the behavior you're expecting is more in line with type "static-stub" than with type "stub".
>
> Regards,
> Chris Buxton
>
>> On May 7, 2019, at 4:08 PM, Ben Lavender <ben at airnet.org.uk> wrote:
>>
>> Hi,
>>
>> I've been trying to configure a stub zone using both BIND 9.8x and 9.9x for some split-brain internal DNS.
>>
>> The problem I have is that any client that requests the NS or SOA records for this zone gets SERVFAIL. The BIND server populates the /var/named/slaves/benlavender.co.uk.DB file with the SOA and NS records straight away and can query them over UDP 53 to the masters if need be.
>>
>> I've had a look through the logs used in this config, but the only issues I see are that /lame-servers.log shows some IPv6 failures and that the client is getting a SERVFAIL back in /default.log:
>>
>> 05-May-2019 22:58:32.846 client 192.168.1.4#51612 (benlavender.co.uk): query failed (SERVFAIL) for benlavender.co.uk/IN/NS at query.c:7038
>>
>> The config I'm using in /etc/named.conf is:
>>
>> //
>> // named.conf
>> //
>> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
>> // server as a caching only nameserver (as a localhost DNS resolver only).
>> //
>> // See /usr/share/doc/bind*/sample/ for example named configuration files.
>> //
>> // See the BIND Administrator's Reference Manual (ARM) for details about the
>> // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
>>
>> options {
>>          // Serves only loopback and the internal address 172.16.4.31.
>>          listen-on port 53 { 127.0.0.1; 172.16.4.31;};
>>          listen-on-v6 port 53 { ::1; };
>>          directory       "/var/named";
>>          dump-file       "/var/named/data/cache_dump.db";
>>          statistics-file "/var/named/data/named_stats.txt";
>>          memstatistics-file "/var/named/data/named_mem_stats.txt";
>>          recursing-file  "/var/named/data/named.recursing";
>>          secroots-file   "/var/named/data/named.secroots";
>>          // Only these hosts may query at all. No allow-recursion is set, so
>>          // BIND derives the recursion ACL from this list as well
>>          // (NOTE(review): confirm that fallback for the 9.8/9.9 builds in use).
>>          allow-query     { localhost; 172.16.4.2; 172.16.4.3; 192.168.1.4;};
>>
>>          /*
>>           - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
>>           - If you are building a RECURSIVE (caching) DNS server, you need to enable
>>             recursion.
>>           - If your recursive DNS server has a public IP address, you MUST enable access
>>             control to limit queries to your legitimate users. Failing to do so will
>>             cause your server to become part of large scale DNS amplification
>>             attacks. Implementing BCP38 within your network would greatly
>>             reduce such attack surface
>>          */
>>          recursion yes;
>>
>>          dnssec-enable yes;
>>          // NOTE(review): validation also covers answers reached through the stub
>>          // zone. If the public benlavender.co.uk is DNSSEC-signed, an unsigned
>>          // internal copy will fail validation and clients get SERVFAIL; compare a
>>          // query with checking disabled (dig +cd) to rule this in or out.
>>          dnssec-validation yes;
>>
>>          /* Path to ISC DLV key */
>>          // NOTE(review): DLV lookaside was decommissioned by ISC in 2017, so this
>>          // key file is almost certainly obsolete; confirm and drop it if unused.
>>          bindkeys-file "/etc/named.iscdlv.key";
>>
>>          managed-keys-directory "/var/named/dynamic";
>>
>>          pid-file "/run/named/named.pid";
>>          session-keyfile "/run/named/session.key";
>> };
>>
>> logging {
>>      // One channel per category; each writes to its own 5 MB, 3-version file
>>      // at debug severity with timestamps.
>>      channel default_file {
>>          file "/var/named/default.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel general_file {
>>          file "/var/named/general.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel database_file {
>>          file "/var/named/database.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel security_file {
>>          file "/var/named/security.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel config_file {
>>          file "/var/named/config.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel resolver_file {
>>          file "/var/named/resolver.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel xfer-in_file {
>>          file "/var/named/xfer-in.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel xfer-out_file {
>>          file "/var/named/xfer-out.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel notify_file {
>>          file "/var/named/notify.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel client_file {
>>          file "/var/named/client.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel unmatched_file {
>>          file "/var/named/unmatched.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      // NOTE(review): the queries channel at debug severity records every client
>>      // query; useful while troubleshooting, but the 5 MB cap rotates quickly and
>>      // the file holds client IPs and names looked up, so lower it once resolved.
>>      channel queries_file {
>>          file "/var/named/queries.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel network_file {
>>          file "/var/named/network.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel update_file {
>>          file "/var/named/update.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel dispatch_file {
>>          file "/var/named/dispatch.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel dnssec_file {
>>          file "/var/named/dnssec.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>      channel lame-servers_file {
>>          file "/var/named/lame-servers.log" versions 3 size 5m;
>>          severity debug;
>>          print-time yes;
>>      };
>>
>>      // Category-to-channel mapping; the resolver and dnssec files are the ones
>>      // most likely to explain a SERVFAIL on the stub zone.
>>      category default { default_file; };
>>      category general { general_file; };
>>      category database { database_file; };
>>      category security { security_file; };
>>      category config { config_file; };
>>      category resolver { resolver_file; };
>>      category xfer-in { xfer-in_file; };
>>      category xfer-out { xfer-out_file; };
>>      category notify { notify_file; };
>>      category client { client_file; };
>>      category unmatched { unmatched_file; };
>>      category queries { queries_file; };
>>      category network { network_file; };
>>      category update { update_file; };
>>      category dispatch { dispatch_file; };
>>      category dnssec { dnssec_file; };
>>      category lame-servers { lame-servers_file; };
>> };
>>
>> // Root hints used to start recursion.
>> zone "." IN {
>>          type hint;
>>          file "named.ca";
>> };
>>
>> // Stub zone: only the SOA/NS (and any glue) are pulled from the two masters;
>> // the resolver then queries whichever servers those NS records name, so those
>> // names must be resolvable from this host (this matches the /etc/hosts
>> // workaround described earlier in the thread).
>> // NOTE(review): the first message refers to slaves/benlavender.co.uk.DB while
>> // this config names .SEC; confirm which file named is actually writing.
>> zone benlavender.co.uk IN {
>>          type stub;
>>          masters {172.16.4.2; 172.16.4.3;};
>>          file "slaves/benlavender.co.uk.SEC";
>>          multi-master yes;
>> };
>>
>> // Stock Red Hat includes: presumably the localhost/reverse zones and the root
>> // trust anchor consumed by dnssec-validation — contents not shown here.
>> include "/etc/named.rfc1912.zones";
>> include "/etc/named.root.key";
>>

