.onion and dnssec

Erich Eckner bind at eckner.net
Tue Nov 12 13:22:09 UTC 2019


On Tue, 12 Nov 2019, Tony Finch wrote:

> Erich Eckner <bind at eckner.net> wrote:
>
>> I also have a hard time generating some useful debug output
>> - setting `-d 9` does not give additional information in the system log.
>
> You might find it is being written to the file named.run in named's
> working directory (this is the default_debug logging channel
> configuration). I generally use `rndc trace 11` to tell named to log
> details of resolution and validation, including sent and received DNS
> messages. It's very verbose but it can tell you what is happening to your
> .onion queries.

Thanks! I now get the desired log. I noticed that there were *no* queries
sent by the dns server at all (even when asking for subdomains of
onion.eckner.net - which were successfully resolved by tor). I
suspected that the slave "." zone supersedes every other zone I have,
and confirmed that by commenting out the other (slaved opennic) tlds, which
did *not* break the resolving.

I replaced "." by a hint zone and now it works as intended:

- opennic tlds are resolved via their slave zones (before, they were not:
  I could comment them out and still resolve)

- normal tlds are resolved via hint root zone (I think)

- onion. is forwarded to tor

Thanks a lot!

I have another (minor) question, though:

To my understanding, the difference between "forward first;" and "forward
only;" is that the former caches and the latter forwards all queries.
However, I see the same behaviour in the log for both. Where is my 
mistake?

cheers,
Erich
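
The three-part layout the message reports as working, sketched as a named.conf fragment. This is an added example, not the poster's actual configuration: the directory, file names, the TLD placeholder, the master address 192.0.2.1 and the Tor DNSPort address 127.0.0.1 port 9053 are all assumptions.

```conf
// Added example; every name, path and address here is a placeholder.
options {
    directory "/var/named";            // assumed working directory
    recursion yes;
};

// Root as a hint zone: named resolves ordinary TLDs iteratively,
// starting from the root servers listed in the hints file.
zone "." {
    type hint;
    file "named.root";                 // assumed hints file name
};

// One OpenNIC TLD held as a slave zone. "OPENNIC-TLD" stands in for
// the real TLD name; 192.0.2.1 is a documentation address.
zone "OPENNIC-TLD" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/OPENNIC-TLD.zone";
};

// .onion handed to Tor's local DNS listener (assumed DNSPort 9053).
// "forward only" means named asks the forwarder and nothing else; if
// Tor gives no answer the query fails. "forward first" would ask the
// forwarder and then fall back to named's own resolution, which would
// send .onion names towards the public root servers.
zone "onion" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 9053; };
};
```

After a reload, `rndc trace 11` (mentioned in the quoted reply) shows in named.run whether .onion queries go to the forwarder or leave towards the root.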


More information about the bind-users mailing list