Bind 9.10 recursion issues

Lyle Giese lyle at lcrcomputer.net
Fri Dec 4 19:18:33 UTC 2020


Why are you using forwarders?  These cloudflare servers are not 
authoritative for cat.com and don't seem to be open resolvers either.

Lyle Giese

LCR Computer Services, Inc.


On 12/4/20 12:48 PM, Wade Blackwell wrote:
> Good morning from the West Coast,
> It’s been a while since I’ve set up an authoritative 
> bind server from scratch so I may be missing something very basic. 
> First time in a docker container, beside the point but maybe it plays 
> (this looks like a configuration issue in Bind). I’m getting the 
> following errors when trying to resolve domains external to my own;
> ---snip---
> 17:30:04.843 REFUSED unexpected RCODE resolving './NS/IN': 172.64.32.142#53
> 04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53
> 04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53
> 04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 172.64.32.142#53
> 04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET/AAAA/IN': 172.64.32.142#53
> 04-Dec-2020 17:30:04.877 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.33.136#53
> 04-Dec-2020 17:30:04.883 REFUSED unexpected RCODE resolving './NS/IN': 108.162.192.142#53
> 04-Dec-2020 17:30:04.884 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 108.162.192.142#53
> 04-Dec-2020 17:30:04.889 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET/AAAA/IN': 108.162.192.142#53
> 04-Dec-2020 17:30:04.897 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 108.162.192.142#53
> 04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 172.64.33.136#53
> 04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving './NS/IN': 108.162.193.136#53
> ---end---
>
> You’ll notice the above are Cloudflare resolvers (pete/roxy)
> I get a DNSSEC related error when the same resolution is attempted on 
> the OpenDNS servers
>
> ---snip---
> 04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
> 04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53
> 04-Dec-2020 17:30:05.108 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
> 04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN': 208.67.222.222#53
> ---end---
>
> Named.conf has the correct sources for queries;
>
> ---snip---
> acl permit {
>         172.30.0.0/16;
> ---end---
>
> Named.conf.options has the correct forwarders, recursion and query 
> statements (ignore syntax, pulling partials);
>
> ---snip---
>         forwarders {
>                 108.162.193.136;
>                 172.64.33.136;
>                 108.162.192.142;
>                 172.64.32.142;
>                 173.245.58.142;
>                 208.67.220.220;
>                 208.67.222.222;
>         };
>         allow-recursion {
>                 172.30.0.0/16;
>         allow-query {
>                 172.30.0.0/16;
> ---end---
>
> What am I missing here (flame away…)?
>
>     -W
>
> “Solo puedo explicártelo a ti. No puedo entenderlo por ti”
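The log excerpts in the quoted post, tallied per upstream address, as an added example that is not part of either message. It uses log lines copied from the post (wrapped lines joined); the function names and the "refuses recursion" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines copied from the quoted post above (wrapped lines joined).
SAMPLE_LOG = """\
04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.883 REFUSED unexpected RCODE resolving './NS/IN': 108.162.192.142#53
04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53
04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN': 208.67.222.222#53
"""

# "<RCODE> unexpected RCODE resolving '<name>/<type>/<class>': <ip>#<port>"
RCODE_RE = re.compile(r"(\w+) unexpected RCODE resolving '(.+)/(\w+)/(\w+)': ([0-9a-fA-F.:]+)#(\d+)$")
NOKEY_RE = re.compile(r"no valid KEY resolving '(.+)/(\w+)/(\w+)': ([0-9a-fA-F.:]+)#(\d+)$")

def summarize(log_text):
    """Group resolver errors by the upstream address that produced them."""
    per_upstream = defaultdict(
        lambda: {"rcodes": defaultdict(int), "names": set(), "no_valid_key": 0})
    for line in log_text.splitlines():
        m = RCODE_RE.search(line)
        if m:
            rcode, name, rtype, _cls, ip, _port = m.groups()
            per_upstream[ip]["rcodes"][rcode] += 1
            per_upstream[ip]["names"].add(f"{name}/{rtype}")
            continue
        m = NOKEY_RE.search(line)
        if m:
            per_upstream[m.group(4)]["no_valid_key"] += 1
    return per_upstream

def refuses_recursion(summary):
    """Heuristic (assumption of this example): an upstream that answers REFUSED
    for the root NS set, or for more than one distinct query, is probably not
    offering recursion to this client and is a poor choice of forwarder."""
    flagged = []
    for ip, entry in summary.items():
        refused = entry["rcodes"].get("REFUSED", 0)
        if refused and ("./NS" in entry["names"] or len(entry["names"]) > 1):
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("likely not recursing for us:", refuses_recursion(summary))
    print("DNSSEC key failures:", {ip: e["no_valid_key"] for ip, e in summary.items() if e["no_valid_key"]})
```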