DNS error, from a newbie to the real experts..

Josh Kuo josh.kuo at gmail.com
Tue Jul 21 15:39:41 UTC 2020


From what you posted, it appears that when you query the recursive server NS1
(192.168.14.10), it returns no error: it gives back NXDOMAIN with the AD
flag. That would indicate DNSSEC worked. That does not match the log
messages you posted, which would indicate there's a DNSSEC validation error,
in which case you should have received SERVFAIL.

On Mon, Jul 20, 2020 at 11:47 PM Weeltin <weeltinl at gmail.com> wrote:

> Hi Josh,
>
> Thanks for your answer, it made me go through all the config again, just to
> make sure that it wasn't pointing to the authoritative server anywhere but
> in the configuration of the recursive server.
>
> I saw that "recursion requested but not available" when I sent the query
> against the authoritative. Kind of expected that, since it ain't allowed to
> do recursion.
>
> As requested, I ran dig on the authoritative server and I get the
> correct answer, so I expect it has loaded the zone files correctly.
>
> ns2:/home/weeltin# dig @127.0.0.01 example.home
>
> ; <<>> DiG 9.14.12 <<>> @127.0.0.01 example.home
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45487
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: b9129ece5d9fbc3e6f01a2215f15a461388d4af048be37fa (good)
> ;; QUESTION SECTION:
> ;example.home. IN A
>
> ;; AUTHORITY SECTION:
> example.home. 604800 IN SOA ns2.example.home. hostmaster.example.home. 2
> 604800 86400 2419200 604800
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jul 20 14:04:17 UTC 2020
> ;; MSG SIZE  rcvd: 120
>
>
> Just to be sure, I ran the dig command again on my client:
>
> [weeltin at c1 ~]$ dig c1.example.home
>
> ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1787
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 862cc48a975a32a324cd14e65f15ba5e3f2c972d1f753586 (good)
> ;; QUESTION SECTION:
> ;c1.example.home. IN A
>
> ;; AUTHORITY SECTION:
> . 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072000
> 1800 900 604800 86400
>
> ;; Query time: 1043 msec
> ;; SERVER: 192.168.14.10#53(192.168.14.10)
> ;; WHEN: Mon Jul 20 11:38:06 EDT 2020
> ;; MSG SIZE  rcvd: 147
>
>
> Log output from NS1 (recursive)
> <truncate>
> Jul 20 15:38:05 ns1 daemon.info named[4022]:   validating
> example.home/SOA: got insecure response; parent indicates it should be
> secure
> Jul 20 15:38:05 ns1 daemon.info named[4022]: no valid RRSIG resolving
> 'c1.example.home/DS/IN': 192.168.14.20#53
> Jul 20 15:38:06 ns1 daemon.info named[4022]: insecurity proof failed
> resolving 'c1.example.home/A/IN': 192.168.14.20#53
> </truncate>
>
> and there are no log entries on the authoritative server.
>
> /Weeltin
>
> On Sun, Jul 19, 2020 at 6:05 AM Josh Kuo <josh.kuo at gmail.com> wrote:
>
>> When querying your internal domain, I see the query actually ends with
>> “recursion requested but not available”, it looks like you are querying
>> directly against your auth server, so I would check the setting to ensure
>> the zone file is actually loaded correctly.
>>
>> What Mark answered is assuming you are querying the recursive which then
>> returned SERVFAIL due to DNSSEC validation, but I do not see that in the
>> information you provided.
>>
>> Can you run dig on the auth server itself, dig @127.0.0.1 for
>> example.home, and see what it returns?
>>
>>
>>
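The distinction Josh is drawing above (an answer taken straight from the authoritative server, versus an answer a validating resolver vouched for with AD, versus the SERVFAIL a validator returns when validation fails) can be read off the dig header lines. The following script is an added example for this thread, not code from the original post or from BIND: it parses the `->>HEADER<<-` line, the `flags:` line, the "recursion requested but not available" warning, and the owner name of the SOA in the AUTHORITY section (which tells you which zone produced a negative answer: "." here means the root, not example.home, denied the name). The two sample outputs are constructed from the header lines posted in the thread; the SERVFAIL sample is constructed from scratch to show the validation-failure case.

```python
"""Classify a dig response from its header, flags and authority SOA.

Added example (not from the bind-users thread). Samples are constructed.
"""
import re

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
# Owner name of an SOA record in the AUTHORITY section of a negative answer.
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s", re.MULTILINE)
RECURSION_WARNING = "recursion requested but not available"


def parse_dig(output: str) -> dict:
    """Extract opcode, rcode, header flags, recursion warning and negative zone."""
    m = HEADER_RE.search(output)
    if m is None:
        raise ValueError("no dig header line found")
    f = FLAGS_RE.search(output)
    soa = SOA_RE.search(output)
    return {
        "opcode": m.group(1),
        "status": m.group(2),
        "flags": set(f.group(1).split()) if f else set(),
        "recursion_unavailable": RECURSION_WARNING in output,
        "negative_zone": soa.group(1) if soa else None,
    }


def classify(parsed: dict) -> str:
    """Map a parsed response to one of the cases discussed in the thread."""
    flags, status = parsed["flags"], parsed["status"]
    # aa set and ra clear: you asked an authoritative server, not the recursive one.
    if parsed["recursion_unavailable"] or ("aa" in flags and "ra" not in flags):
        return "authoritative-direct"
    # A validating resolver answers SERVFAIL when DNSSEC validation fails;
    # re-run with +cd to see whether the data is reachable without validation.
    if status == "SERVFAIL":
        return "servfail"
    # AD on NOERROR or NXDOMAIN: the resolver validated the (possibly negative) answer.
    if "ad" in flags and status in ("NOERROR", "NXDOMAIN"):
        return "validated"
    if "ra" in flags:
        return "unvalidated"
    return "unknown"


def diagnose(output: str) -> str:
    """One-line reading of a dig output, as a human would do it by eye."""
    p = parse_dig(output)
    kind = classify(p)
    zone = p["negative_zone"]
    if kind == "authoritative-direct":
        return "answered directly by an authoritative server; check zone loading, not validation"
    if kind == "servfail":
        return "SERVFAIL from the resolver; likely a validation failure, compare with dig +cd"
    if kind == "validated":
        extra = f", negative answer proven by zone {zone!r}" if zone else ""
        return f"{p['status']} validated by the resolver (AD set){extra}"
    return f"{p['status']} from a resolver without validation (no AD)"


# Constructed from the authoritative-server dig posted in the thread.
AUTH_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45487
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; AUTHORITY SECTION:
example.home. 604800 IN SOA ns2.example.home. hostmaster.example.home. 2 604800 86400 2419200 604800
"""

# Constructed from the client dig against the recursive server in the thread.
CLIENT_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1787
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072000 1800 900 604800 86400
"""

# Constructed: what a validating resolver returns when validation fails.
SERVFAIL_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name, sample in (("auth", AUTH_SAMPLE), ("client", CLIENT_SAMPLE),
                         ("servfail", SERVFAIL_SAMPLE)):
        print(f"{name:9s} {diagnose(sample)}")
```

Run against the two outputs in the thread, the script reports the authoritative dig as a direct authoritative answer (so it says nothing about validation) and the client dig as an NXDOMAIN validated by the resolver with the denial coming from zone ".", which is the observation Josh makes: the root, not example.home, answered for the name.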