Bind and systemd-resolved

Fred Morris m3047 at m3047.net
Mon Apr 18 16:56:03 UTC 2022


There are a lot of extraneous details in here. This is not a BIND problem.

On Mon, 18 Apr 2022, Leroy Tennison via bind-users wrote:
> When I attempt “dig -t AXFR office.example.com -k Kexample_dns.+157+18424.key” on the DNS server (Bind 9.11) sudoed to root I get:

Why do you need to be root?

> ;; Couldn't verify signature: expected a TSIG or SIG(0); Transfer 
> ;; failed.
> This is an Ubuntu 18.04 system and /etc/systemd/resolved.conf has 
> DNS=127.0.0.1 since the DNS server is running on it.  Systemd-resolved 
> has been restarted afterward.  I've tried using an actual interface 
> address but it doesn't help.  It seems dig tries to use 127.0.0.53 due 
> to its being in /etc/resolv.conf and that fails even though dig for 
> forward/reverse lookups works.

I take it you believe you have things properly configured and are implying 
that you have 127.0.0.1 configured but that it isn't updating resolv.conf 
(which contains the entry 127.0.0.53).

> If I add @127.0.0.1 to the above it 
> works.

BIND is not broken. What happens when you try 127.0.0.53?

> Is there a way to get this to work without having to do that and 
> not setting up the entire network configuration using systemd.  I 
> realize it's not a big effort to add @127.0.0.1 but the reason for the 
> issue is obscure, the error message is misleading

To be determined.

> and my distaste for 
> systemd is sufficient enough that I would prefer avoiding it as much as 
> possible.

I hear you, but avoiding doesn't seem to be making it go away.

        systemd-resolved is a system service that provides network name
        resolution to local applications. It implements a caching and
        validating DNS/DNSSEC stub resolver, as well as an LLMNR and
        MulticastDNS resolver and responder.

(And it listens on 127.0.0.53.)

Maybe you should turn it off.

--

Fred Morris, internet plumber
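The distinction the thread turns on is which resolver dig talks to by default. The following script is an added illustration, not code from either poster: it inspects a constructed resolv.conf of the kind systemd-resolved writes (the file contents are an assumption), reports whether the first nameserver is the 127.0.0.53 stub, and prints the form of dig command that sends a TSIG-keyed AXFR straight to the authoritative BIND on 127.0.0.1 instead of through the stub. The zone, key file name and server address are taken from the quoted message; no network access is needed to run it.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether a resolv.conf points at
# the systemd-resolved stub (127.0.0.53). When it does, a plain
# "dig -t AXFR zone -k keyfile" is sent to the stub rather than to BIND.

# Constructed sample resolv.conf, shaped like the one systemd-resolved
# writes (assumption; contents are made up for the example).
SAMPLE_RESOLV_CONF="$(mktemp)"
cat > "$SAMPLE_RESOLV_CONF" <<'EOF'
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0
search example.com
EOF

# Print the nameserver entries of a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 (true) when the file's first nameserver is the resolved stub.
uses_resolved_stub() {
    first="$(resolv_nameservers "$1" | head -n 1)"
    [ "$first" = "127.0.0.53" ]
}

# Build the dig command that bypasses the stub: a TSIG-keyed AXFR sent
# directly to the authoritative server. Arguments: zone keyfile server.
axfr_cmd() {
    printf 'dig -t AXFR %s -k %s @%s\n' "$1" "$2" "$3"
}

if uses_resolved_stub "$SAMPLE_RESOLV_CONF"; then
    echo "resolv.conf points at the systemd-resolved stub (127.0.0.53);"
    echo "send the keyed zone transfer directly to BIND, e.g.:"
    axfr_cmd office.example.com Kexample_dns.+157+18424.key 127.0.0.1
else
    echo "resolv.conf does not point at the systemd-resolved stub"
fi
```

Running the script against the real /etc/resolv.conf instead of the constructed sample (replace the heredoc with the path) tells you in one step whether the stub is in the path, which is the check the original poster was missing before concluding the error came from BIND.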


More information about the bind-users mailing list