Bind and systemd-resolved

Mark Andrews marka at isc.org
Mon May 2 08:38:50 UTC 2022



> On 2 May 2022, at 18:13, Reindl Harald <h.reindl at thelounge.net> wrote:
> 
> 
> 
> Am 01.05.22 um 23:54 schrieb Nick Tait via bind-users:
>> On 1/05/2022 9:13 pm, Reindl Harald wrote:
>>> Am 01.05.22 um 06:38 schrieb Nick Tait via bind-users:
>>>> I'm not 100% sure, but I wonder if disabling systemd-resolved may create issues if, for example, you are using netplan with systemd-networkd as the renderer? E.g. Will it still be possible to pick up DNS servers from IPv6 router advertisements?
>>> Picking up some nameservers from wherever is exactly what you *don't want* in case you have named running on your machine as resolver
>>> 
>>> you want 127.0.0.1 to act as your resolver no matter what
>> Well, not always... If your local BIND service isn't a recursive resolver
> 
> irrelevant in context of this topic and worth exactly the same as saying "if you don't use bind at all", and honestly I don't get why you responded to that thread nearly a week later at all
> 
> below again the thread start, and it's irrelevant what can be in some completely different context when the problem here is systemd-resolved
> 
> -------------------
> 
> When I attempt “dig -t AXFR office.example.com -k Kexample_dns.+157+18424.key” on the DNS server (Bind 9.11) sudoed to root I get:
> 
> ;; Couldn't verify signature: expected a TSIG or SIG(0)
> ; Transfer failed.
> 
> This is an Ubuntu 18.04 system and /etc/systemd/resolved.conf has DNS=127.0.0.1 since the DNS server is running on it.  Systemd-resolved has been restarted afterward.  I've tried using an actual interface address but it doesn't help.  It seems dig tries to use 127.0.0.53 due to its being in /etc/resolv.conf and that fails even though dig for forward/reverse lookups works.
> 
> If I add @127.0.0.1 to the above it works.  Is there a way to get this to work without having to do that and not setting up the entire network configuration using systemd.  I realize it's not a big effort to add @127.0.0.1 but the reason for the issue is obscure, the error message is misleading and my distaste for systemd is sufficient enough that I would prefer avoiding it as much as possible.  Thanks for any input.

When you are talking to 127.0.0.53 you are talking to systemd and it isn’t configured for TSIG.  I don’t even think it knows about TSIG based on the error message as it indicates one wasn’t present.

When you are talking to 127.0.0.1 you are talking to named and it is configured for TSIG.

When you tell dig to use TSIG and it doesn’t get TSIG in the response it fails the query and complains.  dig also hides most of the extraneous details when performing an AXFR.  Add +all to show these if you want to see them.  Add +qr to see the query.

Mark


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
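The failure mode discussed in this thread, as an added example that is not part of the original post or of BIND: a small POSIX shell check that reads a resolv.conf-style file, detects whether dig would be sent to the systemd-resolved stub on 127.0.0.53, and builds the TSIG AXFR command line pointed at named on 127.0.0.1 instead. The sample files, the zone name and the key file name are constructed for the example; the dig command is printed rather than run.

```shell
# Print the first "nameserver" entry from the given resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeed (exit 0) when queries would go to the systemd-resolved stub,
# which answers forward/reverse lookups but does not speak TSIG.
uses_systemd_stub() {
    [ "$(first_nameserver "$1")" = "127.0.0.53" ]
}

# Pick the server a TSIG-signed AXFR should be sent to: bypass the stub
# and go to named on 127.0.0.1; otherwise keep the configured nameserver
# (assumed here to be a server that is itself configured for TSIG).
axfr_target() {
    ns=$(first_nameserver "$1")
    if [ -z "$ns" ] || [ "$ns" = "127.0.0.53" ]; then
        echo 127.0.0.1
    else
        echo "$ns"
    fi
}

# Build the dig command line with +qr and +all so the query and the
# otherwise hidden transfer details are visible. Printed, not executed.
axfr_command() {
    zone=$1; keyfile=$2; resolvconf=$3
    echo "dig +qr +all -t AXFR $zone -k $keyfile @$(axfr_target "$resolvconf")"
}

# Constructed sample files standing in for /etc/resolv.conf:
# one pointing at the systemd stub, one at a non-stub server (192.0.2.53,
# a documentation address, used here as a placeholder).
SAMPLE_DIR=$(mktemp -d)
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$SAMPLE_DIR/stub.conf"
printf 'search example.com\nnameserver 192.0.2.53\n' > "$SAMPLE_DIR/named.conf"

# Example run: the stub file yields a command aimed at 127.0.0.1.
axfr_command office.example.com Kexample_dns.+157+18424.key "$SAMPLE_DIR/stub.conf"
```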
