Can not query localhost

Mark Andrews marka at isc.org
Fri Jan 13 22:48:24 UTC 2023


Now you went from Oracle Linux 6 to Oracle Linux 9.16 (b.t.w. no one keeps track of
which BIND version ships with which random Linux distro, it is much better to report
the BIND versions as well). In that time there has been a lot of change.  Did you copy
over just the local configuration changes or did you copy over everything?  By local
configuration changes I mean just the zone you added and any acls.  Distros expect you
to put local changes in isolated files so they can update default configurations without
overwriting local config.  Copying everything means that you are missing all those changes.

> On 14 Jan 2023, at 03:48, David Carvalho via bind-users <bind-users at lists.isc.org> wrote:
> 
> 
> Ok, so apparently everything seems to be running fine.
> 
> 
> I am not using DNSSEC (dnssec-validation is auto ?!) and "dnssec-enable
> yes" was considered obsolete by named-checkconf, so it is also commented.
> I had to comment 
> 
> bindkeys-file "/etc/named.iscdlv.key";

Well, what was in "/etc/named.iscdlv.key"?  I suspect it was grossly out
of date.  Anything that mentions DLV is out of date as that has been shut down
for years and is just returning a response that says there is no content here
anymore.  Also the Root’s DNSSEC keys rolled in 2017 and if it hasn’t been updated
since before then the key is out of date.  There should be nothing in there but
public keys which are safe to publish.  Commenting it out meant that you are now
using the built-in trust anchors.  Defaults for DNSSEC have changed over time
(validation is on by default) and using out of date trust anchors with newer
versions of BIND will cause DNSSEC validation failures.

> managed-keys-directory "/var/named/dynamic";
> 
> and everything worked. Still don't understand exactly why, I will continue
> to investigate, but any feedback is welcome.

Named logs why things fail.  Examine the logs.

> Thanks
> Regards
> David
> 
> 
> 
> -----Original Message-----
> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of David
> Carvalho via bind-users
> Sent: 13 January 2023 14:11
> To: 'Marco' <mo01 at posteo.de>; bind-users at lists.isc.org
> Subject: RE: Can not query localhost
> 
> Thanks for the reply.
> Yes
> 
> ACL active. Exact same configuration as in old server named.conf, with a
> different listening IP, of course, which belongs to my LAN ACL.
> 
> Performing "dig @localhost any my.domain" works perfectly. If querying just
> "dig @localhost" or "dig @my.ip", tcpdump shows it trying to connect to
> top-level IPs and I keep getting SERVFAIL.
> 
> 
> Regards.
> David
> 
> 
> -----Original Message-----
> From: Marco <mo01 at posteo.de>
> Sent: 13 January 2023 11:33
> To: bind-users at lists.isc.org
> Cc: David Carvalho <david at di.ubi.pt>
> Subject: Re: Can not query localhost
> 
> On 13.01.2023, David Carvalho via bind-users
> <bind-users at lists.isc.org> wrote:
> 
>> I get SERVFAIL when querying outside my domain.
> 
> Have you enabled an ACL that allows any IP address to query your public
> zones?
> 
> You can only restrict recursive requests to your own IP addresses.
> 
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
> 
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
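
An added example, not part of the original message or of BIND itself: a small Python check that scans a migrated named.conf for the items the message calls out (the obsolete `dnssec-enable`, a `bindkeys-file` override of the built-in trust anchors, anything that mentions DLV) while ignoring commented-out lines. The sample config is constructed, and `dnssec-lookaside` is included as an assumption since the thread does not quote it.

```python
import re

# Directives to flag in a named.conf carried over from an old server.
# "dnssec-lookaside" (the DLV option) is not quoted in the thread; it is an assumption.
STALE = {
    "dnssec-enable": "reported obsolete by named-checkconf",
    "bindkeys-file": "replaces the built-in trust anchors; verify the file is current",
    "dnssec-lookaside": "DLV has been shut down",
}
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop /* */, // and # comments; keep quoted strings and line numbering."""
    def keep(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else "\n" * tok.count("\n")
    return TOKEN.sub(keep, text)

def audit(conf_text):
    """Return (line, item, reason) for each active stale directive or DLV reference."""
    findings = []
    for lineno, line in enumerate(strip_comments(conf_text).splitlines(), 1):
        for name, reason in STALE.items():
            if re.search(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])", line):
                findings.append((lineno, name, reason))
        if re.search("dlv", line, re.I):
            findings.append((lineno, "dlv-reference", "mentions DLV, which is out of date"))
    return findings

# Constructed sample config (not David's actual file).
SAMPLE = '''\
options {
    directory "/var/named";
    // dnssec-enable yes;
    dnssec-validation auto;
    bindkeys-file "/etc/named.iscdlv.key";
    # managed-keys-directory "/var/named/dynamic";
    /* dnssec-lookaside auto;
       trusted-keys for dlv.isc.org */
};
'''

if __name__ == "__main__":
    for lineno, item, reason in audit(SAMPLE):
        print(f"line {lineno}: {item}: {reason}")
```

A finding here only marks a line to review; named's own logs remain the place to see why validation actually failed.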


