Can not query localhost

David Carvalho david at di.ubi.pt
Mon Jan 16 09:38:38 UTC 2023


Hi.
It was not Oracle Linux 9.16 but BIND 9.16.
The problem seemed to be about broken DNSSEC validation; that's why commenting out those entries solved it.
For now I'm not using dnssec, I will have to read about key rotation. If that is still a very manual process, I'll have to be quite confident before I mess with my servers.
Thanks.

David

-----Original Message-----
From: Mark Andrews <marka at isc.org> 
Sent: 13 January 2023 22:48
To: David Carvalho <david at di.ubi.pt>
Cc: bind-users at lists.isc.org
Subject: Re: Can not query localhost

Now you went from Oracle Linux 6 to Oracle Linux 9.16 (b.t.w. no one keeps track of which BIND version ships with which random Linux distro, it is much better to report the BIND versions as well). In that time there has been a lot of change.  Did you copy over just the local configuration changes or did you copy over everything?  By local configuration changes I mean just the zone you added and any acls.  Distros expect you to put local changes in isolated files so they can update default configurations without overwriting local config.  Copying everything means that you are missing all those changes.

> On 14 Jan 2023, at 03:48, David Carvalho via bind-users <bind-users at lists.isc.org> wrote:
> 
> 
> Ok, so apparently everything seems to be running fine.
> 
> 
> I am not using dnssec (dnssec-validation is auto ?!) and 
> "dnssec-enable yes" was considered obsolete by named-checkconf, so it is also commented.
> I had to comment
> 
> bindkeys-file "/etc/named.iscdlv.key";

Well what was in "/etc/named.iscdlv.key"?  I suspect it was grossly out of date.  Anything that mentions DLV is out of date as that has been shut down for years and is just returning a response that says there is no content here anymore.  Also the Root's DNSSEC keys rolled in 2017 and if it hasn't been updated since before then the key is out of date.  There should be nothing in there but public keys which are safe to publish.  Commenting it out meant that you are now using the built-in trust anchors.  Defaults for DNSSEC have changed over time (validation is on by default) and using out of date trust anchors with newer versions of BIND will cause DNSSEC validation failures.

> managed-keys-directory "/var/named/dynamic";
> 
> and everything worked. Still don't understand exactly why, I will 
> continue to investigate, but any feedback is welcome.

Named logs why things fail.  Examine the logs.

> Thanks
> Regards
> David
> 
> 
> 
> -----Original Message-----
> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of David 
> Carvalho via bind-users
> Sent: 13 January 2023 14:11
> To: 'Marco' <mo01 at posteo.de>; bind-users at lists.isc.org
> Subject: RE: Can not query localhost
> 
> Thanks for the reply.
> Yes
> 
> ACL active. Exact same configuration as in old server named.conf, with 
> a different listening IP, of course, which belongs to my LAN ACL.
> 
> Performing "dig @localhost any my.domain" works perfectly. If querying 
> just "dig @localhost" or "dig @my.ip", tcpdump shows it trying to 
> connect to top-level IPs and I keep getting SERVFAIL.
> 
> 
> Regards.
> David
> 
> 
> -----Original Message-----
> From: Marco <mo01 at posteo.de>
> Sent: 13 January 2023 11:33
> To: bind-users at lists.isc.org
> Cc: David Carvalho <david at di.ubi.pt>
> Subject: Re: Can not query localhost
> 
> On 13.01.2023 David Carvalho via bind-users
> <bind-users at lists.isc.org> wrote:
> 
>> I get SERVFAIL when querying outside my domain.
> 
> Have you enabled an ACL that allows any IP address to query your 
> public zones?
> 
> You can only restrict recursive requests to your own IP addresses.
> 
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
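A small audit of a BIND keys file such as /etc/named.iscdlv.key, illustrating the stale-anchor problem Mark describes above (a DLV entry, a static anchor that never rolls, a root anchor whose key tag no longer matches a current root KSK). This is an added example, not code from this thread or from ISC; the SAMPLE file and its key blobs are constructed, the key tag follows RFC 4034 Appendix B, and the set of current root key tags is an input that should come from IANA's published root anchors (20326 is the tag of the 2017 root KSK).

```python
import base64
import re
import struct

# BIND key statement syntax (named.iscdlv.key, bind.keys, named.conf):
#   <zone> [initial-key|static-key] <flags> <protocol> <algorithm> "<base64>";
BLOCK_RE = re.compile(r'(trusted-keys|managed-keys|trust-anchors)\s*\{(.*?)\};', re.S)
ENTRY_RE = re.compile(r'(\S+)\s+(?:(initial-key|static-key)\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')

def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag over the DNSKEY RDATA, as specified in RFC 4034 Appendix B."""
    rdata = struct.pack('!HBB', flags, protocol, algorithm) + base64.b64decode(key_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def audit_keys_file(text, current_root_tags):
    """Return (zone, key tag, finding) for every trust anchor in a keys file."""
    findings = []
    for block, body in BLOCK_RE.findall(text):
        for zone, kind, flags, proto, alg, key in ENTRY_RE.findall(body):
            # the base64 blob may be wrapped over several lines inside the quotes
            tag = key_tag(int(flags), int(proto), int(alg), re.sub(r'\s', '', key))
            if zone.lower().rstrip('.') == 'dlv.isc.org':
                note = 'DLV anchor: ISC shut DLV down, remove this entry'
            elif block == 'trusted-keys' or kind == 'static-key':
                note = 'static anchor: never follows a rollover, must be updated by hand'
            elif zone == '.' and tag not in current_root_tags:
                note = f'root anchor tag {tag} is not a current root KSK, file is stale'
            else:
                note = 'ok'
            findings.append((zone, tag, note))
    return findings
# Constructed sample in the style of an old named.iscdlv.key; key blobs are dummy bytes.
SAMPLE = '''
managed-keys {
    . initial-key 257 3 8 "AQID
                           BA==";
    dlv.isc.org. initial-key 257 3 5 "//8=";
};
trusted-keys {
    example. 257 3 8 "AQIDBA==";
};
'''
if __name__ == '__main__':
    # 20326 is the 2017 root KSK tag; take the current set from https://data.iana.org/root-anchors/
    for zone, tag, note in audit_keys_file(SAMPLE, {20326}):
        print(f'{zone:14} tag {tag:5d}  {note}')
```

Run it against the real file before deleting it; a root anchor reported as "ok" can stay (RFC 5011 will keep it rolling), everything else is what was breaking validation.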
