Querying directly a nameserver works, while forwarding not
Daniele Imbrogino
d.imbrogino at gmail.com
Thu Dec 6 15:46:42 UTC 2012
I'm testing a new configuration on VirtualBox, following the advice of not
forwarding.
Furthermore, I exclude any reference to DNSSEC.
So, in these conditions and assuming an empty cache, if I query for a
remote domain name, my server should query a root-server and then iterate,
right?
Well, Wireshark shows me outgoing queries and incoming responses to/from
root-servers, but "dig www.apple.com" (for example) fails with a timeout.
"syslog" has a lot of "DNS format error ... non-improving referral" and
"error (FORMERR) resolving" entries.
This is my very basic "named.conf" file:
options {
    directory "/var/cache/bind";
};

// Root hints, used to start iterative resolution
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// Local forward zone
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

// Loopback reverse zone
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
I've also updated "db.root" from ftp.internic.net/domain/db.cache.
2012/12/5 Sten Carlsen <stenc at s-carlsen.dk>
>
> On 05/12/12 18:29, Hauke Lampe wrote:
>
> On 05.12.2012 14:59, Daniele Imbrogino wrote:
>
> resolv.conf contains only 127.0.0.1 as nameserver.
>
> The syslog contains a lot of errors as "insecurity proof failed", "no
> valid
> RRSIG", "got insecure response" that I don't understand.
>
>
> Your forwarder probably doesn't handle DNSSEC responses well. Therefore
> your BIND cannot validate the answers and returns a failure code.
>
> Either update the forwarder/enable DNSSEC (older versions of BIND 9
> require "dnssec-enable yes;" in the options clause), or disable DNSSEC
> validation in your local BIND (set "dnssec-validation no;").
>
> Or consider not doing forwarding, that usually gives fewer problems if
> possible.
>
>
>
>
> Hauke
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
> "MALE BOVINE MANURE!!!"
>
>
>
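An added example, not part of the original message or of BIND: a small triage script that separates the two sets of syslog errors mentioned in this thread (the DNSSEC validation failures seen while forwarding, and the format errors seen while iterating) and counts them per upstream server, so it is visible whether the validation failures cluster on the forwarder as the quoted reply suggests. The sample log lines, host name, and addresses are constructed; the line layout is an assumption modelled on named's syslog output.

```python
import re
from collections import Counter, defaultdict

# Message fragments quoted in the thread, grouped by the symptom they indicate.
CATEGORIES = {
    "dnssec-validation": ("insecurity proof failed", "no valid RRSIG",
                          "got insecure response"),
    "format-error": ("non-improving referral", "(FORMERR)"),
}
# An upstream address as it appears in the log: IPv4 followed by "#port".
UPSTREAM = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})#\d+")

# Constructed sample lines (documentation address ranges, hypothetical host "vbox").
SAMPLE_LOG = """\
Dec  5 14:50:01 vbox named[812]: error (no valid RRSIG) resolving 'example.com/DS/IN': 192.0.2.1#53
Dec  5 14:50:01 vbox named[812]: error (insecurity proof failed) resolving 'example.com/A/IN': 192.0.2.1#53
Dec  5 14:50:02 vbox named[812]: validating @0xb5a0f008: example.com A: got insecure response; parent indicates it should be secure
Dec  6 15:40:10 vbox named[901]: DNS format error from 198.51.100.7#53 resolving www.example.com/A for client 127.0.0.1#40112: non-improving referral
Dec  6 15:40:10 vbox named[901]: error (FORMERR) resolving 'www.example.com/A/IN': 198.51.100.7#53
Dec  6 15:40:11 vbox named[901]: zone localhost/IN: loaded serial 2
"""

def classify(line):
    """Return (category, upstream) for a matching log line, or None if unrelated."""
    for category, needles in CATEGORIES.items():
        if any(n in line for n in needles):
            # The first address#port on these lines is the server that answered.
            m = UPSTREAM.search(line)
            return category, (m.group(1) if m else None)
    return None

def triage(log_text):
    """Count matching lines per category and per upstream server."""
    totals = Counter()
    by_upstream = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            category, upstream = hit
            totals[category] += 1
            if upstream:
                by_upstream[upstream][category] += 1
    return totals, by_upstream

if __name__ == "__main__":
    totals, by_upstream = triage(SAMPLE_LOG)
    for category, count in totals.items():
        print(f"{category}: {count}")
    for upstream, counts in sorted(by_upstream.items()):
        print(f"  {upstream}: {dict(counts)}")
```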