Bind and systemd-resolved
Fred Morris
m3047 at m3047.net
Mon Apr 18 16:56:03 UTC 2022
There are a lot of extraneous details in here. This is not a BIND problem.
On Mon, 18 Apr 2022, Leroy Tennison via bind-users wrote:
> When I attempt “dig -t AXFR office.example.com -k Kexample_dns.+157+18424.key” on the DNS server (Bind 9.11) sudoed to root I get:
Why do you need to be root?
> ;; Couldn't verify signature: expected a TSIG or SIG(0)
> ;; Transfer failed.
> This is an Ubuntu 18.04 system and /etc/systemd/resolved.conf has
> DNS=127.0.0.1 since the DNS server is running on it. Systemd-resolved
> has been restarted afterward. I've tried using an actual interface
> address but it doesn't help. It seems dig tries to use 127.0.0.53 due
> to its being in /etc/resolv.conf and that fails even though dig for
> forward/reverse lookups works.
I take it you believe you have things properly configured and are implying
that you have 127.0.0.1 configured but that it isn't updating resolv.conf
(which contains the entry 127.0.0.53).
> If I add @127.0.0.1 to the above it
> works.
BIND is not broken. What happens when you try 127.0.0.53?
> Is there a way to get this to work without having to do that and
> not setting up the entire network configuration using systemd? I
> realize it's not a big effort to add @127.0.0.1 but the reason for the
> issue is obscure, the error message is misleading
To be determined.
> and my distaste for
> systemd is sufficient enough that I would prefer avoiding it as much as
> possible.
I hear you, but avoiding doesn't seem to be making it go away.
systemd-resolved is a system service that provides network name
resolution to local applications. It implements a caching and
validating DNS/DNSSEC stub resolver, as well as an LLMNR and
MulticastDNS resolver and responder.
(And it listens on 127.0.0.53.)
Maybe you should turn it off.
--
Fred Morris, internet plumber
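As an added example (not code from this thread, nor from BIND or systemd), here is a small POSIX shell check that reads a resolv.conf, reports whether dig's default nameserver would be systemd-resolved's stub listener on 127.0.0.53, and prints the AXFR command with the server named explicitly, which is the workaround the thread ends up with. The two resolv.conf files it runs against are constructed inline; the zone name, key file name and server address are the ones from the thread, used only as placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the resolver dig
# would use by default is systemd-resolved's stub listener, and prints the
# explicit "@server" AXFR invocation that bypasses it. Zone, key file and
# server address below are placeholders taken from the thread.

STUB_ADDR=127.0.0.53                              # systemd-resolved stub listener
STUB_LINK=/run/systemd/resolve/stub-resolv.conf   # default symlink target of /etc/resolv.conf under resolved

# first_nameserver FILE: print the first "nameserver" entry, ignoring comments
# and other keywords (search, options, ...). Prints nothing if there is none.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# uses_systemd_stub FILE: true if the first nameserver is the stub address.
uses_systemd_stub() {
    [ "$(first_nameserver "$1")" = "$STUB_ADDR" ]
}

# resolv_managed_by_resolved FILE: true if FILE is a symlink to resolved's stub file.
resolv_managed_by_resolved() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$STUB_LINK" ]
}

# axfr_cmd ZONE KEYFILE SERVER: the direct dig invocation, naming the server so
# the TSIG-signed transfer request reaches named instead of the stub.
axfr_cmd() {
    printf 'dig @%s -t AXFR %s -k %s\n' "$3" "$1" "$2"
}

# check_and_advise RESOLVCONF ZONE KEYFILE AUTH_ADDR: report the default resolver
# and print the command to run. Returns 1 when the stub is in use, 2 when no
# nameserver entry was found, 0 otherwise.
check_and_advise() {
    resolvconf=$1 zone=$2 keyfile=$3 auth=$4
    ns=$(first_nameserver "$resolvconf")
    if [ -z "$ns" ]; then
        echo "no nameserver entry in $resolvconf"
        return 2
    fi
    if uses_systemd_stub "$resolvconf"; then
        echo "default resolver $ns is the systemd-resolved stub; send the AXFR direct:"
        axfr_cmd "$zone" "$keyfile" "$auth"
        return 1
    fi
    echo "default resolver $ns is not the stub; dig will reach it without @server"
    return 0
}

# Constructed sample resolv.conf files (not from the thread), in a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/stub-resolv.conf" <<'EOF'
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0
search office.example.com
EOF
cat > "$demo_dir/direct-resolv.conf" <<'EOF'
nameserver 127.0.0.1
search office.example.com
EOF

check_and_advise "$demo_dir/stub-resolv.conf"   office.example.com Kexample_dns.+157+18424.key 127.0.0.1 || true
check_and_advise "$demo_dir/direct-resolv.conf" office.example.com Kexample_dns.+157+18424.key 127.0.0.1
rm -r "$demo_dir"
```

The stub address and the stub-resolv.conf symlink target are systemd-resolved's defaults. If you take Fred's advice and turn the stub off rather than naming the server on every dig, DNSStubListener=no in the [Resolve] section of /etc/systemd/resolved.conf stops it binding 127.0.0.53; /etc/resolv.conf then has to point at a nameserver that actually answers, otherwise ordinary lookups break too.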