From: Mark Andrews
Newsgroups: comp.protocols.dns.bind
Subject: Re: DNS error, from a newbee to the real experts..
Date: Sun, 19 Jul 2020 11:10:33 +1000
To: Weeltin
Cc: bind-users@lists.isc.org
List-Id: BIND Users Mailing List

Your problem comes from the fact that BIND 9.14 has DNSSEC validation enabled by default (unless disabled at configure time or in named.conf) and the answers from the grafted-on namespace (.home) fail DNSSEC validation, as there is not an insecure delegation for .home to break the DNSSEC chain of trust. You can use validate-except to teach the recursive server not to validate parts of the namespace, but it is NOT RECOMMENDED as it doesn't help validating clients. e.g.

validate-except { home; };

I would stop trying to use .home as it has not been delegated for home use.
Use home.arpa instead, which has been reserved for home use and has an insecure delegation to break the DNSSEC chain of trust, pointing at servers which only return NXDOMAIN for names under home.arpa. This is the same delegation model used for the RFC 1918 reverse zones. Note that DS is absent from the list of types at the delegation point in the NSEC record. There was an attempt made to delegate .home this way but it floundered on ICANN/IETF politics. e.g.

home.arpa.              172800  IN      NS      blackhole-1.iana.org.
home.arpa.              172800  IN      NS      blackhole-2.iana.org.
home.arpa.              86400   IN      NSEC    in-addr.arpa. NS RRSIG NSEC
home.arpa.              86400   IN      RRSIG   NSEC 8 2 86400 20200731120000 20200718110000 57156 arpa.
                                lSqLNz1E/6WkAUDAJDnvo9X248B+PAWM34s0S0PJFjPi4YLoE//6zSR6
                                Dgm0T+2qV2KrgvYbOzHV9Z/lRopFxSEJSSwoHgrUmfofXmIbQiKgQHBi
                                g9dvL8yeJm0cRe6QMuM1q/D/3+AnPv5OQNBhC6+UEA+enO3JtDbvjr/H
                                XfPPvfDfozacZkHPe+AYpJbmT7qfHv8Gw/BeeNtDex9jMoDbJ2l0BLT1
                                UTPKE9+Abrh3RawcKBF3BbLNWU6AhIkOLZRADGMjcZg1M/IHUk/rOWXV
                                EMZihg1+5I4GSmaRDN0jTX9g5jr822EZfaZLmCKlcGYMMHVOkMUA7k0r
                                +v/Zrg==

If you are using forward zones (not recommended) set "forward only;" as you don't want to fall back to querying servers on the global Internet when grafting on namespace. If you do use a forward zone then the servers being forwarded to need to either a) serve the *entire* namespace under the forward zone, or b) be configured as recursive servers.

zone home.arpa {
        type forward;
        forward only;
        forwarders { 192.168.14.20; };
};

I would recommend using secondary zones rather than forward zones for grafting on namespaces; just ensure that all the slave servers are receiving NOTIFY messages (use also-notify) so that they receive changes fast. Fast propagation of changes is needed in a home environment. Secondary zones also provide a break in the DNSSEC chain of trust as far as the recursive server is concerned.
They however do not break the DNSSEC chain of trust for any DNSSEC validating clients of the recursive server.

zone home.arpa {
        type secondary;
        primaries { 192.168.14.20; };
        file "home.arpa.db";
        ...
};

zone home.arpa {
        type primary;
        file "home.arpa.db";
        also-notify { address list; };
        ...
};

Also forget any garbage that recursive servers should not also serve zones. People have taken the advice that listed authoritative servers shouldn't be recursive (which is good advice when serving zones to the public) and inverted it to come up with bad advice.

Mark

> On 18 Jul 2020, at 05:18, Weeltin wrote:
> 
> Hello all,
> 
> I'm trying to implement a DNS structure, containing a recursive and authoritative server, but in doing so, I have run into a small problem. I can make DNS queries from a client toward the net, but when I try to do the same toward my internal domain, I get no result. I have spent days trying to figure out what is going on, but to no avail; I therefore hope that someone on this list can point me in the right direction or outright tell what is wrong.
> 
> /Weeltin.
> 
> -----DIG troubleshoots
> 
> [weeltin@c1 ~]$ cat /etc/resolv.conf
> # Generated by NetworkManager
> nameserver 192.168.14.10
> 
> [weeltin@c1 ~]$ dig google.com
> ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> google.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48932
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: c1bc4a11c40bd755905c8c705f11f5ffe699cc0116ed8ba5 (good)
> ;; QUESTION SECTION:
> ;google.com.                    IN      A
> 
> ;; ANSWER SECTION:
> google.com.             300     IN      A       216.58.211.142
> 
> ;; Query time: 179 msec
> ;; SERVER: 192.168.14.10#53(192.168.14.10)
> ;; WHEN: Fri Jul 17 15:03:27 EDT 2020
> ;; MSG SIZE  rcvd: 83
> 
> 
> [weeltin@c1 ~]$ dig c1.example.home
> ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62602
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: cf8876e3b35138f47040188e5f11f64a91445aa4f8310f5a (good)
> ;; QUESTION SECTION:
> ;c1.example.home.               IN      A
> 
> ;; AUTHORITY SECTION:
> .                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020071701 1800 900 604800 86400
> 
> ;; Query time: 263 msec
> ;; SERVER: 192.168.14.10#53(192.168.14.10)
> ;; WHEN: Fri Jul 17 15:04:42 EDT 2020
> ;; MSG SIZE  rcvd: 147
> 
> 
> [weeltin@c1 ~]$ dig @192.168.14.20 c1.example.home
> 
> ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> @192.168.14.20 c1.example.home
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20704
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 747289c94876cf349034aec35f11f794a29c6747bb6a694f (good)
> ;; QUESTION SECTION:
> ;c1.example.home.               IN      A
> 
> ;; ANSWER SECTION:
> c1.example.home.        604800  IN      A       192.168.14.1
> 
> ;; Query time: 0 msec
> ;; SERVER: 192.168.14.20#53(192.168.14.20)
> ;; WHEN: Fri Jul 17 15:10:12 EDT 2020
> ;; MSG SIZE  rcvd: 88
> 
> 
> ----- information and configurations ----
> 
> OS: Alpine 3.12
> 
> Bind: bind 9.14.12
> 
> Ns1: 192.168.14.10 (recursive)
> 
> Ns2: 192.168.14.20 (authoritative)
> 
> C1: 192.168.14.1 (client)
> 
> --- recursive config (NS1)
> 
> // recursive named.conf
> //
> acl trusted {
>         192.168.14.0/24;
>         localhost;
> };
> 
> acl rfc1918 {
>         10.0.0.0/8;
>         172.16.0.0/12;
>         !192.168.14.0/24;
>         192.168.0.0/16;
> };
> 
> acl rfc5735 {
>         0.0.0.0/8;
>         169.254.0.0/16;
>         192.0.0.0/24;
>         192.0.2.0/24;
>         192.88.99.0/24;
>         198.18.0.0/15;
>         198.51.100.0/24;
>         203.0.113.0/24;
>         224.0.0.0/4;
> };
> 
> options {
>         directory "/var/bind";
>         listen-on {
>                 127.0.0.1;
>                 192.168.14.10;
>         };
>         listen-on-v6 {
>                 none;
>         };
>         allow-query {
>                 trusted;
>         };
>         //query-source address * port 53;
>         allow-query-cache {
>                 trusted;
>         };
>         blackhole {
>                 rfc1918;
>                 rfc5735;
>         };
>         allow-transfer {
>                 none;
>         };
>         pid-file "/var/run/named/named.pid";
> 
>         // Changing this is NOT RECOMMENDED; see the notes above and in
>         // named.conf.recursive.
>         allow-recursion {
>                 trusted;
>         };
>         recursion yes;
> };
> 
> zone "." IN {
>         type hint;
>         file "root.cache";
> };
> 
> zone "localhost" IN {
>         type master;
>         file "pri/localhost.zone";
>         allow-update { none; };
>         notify no;
> };
> 
> zone "127.in-addr.arpa" IN {
>         type master;
>         file "pri/127.zone";
>         allow-update { none; };
>         notify no;
> };
> 
> zone "example.home" {
>         type forward;
>         forwarders { 192.168.14.20; };
> };
> 
> 
> --- authoritative config (NS2)
> 
> // authoritative named.conf
> //
> acl trusted {
>         192.168.14.0/24;
>         localhost;
> };
> 
> acl rfc1918 {
>         10.0.0.0/8;
>         172.16.0.0/12;
>         !192.168.14.0/24;
>         192.168.0.0/16;
> };
> 
> acl rfc5735 {
>         0.0.0.0/8;
>         169.254.0.0/16;
>         192.0.0.0/24;
>         192.0.2.0/24;
>         192.88.99.0/24;
>         198.18.0.0/15;
>         198.51.100.0/24;
>         203.0.113.0/24;
>         224.0.0.0/4;
> };
> 
> options {
>         directory "/var/bind";
> 
>         // Configure the IPs to listen on here.
>         listen-on {
>                 127.0.0.1;
>                 192.168.14.20;
>         };
>         listen-on-v6 {
>                 none;
>         };
> 
>         allow-query {
>                 trusted;
>         };
> 
>         //query-source address * port 53;
> 
>         allow-query-cache {
>                 trusted;
>         };
> 
>         blackhole {
>                 rfc5735;
>                 rfc1918;
>         };
> 
>         allow-transfer {
>                 none;
>         };
> 
>         // Cryptographic authentication of DNS information
>         // ENABLE LATER
>         //dnssec-enable yes;
>         //dnssec-validation yes;
> 
>         pid-file "/var/run/named/named.pid";
> 
>         // Changing this is NOT RECOMMENDED for an authoritative nameserver
>         allow-recursion { none; };
>         recursion no;
> };
> 
> zone "example.home" {
>         type master;
>         file "/etc/bind/db.example.home.zone";
> };
> 
> zone "14.168.192.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.14.168.192.zone";
> };
> 
> 
> ; ZONE file for example.home.
> ;
> $TTL 604800
> @       IN      SOA     ns2.example.home. hostmaster.example.home. (
>                         2               ; Serial
>                         604800          ; Refresh 1week
>                         86400           ; Retry
>                         2419200         ; Expire 28days
>                         604800          ; Negative Cache TTL
>                         )
> ;; name servers (NS)
> ;; only authoritative servers
> @       IN      NS      ns2.example.home.
> ns2     IN      A       192.168.14.20
> ;; hosts (A)
> ns1     IN      A       192.168.14.10
> c1      IN      A       192.168.14.1
> 
> ;; alias (CNAME)
> client  IN      CNAME   c1
> 
> 
> ; ZONE file for 14.168.192.in-addr.arpa.
> ;
> $TTL 604800
> @       IN      SOA     ns2.example.home. hostmaster.example.home. (
>                         1               ; Serial
>                         604800          ; Refresh 1week
>                         86400           ; Retry
>                         2419200         ; Expire 28days
>                         604800          ; Negative Cache TTL
>                         )
> ;; name servers (NS)
> ;; only authoritative servers
> @       IN      NS      ns2.example.home.
> 20      IN      PTR     ns2.example.home.
> ;; pointer records (PTR)
> 1       IN      PTR     c1.example.home.
> 10      IN      PTR     ns1.example.home.
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
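The whole thread turns on one detail in Mark's reply: the NSEC at the home.arpa delegation point lists NS, RRSIG and NSEC but not DS, which is what lets a validating resolver treat everything below home.arpa as provably unsigned, whereas the root can only prove that .home does not exist at all (hence the validated NXDOMAIN, with the ad flag set, that Weeltin's dig shows). The following is an added example, not part of either post and not BIND code: a small Python decoder for RFC 4034 NSEC RDATA (next owner name plus the windowed type bitmap) that reports whether a delegation point is insecure, i.e. NS present and DS absent. The wire bytes for home.arpa are constructed by hand from the record quoted in the reply; the contrasting "signed child" record is invented for illustration and does not correspond to any real zone.

```python
"""Decode an NSEC type bitmap and check for an insecure (DS-less) delegation.

Added example, not from the bind-users thread. Implements the NSEC RDATA
wire format of RFC 4034 section 4.1: an uncompressed next-owner name followed
by one or more (window, length, bitmap) blocks. Sample RDATA is constructed
by hand below.
"""

# RR type codes (IANA DNS parameters registry).
TYPE_NS = 2
TYPE_DS = 43
TYPE_RRSIG = 46
TYPE_NSEC = 47
TYPE_NAMES = {1: "A", 6: "SOA", TYPE_NS: "NS", TYPE_DS: "DS",
              TYPE_RRSIG: "RRSIG", TYPE_NSEC: "NSEC"}


def read_name(buf, offset):
    """Read a wire-format name; NSEC RDATA names must not use compression."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in NSEC RDATA")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def decode_type_bitmap(buf, offset):
    """Expand RFC 4034 window blocks into the set of RR type codes present."""
    types = set()
    while offset < len(buf):
        window = buf[offset]
        length = buf[offset + 1]
        if not 1 <= length <= 32:
            raise ValueError("bitmap length must be 1..32")
        bitmap = buf[offset + 2:offset + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap block")
        offset += 2 + length
        for byte_index, byte in enumerate(bitmap):
            for bit in range(8):
                # Bit 0 of the block is the most significant bit of byte 0.
                if byte & (0x80 >> bit):
                    types.add(window * 256 + byte_index * 8 + bit)
    return types


def parse_nsec_rdata(rdata):
    """Return (next owner name, set of type codes) for one NSEC RDATA."""
    next_name, offset = read_name(rdata, 0)
    return next_name, decode_type_bitmap(rdata, offset)


def is_insecure_delegation(rdata):
    """NS present and DS absent at a delegation point proves an unsigned child."""
    _, types = parse_nsec_rdata(rdata)
    return TYPE_NS in types and TYPE_DS not in types


# Constructed from the record in the reply: "home.arpa. NSEC in-addr.arpa. NS RRSIG NSEC".
# Window 0, 6 bytes: NS=2 -> byte 0 bit 2 (0x20); RRSIG=46 and NSEC=47 -> byte 5 (0x02|0x01).
HOME_ARPA_NSEC = (
    b"\x07in-addr\x04arpa\x00"      # next owner name: in-addr.arpa.
    b"\x00\x06"                      # window 0, bitmap length 6
    b"\x20\x00\x00\x00\x00\x03"      # NS RRSIG NSEC
)

# Invented contrast (hypothetical signed child): DS=43 -> byte 5 bit 3 (0x10) is also set.
SIGNED_DELEGATION_NSEC = (
    b"\x07in-addr\x04arpa\x00"
    b"\x00\x06"
    b"\x20\x00\x00\x00\x00\x13"      # NS DS RRSIG NSEC
)


if __name__ == "__main__":
    for label, rdata in (("home.arpa", HOME_ARPA_NSEC),
                         ("hypothetical signed child", SIGNED_DELEGATION_NSEC)):
        nxt, types = parse_nsec_rdata(rdata)
        names = sorted(TYPE_NAMES.get(t, f"TYPE{t}") for t in types)
        print(f"{label}: next={nxt} types={names} "
              f"insecure_delegation={is_insecure_delegation(rdata)}")
```

The same check is what a validator performs when it walks down from the arpa. trust anchor: the signed NSEC (covered by the RRSIG shown in the reply) proves there is no DS for home.arpa, so data served from a grafted-on home.arpa zone is accepted as insecure rather than bogus. No such NSEC exists for .home because the root proves the name itself is absent, which is why only validate-except or a different name fixes the original setup.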