
Re: bind9 and dns forward



On 1 June 2023, Bonno Bloksma wrote:

> I can do that, but ... that is only for inbound traffic TO my dns server on this network.
> That part is working without any problem. Changing that will not change anything for the clients on this network.

You are right. I simply used to fix interfaces explicitly for
security, and that's not the point here.

> My bind instance can reach the company dns server but claims the response is false/insecure
> Does that maybe mean that my bind gets a "normal" response from the company
> dns whereas the external dns at toplevel .nl. (being the parent zone) tells
> that any response from a tio.nl dns server should be a secure response. And
> therefore bind does not accept it?

I reread all our mails and I forgot to ask you this one (as answers via
external dns masked the real problem):

dig tio.nl NS +cd

If you get an answer it's a dnssec problem with the error message in your
logs. If there is no answer it's another problem.

> Where does bind store this info and can I overrule it?

I am not sure but I think bind only caches in memory.
And it's definitely not a good solution, but you could transfer the
full zone (or get a copy of the file) and serve it as master.
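
The `+cd` test described in the message above, as an added example that is not part of the original mail: a small classifier that compares the header of a normal `dig` reply with the header of the same query sent with `+cd` (checking disabled). The function names and the two sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a resolver failure is a DNSSEC validation
# failure by comparing a normal dig reply with the +cd reply.

# Constructed sample dig headers (not captured from a real server).
SAMPLE_PLAIN_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Print the rcode ("status:") from a dig reply header.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the ANSWER section count from a dig reply header.
dig_answers() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# classify PLAIN_OUTPUT CD_OUTPUT
#   ok     : the normal query already returns answers
#   dnssec : only the +cd query returns answers, so validation is rejecting them
#   other  : no answers even with +cd, so the problem is not DNSSEC
classify() {
    plain_status=$(dig_status "$1"); plain_n=$(dig_answers "$1")
    cd_status=$(dig_status "$2");    cd_n=$(dig_answers "$2")
    if [ "$plain_status" = "NOERROR" ] && [ "${plain_n:-0}" -gt 0 ]; then
        echo "ok"
    elif [ "$cd_status" = "NOERROR" ] && [ "${cd_n:-0}" -gt 0 ]; then
        echo "dnssec"
    else
        echo "other"
    fi
}

# Live use against the local resolver (requires network access):
#   classify "$(dig tio.nl NS)" "$(dig tio.nl NS +cd)"
```

A `dnssec` result should line up with a validation error for the zone in the bind logs, as the message says.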

