
Re: Re: Re: dnsmasq and SOA


On Wed, Mar 07, 2018 at 10:19:32PM +0100, RODARY Jacques wrote:
> 	Sorry for my last post: I sent a draft mail instead of the corrected one.  Let's go back to my own concern: dnsmasq and soa, 
> if you don't mind. Here is my dnsmasq.conf file: 
> resolv-file=/etc/dnsmasqresolv.conf
> interface=eno1
> interface=wlp3s0
> no-dhcp-interface=enp2s0
> auth-zone=rodary.net
> auth-soa=2018022800,root.ns.rodary.net,10800,3600,10800
> dhcp-range=,,infinite
>  As you guessed enp2s0 (eth0 now) is my INET interface.
> 	Shouldn't I add an "auth-peer=" line for AXFR to ns6.gandi.net? With all my stupid previous acts, I don't dare to try it,
> especially when it could affect outside hosts e.g. my registrar.

I never tried it myself, but the manpage says this on auth-peer:

If this option is not given, then AXFR requests will be accepted from any secondary.

The way I understand it, your configuration should work without
auth-peer, while being somewhat insecure. You may need to specify
ns6.gandi.net as secondary through auth-sec-servers, on the other hand.

Yet your configuration does not work, apparently, as 'dig +trace'
shows me this:

rodary.net.             3600    IN      SOA     ns.rodary.net. root.ns.rodary.net. 2018022101 10800 3600 604800 3600
rodary.net.             3600    IN      NS      ns.rodary.net.
rodary.net.             3600    IN      NS      ns6.gandi.net.
;; Received 169 bytes from in 64 ms

Did your previous BIND configuration implement DNSSEC? Your dnsmasq
should not provide DS records with this config, yet Gandi resolver could
require them.
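
The points raised in this message can be checked mechanically. The following is an added example, not part of the original post and not dnsmasq's own code: a small lint that flags an auth-zone without auth-peer (AXFR open to any secondary), a missing auth-sec-servers line, and a served SOA serial that differs from the configured one. The function names are hypothetical; the config and the SOA record are copied from the thread.

```python
# Added example: lint a dnsmasq authoritative-zone config for the points raised in this thread.
# CONF is the configuration quoted above; SERVED_SOA is the dig +trace record, joined onto one line.
CONF = """\
resolv-file=/etc/dnsmasqresolv.conf
interface=eno1
interface=wlp3s0
no-dhcp-interface=enp2s0
auth-zone=rodary.net
auth-soa=2018022800,root.ns.rodary.net,10800,3600,10800
"""
SERVED_SOA = ("rodary.net. 3600 IN SOA ns.rodary.net. root.ns.rodary.net. "
              "2018022101 10800 3600 604800 3600")

def parse_conf(text):
    """Map each option name to the list of values given for it."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):   # blank line or comment
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def soa_serial(record):
    """Serial of a presentation-format SOA record: third field after the SOA type."""
    fields = record.split()
    return int(fields[fields.index("SOA") + 3])

def audit(conf_text, served_soa=None):
    """Return (code, detail) findings for a config that declares an auth-zone."""
    opts = parse_conf(conf_text)
    if "auth-zone" not in opts:
        return []
    findings = []
    if not any(opts.get("auth-peer", [])):     # absent or empty value
        findings.append(("open-axfr", "no auth-peer: AXFR accepted from any secondary"))
    if not any(opts.get("auth-sec-servers", [])):
        findings.append(("no-sec-servers", "secondary name servers not declared"))
    if served_soa and opts.get("auth-soa"):
        configured = int(opts["auth-soa"][0].split(",")[0])
        served = soa_serial(served_soa)
        if configured != served:
            findings.append(("serial-mismatch", f"configured {configured}, served {served}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(CONF, SERVED_SOA):
        print(f"{code}: {detail}")
```

A serial mismatch here means the record seen by dig did not come from the zone this dnsmasq.conf describes.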

