Re: Re: Re: dnsmasq and SOA

[Reco <recoverym4n@gmail.com>]

	Hi.

On Wed, Mar 07, 2018 at 10:19:32PM +0100, RODARY Jacques wrote:
> 	Sorry for my last post: I sent a draft mail instead of the corrected one.  Let's go back to my own concern: dnsmasq and soa, 
> if you don't mind. Here is my dnsmasq.conf file: 
> resolv-file=/etc/dnsmasqresolv.conf
> 
> interface=eno1
> interface=wlp3s0
> no-dhcp-interface=enp2s0
> 
> auth-zone=rodary.net
> 
> auth-soa=2018022800,root.ns.rodary.net,10800,3600,10800
> 
> dhcp-range=10.42.0.20,10.42.0.200,infinite
> 
>  As you guessed enp2s0 (eth0 now) is my INET interface.
>  
> 	Shouldn't I add a "auth-peer=217.70.177.40" line for AXFR to ns6.gandi.net? With all my stupid previous acts, I don't dare to try it, 
> specially when it could affect outside hosts e.g. my registrar.

I never tried it myself, but the manpage says this on auth-peer:

If this option is not given, then AXFR requests will be accepted from any secondary.


The way I understand it, your configuration should work without
auth-peer, while being somewhat insecure. You may need to specify
ns6.gandi.net as secondary through auth-sec-servers, on the other hand.

Yet your configuration does not work, apparently, as 'dig +trace'
shows me this:

rodary.net.             3600    IN      SOA     ns.rodary.net.
root.ns.rodary.net. 2018022101 10800 3600 604800 3600
rodary.net.             3600    IN      NS      ns.rodary.net.
rodary.net.             3600    IN      NS      ns6.gandi.net.
;; Received 169 bytes from 217.70.177.40#53(ns6.gandi.net) in 64 ms


Did your previous BIND configuration implement DNSSEC? Your dnsmasq
should not provide DS records with this config, yet Gandi resolver could
require them.

Reco