Re: dnsmasq and SOA

To: Reco <recoverym4n@gmail.com>, debian-user@lists.debian.org
Subject: Re: dnsmasq and SOA
From: Jacques Rodary <rodaryj@free.fr>
Date: Thu, 8 Mar 2018 18:58:18 +0100
Message-id: <[🔎] 28d076f1-7f33-e6e8-a503-cd7bda5e37a0@free.fr>
In-reply-to: <[🔎] 20180308085118.uire3qhcwzsnqtpq@p5k.home>
References: <[🔎] 20180301063654.b3s65pefbtu4vqmn@p5k.home> <[🔎] 1520457572.7912.1.camel@free.fr> <[🔎] 20180308085118.uire3qhcwzsnqtpq@p5k.home>



On 08/03/2018 09:51, Reco wrote:

	Hi.

On Wed, Mar 07, 2018 at 10:19:32PM +0100, RODARY Jacques wrote:

	Sorry for my last post: I sent a draft mail instead of the corrected one.  Let's go back to my own concern: dnsmasq and soa,
if you don't mind. Here is my dnsmasq.conf file:
resolv-file=/etc/dnsmasqresolv.conf

interface=eno1
interface=wlp3s0
no-dhcp-interface=enp2s0

auth-zone=rodary.net

auth-soa=2018022800,root.ns.rodary.net,10800,3600,10800

	Shouldn't I add a "auth-peer=217.70.177.40" line for AXFR to ns6.gandi.net? With all my stupid previous acts, I don't dare to try it,
specially when it could affect outside hosts e.g. my registrar.

I never tried it myself, but the manpage says this on auth-peer:

If this option is not given, then AXFR requests will be accepted from any secondary.


The way I understand it, your configuration should work without
auth-peer, while being somewhat insecure. You may need to specify
ns6.gandi.net as secondary through auth-sec-servers, on the other hand.

Yet your configuration does not work, apparently, as 'dig +trace'
shows me this:

rodary.net.             3600    IN      SOA     ns.rodary.net.
root.ns.rodary.net. 2018022101 10800 3600 604800 3600
rodary.net.             3600    IN      NS      ns.rodary.net.
rodary.net.             3600    IN      NS      ns6.gandi.net.
;; Received 169 bytes from 217.70.177.40#53(ns6.gandi.net) in 64 ms

Today "dig in soa rodary.net" gives me:

rodary.net. 600 IN SOA . root.ns.rodary.net.2018022801 10800 3600 10800 600Which is neither the answer I had yesterday, neither yours (by the wayI don't find how to use the "dig +trace" command), and "dig in nsrodary.net" which gave me ns.rodary.net and ns6.gandi.net , gives meonly ns.rodary.net now, and "dig in ns/soa rodary.net @ns6.gandi.net"has no answer, but "recursion requested but not available"

Did your previous BIND configuration implement DNSSEC?

No.

ns6.gandi.net was NS in my main zone file; so I think I will tryauth-sec-servers=ns6.gandi.net as it was in my BIND setup

    Jacques

Reply to:

Follow-Ups:
- Re: dnsmasq and SOA
  - From: Jacques Rodary <rodaryj@free.fr>

References:
- Re: Re: dnsmasq and SOA
  - From: Reco <recoverym4n@gmail.com>
- Re: Re: Re: dnsmasq and SOA
  - From: RODARY Jacques <rodaryj@free.fr>
- Re: Re: Re: dnsmasq and SOA
  - From: Reco <recoverym4n@gmail.com>

Prev by Date: Re: set default print options on printer
Next by Date: Re: Multifunction (printer + scanner) recommendation?
Previous by thread: Re: Re: Re: dnsmasq and SOA
Next by thread: Re: dnsmasq and SOA
Index(es):
- Date
- Thread