RE: bind9 and dns forward
Hi,
@Tim,
If I use the dnssec-validation no; option then indeed it all works. Just tested it again to make sure.
And as a final solution to this problem I might accept it, but I would rather not.
@Michel,
> I reread all our mails and I missed asking you this one (as answers via external dns masked the real problem):
> dig tio.nl NS +cd
Ok, with /etc/resolv.conf pointing only to localhost and option dnssec-validation auto;
-----<Quote>--------------------
linbobo:/etc/bind# dig tio.nl NS +cd
; <<>> DiG 9.16.37-Debian <<>> tio.nl NS +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8565
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f9edf2abbc6bb1b4010000006478e3bce0244f2a98d3724c (good)
;; QUESTION SECTION:
;tio.nl. IN NS
;; ANSWER SECTION:
tio.nl. 3600 IN NS amsstuddc-04.student.tio.nl.
[... snip ...]
tio.nl. 3600 IN NS rtmstuddc-05.student.tio.nl.
;; Query time: 28 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 01 20:30:20 CEST 2023
;; MSG SIZE rcvd: 568
linbobo:/etc/bind# dig tio.nl NS
; <<>> DiG 9.16.37-Debian <<>> tio.nl NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57482
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: eeb3f3a1c2495cf5010000006478e3c58effeec3959e9ccc (good)
;; QUESTION SECTION:
;tio.nl. IN NS
;; Query time: 188 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 01 20:30:29 CEST 2023
;; MSG SIZE rcvd: 63
linbobo:/etc/bind#
-----<Quote>--------------------
> If you get an answer it's a dnssec problem with the error message in your logs. If there is no answer it's another problem.
Well, it seems I get an answer with the +cd option, and none without.
[...]
> And it's definitely not the good solution but you could transfer the full zone (or get a copy of the file) and serve it as master.
Nah, I do not want to do that. Too many updates on the internal zone, I would need to copy at least every 5 min. Also other reasons.
Bonno Bloksma