
Re: bind9 and dns forward



On 1 June 2023, Bonno Bloksma wrote:

>> If you get an answer it's a dnssec problem with the error message in your logs. If there is no answer it's another problem.
> Well, it seems I get an answer with the +cd option, and none without.

Yes. If I do:

# dig tio.nl A +dnssec +multiline

; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> tio.nl A +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15946
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: b5616e99dab9dfa2010000006479183bc71c1f369d50dcb2 (good)
;; QUESTION SECTION:
;tio.nl.			IN A

;; ANSWER SECTION:
tio.nl.			3600 IN	A 188.166.202.179
tio.nl.			3600 IN	RRSIG A 8 2 3600 (
				20230615000000 20230525000000 11454 tio.nl.
				M3ZcaxHNXwnmZ5SQnvMcPsUDPLQLpyl0RO7azsSWoUTx
				6CgENJbWQuMqHyiQlzxeSnzVbfFIlKdbsBACFylJUhsT
				Mby5rp8ouOr8XOK2wC+qJvgYbl5SJwXePu0f1XgCxoAg
				P5/6ZnnXpo4gidVtxfUB68Ed5T6yxo23o0eI5gE= )

I get an external dns answer with a nice dnssec. Can you do:

dig @172.16.208.10 tio.nl A +dnssec +multiline

to see if your internal dns answers with the same rrsig?
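
An added example, not part of the original message: one way to automate the comparison requested above, by parsing two saved `dig +dnssec +multiline` outputs and checking the `ad` flag, the RRSIG validity window and whether both resolvers return the same signature. The function names, the placeholder signature and the `INTERNAL` sample are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed samples. EXTERNAL keeps the flags and RRSIG fields shown in the
# message (signature replaced by a placeholder); INTERNAL is a hypothetical
# reply from a forwarder that returns the A record without any RRSIG.
EXTERNAL = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
tio.nl.   3600 IN A 188.166.202.179
tio.nl.   3600 IN RRSIG A 8 2 3600 (
          20230615000000 20230525000000 11454 tio.nl.
          PLACEHOLDERSIG= )
"""
INTERNAL = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
tio.nl.   3600 IN A 188.166.202.179
"""

def parse_dig(text):
    """Return header flags and RRSIG fields from dig +dnssec +multiline output."""
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    # Fold "( ... )" multiline records onto one line before splitting fields.
    flat = re.sub(r"\(\s*([^)]*?)\s*\)", lambda m: " ".join(m.group(1).split()), text)
    sigs = []
    for line in flat.splitlines():
        f = line.split()
        if len(f) >= 13 and f[3] == "RRSIG" and not line.startswith(";"):
            # RRSIG rdata order: covered alg labels ttl expiration inception keytag signer
            sigs.append({"covered": f[4], "alg": int(f[5]), "expire": f[8],
                         "incept": f[9], "keytag": int(f[10]), "signer": f[11]})
    return {"flags": flags.group(1).split() if flags else [], "rrsigs": sigs}

def sig_state(sig, now):
    """Check the signature window; a wrong resolver clock fails here too."""
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if now < ts(sig["incept"]):
        return "not-yet-valid"
    return "expired" if now > ts(sig["expire"]) else "in-window"

def diagnose(text, now):
    r = parse_dig(text)
    if not r["rrsigs"]:
        return "no-rrsig"  # nothing for a validating resolver to verify
    bad = sorted({sig_state(s, now) for s in r["rrsigs"]} - {"in-window"})
    if bad:
        return "/".join(bad)
    return "validated" if "ad" in r["flags"] else "signed-but-unvalidated"

def same_rrsig(a, b):
    key = lambda t: {(s["covered"], s["keytag"], s["incept"], s["expire"])
                     for s in parse_dig(t)["rrsigs"]}
    return key(a) == key(b)
```
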

