F13 i386 bind not resolving

Al Dunsmuir al.dunsmuir at sympatico.ca
Tue Apr 20 21:54:20 UTC 2010


On Tuesday, April 20, 2010, 9:25:05 AM, Adam Tkac wrote:

> On Mon, Apr 19, 2010 at 03:23:11PM -0400, Al Dunsmuir wrote:
>> With that, I finally got a clean setup on F12 by removing the
>> forwarders stanza as described in the following BZ:

> Well, I've already identified why DNSSEC sometimes doesn't work with
> forwarders.

> Problem is when forwarder is configured not to return DNSSEC related
> resource records (like RRSIGs, DSs, DNSKEYs etc). In BIND it is
> configured by "dnssec-enable" option in named.conf. If this option
> is set to "no" then BIND can't be used as a forwarder because it won't
> return RRSIGs which leads to "must-be-secure" failures.

> This is usually not a problem with BIND 9.4 series and newer because
> dnssec-conf is set to "yes" per default. But actually it is a problem
> with BIND 9.3 and older where it is set to "no". Even if BIND 9.3 is
> outdated it is still used on many systems, good example is Red Hat
> Enterprise Linux 5 or Debian Etch, both contain BIND 9.3 series.

> So if your ISP provider uses those versions, doesn't manually set
> dnssec-enable to "yes" and you use that server as a forwarder then
> you hit "must-be-secure" errors.

Thanks Adam - that explanation makes perfect sense.

I'm amazed at how fast F12 on my 64-bit AMD box without forwarders is
compared to the nameservers that sympatico.ca (Bell Canada) provides.
It sounds like they are also running behind the curve with the upgrade
to DNSSEC (or at minimum have blocked useful info).

It looks like I'm better off doing the full resolution myself, from
speed and security points of view!

>> Bug 577639 - bind Stopped Resolving (broken trust chain resolving)
>> 
>> Huzzah!  There are no more DNSSEC-related messages being issued by the
>> X86_64 F12 bind.
>> 
>> Unfortunately, this didn't cure my F13 bind - I updated 577639 with
>> my named log messages. It might help to clear the named cache
>> manually to eliminate bogus values, but I could not find the obvious
>> directory. A reboot made no difference.
>>
>> Hopefully  Adam  Tkac  will  be able to come up with a bind update (or
>> some debug hints) for the final cure.

> Please be patient, I'm working on that issue.
> Regards, Adam

Excellent!  When I see an F13 bind update (or a new comment under
bz 577639) I'll install and give it a spin.  Same for regression tests
under F12.

BTW, I found a gotcha with having the non-functional named running
in F13 - Firefox appears to use 127.0.0.1:53 for name resolution, even
if the local DNS server is not in the DNS settings for eth0!

Al
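The check Adam's explanation implies, as an added example that is not part of the thread: a POSIX sh function that reads `dig +dnssec` output and reports whether the queried server returned RRSIGs, which is what a validating resolver needs from its forwarder. The server addresses, record data and abridged dig replies below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): tell from `dig +dnssec` output whether a
# server returns RRSIGs, i.e. whether it is usable as a forwarder by a validating
# resolver. A BIND running with "dnssec-enable no" answers without RRSIGs, which
# is what triggers the "must-be-secure" failures described above.
# Live use:  dig @<forwarder-ip> +dnssec example.com A | check_dnssec_answer

# Reads dig output on stdin. Exit 0: RRSIGs present; 1: answered but no RRSIGs;
# 2: DO bit not echoed in the OPT record (server does not do DNSSEC at all).
check_dnssec_answer() {
    out=$(cat)
    # With +dnssec, dig prints the DO bit in the OPT pseudo-section line.
    if ! printf '%s\n' "$out" | grep -q '^; EDNS: .*flags: *do'; then
        echo "no DO bit in reply: server does not speak DNSSEC"
        return 2
    fi
    # Count RRSIG records in the ANSWER SECTION only ($4 is the RR type).
    sigs=$(printf '%s\n' "$out" | awk '
        /^;; ANSWER SECTION:/   { in_ans = 1; next }
        /^$/                    { in_ans = 0 }
        in_ans && $4 == "RRSIG" { n++ }
        END                     { print n + 0 }')
    if [ "$sigs" -gt 0 ]; then
        echo "ok: $sigs RRSIG record(s) returned, forwarder keeps DNSSEC data"
        return 0
    fi
    echo "no RRSIGs in answer: forwarder likely runs dnssec-enable no"
    return 1
}

# Constructed sample replies (abridged dig output, addresses from 192.0.2.0/24).
STRIPPED_ANSWER='; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.com.        3600    IN      A       192.0.2.10

;; Query time: 12 msec'
SIGNED_ANSWER='; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.com.        3600    IN      A       192.0.2.10
example.com.        3600    IN      RRSIG   A 8 2 3600 20100501000000 20100401000000 12345 example.com. c29tZXNpZw==
'

printf '%s\n' "$STRIPPED_ANSWER" | check_dnssec_answer
printf '%s\n' "$SIGNED_ANSWER"   | check_dnssec_answer
```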
