DNS on F13

Paolo Galtieri pgaltieri at gmail.com
Wed Nov 10 20:41:14 UTC 2010


On 11/10/10 11:24, Rick Sewill wrote:
> On 11/10/2010 10:28 AM, Paolo Galtieri wrote:
>> On 11/10/10 00:13, François Patte wrote:
>> On 10/11/2010 00:14, Paolo Galtieri wrote:
>>>>> I had configured a local DNS server under F12 and everything was working
>>>>> fine.  I upgraded the system to F13 and
>>>>> set up DNS again.  Now I see the following errors.
>>>>>
>>>>> Nov  9 15:46:28 darkstar named[17913]:   validating @0xb4e48968:
>>>>> dlv.isc.org SOA: got insecure response; parent
>>>>> indicates it should be secure
>>>>> Nov  9 15:46:28 darkstar named[17913]: error (insecurity proof failed)
>>>>> resolving 'dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb49766e8:
>>>>> dlv.isc.org SOA: got insecure response; parent
>>>>> indicates it should be secure
>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb4977160:
>>>>> dlv.isc.org SOA: got insecure response; parent
>>>>> indicates it should be secure
>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb4977bd8:
>>>>> dlv.isc.org SOA: got insecure response; parent
>>>>> indicates it should be secure
>>>>> Nov  9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving
>>>>> 'howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>>>>> Nov  9 15:48:02 darkstar named[17913]: error (insecurity proof failed)
>>>>> resolving 'howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb4724d60:
>>>>> dlv.isc.org SOA: got insecure response; parent
>>>>> indicates it should be secure
>>>>> Nov  9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving
>>>>> 'www.howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>>>>> Nov  9 15:48:02 darkstar named[17913]: error (insecurity proof failed)
>>>>> resolving 'www.howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>>
>>>>> I have 2 servers configured in the forwarders section of named.conf
>>>>>
>>>>> forwarders { 68.2.16.30; 168.158.8.15; };
>>>>>
>>>>> It only complains about the second one.
>>>>>
>>>>> I found Bug 577639 which seems related, but it's marked closed notabug.
>>>>>
>>>>> So if it's not a bug why am I seeing these errors and how do I go about
>>>>> resolving them?
>>>>>
>>>>> Is this a configuration issue on my side, or is this an issue with my ISP?
>>>>>
>>>>> The file "/etc/named.iscdlv.key" contains the correct key.
>>>>>
>>>>> Any assistance is appreciated.
>>
>> Did you test if it is not related to selinux?
>>
>>
>> I don't believe it has anything to do with SElinux since the errors only
>> show up for one of the 2 DNS servers I have listed in the forwarders
>> entry.  Also I don't get any SElinux alert messages.
>
>> Paolo
>
> May we see your /etc/named.conf file please?
>
> I am wondering if you have an old /etc/named.conf file.
> Please look for /etc/named.conf.rpmnew, and if it's there,
> please compare the two files, save your current /etc/named.conf,
> and mv /etc/named.conf.rpmnew /etc/named.conf
>
> When I do,
> [root@rsewill ~]# service named start
> Starting named:                                            [  OK  ]
> followed by
> [root@rsewill ~]# host -a energy.gov localhost
> <Too much stuff got printed to reproduce here without reason>
> <Output looks reasonable>
>
> I do not have bind-chroot installed.  Are you using bind-chroot?
>
> For this test, I am using
> [root@rsewill ~]# rpm -q bind
> bind-9.7.1-2.P2.fc13.x86_64
> What version of bind are you using please?
>

I am using bind-chroot.  I was using it under F12 also.  I have 
attached both the named.conf and the named.rfc1912.zones files.
What initially triggered the post was that suddenly all name resolution 
stopped.  If I bypassed my DNS server everything worked fine.  I 
restarted named and everything started to work again.  When I looked at 
/var/log/messages to see if there were any messages explaining why my 
DNS server had failed I saw all these error messages.

Paolo
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: named.conf
Url: http://lists.fedoraproject.org/pipermail/users/attachments/20101110/8a3865d4/attachment-0002.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: named.rfc1912.zones
Url: http://lists.fedoraproject.org/pipermail/users/attachments/20101110/8a3865d4/attachment-0003.pl 
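
As an added example (not part of the original thread), a short Python script that tallies the named resolver errors quoted above by upstream server, to check the observation that only one of the two forwarders is implicated. The sample is a subset of the log lines from the message, rejoined onto single lines; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Sample lines copied from the log quoted in the thread (a subset),
# rejoined onto single lines because the mail client had wrapped them.
SAMPLE_LOG = """\
Nov  9 15:46:28 darkstar named[17913]:   validating @0xb4e48968: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov  9 15:46:28 darkstar named[17913]: error (insecurity proof failed) resolving 'dlv.isc.org/DLV/IN': 168.158.8.15#53
Nov  9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
Nov  9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
Nov  9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'www.howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
Nov  9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'www.howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
"""

# Shape of a resolver error line:
#   error (<reason>) resolving '<name>/<type>/<class>': <ip>#<port>
ERROR_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

def parse_errors(log_text):
    """Return one dict per resolver error line; other lines are skipped."""
    return [m.groupdict() for m in map(ERROR_RE.search, log_text.splitlines()) if m]

def tally_by_server(errors):
    """Map each upstream server to a count of its error reasons."""
    tally = defaultdict(Counter)
    for e in errors:
        tally[e["server"]][e["reason"]] += 1
    return {server: dict(counts) for server, counts in tally.items()}

def silent_forwarders(errors, forwarders):
    """Configured forwarders that appear in no error line."""
    seen = {e["server"] for e in errors}
    return [f for f in forwarders if f not in seen]

if __name__ == "__main__":
    errs = parse_errors(SAMPLE_LOG)
    for server, reasons in tally_by_server(errs).items():
        print(server, reasons)
    # Forwarder list as given in the named.conf excerpt in the thread.
    print("no errors logged for:", silent_forwarders(errs, ["68.2.16.30", "168.158.8.15"]))
```

On a live system the same functions can be fed the contents of /var/log/messages instead of the embedded sample.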

