DNS on F13

Rick Sewill rsewill at gmail.com
Thu Nov 11 04:04:03 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>> Le 10/11/2010 00:14, Paolo Galtieri a écrit :
>>>>>>> I had configured a local DNS server under F12 and everything was
>>>>>>> working
>>>>>>> fine.  I upgraded the system to F13 and
>>>>>>> setup DNS again.  Now I see the following errors.
>>>>>>>
>>>>>>> Nov  9 15:46:28 darkstar named[17913]:   validating @0xb4e48968:
>>>>>>> dlv.isc.org   SOA: got insecure response; parent
>>>>>>> indicates it should be secure
>>>>>>> Nov  9 15:46:28 darkstar named[17913]: error (insecurity proof
>>>>>>> failed)
>>>>>>> resolving 'dlv.isc.org/DLV/IN':
>>>>>>> 168.158.8.15#53
>>>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb49766e8:
>>>>>>> dlv.isc.org   SOA: got insecure response; parent
>>>>>>> indicates it should be secure
>>>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb4977160:
>>>>>>> dlv.isc.org   SOA: got insecure response; parent
>>>>>>> indicates it should be secure
>>>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb4977bd8:
>>>>>>> dlv.isc.org   SOA: got insecure response; parent
>>>>>>> indicates it should be secure
>>>>>>> Nov  9 15:48:02 darkstar named[17913]: error (no valid RRSIG)
>>>>>>> resolving
>>>>>>> 'howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>>>>>>> Nov  9 15:48:02 darkstar named[17913]: error (insecurity proof
>>>>>>> failed)
>>>>>>> resolving 'howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb4724d60:
>>>>>>> dlv.isc.org   SOA: got insecure response; parent
>>>>>>> indicates it should be secure
>>>>>>> Nov  9 15:48:02 darkstar named[17913]: error (no valid RRSIG)
>>>>>>> resolving
>>>>>>> 'www.howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>>>>>>> Nov  9 15:48:02 darkstar named[17913]: error (insecurity proof
>>>>>>> failed)
>>>>>>> resolving 'www.howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>>>>
>>>>>>> I have 2 servers configured in the forwarders section of named.conf
>>>>>>>
>>>>>>> forwarders { 68.2.16.30; 168.158.8.15; };

I didn't see anything wrong in your named.conf or named.rfc1912.zones

I tried dig, found in bind-utils-9.7.1-2.P2.fc13.x86_64.

When I did,
[root@rsewill etc]# dig +dnssec @168.158.8.15  energy.gov

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> +dnssec @168.158.8.15 energy.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 28148
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;energy.gov.                    IN      A

;; Query time: 78 msec
;; SERVER: 168.158.8.15#53(168.158.8.15)
;; WHEN: Wed Nov 10 21:33:15 2010
;; MSG SIZE  rcvd: 39

It appears I didn't get a valid answer.

When I just changed the nameserver,
[root@rsewill etc]# dig +dnssec @68.2.16.30  energy.gov

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> +dnssec @68.2.16.30 energy.gov
; (1 server found)
<...>
;; Query time: 99 msec
;; SERVER: 68.2.16.30#53(68.2.16.30)
;; WHEN: Wed Nov 10 21:34:23 2010
;; MSG SIZE  rcvd: 1720

I got a very large answer, which looks valid to me.

If I leave off the +dnssec option,
[root@rsewill etc]# dig @168.158.8.15  energy.gov

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> @168.158.8.15 energy.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31441
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;energy.gov.                    IN      A

;; ANSWER SECTION:
energy.gov.             2380    IN      A       205.254.148.200

;; Query time: 79 msec
;; SERVER: 168.158.8.15#53(168.158.8.15)
;; WHEN: Wed Nov 10 21:37:37 2010
;; MSG SIZE  rcvd: 44

I seem to get a valid answer.
The bind I am using is
[root@rsewill etc]# rpm -q bind
bind-9.7.1-2.P2.fc13.x86_64

What version of bind are you using?

I have two questions about the name server at 168.158.8.15
1) Do we know if that name server supports dnssec?

2) If it supports dnssec, can we find out what name server
   (software and version) is being used so we can search the
   Internet to see if that name server is supposed to be
   interoperable with bind-9.x.x when doing dnssec?

I am wondering why FC12 worked.
I don't know what version of bind (rpm -q bind) is in FC12.

I can see 3 possibilities why FC12 bind might have worked
1) perhaps the name server at 168.158.8.15 has a bug when doing dnssec,
   but was interoperable with the bind found in FC12, but not bind FC13.

2) Perhaps there is an error introduced into FC13

3) Perhaps, if 168.158.8.15 is not doing dnssec, FC12 bind
   would fall back to normal DNS.  I'd be surprised if FC13 bind
   didn't also fall back to normal DNS...unless there is an option
   in your /etc/named.conf telling FC13 bind to only do dnssec.
   I am still parsing those options in /etc/named.conf...if someone
   who already has experience with this can answer, it would be nice.

I don't know where to go from here.
If I had access to another platform (not Fedora), running bind 9.x.x,
and having bind-utils-9.x.x, I might like to compare and see if that
named (and dig command) have the same problem.

I'd probably do google searches to try and find cases where
dig +dnssec fails for various reasons.

I might look for a mailing list for bind or dnssec, to see if they have
any help.

Otherwise, I am stuck.  Sorry.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzbazMACgkQyc8Kn0p/AZSEDACeIWFJgaOa8JV5pR/Rph6QKlbg
EA0An1WSVF2IqJgCxzrORhyEoXHX0oo2
=X3qx
-----END PGP SIGNATURE-----
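Added example, not part of the post and not BIND or dig code: what `dig +dnssec` actually puts on the wire, and how to read the two replies above. The `+dnssec` option adds an EDNS0 OPT pseudo-record with the DO ("DNSSEC OK") bit and a 4096-byte UDP size; a forwarder that answers a plain query with NOERROR but answers the same query plus OPT with FORMERR and an empty answer is rejecting EDNS0 itself, so a validating resolver behind it can never obtain RRSIGs. The two replies below are constructed to match the 39-byte FORMERR and 44-byte NOERROR messages in the post (same id, flags, counts and A record); the signed reply standing in for the 1720-byte answer from 68.2.16.30 is also constructed, with dummy RRSIG bytes rather than a real signature.

```python
"""Build the query dig +dnssec sends and classify a forwarder from its raw DNS replies."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, dnssec=True):
    """A/IN query with RD set; dnssec=True appends the EDNS0 OPT RR with the DO bit."""
    arcount = 1 if dnssec else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if dnssec:
        # OPT: owner ".", TYPE 41, CLASS = UDP payload 4096, TTL = ext-rcode|version|DO(0x8000), RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return msg


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return header flags, rcode, the record types per section and whether DO was echoed."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    do_bit = False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[section].append(rtype)
            if rtype == TYPE_OPT and ttl & 0x8000:
                do_bit = True
    return {
        "id": qid,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
        "sections": sections, "do": do_bit, "size": len(msg),
    }


def assess_forwarder(with_do, without_do):
    """Compare a forwarder's reply to a DO query with its reply to the same plain query."""
    if with_do["rcode"] == "FORMERR" and without_do["rcode"] == "NOERROR":
        return "no-edns"        # serves plain queries, rejects EDNS0/DO: unusable for validation
    if with_do["rcode"] != "NOERROR":
        return "error"
    if TYPE_RRSIG in with_do["sections"]["answer"] or with_do["ad"]:
        return "dnssec-capable"
    return "unsigned"           # EDNS0 accepted, but no signatures and no AD bit


# Constructed replies (not captured traffic), shaped after the dig output in the post.
QUESTION = encode_name("energy.gov") + struct.pack("!HH", TYPE_A, 1)
# 39 bytes: id 28148, QR|RD, rcode FORMERR, no answer, OPT with DO echoed in ADDITIONAL
REPLY_FORMERR = (struct.pack("!HHHHHH", 28148, 0x8101, 1, 0, 0, 1) + QUESTION
                 + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0))
# 44 bytes: id 31441, QR|RD|RA, NOERROR, one A record with a compressed owner name
REPLY_PLAIN = (struct.pack("!HHHHHH", 31441, 0x8180, 1, 1, 0, 0) + QUESTION
               + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 2380, 4) + bytes([205, 254, 148, 200]))
# Stand-in for a DNSSEC-capable forwarder: A + RRSIG (dummy RDATA, not a real signature), AD set
FAKE_RRSIG_RDATA = b"\x00" * 18 + encode_name("energy.gov") + b"\x00" * 16
REPLY_SIGNED = (struct.pack("!HHHHHH", 4242, 0x81A0, 1, 2, 0, 1) + QUESTION
                + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 2380, 4) + bytes([205, 254, 148, 200])
                + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 2380, len(FAKE_RRSIG_RDATA))
                + FAKE_RRSIG_RDATA
                + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0))

if __name__ == "__main__":
    print("DO query bytes:", len(build_query(28148, "energy.gov")), "plain:", len(build_query(28148, "energy.gov", False)))
    for label, reply in (("168.158.8.15 +dnssec", REPLY_FORMERR), ("168.158.8.15 plain", REPLY_PLAIN)):
        r = parse_response(reply)
        print(label, r["rcode"], r["size"], "bytes, DO echoed:", r["do"], "answer types:", r["sections"]["answer"])
    print("verdict:", assess_forwarder(parse_response(REPLY_FORMERR), parse_response(REPLY_PLAIN)))
```

Reading the result against the post: the FORMERR reply carries the OPT record back (ADDITIONAL: 1) but no data, which is the signature of a resolver that cannot handle the EDNS0 request rather than of a DNSSEC bug in BIND. The practical check is to send each configured forwarder the same name with and without `+dnssec`; a `no-edns` verdict means that forwarder should be dropped from `forwarders` on a validating named, since it will produce exactly the "no valid RRSIG" and "insecurity proof failed" errors quoted above.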

