DNS on F13
Paolo Galtieri
pgaltieri at gmail.com
Thu Nov 11 04:32:13 UTC 2010
On 11/10/10 21:04, Rick Sewill wrote:
>>>>> On 10/11/2010 00:14, Paolo Galtieri wrote:
>>>>>>>> I had configured a local DNS server under F12 and everything was
>>>>>>>> working fine. I upgraded the system to F13 and set up DNS again.
>>>>>>>> Now I see the following errors.
>>>>>>>>
>>>>>>>> Nov 9 15:46:28 darkstar named[17913]: validating @0xb4e48968: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov 9 15:46:28 darkstar named[17913]: error (insecurity proof failed) resolving 'dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>>>>> Nov 9 15:48:02 darkstar named[17913]: validating @0xb49766e8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov 9 15:48:02 darkstar named[17913]: validating @0xb4977160: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov 9 15:48:02 darkstar named[17913]: validating @0xb4977bd8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>>>>>>>> Nov 9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>>>>> Nov 9 15:48:02 darkstar named[17913]: validating @0xb4724d60: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'www.howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>>>>>>>> Nov 9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'www.howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>>>>>
>>>>>>>> I have 2 servers configured in the forwarders section of named.conf
>>>>>>>>
>>>>>>>> forwarders { 68.2.16.30; 168.158.8.15; };
>
> I didn't see anything wrong in your named.conf or named.rfc1912.zones
>
> I tried dig, found in bind-utils-9.7.1-2.P2.fc13.x86_64.
>
> When I did,
> [root@rsewill etc]# dig +dnssec @168.158.8.15 energy.gov
>
> ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> +dnssec @168.158.8.15 energy.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 28148
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;energy.gov. IN A
>
> ;; Query time: 78 msec
> ;; SERVER: 168.158.8.15#53(168.158.8.15)
> ;; WHEN: Wed Nov 10 21:33:15 2010
> ;; MSG SIZE rcvd: 39
>
> It appears I didn't get a valid answer.
>
> When I just changed the nameserver,
> [root@rsewill etc]# dig +dnssec @68.2.16.30 energy.gov
>
> ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> +dnssec @68.2.16.30 energy.gov
> ; (1 server found)
> <...>
> ;; Query time: 99 msec
> ;; SERVER: 68.2.16.30#53(68.2.16.30)
> ;; WHEN: Wed Nov 10 21:34:23 2010
> ;; MSG SIZE rcvd: 1720
>
> I got a very large answer, which looks valid to me.
>
> If I leave off the +dnssec option,
> [root@rsewill etc]# dig @168.158.8.15 energy.gov
>
> ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> @168.158.8.15 energy.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31441
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;energy.gov. IN A
>
> ;; ANSWER SECTION:
> energy.gov. 2380 IN A 205.254.148.200
>
> ;; Query time: 79 msec
> ;; SERVER: 168.158.8.15#53(168.158.8.15)
> ;; WHEN: Wed Nov 10 21:37:37 2010
> ;; MSG SIZE rcvd: 44
>
> I seem to get a valid answer.
> The bind I am using is
> [root@rsewill etc]# rpm -q bind
> bind-9.7.1-2.P2.fc13.x86_64
>
> What version of bind are you using?
>
> I have two questions about the name server at 168.158.8.15
> 1) Do we know if that name server supports dnssec?
>
> 2) If it supports dnssec, can we find out what name server
> (software and version) is being used so we can search the
> Internet to see if that name server is supposed to be
> interoperable with bind-9.x.x when doing dnssec?
>
> I am wondering why FC12 worked.
> I don't know what version of bind (rpm -q bind) is in FC12.
>
> I can see 3 possibilities why FC12 bind might have worked
> 1) perhaps the name server at 168.158.8.15 has a bug when doing dnssec,
> but was interoperable with the bind found in FC12 and not with the bind in FC13.
>
> 2) Perhaps there is an error introduced into FC13
>
> 3) Perhaps, if 168.158.8.15 is not doing dnssec, FC12 bind
> would fall back to normal DNS. I'd be surprised if FC13 bind
> didn't also fall back to normal DNS...unless there is an option
> in your /etc/named.conf telling FC13 bind to only do dnssec.
> I am still parsing those options in /etc/named.conf...if someone
> who already has experience with this can answer, it would be nice.
>
> I don't know where to go from here.
> If I had access to another platform (not Fedora), running bind 9.x.x,
> and having bind-utils-9.x.x, I might like to compare and see if that
> named (and dig command) have the same problem.
>
> I'd probably do google searches to try and find cases where
> dig +dnssec fails for various reasons.
>
> I might look for a mailing list for bind or dnssec, to see if they have
> any help.
>
> Otherwise, I am stuck. Sorry.
>
I'm using bind-9.7.1-2.P2.fc13.i686, the same as you. I really appreciate
your help. I'm starting to suspect that it's something to do with
dnssec support at the ISP.
Thanks again,
Paolo
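The check Rick ran above, a `dig +dnssec` against each forwarder and a look at the returned status, done on the wire as an added example that is not part of this thread: it builds the EDNS0/DO query that `dig +dnssec` sends and decodes the reply header into the status, flags and counts dig prints. The two reply byte strings are constructed here to match what dig reported (FORMERR with flags qr rd and 39 bytes; NOERROR with qr rd ra, one A answer and 44 bytes), not captured from the thread.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080), ("ad", 0x0020))

def encode_name(name):
    """Wire form of a dotted name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name, qid, dnssec=True):
    """The query 'dig [+dnssec] @server name' sends: RD set, one A/IN question and,
    with dnssec=True, an EDNS0 OPT record advertising udp 4096 with the DO bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags (DO = 0x8000)
    opt = struct.pack("!BHHIH", 0, 41, 4096, 0x8000, 0) if dnssec else b""
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte header into what dig prints as status, flags and section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "flags": [n for n, bit in FLAG_BITS if flags & bit], "counts": (qd, an, ns, ar)}

def forwarder_usable_for_dnssec(reply):
    """A forwarder behind a validating named must at least accept an EDNS/DO query
    (no FORMERR/NOTIMP) and offer recursion (ra). A FORMERR on the DO query means the
    forwarder never returns the DS/RRSIG data, consistent with the 'no valid RRSIG' log lines."""
    h = parse_header(reply)
    return h["status"] not in ("FORMERR", "NOTIMP") and "ra" in h["flags"]

# Constructed replies shaped like the two dig results in the thread (not captures):
# FORMERR, flags qr rd, QUERY 1 / ADDITIONAL 1, 39 bytes; NOERROR, qr rd ra, one A answer, 44 bytes.
FORMERR_REPLY = (struct.pack("!HHHHHH", 28148, 0x8101, 1, 0, 0, 1)
                 + encode_name("energy.gov") + struct.pack("!HH", 1, 1)
                 + struct.pack("!BHHIH", 0, 41, 4096, 0x8000, 0))
NOERROR_REPLY = (struct.pack("!HHHHHH", 31441, 0x8180, 1, 1, 0, 0)
                 + encode_name("energy.gov") + struct.pack("!HH", 1, 1)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2380, 4) + bytes([205, 254, 148, 200]))

if __name__ == "__main__":
    print(len(build_query("energy.gov", 28148)), "byte DO query")
    for reply in (FORMERR_REPLY, NOERROR_REPLY):
        print(len(reply), "bytes:", parse_header(reply), "usable:", forwarder_usable_for_dnssec(reply))
```

To run the same check live, send `build_query(...)` over UDP to each forwarder and pass the reply to `forwarder_usable_for_dnssec`; the flag names follow dig's output so the result can be compared with the sessions quoted above.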