DNS on F13

Paolo Galtieri pgaltieri at gmail.com
Thu Nov 11 04:32:13 UTC 2010


On 11/10/10 21:04, Rick Sewill wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>>>>> On 10/11/2010 00:14, Paolo Galtieri wrote:
>>>>>>>> I had configured a local DNS server under F12 and everything was
>>>>>>>> working
>>>>>>>> fine.  I upgraded the system to F13 and
>>>>>>>> setup DNS again.  Now I see the following errors.
>>>>>>>>
>>>>>>>> Nov  9 15:46:28 darkstar named[17913]:   validating @0xb4e48968: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov  9 15:46:28 darkstar named[17913]: error (insecurity proof failed) resolving 'dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb49766e8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb4977160: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb4977bd8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov  9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>>>>>>>> Nov  9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>>>>> Nov  9 15:48:02 darkstar named[17913]:   validating @0xb4724d60: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>>>>>>> Nov  9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'www.howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>>>>>>>> Nov  9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'www.howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>>>>>>>>
>>>>>>>> I have 2 servers configured in the forwarders section of named.conf
>>>>>>>>
>>>>>>>> forwarders { 68.2.16.30; 168.158.8.15; };
>
> I didn't see anything wrong in your named.conf or named.rfc1912.zones
>
> I tried dig, found in bind-utils-9.7.1-2.P2.fc13.x86_64.
>
> When I did,
> [root at rsewill etc]# dig +dnssec @168.158.8.15  energy.gov
>
> ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> +dnssec @168.158.8.15 energy.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 28148
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;energy.gov.                    IN      A
>
> ;; Query time: 78 msec
> ;; SERVER: 168.158.8.15#53(168.158.8.15)
> ;; WHEN: Wed Nov 10 21:33:15 2010
> ;; MSG SIZE  rcvd: 39
>
> It appears I didn't get a valid answer.
>
> When I just changed the nameserver,
> [root at rsewill etc]# dig +dnssec @68.2.16.30  energy.gov
>
> ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> +dnssec @68.2.16.30 energy.gov
> ; (1 server found)
> <...>
> ;; Query time: 99 msec
> ;; SERVER: 68.2.16.30#53(68.2.16.30)
> ;; WHEN: Wed Nov 10 21:34:23 2010
> ;; MSG SIZE  rcvd: 1720
>
> I got a very large answer, which looks valid to me.
>
> If I leave off the +dnssec option,
> [root at rsewill etc]# dig @168.158.8.15  energy.gov
>
> ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> @168.158.8.15 energy.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31441
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;energy.gov.                    IN      A
>
> ;; ANSWER SECTION:
> energy.gov.             2380    IN      A       205.254.148.200
>
> ;; Query time: 79 msec
> ;; SERVER: 168.158.8.15#53(168.158.8.15)
> ;; WHEN: Wed Nov 10 21:37:37 2010
> ;; MSG SIZE  rcvd: 44
>
> I seem to get a valid answer.
> The bind I am using is
> [root at rsewill etc]# rpm -q bind
> bind-9.7.1-2.P2.fc13.x86_64
>
> What version of bind are you using?
>
> I have two questions about the name server at 168.158.8.15
> 1) Do we know if that name server supports dnssec?
>
> 2) If it supports dnssec, can we find out what name server
>     (software and version) is being used so we can search the
>     Internet to see if that name server is supposed to be
>     interoperable with bind-9.x.x when doing dnssec?
>
> I am wondering why FC12 worked.
> I don't know what version of bind (rpm -q bind) is in FC12.
>
> I can see 3 possibilities why FC12 bind might have worked
> 1) perhaps the name server at 168.158.8.15 has a bug when doing dnssec,
>     but was interoperable with the bind found in FC12, but not bind FC13.
>
> 2) Perhaps there is an error introduced into FC13
>
> 3) Perhaps, if 168.158.8.15 is not doing dnssec, FC12 bind
>     would fall back to normal DNS.  I'd be surprised if FC13 bind
>     didn't also fall back to normal DNS...unless there is an option
>     in your /etc/named.conf telling FC13 bind to only do dnssec.
>     I am still parsing those options in /etc/named.conf...if someone
>     who already has experience with this can answer, it would be nice.
>
> I don't know where to go from here.
> If I had access to another platform (not Fedora), running bind 9.x.x,
> and having bind-utils-9.x.x, I might like to compare and see if that
> named (and dig command) have the same problem.
>
> I'd probably do google searches to try and find cases where
> dig +dnssec fails for various reasons.
>
> I might look for a mailing list for bind or dnssec, to see if they have
> any help.
>
> Otherwise, I am stuck.  Sorry.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkzbazMACgkQyc8Kn0p/AZSEDACeIWFJgaOa8JV5pR/Rph6QKlbg
> EA0An1WSVF2IqJgCxzrORhyEoXHX0oo2
> =X3qx
> -----END PGP SIGNATURE-----
I'm using bind-9.7.1-2.P2.fc13.i686 same as you.  I really appreciate 
your help.  I'm starting to suspect that it's something to do with 
dnssec support with the ISP.

Thanks again,
Paolo
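The check Rick ran by hand above (the same name queried with and without `+dnssec`, i.e. with and without an EDNS0 OPT record carrying the DO bit) can be scripted, and the two replies he pasted happen to be small enough to rebuild offline. The following is an added example written for this page, not code from either poster or from BIND: it builds the two query shapes, parses the replies, and classifies a forwarder as unusable for DNSSEC when the EDNS0 query gets FORMERR while the plain query gets an answer, which is exactly what a validating `named` behind such a forwarder runs into when it tries to fetch RRSIG, DS and DNSKEY records. The two sample replies are constructed by hand (they are not packet captures) to match the shape and byte sizes of the two `dig` runs quoted above, a 39-byte FORMERR reply and a 44-byte NOERROR reply; the function names and the `probe()` helper, which sends the queries to a real server and is the only part that needs network access, are mine.

```python
import socket
import struct

# Wire-format name for energy.gov, the name used in the dig runs quoted above.
QNAME = b"\x06energy\x03gov\x00"
QTYPE_A, QCLASS_IN, TYPE_OPT = 1, 1, 41
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(qname_wire, qid, edns=True, udp_size=4096):
    """Build an A query. With edns=True, append an EDNS0 OPT pseudo-RR (RFC 6891)
    with the DO bit set, which is what `dig +dnssec` sends and what a validating
    named sends to its forwarders to get RRSIG/DS/DNSKEY records back."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # flags: RD
    pkt = header + qname_wire + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL field = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x8000, 0)
    return pkt


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return RCODE, RA flag, answer RRs and whether an OPT RR (with DO) came back."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4                 # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        answers.append((rtype, ttl, data[off:off + rdlen]))
        off += rdlen
    for _ in range(ns):                                 # authority section: skip
        off = _skip_name(data, off)
        off += 10 + struct.unpack("!H", data[off + 8:off + 10])[0]
    has_opt = do_bit = False
    for _ in range(ar):
        off = _skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            has_opt, do_bit = True, bool(ttl & 0x8000)
    return {"id": qid, "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "ra": bool(flags & 0x0080), "answers": answers, "edns": has_opt, "do": do_bit}


def classify_forwarder(edns_reply, plain_reply):
    """Judge a forwarder from its reply to an EDNS0/DO query and to a plain query.
    'no-edns' is the pattern in the thread: plain lookups work, so ordinary
    clients are happy, but a validating resolver behind it can never fetch the
    DNSSEC records it needs, so validation of signed names fails."""
    e, p = parse_response(edns_reply), parse_response(plain_reply)
    if e["rcode"] == "FORMERR" and p["rcode"] == "NOERROR":
        return "no-edns"
    if e["rcode"] == "NOERROR" and e["edns"] and e["do"]:
        return "edns-do-ok"
    if e["rcode"] == "NOERROR":
        return "edns-stripped"     # answered, but the OPT/DO was dropped on the way
    return "unknown"


# Constructed sample replies (assembled by hand, not captures), shaped like the two
# dig runs quoted above: a 39-byte FORMERR reply to the +dnssec query and a
# 44-byte NOERROR reply to the plain query.
FORMERR_REPLY = (
    struct.pack("!HHHHHH", 28148, 0x8001, 1, 0, 0, 1)          # qr rd, RCODE 1 = FORMERR
    + QNAME + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)  # OPT echoed with DO set
)
NOERROR_REPLY = (
    struct.pack("!HHHHHH", 31441, 0x8180, 1, 1, 0, 0)          # qr rd ra, NOERROR
    + QNAME + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 2380, 4)  # name = pointer to question
    + bytes([205, 254, 148, 200])
)


def probe(server, qname_wire=QNAME, timeout=3.0):
    """Send both queries to a live forwarder over UDP port 53 and classify it.
    Needs network access; the offline run below uses the constructed replies."""
    replies = []
    for qid, edns in ((0x1234, True), (0x1235, False)):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(qname_wire, qid, edns=edns), (server, 53))
            replies.append(sock.recvfrom(4096)[0])
        finally:
            sock.close()
    return classify_forwarder(*replies)


if __name__ == "__main__":
    print(len(FORMERR_REPLY), len(NOERROR_REPLY))            # 39 44, the MSG SIZE values above
    print(classify_forwarder(FORMERR_REPLY, NOERROR_REPLY))  # no-edns
```

Run against a real address with `probe("168.158.8.15")` to repeat Rick's test; a forwarder that comes back `no-edns` cannot carry DNSSEC traffic, and a validating resolver that is handed such a forwarder will log exactly the "no valid RRSIG" and "insecurity proof failed" errors shown at the top of this thread, whatever the local named.conf says.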

