Fw: RE: dnssec enabled recursive server

Pamela Rock prock111 at yahoo.com
Sat Oct 24 16:23:20 UTC 2009


As suggested...

root at localhost:~/ uname -a
Linux localhost.localdomain 2.6.18-164.2.1.el5 #1 SMP Mon Sep 21 04:37:42 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

 
> Here is a hint of what is in the info and debug log...
> 
> ** info **
> 23-Oct-2009 16:47:23.543 general: error: socket.c:4922: unexpected error:
> 23-Oct-2009 16:47:23.543 general: error: 22/Invalid argument
> 23-Oct-2009 16:47:25.249 general: error: socket.c:4922: unexpected error:
> 23-Oct-2009 16:47:25.249 general: error: 22/Invalid argument
> 23-Oct-2009 16:47:27.064 general: error: socket.c:4922: unexpected error:
> 23-Oct-2009 16:47:27.064 general: error: 22/Invalid argument
> 23-Oct-2009 16:47:28.785 general: error: socket.c:4922: unexpected error:
> 23-Oct-2009 16:47:28.785 general: error: 22/Invalid argument
> 
> ** debug **
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): start
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): try
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): cancelqueries
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): getaddresses
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): query
> 23-Oct-2009 16:47:27.064 resolver: debug 3: resquery 0x2aaaab2f4010 (fctx 0x2aaaab2ed010(123xyz.TLD/ANY)): send
> 23-Oct-2009 16:47:27.064 general: error: socket.c:4922: unexpected error:
> 23-Oct-2009 16:47:27.064 general: error: 22/Invalid argument
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): done
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): stopeverything
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): cancelqueries
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): sendevents
> 23-Oct-2009 16:47:27.064 query-errors: debug 1: client 10.10.10.10#40629: query failed (SERVFAIL) for 123xyz.TLD/IN/ANY at query.c:4619
> 23-Oct-2009 16:47:27.064 client: debug 3: client 10.10.10.10#40629: error
> 23-Oct-2009 16:47:27.064 client: debug 3: client 10.10.10.10#40629: send
> 23-Oct-2009 16:47:27.064 client: debug 3: client 10.10.10.10#40629: sendto
> 23-Oct-2009 16:47:27.064 client: debug 3: client 10.10.10.10#40629: senddone
> 23-Oct-2009 16:47:27.064 client: debug 3: client 10.10.10.10#40629: next
> 23-Oct-2009 16:47:27.064 client: debug 3: client 10.10.10.10#40629: endrequest
> 23-Oct-2009 16:47:27.064 query-errors: debug 2: fetch completed at resolver.c:3015 for 123xyz.TLD/ANY in 0.000527: unexpected error/success [domain:.,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fetch 0x2b8f4e85c830 (fctx 0x2aaaab2ed010(123xyz.TLD/ANY)): destroyfetch
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): shutdown
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): doshutdown
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): stopeverything
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): cancelqueries
> 23-Oct-2009 16:47:27.064 resolver: debug 3: fctx 0x2aaaab2ed010(123xyz.TLD/ANY'): destroy
> 23-Oct-2009 16:47:27.078 client: debug 3: client 10.10.10.10#38984: UDP request
> 23-Oct-2009 16:47:27.078 security: debug 3: client 10.10.10.10#38984: request is not signed
> 23-Oct-2009 16:47:27.078 security: debug 3: client 10.10.10.10#38984: recursion available
> 23-Oct-2009 16:47:27.078 client: debug 3: client 10.10.10.10#38984: query
> 23-Oct-2009 16:47:27.078 security: debug 3: client 10.10.10.10#38984: query (cache) 'TLD/DNSKEY/IN' approved
> 23-Oct-2009 16:47:27.078 client: debug 3: client 10.10.10.10#38984: send
> 23-Oct-2009 16:47:27.078 client: debug 3: client 10.10.10.10#38984: sendto
> 23-Oct-2009 16:47:27.078 client: debug 3: client 10.10.10.10#38984: senddone
> 23-Oct-2009 16:47:27.078 client: debug 3: client 10.10.10.10#38984: next
> 23-Oct-2009 16:47:27.078 client: debug 3: client 10.10.10.10#38984: endrequest
> 23-Oct-2009 16:47:27.078 client: debug 3: client @0xc49c30: udprecv
> 23-Oct-2009 16:47:28.784 client: debug 3: client 10.10.10.10#50188: UDP request
> 23-Oct-2009 16:47:28.784 security: debug 3: client 10.10.10.10#50188: request is not signed
> 23-Oct-2009 16:47:28.784 security: debug 3: client 10.10.10.10#50188: recursion available
> 23-Oct-2009 16:47:28.784 client: debug 3: client 10.10.10.10#50188: query
> 23-Oct-2009 16:47:28.784 security: debug 3: client 10.10.10.10#50188: query (cache) 'www.123xyz.TLD/ANY/IN' approved
> 23-Oct-2009 16:47:28.785 client: debug 3: client 10.10.10.10#50188: replace
> 23-Oct-2009 16:47:28.785 general: debug 3: clientmgr @0x2b8f4e86a3b8: createclients
> 23-Oct-2009 16:47:28.785 general: debug 3: clientmgr @0x2b8f4e86a3b8: recycle
> 23-Oct-2009 16:47:28.785 resolver: debug 1: createfetch: www.123xyz.TLD ANY
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): create
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): join
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fetch 0x2b8f4e85c830 (fctx 0x2aaaab167010(www.123xyz.TLD/ANY)): created
> 23-Oct-2009 16:47:28.785 client: debug 3: client @0xd50050: udprecv
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): start
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): try
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): cancelqueries
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): getaddresses
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): query
> 23-Oct-2009 16:47:28.785 resolver: debug 3: resquery 0x2aaaab16e010 (fctx 0x2aaaab167010(www.123xyz.TLD/ANY)): send
> 23-Oct-2009 16:47:28.785 general: error: socket.c:4922: unexpected error:
> 23-Oct-2009 16:47:28.785 general: error: 22/Invalid argument
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): done
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): stopeverything
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): cancelqueries
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): sendevents
> 23-Oct-2009 16:47:28.785 query-errors: debug 1: client 10.10.10.10#50188: query failed (SERVFAIL) for www.123xyz.TLD/IN/ANY at query.c:4619
> 23-Oct-2009 16:47:28.785 client: debug 3: client 10.10.10.10#50188: error
> 23-Oct-2009 16:47:28.785 client: debug 3: client 10.10.10.10#50188: send
> 23-Oct-2009 16:47:28.785 client: debug 3: client 10.10.10.10#50188: sendto
> 23-Oct-2009 16:47:28.785 client: debug 3: client 10.10.10.10#50188: senddone
> 23-Oct-2009 16:47:28.785 client: debug 3: client 10.10.10.10#50188: next
> 23-Oct-2009 16:47:28.785 client: debug 3: client 10.10.10.10#50188: endrequest
> 23-Oct-2009 16:47:28.785 query-errors: debug 2: fetch completed at resolver.c:3015 for www.123xyz.TLD/ANY in 0.000483: unexpected error/success [domain:.,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fetch 0x2b8f4e85c830 (fctx 0x2aaaab167010(www.123xyz.TLD/ANY)): destroyfetch
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): shutdown
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): doshutdown
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): stopeverything
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): cancelqueries
> 23-Oct-2009 16:47:28.785 resolver: debug 3: fctx 0x2aaaab167010(www.123xyz.TLD/ANY'): destroy
> 23-Oct-2009 16:47:28.802 client: debug 3: client 10.10.10.10#56597: UDP request
> 23-Oct-2009 16:47:28.802 security: debug 3: client 10.10.10.10#56597: request is not signed
> 23-Oct-2009 16:47:28.802 security: debug 3: client 10.10.10.10#56597: recursion available
> 23-Oct-2009 16:47:28.802 client: debug 3: client 10.10.10.10#56597: query
> 23-Oct-2009 16:47:28.802 security: debug 3: client 10.10.10.10#56597: query (cache) 'TLD/DNSKEY/IN' approved
> 23-Oct-2009 16:47:28.802 client: debug 3: client 10.10.10.10#56597: send
> 23-Oct-2009 16:47:28.802 client: debug 3: client 10.10.10.10#56597: sendto
> 23-Oct-2009 16:47:28.802 client: debug 3: client 10.10.10.10#56597: senddone
> 23-Oct-2009 16:47:28.802 client: debug 3: client 10.10.10.10#56597: next
> 23-Oct-2009 16:47:28.802 client: debug 3: client 10.10.10.10#56597: endrequest
> 23-Oct-2009 16:47:28.802 client: debug 3: client @0xd25b00: udprecv
> 
> 
> 
> 
> --- On Fri, 10/23/09, Alexa Petrean <apetrean at bluecatnetworks.com>
> wrote:
> 
> > From: Alexa Petrean <apetrean at bluecatnetworks.com>
> > Subject: RE: dnssec enabled recursive server
> > To: "Pamela Rock" <prock111 at yahoo.com>
> > Date: Friday, October 23, 2009, 4:12 PM
> > I suppose you flushed the cache on the resolver too (rndc flush).
> > If not, you might need to do it.
> > Btw: any error message in the syslog file? It might be helpful
> > to enable DNSSEC logging too, for debugging purposes.
> > 
> > -----Original Message-----
> > From: Pamela Rock [mailto:prock111 at yahoo.com]
> > 
> > Sent: Friday, October 23, 2009 4:05 PM
> > To: Alexa Petrean
> > Subject: RE: dnssec enabled recursive server
> > 
> > Yes.  This is in my named.conf file.
> > 
> > trusted-keys {
> > "TLD." 257 3 7 "AwE...";
> > 
> > 
> > 
> > --- On Fri, 10/23/09, Alexa Petrean <apetrean at bluecatnetworks.com>
> > wrote:
> > 
> > > From: Alexa Petrean <apetrean at bluecatnetworks.com>
> > > Subject: RE: dnssec enabled recursive server
> > > To: bind-users at isc.org
> > > Date: Friday, October 23, 2009, 3:59 PM
> > > Have you configured the trusted
> > > anchor for the signed TLD on your
> > > recursive server?
> > > 
> > > -----Original Message-----
> > > From: bind-users-bounces at lists.isc.org
> > > [mailto:bind-users-bounces at lists.isc.org]
> > > On Behalf Of Pamela Rock
> > > Sent: Friday, October 23, 2009 3:07 PM
> > > To: bind-users at isc.org
> > > Subject: dnssec enabled recursive server
> > > 
> > > This environment is in a lab.
> > > 
> > > I have a DNSSEC enabled server with a signed .TLD zone (again, in a
> > > lab).  I have a client that can accurately run queries against the
> > > signed .TLD zone.
> > > 
> > > So this works...
> > > 
> > >     DNSSEC Enabled Client => DNSSEC Enabled .TLD
> > > 
> > > I'm trying to put a recursive BIND 9.6.1-P1 server between .TLD and the
> > > client.
> > > 
> > >     DNSSEC Enabled Client => Recursive BIND => DNSSEC Enabled .TLD
> > > 
> > > I set up the cache file on the recursive BIND to point all root servers
> > > to the DNSSEC Enabled .TLD.  I enabled dnssec-enable and
> > > dnssec-validation in the named.conf.  I pulled the keys from DNSSEC
> > > Enabled .TLD using dig +dnssec com @test.server.TLD and put them in the
> > > named.conf.  Yet my recursive DNSSEC 9.6.1 server does not answer DNSSEC
> > > queries from the client.
> > > 
> > > Any hints or clues to how to make the recursive DNSSEC work would be
> > > appreciated.  Thanks in advance.
> > > 
> > > 
> > >       
> > > _______________________________________________
> > > bind-users mailing list
> > > bind-users at lists.isc.org
> > > https://lists.isc.org/mailman/listinfo/bind-users
> > > 
> > 
> > 
> >       
> > 
> 
> 
>       
> 
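
As an added example (not part of the original thread, and not BIND code): a small triage script for the `query-errors` "fetch completed" lines quoted above. It reads the counter list and separates a fetch that never sent a query (`qrysent:0` next to a `socket.c` error) from one that failed DNSSEC validation (`valfail` above zero). The class labels, the same-timestamp correlation and the last sample entry are assumptions made for illustration.

```python
import re

# Entries 1-4 come from the log above, one entry per line; the last entry
# is constructed for contrast (hypothetical name signed.TLD).
SAMPLE = """\
23-Oct-2009 16:47:27.064 general: error: socket.c:4922: unexpected error:
23-Oct-2009 16:47:27.064 general: error: 22/Invalid argument
23-Oct-2009 16:47:27.064 query-errors: debug 1: client 10.10.10.10#40629: query failed (SERVFAIL) for 123xyz.TLD/IN/ANY at query.c:4619
23-Oct-2009 16:47:27.064 query-errors: debug 2: fetch completed at resolver.c:3015 for 123xyz.TLD/ANY in 0.000527: unexpected error/success [domain:.,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
23-Oct-2009 16:50:00.000 query-errors: debug 2: fetch completed at resolver.c:3015 for signed.TLD/A in 0.120000: failure/success [domain:TLD,referral:1,restart:2,qrysent:3,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]
"""

ENTRY = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ([\w-]+): (.*)$")
FETCH = re.compile(r"fetch completed at \S+ for (\S+) in [\d.]+: .*? \[(.*)\]$")

def parse_counters(text):
    """Turn 'domain:.,referral:0,...' into a dict; numeric values become ints."""
    counters = {}
    for item in text.split(","):
        key, _, value = item.partition(":")
        counters[key] = int(value) if value.isdigit() else value
    return counters

def classify(counters, local_error):
    """Hypothetical labels: where did the fetch fail?"""
    if counters.get("valfail", 0) > 0:
        return "dnssec-validation-failure"
    if counters.get("qrysent", 0) == 0 and local_error:
        return "local-send-failure"  # nothing was sent upstream
    if counters.get("timeout", 0) or counters.get("neterr", 0) or counters.get("lame", 0):
        return "upstream-unreachable"
    return "other"

def triage(log_text):
    """Return [(name/type, label)] for every fetch summary in the log."""
    socket_error_times, fetches = set(), []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue
        stamp, category, message = entry.groups()
        if category == "general" and message.startswith("error: socket.c"):
            socket_error_times.add(stamp)  # heuristic: correlate by timestamp
        fetch = FETCH.search(message)
        if category == "query-errors" and fetch:
            fetches.append((stamp, fetch.group(1), parse_counters(fetch.group(2))))
    return [(name, classify(c, stamp in socket_error_times)) for stamp, name, c in fetches]

if __name__ == "__main__":
    for name, label in triage(SAMPLE):
        print(name, label)
```
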


      


