DNSSEC Validating Resolver and Views

John Marshall john at rwpc12.mby.riverwillow.net.au
Tue Mar 16 08:14:40 UTC 2010


Context: BIND 9.7.0

I have made use of views on a single server for providing
suitable/selective responses to internal, external and guest clients.
This setup has been working for years but is now broken for clients
querying from a guest network (via the guest view) unless the queries
have checking disabled.

- The guest network is not local to the server.
- Internal view and guest view clients are allowed recursion.
- The breakage only relates to queries for internal zones from guest
  clients.
- Queries for internal zones from (local) internal clients are fine.
- In the guest view, queries for most zones are forwarded to the
  server's internal address (internal view), but queries for some
  zones are forwarded to the server's external address (external view).
- The name servers for all of the internal zones live in an internal
  signed zone.  That zone is visible to the guest and internal views
  and its key is listed in trusted-keys{}.
- The zones being queried (below) are unsigned.

Client: 192.168.25.71 is querying the PTR record for its own address.
Server: 172.25.24.16 is querying itself for the DS record for the
        parent of the zone which the client is querying (Why?).
        There is no DS record in that zone.  Neither the child nor the
        parent zone is signed.

16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: view internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at query.c:4631
16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success [domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718: view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at query.c:4631
16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no valid DS [domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]

Is the problem due to the fact that the name servers live in a signed
zone?  This view configuration has worked for years.  I configured
DNSSEC on the server about 18 months ago.  I guess I've just been lucky?

Again, these queries still work fine with +cd passed to dig, so I'm
obviously missing something with respect to DNSSEC configuration.  I
only just noticed this today (we don't use the guest network much) so I
don't know whether this problem surfaced with 9.7.0 or DNSSEC things
happening higher up.

-- 
John Marshall
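The four query-errors lines above already contain the chain of events, but they are interleaved and refer to two different views, so they are easy to misread. The following is an added example (not code from the post, from BIND or from ISC) that parses BIND 9.7-style query-errors debug lines and ties each validation failure (valfail > 0) to the DS fetches the validator made for that name's ancestors, reporting which view answered each one. Run on the four lines quoted in the post (embedded below as a constructed sample), it pairs the guest-view PTR failure ("no valid DS", domain 25.168.192.in-addr.arpa) with the DS fetch for 168.192.in-addr.arpa that completed SERVFAIL with badresp:1, the query for which was logged as failing in the internal view. The regexes are written against the line shapes quoted here; other BIND versions word these messages slightly differently, so treat them as an assumption to adjust.

```python
"""Triage BIND 9 'query-errors' debug lines: tie a DNSSEC validation failure on a
client query to the DS fetches the validator made and the view that answered them.

Added example for the post above; not part of BIND.  Regexes match the BIND 9.7
message shapes quoted in the post (assumption: other versions may differ)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the four log lines quoted in the post, in log order.
SAMPLE_LOG = """\
16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: view internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at query.c:4631
16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success [domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718: view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at query.c:4631
16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no valid DS [domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]
"""

# "client A#port: view V: query failed (RCODE) for NAME/CLASS/TYPE at file:line"
QUERY_FAILED = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query failed \((?P<rcode>\w+)\) for (?P<name>\S+)/(?P<cls>\w+)/(?P<type>\w+) at "
)
# "fetch completed at file:line for NAME/TYPE in SECS: RESULT/DETAIL [k:v,k:v,...]"
FETCH_DONE = re.compile(
    r"fetch completed at \S+ for (?P<name>\S+)/(?P<type>\w+) in (?P<secs>[\d.]+): "
    r"(?P<result>[^/]+)/(?P<detail>.*?) \[(?P<counters>[^\]]*)\]"
)


def parse_counters(text):
    """Turn 'domain:x,referral:0,...' into a dict; numeric fields become ints."""
    out = {}
    for item in text.split(","):
        key, _, value = item.partition(":")
        out[key] = int(value) if value.isdigit() else value
    return out


def is_ancestor_or_self(ancestor, name):
    """True if `ancestor` is `name` itself or a parent zone of it (case-insensitive)."""
    a, n = ancestor.rstrip(".").lower(), name.rstrip(".").lower()
    return n == a or n.endswith("." + a)


def parse_log(text):
    """Split the log into 'query failed' records and 'fetch completed' records."""
    queries, fetches = [], []
    for line in text.splitlines():
        m = QUERY_FAILED.search(line)
        if m:
            queries.append(m.groupdict())
            continue
        m = FETCH_DONE.search(line)
        if m:
            rec = m.groupdict()
            rec["counters"] = parse_counters(rec["counters"])
            fetches.append(rec)
    return queries, fetches


@dataclass
class ValidationFailure:
    name: str            # the name the client asked for
    qtype: str
    detail: str          # validator's reason, e.g. "no valid DS"
    domain: str          # zone the validator was working in (from the counters)
    views: list          # views in which the client query was logged as failing
    ds_fetches: list = field(default_factory=list)  # DS lookups for that zone's ancestors


def views_for(queries, name, qtype):
    """Views in which a 'query failed' record exists for NAME/TYPE."""
    return sorted({q["view"] for q in queries if q["name"] == name and q["type"] == qtype})


def triage(text):
    """Return one ValidationFailure per fetch that ended with valfail > 0."""
    queries, fetches = parse_log(text)
    failures = []
    for f in fetches:
        if f["counters"].get("valfail", 0) == 0:
            continue
        domain = f["counters"].get("domain", f["name"])
        vf = ValidationFailure(f["name"], f["type"], f["detail"].strip(), domain,
                               views_for(queries, f["name"], f["type"]))
        # Every DS fetch at or above the zone being validated is part of the chain.
        for d in fetches:
            if d["type"] == "DS" and is_ancestor_or_self(d["name"], domain):
                vf.ds_fetches.append({
                    "name": d["name"], "result": d["result"].strip(),
                    "detail": d["detail"].strip(),
                    "badresp": d["counters"].get("badresp", 0),
                    "views": views_for(queries, d["name"], "DS"),
                })
        failures.append(vf)
    return failures


if __name__ == "__main__":
    for vf in triage(SAMPLE_LOG):
        print(f"{vf.name}/{vf.qtype} in view(s) {vf.views}: {vf.detail} "
              f"(validating {vf.domain})")
        for ds in vf.ds_fetches:
            print(f"  DS {ds['name']}: {ds['result']}/{ds['detail']} "
                  f"badresp={ds['badresp']} logged in view(s) {ds['views']}")
```

The useful output is the pairing: the validator working on 25.168.192.in-addr.arpa needed DS data for 168.192.in-addr.arpa, that fetch got a bad response (SERVFAIL), and the matching failed DS query was logged against the internal view, so the guest-view PTR lookup could neither be validated nor proven insecure. Pointing `dig` at the internal address for `DS 168.192.in-addr.arpa` (with and without `+cd`) is the next manual check that follows from this.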
