DNSSEC Validating Resolver and Views

John Marshall john at rwpc12.mby.riverwillow.net.au
Tue Mar 16 10:18:00 UTC 2010


On Tue, 16 Mar 2010 08:14:40 +0000 (UTC), John Marshall wrote:
>
> Client: 192.168.25.71 is querying the PTR record for its own address.
> Server: 172.25.24.16 is querying itself for the DS record for the
>         parent of the zone which the client is querying (Why?).
>         There is no DS record in that zone.  Neither the child nor
>         parent zones are signed.
>
> 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: view internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at query.c:4631
> 16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success [domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
> 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718: view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at query.c:4631
> 16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no valid DS [domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]

I should have checked syslog before posting.  It shows this going on at
the same time...

Mar 16 18:15:33 rwsrv03 named[679]: error (chase DS servers) resolving '168.192.in-addr.arpa/DS/IN': 172.25.24.17#53
Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 204.61.216.50#53
Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 192.35.51.32#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 199.212.0.63#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 199.71.0.63#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 192.42.93.32#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 63.243.194.2#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 72.52.71.2#53
Mar 16 18:15:34 rwsrv03 named[679]: error (no valid DS) resolving '71.25.168.192.in-addr.arpa/PTR/IN': 172.25.24.16#53

I don't understand this.  If the client needs an answer from
25.168.192.in-addr.arpa. and we are hosting that zone and its parent
zone (both unsigned, both in our internal view), why are we looking
higher for DS records?

If I grant the guest clients access to the internal view, all is well.
Things seem to go wobbly, unless checking is disabled, when we forward
the guest view queries to the internal view.

-- 
John Marshall
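The two log formats quoted in this thread (the BIND `query-errors` "fetch completed" debug lines with their bracketed counters, and the syslog "error (...) resolving" lines) are awkward to eyeball when a resolver is SERVFAILing. The following parser is an added example, not code from the post or from BIND; it extracts the fetch counters so that fetches with `valfail` greater than zero (validation failures, such as the "no valid DS" case above) can be separated from plain upstream failures, and it groups the syslog errors by reason and name. The sample lines are copied from the post; the regular expressions are my own reading of those lines and assume the field order shown there.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# "fetch completed" line from BIND's query-errors category (debug level 2).
# The layout assumed here is the one visible in the quoted log lines.
FETCH_RE = re.compile(
    r"fetch completed at (?P<where>\S+) for (?P<name>[^\s/]+)/(?P<rtype>[^\s/]+) "
    r"in (?P<secs>[0-9.]+): (?P<result>[^/]+)/(?P<vresult>[^\[]+?) "
    r"\[(?P<stats>[^\]]*)\]"
)

# "error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>"
SYSLOG_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[^/]+)/(?P<rclass>[^']+)': (?P<server>\S+)"
)


@dataclass
class Fetch:
    name: str
    rtype: str
    seconds: float
    result: str       # e.g. "SERVFAIL" or "failure"
    vresult: str      # e.g. "success" or "no valid DS"
    domain: str       # the zone cut the resolver was working from
    counters: dict = field(default_factory=dict)

    def validation_failed(self) -> bool:
        # valfail counts DNSSEC validation failures during this fetch
        return self.counters.get("valfail", 0) > 0


def parse_fetch(line: str):
    """Parse one 'fetch completed' line; return a Fetch or None."""
    m = FETCH_RE.search(line)
    if not m:
        return None
    counters = {}
    domain = ""
    for item in m.group("stats").split(","):
        key, _, value = item.partition(":")
        if key == "domain":
            domain = value
        else:
            counters[key] = int(value)
    return Fetch(
        name=m.group("name"),
        rtype=m.group("rtype"),
        seconds=float(m.group("secs")),
        result=m.group("result"),
        vresult=m.group("vresult").strip(),
        domain=domain,
        counters=counters,
    )


def failed_validations(lines):
    """Return (name, type, domain, reason) for fetches that hit valfail."""
    out = []
    for line in lines:
        f = parse_fetch(line)
        if f is not None and f.validation_failed():
            out.append((f.name, f.rtype, f.domain, f.vresult))
    return out


def parse_syslog_error(line: str):
    """Parse one 'error (...) resolving' syslog line into a dict, or None."""
    m = SYSLOG_RE.search(line)
    return m.groupdict() if m else None


def summarize_errors(lines):
    """Count syslog resolver errors by (reason, name/type)."""
    by_reason = Counter()
    for line in lines:
        e = parse_syslog_error(line)
        if e:
            by_reason[(e["reason"], e["name"] + "/" + e["rtype"])] += 1
    return by_reason


# Sample input: the lines quoted in the post.
FETCH_LINES = [
    "16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success [domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]",
    "16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no valid DS [domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]",
]

SYSLOG_LINES = [
    "Mar 16 18:15:33 rwsrv03 named[679]: error (chase DS servers) resolving '168.192.in-addr.arpa/DS/IN': 172.25.24.17#53",
    "Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 204.61.216.50#53",
    "Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 199.212.0.63#53",
    "Mar 16 18:15:34 rwsrv03 named[679]: error (no valid DS) resolving '71.25.168.192.in-addr.arpa/PTR/IN': 172.25.24.16#53",
]

if __name__ == "__main__":
    for name, rtype, domain, reason in failed_validations(FETCH_LINES):
        print(f"validation failed: {name}/{rtype} (from zone cut {domain}): {reason}")
    for (reason, qname), n in summarize_errors(SYSLOG_LINES).items():
        print(f"{n:3d}  {reason:<18} {qname}")
```

Reading the counters this way makes the distinction in the quoted lines explicit: the DS fetch ended as SERVFAIL with `badresp:1` and `valfail:0` (the upstream answer was bad, validation never got a chance), whereas the PTR fetch ended with `valfail:1` and "no valid DS", which is the validator itself rejecting the answer.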
