Help with dig to check NS servers for DNSSEC setup
Eduardo Bonsi
beartcom at pacbell.net
Mon Nov 14 22:01:45 UTC 2011
Since my servers are getting status "refused" from outside, could
someone shine me a light what is wrong here? Here is a copy of my named
conf file for the master.
Thanks!
//
// Include keys file
key rndc-key {
algorithm hmac-md5;
secret "yyxx-not-the-real-key-xmc/xxx/z/x==";
};
//
//
// Declares control channels to be used by the rndc utility.
//
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.
//
// Default controls
controls {
inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
};
//
//20
//21
//
options {
directory "/var/named";
version "Undisclosed";
//
// If there is a firewall between you and name servers you want
// to talk to, you might need to un-comment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 uses an unprivileged
// port by default.
//query-source address 192.168.1.cc port 53;
//
dnssec-enable yes;
dnssec-validation yes;
forward first;
transfer-format one-answer;
forwarders {
68.94.156.1 port 53;
68.94.157.1 port 53;
};
dnssec-lookaside . trust-anchor dlv.isc.org.;
};
//44
//45
//
//
statistics-channels {
inet * port 8053 allow { 127.0.0.1; };
};
//
// ACL statement
acl trusted {
192.168.1.254;
192.168.1.0/24;
localhost;
localnets;
};
view "internal" {
recursion yes;
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
allow-query { any; };
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
allow-query {
any;
};
file "named.local";
allow-update {
none;
};
allow-transfer {
none;
};
};
//
//90
//100
// internal zones
//
zone "bonsi.org" IN {
type master;
allow-query {
any;
};
notify yes;
file "/var/named/db.bonsi.org";
also-notify {
192.168.1.cc;
};
};
zone "1.168.192.in-addr.arpa" IN {
type master;
allow-query {
any;
};
notify no;
file "/var/named/db.192.168.1";
also-notify {
192.168.1.cc;
};
};
zone "168.192.in-addr.arpa" IN {
type master;
allow-query {
any;
};
file "/var/named/db.192.168";
also-notify {
192.168.1.cc;
};
};
match-clients {any; };
zone "domain2.com" {
type master;
allow-query { any; };
file "domain2.internal.hosts";
};
allow-query {
any;
};
also-notify {
192.168.1.cc;
};
};
//150
// www.external zones
//
view "external" {
zone "bonsi.org" {
type master;
allow-query {
any;
};
file "/var/named/bonsi.org.external.hosts";
notify yes;
also-notify {
192.168.1.cc;
};
};
recursion no;
zone "ns1.bonsi.org" {
type master;
allow-query {
any;
};
file "ns1.bonsi.org.external.hosts";
also-notify {
192.168.1.cc;
};
};
match-clients { any; };
zone "sub.bonsi.org" {
type master;
allow-query { any; };
file "sub.bonsi.org.external.hosts";
};
zone "domain2.com" {
type master;
allow-query { any; };
file "domain2.com.external.hosts";
};
zone "45.200.63.in-addr.arpa" {
type master;
allow-query {
any;
};
file "63.200.45.external.rev";
also-notify {
192.168.1.cc;
};
};
allow-query {
any;
};
also-notify {
63.200.45.19;
};
};
//
server 192.168.1.cc {
keys {
rndc-key;
};
};
//
trusted-keys {
dlv.isc.org. 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
dlv.isc.org. 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
//
logging {
channel dnssec_log {
file "log/dnssec" size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity debug 3;
};
category dnssec {
dnssec_log;
default_syslog;
default_debug;
default_stderr;
};
};
On 11/14/11 12:44 PM, Adamiec, Lawrence wrote:
> Here are some results using the same commands you used.
>
>
>
> # dig bonsi.org
>
> ;<<>> DiG 9.6.1-P3<<>> bonsi.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;bonsi.org. IN A
>
> ;; Query time: 666 msec
> ;; SERVER: 64.131.119.11#53(64.131.119.11)
> ;; WHEN: Mon Nov 14 14:41:54 2011
> ;; MSG SIZE rcvd: 27
>
>
>
> # dig @63.200.45.18 ns1.bonsi.org soa
>
> ;<<>> DiG 9.6.1-P3<<>> @63.200.45.18 ns1.bonsi.org soa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 986
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ns1.bonsi.org. IN SOA
>
> ;; Query time: 75 msec
> ;; SERVER: 63.200.45.18#53(63.200.45.18)
> ;; WHEN: Mon Nov 14 14:42:25 2011
> ;; MSG SIZE rcvd: 31
>
> #
>
>> -----Original Message-----
>> From: bind-users-bounces+ladamiec=kentlaw.edu at lists.isc.org
> [mailto:bind-users-
>> bounces+ladamiec=kentlaw.edu at lists.isc.org] On Behalf Of Eduardo Bonsi
>> Sent: Monday, November 14, 2011 14:39
>> To: bind-users at isc.org
>> Subject: Help with dig to check NS servers for DNSSEC setup
>>
>> I am checking my DNS setup from inside using dig and I am getting
>> everything ok but I need a second opinion from outside of the server
> to
>> see if my ns1 and ns2 are responding ok to setup DNSSEC.
>>
>> Thanks!
>>
>> user:~ user1$ dig bonsi.org
>>
>> ;<<>> DiG 9.6-ESV-R4-P3<<>> bonsi.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35880
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;bonsi.org. IN A
>>
>> ;; ANSWER SECTION:
>> bonsi.org. 3600 IN A 63.200.45.21
>>
>> ;; AUTHORITY SECTION:
>> bonsi.org. 3600 IN NS ns2.bonsi.org.
>> bonsi.org. 3600 IN NS ns1.bonsi.org.
>>
>> ;; ADDITIONAL SECTION:
>> ns2.bonsi.org. 3600 IN A 63.200.45.19
>>
>> ;; Query time: 14 msec
>> ;; SERVER: 63.200.45.18#53(63.200.45.18)
>> ;; WHEN: Mon Nov 14 12:09:43 2011
>> ;; MSG SIZE rcvd: 95
>> ********************************************************************
>> user:~ user1$ dig @63.200.45.18 ns1.bonsi.org soa
>>
>> ;<<>> DiG 9.6-ESV-R4-P3<<>> @63.200.45.18 ns1.bonsi.org soa
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31586
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;ns1.bonsi.org. IN SOA
>>
>> ;; ANSWER SECTION:
>> ns1.bonsi.org. 3600 IN SOA ns1.bonsi.org.
> hostmaster.bonsi.org.
>> 2011101403 10800 3600 604800 3600
>>
>> ;; AUTHORITY SECTION:
>> ns1.bonsi.org. 3600 IN NS ns1.bonsi.org.
>>
>> ;; Query time: 14 msec
>> ;; SERVER: 63.200.45.18#53(63.200.45.18)
>> ;; WHEN: Mon Nov 14 12:10:19 2011
>> ;; MSG SIZE rcvd: 92
>> ********************************************************************
>> user:~ user1$ dig @63.200.45.19 ns2.bonsi.org
>>
>> ;<<>> DiG 9.6-ESV-R4-P3<<>> @63.200.45.19 ns2.bonsi.org
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38660
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;ns2.bonsi.org. IN A
>>
>> ;; ANSWER SECTION:
>> ns2.bonsi.org. 3600 IN A 63.200.45.19
>>
>> ;; AUTHORITY SECTION:
>> ns2.bonsi.org. 3600 IN NS ns2.bonsi.org.
>>
>> ;; Query time: 12 msec
>> ;; SERVER: 63.200.45.19#53(63.200.45.19)
>> ;; WHEN: Mon Nov 14 12:11:04 2011
>> ;; MSG SIZE rcvd: 61
>> ********************************************************************
>> user:~ user1$ dig @63.200.45.19 ns2.bonsi.org soa
>>
>> ;<<>> DiG 9.6-ESV-R4-P3<<>> @63.200.45.19 ns2.bonsi.org soa
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17334
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;ns2.bonsi.org. IN SOA
>>
>> ;; ANSWER SECTION:
>> ns2.bonsi.org. 3600 IN SOA ns2.bonsi.org.
> hostmaster.bonsi.org.
>> 2011101409 10800 3600 604800 3600
>>
>> ;; AUTHORITY SECTION:
>> ns2.bonsi.org. 3600 IN NS ns2.bonsi.org.
>>
>> ;; ADDITIONAL SECTION:
>> ns2.bonsi.org. 3600 IN A 63.200.45.19
>>
>> ;; Query time: 58 msec
>> ;; SERVER: 63.200.45.19#53(63.200.45.19)
>> ;; WHEN: Mon Nov 14 12:19:50 2011
>> ;; MSG SIZE rcvd: 108
>>
>>
>> --
>> BEARTCOMMUNICATIONS
>> Eduardo Bonsi
>> System - Network Admin
>> beartcom at pacbell.net
>> webmaster at beart.com
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beartcom at pacbell.net
webmaster at beart.com
More information about the bind-users
mailing list