Help with dig to check NS servers for DNSSEC setup

Barry Margolin barmar at alum.mit.edu
Tue Nov 15 02:58:13 UTC 2011


In article <mailman.95.1321308136.68562.bind-users at lists.isc.org>,
 Eduardo Bonsi <beartcom at pacbell.net> wrote:

> Since my servers are getting status "refused" from outside, could 
> someone shed some light on what is wrong here? Here is a copy of my named 
> conf file for the master.

You have the same 'match-clients {any;}' clause in both the internal and 
external views.  BIND picks the first view whose match-clients matches, so 
every client -- the whole Internet included -- lands in the "internal" 
view and sees the internal zones instead of the external ones; the 
"external" view is never reached.  That alone doesn't explain the 
"refused" responses, although it may be related: the internal view has 
'recursion yes' with no 'allow-recursion', which in BIND 9.4 and later 
defaults to localnets/localhost, so an outside client asking for anything 
that view isn't authoritative for is refused rather than recursed for.  
Either way, change the internal view to 'match-clients { trusted; };' 
(you define 'acl trusted' and never use it) so outside clients only ever 
see the external, non-recursive view -- that is also what keeps you from 
exposing your RFC1918 reverse zones and recursion to the Internet.

BTW, it's customary to put all the view options (like match-clients) at 
the beginning of the view clause, not hide them in the middle of all the 
zone sub-clauses.

> 
> Thanks!
> 
> //
> // Include keys file
> //
> // rndc-key: shared secret for the rndc control channel below and (via the
> // `server 192.168.1.cc` statement further down) also the TSIG key for that
> // peer. NOTE(review): hmac-md5 is obsolete -- generate a fresh hmac-sha256
> // key (tsig-keygen on current BIND) and use a separate key per purpose
> // rather than sharing the control-channel secret with a peer. The comment
> // above says the key is included from a file, but it is inline here; keep
> // it in a root:named 0640 file pulled in with `include` so it is not
> // leaked every time named.conf is pasted somewhere (the value here is
> // redacted, which is the right thing to do).
> key rndc-key {
> 	algorithm hmac-md5;
> 	secret "yyxx-not-the-real-key-xmc/xxx/z/x==";
> 	};
> //
> //
> // Declares control channels to be used by the rndc utility.
> //
> // It is recommended that 127.0.0.1 be the only address used.
> // This also allows non-privileged users on the local host to manage
> // your name server.
> //
> // Default controls
> // Control channel: loopback only, port 953. The address ACL and the key
> // are both enforced, so even a local user needs read access to rndc-key
> // to drive rndc. Keep it this way -- do not widen `inet` to a routable
> // address.
>      controls {
> 	inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
> };
> //
> //20
> //21
> //
> options {
>          directory "/var/named";
>          // Hides the version from `dig version.bind chaos txt`; harmless,
>          // but no substitute for patching.
>          version "Undisclosed";
>          //
>           // If there is a firewall between you and name servers you want
>           // to talk to, you might need to un-comment the query-source
>           // directive below.  Previous versions of BIND always asked
>           // questions using port 53, but BIND 8.1 uses an unprivileged
>           // port by default.
>           // NOTE(review): leave this commented out. Pinning the query
>           // source port disables source-port randomisation and makes the
>           // resolver trivially cache-poisonable; fix the firewall instead.
>           //query-source address 192.168.1.cc port 53;
>           //
> 	dnssec-enable yes;
> 	// Validation needs a trust anchor. The trusted-keys block below only
> 	// carries the DLV key, not the root KSK, so in practice only zones
> 	// registered in DLV can validate here (see the notes on that block).
> 	dnssec-validation yes;
> 	// forward first: ask the forwarders, fall back to full recursion if
> 	// they fail. Validation is still done locally, so the forwarders must
> 	// pass RRSIG/DNSKEY data through (EDNS, DO bit set); if they strip it,
> 	// answers from signed zones fail with SERVFAIL instead of validating.
> 	forward first;
> 	// one-answer is the legacy one-RR-per-message transfer format; the
> 	// default many-answers is fine for any BIND 9 peer.
> 	transfer-format one-answer;
> 	forwarders {
> 		68.94.156.1 port 53;
> 		68.94.157.1 port 53;
> 		};
> 	// NOTE(review): ISC has since retired the DLV registry; on any current
> 	// deployment this line must be removed and the root anchor used instead.
> 	dnssec-lookaside . trust-anchor dlv.isc.org.;
> 	// NOTE(review): no allow-transfer is set here, and BIND of this era
> 	// defaults to allow-transfer { any; }. Every master zone below that does
> 	// not override it (all but 0.0.127.in-addr.arpa) can therefore be AXFR'd
> 	// by anyone -- including the RFC1918 reverse zones in the internal view.
> 	// Add `allow-transfer { none; };` here and grant transfers per zone to
> 	// the secondary only, ideally keyed with TSIG.
>      };
> //44
> //45
> //
> //
> // NOTE(review): `inet *` binds the unauthenticated HTTP statistics port on
> // every interface and relies solely on the allow ACL to keep it local. Bind
> // it to 127.0.0.1 so it is never reachable from the wire at all.
> statistics-channels {
>      inet * port 8053 allow { 127.0.0.1; };
> };
> //
> // ACL statement
> 
> // `trusted` = the LAN plus this host. 192.168.1.254 is already inside
> // 192.168.1.0/24, so that entry is redundant. NOTE(review): this ACL is
> // defined but never referenced anywhere below -- presumably it was meant
> // as the match-clients (and allow-recursion) list for the "internal" view.
> acl trusted {
> 	192.168.1.254;
> 	192.168.1.0/24;
> 	localhost;
> 	localnets;
> 	};
> 
> // NOTE(review): views are tried in order, and this one has match-clients
> // { any; } (buried near the bottom, after the zones), so every client --
> // the whole Internet included -- matches it and never reaches "external".
> // Replace with `match-clients { trusted; };` and put it first in the view.
> view "internal" {
> 	// Recursion with no explicit allow-recursion: in BIND 9.4+ the default
> 	// is localnets/localhost, so outside clients are refused for anything
> 	// this view is not authoritative for (likely the REFUSED seen from
> 	// outside). Make it explicit: `allow-recursion { trusted; };`.
> 	recursion yes;
> 
> // Root hints, used only when the forwarders fail (forward first).
> zone "." IN {
>          type hint;
>          file "named.ca";
> };
> 
> zone "localhost" IN {
>          type master;
>          allow-query { any; };
>          file "localhost.zone";
>          allow-update { none; };
> };
> 
> // The only zone in the file that restricts AXFR; the others inherit the
> // default allow-transfer (any).
> zone "0.0.127.in-addr.arpa" IN {
>          type master;
> 		allow-query {
> 			any;
> 			};
>          file "named.local";
> 		allow-update {
> 			none;
> 			};
> 		allow-transfer {
> 			none;
> 			};
> };
> //
> //90
> //100
> // internal zones
> //
> // NOTE(review): none of the three zones below sets allow-transfer, so they
> // can be AXFR'd from the Internet as long as this view matches everyone.
> // Add `allow-transfer { none; };` (or the secondary's address / TSIG key)
> // to each. `192.168.1.cc` is presumably a redaction -- named-checkconf will
> // reject it as written.
> zone "bonsi.org" IN {
> type master;
> 		allow-query {
> 			any;
> 			};
> 		notify yes;
> file "/var/named/db.bonsi.org";
> 		also-notify {
> 			192.168.1.cc;
> 			};
>      };
> 
> zone "1.168.192.in-addr.arpa" IN {
> type master;
> 		allow-query {
> 			any;
> 			};
> 		// notify no disables NOTIFY entirely, so the also-notify list
> 		// below is a no-op for this zone.
> 		notify no;
> file "/var/named/db.192.168.1";
> 		also-notify {
> 			192.168.1.cc;
> 			};
>       };
> 
> zone "168.192.in-addr.arpa" IN {
> type master;
> 		allow-query {
> 			any;
> 			};
> file "/var/named/db.192.168";
> 		also-notify {
> 			192.168.1.cc;
> 			};
>       };
> 	// View-level options placed after the zones. They apply to the whole
> 	// view regardless of position, but this is what hides the match-clients
> 	// problem: move them to the top of the view.
> 	match-clients {any; };
> 	zone "domain2.com" {
> 		type master;
> 	              allow-query { any; };
> 		file "domain2.internal.hosts";
> 		};
> 	allow-query {
> 		any;
> 		};
> 	also-notify {
> 		192.168.1.cc;
> 		};
> };
> //150
> // www.external zones
> //
> // Public view: authoritative only, no recursion. NOTE(review): as written
> // it is unreachable, because the "internal" view above already matches
> // every client; once that view is limited to `trusted`, this is what the
> // Internet sees. Same AXFR note as above: no zone here sets allow-transfer.
> view "external" {
> 	zone "bonsi.org" {
> 		type master;
> 		allow-query {
> 			any;
> 			};
> 		file "/var/named/bonsi.org.external.hosts";
> 		notify yes;
> 		also-notify {
> 			192.168.1.cc;
> 			};
> 		};
> 	recursion no;
> 	// ns1.bonsi.org and sub.bonsi.org are separate zones here, not names
> 	// inside bonsi.org, so the parent zone file must delegate them with NS
> 	// records (and, once signed, DS records) or resolvers see an
> 	// inconsistent tree. Carving the nameserver's own hostname out into its
> 	// own zone is unusual and complicates glue and DS handling for DNSSEC;
> 	// worth reconsidering before signing.
> 	zone "ns1.bonsi.org" {
> 		type master;
> 		allow-query {
> 			any;
> 			};
> 		file "ns1.bonsi.org.external.hosts";
> 		also-notify {
> 			192.168.1.cc;
> 			};
> 		};
> 	// Fine for the last view, but belongs at the top of the view clause.
> 	match-clients { any; };
> 	zone "sub.bonsi.org" {
> 		type master;
> 	              allow-query { any; };
> 		file "sub.bonsi.org.external.hosts";
> 		};
> 	zone "domain2.com" {
> 		type master;
>                              allow-query { any; };
> 		file "domain2.com.external.hosts";
> 		};
> 	zone "45.200.63.in-addr.arpa" {
> 		type master;
> 		allow-query {
> 			any;
> 			};
> 		file "63.200.45.external.rev";
> 		also-notify {
> 			192.168.1.cc;
> 			};
> 		};
> 	allow-query {
> 		any;
> 		};
> 	// View-level also-notify to ns2 (63.200.45.19); the per-zone lists
> 	// above point at the internal 192.168.1.cc host instead.
> 	also-notify {
> 		63.200.45.19;
> 		};
> 	};
> //
> 
> // Peer statement for the internal secondary. NOTE(review): this reuses
> // rndc-key as the TSIG key for all traffic to 192.168.1.cc, so whoever
> // holds the secondary's key also holds the control-channel secret. Use a
> // dedicated TSIG key here and reference it from that peer's allow-transfer.
> server 192.168.1.cc {
> 	keys {
> 		rndc-key;
> 		};
> 	};
> //
> // Static trust anchors: only the two DLV keys (algorithm 5 RSASHA1 and
> // algorithm 8 RSASHA256), no root KSK. NOTE(review): (1) without the root
> // anchor, validation can only succeed for zones registered in DLV -- add
> // the root key (or, on 9.8+, use `dnssec-validation auto`); (2)
> // trusted-keys never roll, so a key rollover silently breaks resolution --
> // prefer managed-keys (RFC 5011); (3) ISC has since shut DLV down, so on
> // anything current this whole block is dead weight and should go.
> trusted-keys {
> 	dlv.isc.org. 257 3 5 
> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70
> jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
> 2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoB
> AADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9
> UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
> 	dlv.isc.org. 257 3 8 
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0E
> zrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxk
> jf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzC
> TMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmq
> rAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
> 	};
> //
> logging {
> 	// debug 3 for the dnssec category only; everything else stays on the
> 	// default channels.
> 	channel dnssec_log {
> 		// NOTE(review): size without versions -- once the file reaches 20m
> 		// named stops writing to it instead of rotating. Add `versions 3;`
> 		// (and make sure /var/named/log is writable by the named user).
> 		file "log/dnssec" size 20m;
> 		print-time yes;
> 		print-category yes;
> 		print-severity yes;
> 		severity debug 3;
> 		};
> 	category dnssec {
> 		dnssec_log;
> 		default_syslog;
> 		default_debug;
> 		// default_stderr only matters when named runs in the foreground;
> 		// with the three channels above every message is logged up to four
> 		// times.
> 		default_stderr;
> 		};
> };
> 
> 
> 
> On 11/14/11 12:44 PM, Adamiec, Lawrence wrote:
> > Here are some results using the same commands you used.
> >
> >
> >
> > # dig bonsi.org
> >
> > ;<<>>  DiG 9.6.1-P3<<>>  bonsi.org
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;bonsi.org.                     IN      A
> >
> > ;; Query time: 666 msec
> > ;; SERVER: 64.131.119.11#53(64.131.119.11)
> > ;; WHEN: Mon Nov 14 14:41:54 2011
> > ;; MSG SIZE  rcvd: 27
> >
> >
> >
> > # dig @63.200.45.18 ns1.bonsi.org soa
> >
> > ;<<>>  DiG 9.6.1-P3<<>>  @63.200.45.18 ns1.bonsi.org soa
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 986
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; WARNING: recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;ns1.bonsi.org.                 IN      SOA
> >
> > ;; Query time: 75 msec
> > ;; SERVER: 63.200.45.18#53(63.200.45.18)
> > ;; WHEN: Mon Nov 14 14:42:25 2011
> > ;; MSG SIZE  rcvd: 31
> >
> > #
> >
> >> -----Original Message-----
> >> From: bind-users-bounces+ladamiec=kentlaw.edu at lists.isc.org
> > [mailto:bind-users-
> >> bounces+ladamiec=kentlaw.edu at lists.isc.org] On Behalf Of Eduardo Bonsi
> >> Sent: Monday, November 14, 2011 14:39
> >> To: bind-users at isc.org
> >> Subject: Help with dig to check NS servers for DNSSEC setup
> >>
> >> I am checking my DNS setup from inside using dig and I am getting
> >> everything ok but I need a second opinion from outside of the server
> > to
> >> see if my ns1 and ns2 are responding ok to setup DNSSEC.
> >>
> >> Thanks!
> >>
> >> user:~ user1$ dig bonsi.org
> >>
> >> ;<<>>  DiG 9.6-ESV-R4-P3<<>>  bonsi.org
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35880
> >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; QUESTION SECTION:
> >> ;bonsi.org.			IN	A
> >>
> >> ;; ANSWER SECTION:
> >> bonsi.org.		3600	IN	A	63.200.45.21
> >>
> >> ;; AUTHORITY SECTION:
> >> bonsi.org.		3600	IN	NS	ns2.bonsi.org.
> >> bonsi.org.		3600	IN	NS	ns1.bonsi.org.
> >>
> >> ;; ADDITIONAL SECTION:
> >> ns2.bonsi.org.		3600	IN	A	63.200.45.19
> >>
> >> ;; Query time: 14 msec
> >> ;; SERVER: 63.200.45.18#53(63.200.45.18)
> >> ;; WHEN: Mon Nov 14 12:09:43 2011
> >> ;; MSG SIZE  rcvd: 95
> >> ********************************************************************
> >> user:~ user1$ dig @63.200.45.18 ns1.bonsi.org soa
> >>
> >> ;<<>>  DiG 9.6-ESV-R4-P3<<>>  @63.200.45.18 ns1.bonsi.org soa
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31586
> >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; QUESTION SECTION:
> >> ;ns1.bonsi.org.			IN	SOA
> >>
> >> ;; ANSWER SECTION:
> >> ns1.bonsi.org.		3600	IN	SOA	ns1.bonsi.org.
> > hostmaster.bonsi.org.
> >> 2011101403 10800 3600 604800 3600
> >>
> >> ;; AUTHORITY SECTION:
> >> ns1.bonsi.org.		3600	IN	NS	ns1.bonsi.org.
> >>
> >> ;; Query time: 14 msec
> >> ;; SERVER: 63.200.45.18#53(63.200.45.18)
> >> ;; WHEN: Mon Nov 14 12:10:19 2011
> >> ;; MSG SIZE  rcvd: 92
> >> ********************************************************************
> >> user:~ user1$ dig @63.200.45.19 ns2.bonsi.org
> >>
> >> ;<<>>  DiG 9.6-ESV-R4-P3<<>>  @63.200.45.19 ns2.bonsi.org
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38660
> >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; QUESTION SECTION:
> >> ;ns2.bonsi.org.			IN	A
> >>
> >> ;; ANSWER SECTION:
> >> ns2.bonsi.org.		3600	IN	A	63.200.45.19
> >>
> >> ;; AUTHORITY SECTION:
> >> ns2.bonsi.org.		3600	IN	NS	ns2.bonsi.org.
> >>
> >> ;; Query time: 12 msec
> >> ;; SERVER: 63.200.45.19#53(63.200.45.19)
> >> ;; WHEN: Mon Nov 14 12:11:04 2011
> >> ;; MSG SIZE  rcvd: 61
> >> ********************************************************************
> >> user:~ user1$ dig @63.200.45.19 ns2.bonsi.org soa
> >>
> >> ;<<>>  DiG 9.6-ESV-R4-P3<<>>  @63.200.45.19 ns2.bonsi.org soa
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17334
> >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; QUESTION SECTION:
> >> ;ns2.bonsi.org.			IN	SOA
> >>
> >> ;; ANSWER SECTION:
> >> ns2.bonsi.org.		3600	IN	SOA	ns2.bonsi.org.
> > hostmaster.bonsi.org.
> >> 2011101409 10800 3600 604800 3600
> >>
> >> ;; AUTHORITY SECTION:
> >> ns2.bonsi.org.		3600	IN	NS	ns2.bonsi.org.
> >>
> >> ;; ADDITIONAL SECTION:
> >> ns2.bonsi.org.		3600	IN	A	63.200.45.19
> >>
> >> ;; Query time: 58 msec
> >> ;; SERVER: 63.200.45.19#53(63.200.45.19)
> >> ;; WHEN: Mon Nov 14 12:19:50 2011
> >> ;; MSG SIZE  rcvd: 108
> >>
> >>
> >> --
> >> BEARTCOMMUNICATIONS
> >> Eduardo Bonsi
> >> System - Network Admin
> >> beartcom at pacbell.net
> >> webmaster at beart.com
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >>
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> >

-- 
Barry Margolin
Arlington, MA


