Help with dig to check NS servers for DNSSEC setup

Eduardo Bonsi beartcom at pacbell.net
Tue Nov 15 05:26:57 UTC 2011


Barry;

Thanks, I fixed that!
I am also not sure whether that will help with the SERVFAIL and REFUSED
statuses we see when the servers are checked from outside.

Eduardo

On 11/14/11 6:58 PM, Barry Margolin wrote:
> In article <mailman.95.1321308136.68562.bind-users at lists.isc.org>,
>   Eduardo Bonsi <beartcom at pacbell.net> wrote:
>
>> Since my servers are getting status "refused" from outside, could
>> someone shed some light on what is wrong here? Here is a copy of my
>> named.conf file for the master.
>
> You have the same 'match-clients {any;}' clause in both the internal and
> external views.  Because BIND tries the views in the order they appear
> and uses the first one that matches, every client lands in the internal
> view.  I don't see how that would cause us to get "refused" responses,
> though; it should just mean that we see the internal zones instead of
> the external ones.
>
> BTW, it's customary to put all the view options (like match-clients) at
> the beginning of the view clause rather than hiding them in the middle of
> the zone sub-clauses.
>
>>
>> Thanks!
>>
>> //
>> // Include keys file
>> key rndc-key {
>> 	algorithm hmac-md5;
>> 	secret "yyxx-not-the-real-key-xmc/xxx/z/x==";
>> 	};
>> //
>> //
>> // Declares control channels to be used by the rndc utility.
>> //
>> // It is recommended that 127.0.0.1 be the only address used.
>> // This also allows non-privileged users on the local host to manage
>> // your name server.
>> //
>> // Default controls
>>       controls {
>> 	inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
>> };
>> //
>> //20
>> //21
>> //
>> options {
>>           directory "/var/named";
>>           version "Undisclosed";
>>           //
>>            // If there is a firewall between you and name servers you want
>>            // to talk to, you might need to un-comment the query-source
>>            // directive below.  Previous versions of BIND always asked
>>            // questions using port 53, but BIND 8.1 uses an unprivileged
>>            // port by default.
>>            //query-source address 192.168.1.cc port 53;
>>            //
>> 	dnssec-enable yes;
>> 	dnssec-validation yes;
>> 	forward first;
>> 	transfer-format one-answer;
>> 	forwarders {
>> 		68.94.156.1 port 53;
>> 		68.94.157.1 port 53;
>> 		};
>> 	dnssec-lookaside . trust-anchor dlv.isc.org.;
>>       };
>> //44
>> //45
>> //
>> //
>> statistics-channels {
>>       inet * port 8053 allow { 127.0.0.1; };
>> };
>> //
>> // ACL statement
>>
>> acl trusted {
>> 	192.168.1.254;
>> 	192.168.1.0/24;
>> 	localhost;
>> 	localnets;
>> 	};
>>
>> view "internal" {
         match-clients { 192.168.1.0/24; };
>> 	recursion yes;
>>
>> zone "." IN {
>>           type hint;
>>           file "named.ca";
>> };
>>
>> zone "localhost" IN {
>>           type master;
>>           allow-query { any; };
>>           file "localhost.zone";
>>           allow-update { none; };
>> };
>>
>> zone "0.0.127.in-addr.arpa" IN {
>>           type master;
>> 		allow-query {
>> 			any;
>> 			};
>>           file "named.local";
>> 		allow-update {
>> 			none;
>> 			};
>> 		allow-transfer {
>> 			none;
>> 			};
>> };
>> //
>> //90
>> //100
>> // internal zones
>> //
>> zone "bonsi.org" IN {
>> type master;
>> 		allow-query {
>> 			any;
>> 			};
>> 		notify yes;
>> file "/var/named/db.bonsi.org";
>> 		also-notify {
>> 			192.168.1.cc;
>> 			};
>>       };
>>
>> zone "1.168.192.in-addr.arpa" IN {
>> type master;
>> 		allow-query {
>> 			any;
>> 			};
>> 		notify no;
>> file "/var/named/db.192.168.1";
>> 		also-notify {
>> 			192.168.1.cc;
>> 			};
>>        };
>>
>> zone "168.192.in-addr.arpa" IN {
>> type master;
>> 		allow-query {
>> 			any;
>> 			};
>> file "/var/named/db.192.168";
>> 		also-notify {
>> 			192.168.1.cc;
>> 			};
>>        };
>> 	zone "domain2.com" {
>> 		type master;
>> 	              allow-query { any; };
>> 		file "domain2.internal.hosts";
>> 		};
>> 	allow-query {
>> 		any;
>> 		};
>> 	also-notify {
>> 		192.168.1.cc;
>> 		};
>> };
>> //150
>> // www.external zones
>> //
>> view "external" {
         match-clients { any; };
	recursion no;
>> 	zone "bonsi.org" {
>> 		type master;
>> 		allow-query {
>> 			any;
>> 			};
>> 		file "/var/named/bonsi.org.external.hosts";
>> 		notify yes;
>> 		also-notify {
>> 			192.168.1.cc;
>> 			};
>> 		};
>>
>> 	zone "ns1.bonsi.org" {
>> 		type master;
>> 		allow-query {
>> 			any;
>> 			};
>> 		file "ns1.bonsi.org.external.hosts";
>> 		also-notify {
>> 			192.168.1.cc;
>> 			};
>> 		};
>> 	
>> 	zone "sub.bonsi.org" {
>> 		type master;
>> 	              allow-query { any; };
>> 		file "sub.bonsi.org.external.hosts";
>> 		};
>> 	zone "domain2.com" {
>> 		type master;
>>                               allow-query { any; };
>> 		file "domain2.com.external.hosts";
>> 		};
>> 	zone "45.200.63.in-addr.arpa" {
>> 		type master;
>> 		allow-query {
>> 			any;
>> 			};
>> 		file "63.200.45.external.rev";
>> 		also-notify {
>> 			192.168.1.cc;
>> 			};
>> 		};
>> 	allow-query {
>> 		any;
>> 		};
>> 	also-notify {
>> 		63.200.45.19;
>> 		};
>> 	};
>> //
>>
>> server 192.168.1.cc {
>> 	keys {
>> 		rndc-key;
>> 		};
>> 	};
>> //
>> trusted-keys {
>> 	dlv.isc.org. 257 3 5
>> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70
>> jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
>> 2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoB
>> AADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9
>> UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
>> 	dlv.isc.org. 257 3 8
>> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0E
>> zrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxk
>> jf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzC
>> TMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmq
>> rAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
>> 	};
>> //
>> logging {
>> 	channel dnssec_log {
>> 		file "log/dnssec" size 20m;
>> 		print-time yes;
>> 		print-category yes;
>> 		print-severity yes;
>> 		severity debug 3;
>> 		};
>> 	category dnssec {
>> 		dnssec_log;
>> 		default_syslog;
>> 		default_debug;
>> 		default_stderr;
>> 		};
>> };
>>
>>
>>
>> On 11/14/11 12:44 PM, Adamiec, Lawrence wrote:
>>> Here are some results using the same commands you used.
>>>
>>>
>>>
>>> # dig bonsi.org
>>>
>>> ;<<>>   DiG 9.6.1-P3<<>>   bonsi.org
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;bonsi.org.                     IN      A
>>>
>>> ;; Query time: 666 msec
>>> ;; SERVER: 64.131.119.11#53(64.131.119.11)
>>> ;; WHEN: Mon Nov 14 14:41:54 2011
>>> ;; MSG SIZE  rcvd: 27
>>>
>>>
>>>
>>> # dig @63.200.45.18 ns1.bonsi.org soa
>>>
>>> ;<<>>   DiG 9.6.1-P3<<>>   @63.200.45.18 ns1.bonsi.org soa
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 986
>>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>> ;; WARNING: recursion requested but not available
>>>
>>> ;; QUESTION SECTION:
>>> ;ns1.bonsi.org.                 IN      SOA
>>>
>>> ;; Query time: 75 msec
>>> ;; SERVER: 63.200.45.18#53(63.200.45.18)
>>> ;; WHEN: Mon Nov 14 14:42:25 2011
>>> ;; MSG SIZE  rcvd: 31
>>>
>>> #
>>>
>>>> -----Original Message-----
>>>> From: bind-users-bounces+ladamiec=kentlaw.edu at lists.isc.org
>>> [mailto:bind-users-
>>>> bounces+ladamiec=kentlaw.edu at lists.isc.org] On Behalf Of Eduardo Bonsi
>>>> Sent: Monday, November 14, 2011 14:39
>>>> To: bind-users at isc.org
>>>> Subject: Help with dig to check NS servers for DNSSEC setup
>>>>
>>>> I am checking my DNS setup from inside using dig and everything looks
>>>> ok, but I need a second opinion from outside the server to see whether
>>>> my ns1 and ns2 are responding correctly before I set up DNSSEC.
>>>>
>>>> Thanks!
>>>>
>>>> user:~ user1$ dig bonsi.org
>>>>
>>>> ;<<>>   DiG 9.6-ESV-R4-P3<<>>   bonsi.org
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35880
>>>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>>>> ;; WARNING: recursion requested but not available
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;bonsi.org.			IN	A
>>>>
>>>> ;; ANSWER SECTION:
>>>> bonsi.org.		3600	IN	A	63.200.45.21
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> bonsi.org.		3600	IN	NS	ns2.bonsi.org.
>>>> bonsi.org.		3600	IN	NS	ns1.bonsi.org.
>>>>
>>>> ;; ADDITIONAL SECTION:
>>>> ns2.bonsi.org.		3600	IN	A	63.200.45.19
>>>>
>>>> ;; Query time: 14 msec
>>>> ;; SERVER: 63.200.45.18#53(63.200.45.18)
>>>> ;; WHEN: Mon Nov 14 12:09:43 2011
>>>> ;; MSG SIZE  rcvd: 95
>>>> ********************************************************************
>>>> user:~ user1$ dig @63.200.45.18 ns1.bonsi.org soa
>>>>
>>>> ;<<>>   DiG 9.6-ESV-R4-P3<<>>   @63.200.45.18 ns1.bonsi.org soa
>>>> ; (1 server found)
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31586
>>>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>>>> ;; WARNING: recursion requested but not available
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;ns1.bonsi.org.			IN	SOA
>>>>
>>>> ;; ANSWER SECTION:
>>>> ns1.bonsi.org.		3600	IN	SOA	ns1.bonsi.org.
>>> hostmaster.bonsi.org.
>>>> 2011101403 10800 3600 604800 3600
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> ns1.bonsi.org.		3600	IN	NS	ns1.bonsi.org.
>>>>
>>>> ;; Query time: 14 msec
>>>> ;; SERVER: 63.200.45.18#53(63.200.45.18)
>>>> ;; WHEN: Mon Nov 14 12:10:19 2011
>>>> ;; MSG SIZE  rcvd: 92
>>>> ********************************************************************
>>>> user:~ user1$ dig @63.200.45.19 ns2.bonsi.org
>>>>
>>>> ;<<>>   DiG 9.6-ESV-R4-P3<<>>   @63.200.45.19 ns2.bonsi.org
>>>> ; (1 server found)
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38660
>>>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>>>> ;; WARNING: recursion requested but not available
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;ns2.bonsi.org.			IN	A
>>>>
>>>> ;; ANSWER SECTION:
>>>> ns2.bonsi.org.		3600	IN	A	63.200.45.19
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> ns2.bonsi.org.		3600	IN	NS	ns2.bonsi.org.
>>>>
>>>> ;; Query time: 12 msec
>>>> ;; SERVER: 63.200.45.19#53(63.200.45.19)
>>>> ;; WHEN: Mon Nov 14 12:11:04 2011
>>>> ;; MSG SIZE  rcvd: 61
>>>> ********************************************************************
>>>> user:~ user1$ dig @63.200.45.19 ns2.bonsi.org soa
>>>>
>>>> ;<<>>   DiG 9.6-ESV-R4-P3<<>>   @63.200.45.19 ns2.bonsi.org soa
>>>> ; (1 server found)
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17334
>>>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>>> ;; WARNING: recursion requested but not available
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;ns2.bonsi.org.			IN	SOA
>>>>
>>>> ;; ANSWER SECTION:
>>>> ns2.bonsi.org.		3600	IN	SOA	ns2.bonsi.org.
>>> hostmaster.bonsi.org.
>>>> 2011101409 10800 3600 604800 3600
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> ns2.bonsi.org.		3600	IN	NS	ns2.bonsi.org.
>>>>
>>>> ;; ADDITIONAL SECTION:
>>>> ns2.bonsi.org.		3600	IN	A	63.200.45.19
>>>>
>>>> ;; Query time: 58 msec
>>>> ;; SERVER: 63.200.45.19#53(63.200.45.19)
>>>> ;; WHEN: Mon Nov 14 12:19:50 2011
>>>> ;; MSG SIZE  rcvd: 108
>>>>
>>>>
>>>> --
>>>> BEARTCOMMUNICATIONS
>>>> Eduardo Bonsi
>>>> System - Network Admin
>>>> beartcom at pacbell.net
>>>> webmaster at beart.com
>>>
>


-- 
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beartcom at pacbell.net
webmaster at beart.com


