DNSSEC external validation issues

Eduardo Bonsi beartcom at pacbell.net
Tue Nov 15 19:17:35 UTC 2011


Casey;

I do have the allow-query { any; }; statement posted in all zones;
The server is working fine! It has been serving the domain www.bonsi.org 
and another FQDN with no problems. When I dig from the inside, it shows 
that everything is OK.

; <<>> DiG 9.6-ESV-R4-P3 <<>> bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36063
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bonsi.org.			IN	A

;; ANSWER SECTION:
bonsi.org.		3600	IN	A	63.200.45.21

;; AUTHORITY SECTION:
bonsi.org.		3600	IN	NS	ns2.bonsi.org.
bonsi.org.		3600	IN	NS	ns1.bonsi.org.

;; ADDITIONAL SECTION:
ns2.bonsi.org.		3600	IN	A	63.200.45.19

;; Query time: 4 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Tue Nov 15 11:10:07 2011
;; MSG SIZE  rcvd: 95

*********************************************************************
; <<>> DiG 9.6-ESV-R4-P3 <<>> ns1.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63734
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.bonsi.org.			IN	A

;; AUTHORITY SECTION:
ns1.bonsi.org.		3600	IN	SOA	ns1.bonsi.org. hostmaster.bonsi.org. 
2011101403 10800 3600 604800 3600

;; Query time: 8 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Tue Nov 15 11:10:45 2011
;; MSG SIZE  rcvd: 78

*********************************************************************

It's just that people querying from outside get a "return refused" 
or "server not found".

Here is a copy of my "named.conf".
When I checked it, the named debug output showed:

Check BIND Config:
"No errors were found in the BIND configuration file named.conf or 
referenced zone files."

//01
// Include keys file
key rndc-key {
	// Shared secret for the rndc control channel (see "controls" below).
	// NOTE(review): HMAC-MD5 is a weak, deprecated TSIG algorithm; a key
	// generated by rndc-confgen with hmac-sha256 is preferred (rndc.conf has
	// to be regenerated at the same time).
	// NOTE(review): the secret is inlined although the heading above says
	// "Include keys file"; keeping it in a root-only file pulled in with an
	// include statement avoids exposing it whenever named.conf is shared.
	algorithm hmac-md5;
	secret "secret key";
};
//
//
// Declares control channels to be used by the rndc utility.
//10
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host
// to manage your name server.
//
// Default controls
controls {
	// rndc control channel: reachable on loopback only and authenticated
	// with rndc-key, so only local users holding the key can manage named.
	inet 127.0.0.1 port 953
		allow { localhost; }
		keys { rndc-key; };
};
//
//20
//21
//22
options {
	directory "/var/named";
	// Hide the running version from CHAOS "version.bind" queries.
	version "Undisclosed";

	// Kept from the original file: if a firewall sits between this server
	// and the name servers it talks to, a fixed query-source port may be
	// needed (BIND 8.1 and later pick an unprivileged port by default).
	// Leaving this commented out is the safer choice: a fixed source port
	// disables the source-port randomisation that defends the resolver
	// side against cache poisoning.
	//query-source address 192.168.1.2 port 53;

	// DNSSEC: serve signed data and validate what the resolver side
	// receives, including answers obtained through the forwarders below.
	dnssec-enable yes;
	dnssec-validation yes;
	// NOTE(review): ISC has since retired the dlv.isc.org lookaside
	// registry; on a current BIND this line and the matching trusted-keys
	// entry should be removed.
	dnssec-lookaside . trust-anchor dlv.isc.org.;

	// Ask the forwarders first and fall back to iterative resolution.
	forward first;
	forwarders {
		68.94.156.1 port 53;
		68.94.157.1 port 53;
	};

	// one-answer is the legacy (one record per message) AXFR format;
	// many-answers is the BIND 9 default and is far more efficient.
	transfer-format one-answer;
};
//43
//44
//45
//46
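statistics-channels {
	// The statistics channel is an unauthenticated HTTP endpoint.  Binding it
	// to "*" exposed a listener on every interface and relied solely on the
	// allow list to reject connections; binding to loopback keeps the socket
	// off the public interface entirely while still allowing local access.
	inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};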
//50
// ACL statement
//
acl trusted {
	// NOTE(review): this ACL is not referenced anywhere else in this
	// named.conf (the views list their clients explicitly), so as written
	// it grants nothing; use it in match-clients / allow-* or drop it.
	// 192.168.1.254 is already covered by 192.168.1.0/24.
	localhost;
	localnets;
	192.168.1.254;
	192.168.1.0/24;
};
//59
view "internal" {
	// Clients that get the recursive, internal-only picture of the namespace.
	// Every individual host listed is already inside 192.168.1.0/24, so the
	// single entries add nothing; the (unused) "trusted" ACL covers the same
	// range and could replace this list.
	match-clients {
		192.168.1.0/24;
		192.168.1.2;
		192.168.1.6;
		192.168.1.10;
		192.168.1.17;
		192.168.1.18;
		192.168.1.25;
	};
	recursion yes;

	zone "." IN {
		type hint;
		file "named.ca";
	};

	zone "localhost" IN {
		type master;
		file "localhost.zone";
		allow-query { any; };
		allow-update { none; };
	};

	zone "0.0.127.in-addr.arpa" IN {
		type master;
		file "named.local";
		allow-query { any; };
		allow-update { none; };
		allow-transfer { none; };
	};

	// Internal zones.
	// NOTE(review): unlike 0.0.127.in-addr.arpa above, none of the zones
	// below sets allow-transfer, so they fall back to BIND's default
	// (historically "any") and every client of this view can AXFR them.
	// Restrict transfers to the secondary, e.g.
	// `allow-transfer { 192.168.1.10; };`, matching the also-notify target.
	zone "bonsi.org" IN {
		type master;
		file "/var/named/db.bonsi.org";
		allow-query { any; };
		notify yes;
		also-notify { 192.168.1.10; };
	};

	zone "1.168.192.in-addr.arpa" IN {
		type master;
		file "/var/named/db.192.168.1";
		allow-query { any; };
		notify no;
		also-notify { 192.168.1.10; };
	};

	zone "168.192.in-addr.arpa" IN {
		type master;
		file "/var/named/db.192.168";
		allow-query { any; };
		also-notify { 192.168.1.10; };
	};

	zone "domain2.com" {
		type master;
		file "domain2.internal.hosts";
		allow-query { any; };
	};

	// View-wide defaults for zones that do not set their own.
	allow-query { any; };
	also-notify { 192.168.1.10; };
};
//130
// External (public) zones
//
view "external" {
	match-clients { any; };
	// Authoritative-only on the public side: no recursion for arbitrary
	// Internet clients.
	recursion no;

	// NOTE(review): no zone in this view sets allow-transfer, so transfers
	// fall back to BIND's default (historically "any") and the full zone
	// contents can be pulled by anyone.  Restrict them to the secondaries;
	// the also-notify targets 192.168.1.10 and 63.200.45.19 look like the
	// intended ones - confirm before locking down.
	// NOTE(review): the dig output earlier in this post shows ns1.bonsi.org
	// answered NODATA, and the bonsi.org answer carried glue only for ns2,
	// which points at a missing A record for ns1 in the zone file rather
	// than at this configuration.
	zone "bonsi.org" {
		type master;
		file "/var/named/bonsi.org.external.hosts";
		allow-query { any; };
		notify yes;
		also-notify { 192.168.1.10; };
	};

	zone "sub1.bonsi.org" {
		type master;
		file "sub1.bonsi.org.external.hosts";
		allow-query { any; };
	};

	zone "domain2.com" {
		type master;
		file "domain2.com.external.hosts";
		allow-query { any; };
	};

	zone "45.200.63.in-addr.arpa" {
		type master;
		file "63.200.45.external.rev";
		allow-query { any; };
		also-notify { 192.168.1.10; };
	};

	// View-wide defaults for zones that do not set their own.
	allow-query { any; };
	also-notify { 63.200.45.19; };
};
//167
//168
// TSIG-sign traffic (notifies / transfers) to the secondary at 192.168.1.10.
// NOTE(review): this reuses rndc-key, the rndc control-channel secret, as
// the TSIG key; a separate key for the secondary keeps a compromise of that
// host from also yielding control of this server over rndc.
server 192.168.1.10 {
	keys { rndc-key; };
};
//172
// Static trust anchors for the dlv.isc.org lookaside zone referenced by
// dnssec-lookaside in "options": two KSKs (flags 257), algorithm 5
// (RSASHA1) and algorithm 8 (RSASHA256).
// NOTE(review): trusted-keys anchors never roll automatically, so a stale
// or mistyped anchor makes every lookaside validation fail.  ISC has since
// retired the DLV registry; on a current BIND this block should be removed
// together with the dnssec-lookaside line.
trusted-keys {
	dlv.isc.org. 257 3 5 
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
	dlv.isc.org. 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
	};
//190
logging {
	// Dedicated DNSSEC trace file; the path is relative to the "directory"
	// set in options, i.e. /var/named/log/dnssec.
	channel dnssec_log {
		file "log/dnssec" size 20m;
		severity debug 3;
		print-time yes;
		print-category yes;
		print-severity yes;
	};
	// NOTE(review): debug 3 for the dnssec category is very chatty, and the
	// same messages are also fanned out to syslog, the default debug file
	// and stderr.  With "size" but no "versions" I believe named stops
	// writing the file once it reaches 20m - confirm that is intended, or
	// add a versions count so the file rotates instead.
	category dnssec {
		dnssec_log;
		default_syslog;
		default_debug;
		default_stderr;
	};
};
//206

On 11/15/11 9:56 AM, Casey Deccio wrote:
> On Sun, Nov 13, 2011 at 1:50 PM, Eduardo Bonsi<beartcom at pacbell.net>  wrote:
>
>> Mark and everybody, Thanks for the checking. I had a suspicion that was
>> the issue but I need a second opinion since when I checked my DNS from the
>> inside the "refused" status is not happening. Here is what I am getting:
>>
>>
> What does your named.conf on ns1/ns2 look like?  You should be allowing
> queries from "any" for bonsi.org if you intend it to be advertised as an
> authoritative server.  Something like:
>
> zone "bonsi.org" {
>    ...
>    allow-query { any; };
> };
>
> Casey
>


-- 
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beartcom at pacbell.net
webmaster at beart.com


