static stub zone not working as expected
Mark Andrews
marka at isc.org
Thu Jul 11 23:36:16 UTC 2019
Because static-stub only overrides “where” to find the information about the zone
not whether the zone content is valid.
With DNSSEC named will treat zone content as trusted (master/slave). Slave the top
level internal zones. Note this doesn’t help any application that is also performing
DNSSEC validation.
Note .local is reserved for mDNS. getaddrinfo() shouldn’t be looking in the DNS for
.local names.
Mark
> On 12 Jul 2019, at 7:25 am, btb via bind-users <bind-users at lists.isc.org> wrote:
>
> hi-
>
> i have an environment which over time has managed to accumulate various "internal" zones [in this specific case, "foo.local"]. eventually, these zones will be phased out, but unfortunately in the interim, i'm stuck with this. i'm attempting to configure them as static-stub zones:
>
> zone "foo.local" {
> type static-stub;
> server-addresses {
> 192.168.220.20;
> 192.168.220.21;
> };
> };
>
> however, queries are not working. following a cache flush, the initial query is servfail and subsequent queries are nxdomain:
>
>> dig @localhost foo.local ns
> ; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> @localhost foo.local ns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2550
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;foo.local. IN NS
>
> ;; Query time: 181 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jul 11 16:11:02 EDT 2019
> ;; MSG SIZE rcvd: 38
>
>> dig @localhost foo.local ns
> ; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> @localhost foo.local ns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43056
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;foo.local. IN NS
>
> ;; AUTHORITY SECTION:
> . 10796 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019071101 1800 900 604800 86400
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jul 11 16:11:06 EDT 2019
> ;; MSG SIZE rcvd: 113
>
> querying the auth nameservers directory is successful:
>> dig @192.168.220.20 foo.local ns +norec
>
> ; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> @192.168.220.20 foo.local ns +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 5
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;foo.local. IN NS
>
> ;; ANSWER SECTION:
> foo.local. 3600 IN NS 01.foo.local.
> foo.local. 3600 IN NS 02.foo.local.
> foo.local. 3600 IN NS a2.foo.local.
> foo.local. 3600 IN NS a1.foo.local.
>
> ;; ADDITIONAL SECTION:
> 01.foo.local. 3600 IN A 192.168.0.20
> 02.foo.local. 3600 IN A 192.168.0.21
> a2.foo.local. 3600 IN A 10.201.11.8
> a1.foo.local. 1200 IN A 10.201.10.119
>
> ;; Query time: 82 msec
> ;; SERVER: 192.168.220.20#53(192.168.220.20)
> ;; WHEN: Thu Jul 11 16:35:39 EDT 2019
> ;; MSG SIZE rcvd: 214
>
> additionally unfortunate, there is nat involved here, due to address space collision, and while this obviously means the practical functionality of this is questionable, i was expecting that with a static-stub zone, the query itself would at least function.
>
> i see these messages in the logs:
> 11-Jul-2019 16:08:51.406 lame-servers: info: error (insecurity proof failed) resolving 'foo.local/NS/IN': 192.168.220.20#53
> 11-Jul-2019 16:08:51.489 lame-servers: info: error (insecurity proof failed) resolving 'foo.local/NS/IN': 192.168.220.21#53
> 11-Jul-2019 17:08:44.111 lame-servers: info: error (no valid DS) resolving 'foo.local/NS/IN': 192.168.220.21#53
> 11-Jul-2019 17:08:44.194 lame-servers: info: error (broken trust chain) resolving 'foo.local/NS/IN': 192.168.220.20#53
>
> i've not had much experience with dnssec yet, but it would seem that perhaps it relates here in some capacity, as there is no public .local domain, obviously? disabling dnssec [dnssec-enable no;] seems to support this, as when doing so, queries work.
>
> that said, i'm wondering why this is happening - e.g. why bind seems to be consulting public dns for this zone, if i've explicitly told bind where to go to find this zone data, and how i might be able to troubleshoot further, or what my options might be.
>
> lastly, this is currently an older version of bind [9.9.5, courtesy of ubuntu packages]. it will be updated, but can't be just yet.
>
> thanks!
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list