.onion and dnssec
bind at eckner.net
Tue Nov 12 13:22:09 UTC 2019
On Tue, 12 Nov 2019, Tony Finch wrote:
> Erich Eckner <bind at eckner.net> wrote:
>> I have also a hard time, generating some useful debug output
>> - setting `-d 9` does not give additional information in the system log.
> You might find it is being written to the file named.run in named's
> working directory (this is the default_debug logging channel
> configuration). I generally use `rndc trace 11` to tell named to log
> details of resolution and validation, including sent and received DNS
> messages. It's very verbose but it can tell you what is happening to your
> .onion queries.
Thanks! I now get the desired log. I noticed that there were *no* queries
sent by the dns server at all (even when asking for subdomains of
onion.eckner.net - which were successfully resolved by tor). I
suspected that the slave "." zone supersedes every other zone I have,
and confirmed that by commenting out the other (slaved opennic) tlds, which
did *not* break the resolving.
I replaced "." by a hint zone and now it works as intended:
- opennic tlds are resolved via their slave zones (before, they were not:
I could comment them out and still resolve)
- normal tlds are resolved via hint root zone (I think)
- onion. is forwarded to tor
thanks a lot!
I have another (minor) question, though:
To my understanding, the difference between "forward first;" and "forward
only;" is that the former caches and the latter forwards all queries.
However, I see the same behaviour in the log for both. Where is my
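For readers following the thread, here is a named.conf sketch of the layout described above: the slave "." zone that blocked resolution, commented out, beside the hint root zone, a slaved OpenNIC TLD and the onion. forward zone. This is an added example, not configuration from the original message; the directory, file names, master addresses, the OpenNIC TLD name and the Tor DNSPort number are placeholders or assumptions.

```conf
// Added example, not from the original thread. Paths, addresses, the
// OpenNIC TLD name and the Tor port are placeholders/assumptions.

options {
    directory "/var/cache/bind";   // assumed; named.run (default_debug
                                   // channel) is written here
    recursion yes;
};

// BEFORE (the broken layout): a slave copy of the root zone. With this
// present, the message reports that *no* queries left the server and
// the onion./OpenNIC zones below were never consulted.
//
// zone "." {
//     type slave;
//     masters { 192.0.2.1; };       // placeholder root-zone source
//     file "slave/root.db";
// };

// AFTER: a hint zone instead, so ordinary TLDs are resolved by normal
// recursion starting from the root servers.
zone "." {
    type hint;
    file "named.root";               // assumed path to the root hints
};

// OpenNIC TLDs stay as slave zones (one shown; the name is a placeholder).
zone "opennic-tld-placeholder." {
    type slave;
    masters { 192.0.2.2; };          // placeholder OpenNIC master
    file "slave/opennic-tld.db";
};

// onion. is handed to Tor. "forward only" makes named ask only the
// listed forwarders for this zone and never recurse for it itself.
zone "onion." {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 9053; };   // assumed Tor DNSPort
};
```

With this in place, `rndc trace 11` (as suggested in the quoted reply) logs which of these zones each query is actually served from, so a "." zone silently answering everything shows up immediately in named.run.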