.onion and dnssec
pemensik at redhat.com
Fri Nov 15 19:18:45 UTC 2019
On 11/12/19 2:22 PM, Erich Eckner wrote:
> On Tue, 12 Nov 2019, Tony Finch wrote:
>> Erich Eckner <bind at eckner.net> wrote:
>>> I have also a hard time, generating some useful debug output
>>> - setting `-d 9` does not give additional information in the system log.
>> You might find it is being written to the file named.run in named's
>> working directory (this is the default_debug logging channel
>> configuration). I generally use `rndc trace 11` to tell named to log
>> details of resolution and validation, including sent and received DNS
>> messages. It's very verbose but it can tell you what is happening to your
>> .onion queries.
> Thanks! I now get the desired log. I noticed, that there were *no*
> queries sent by the dns server at all (even when asking for subdomains
> of onion.eckner.net - which were successfully resolved by tor). I
> suspected, that the slave "." zone supersedes every other zone I have,
> and confirmed that by commenting out the other (slaved opennic) tlds
> which did *not* break the resolving.
> I replaced "." by a hint zone and now it works as intended:
> - opennic tlds are resolved via their slave zones (before, they were
> not: I could comment them out and still resolve)
> - normal tlds are resolved via hint root zone (I think)
> - onion. is forwarded to tor
> thanks a lot!
That was because, when acting as slave for ".", your server was authoritative and could say: onion
does not exist. A local authoritative zone is preferred over forwards, and
your server knew all top-level domains.
> I have another (minor) question, though:
> To my understanding, the difference between "forward first;" and
> "forward only;" is, that the former caches and the latter forwards all
> queries. However, I see the same behaviour in the log for both. Where is
> my mistake?
forward only; means it will forward all queries. If it fails, report
forward first; means forward all queries. If it fails, try iterative
queries from root servers. To prevent leaking of onion queries outside,
In both cases, bind would cache responses.
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com PGP: 65C6C973
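The configuration change discussed in this thread (root hint zone instead of a slaved ".", onion. forwarded to Tor with "forward only"), written out as an added named.conf example; this is not code from the thread or from ISC. It assumes Tor listens for DNS on 127.0.0.1:5353 (torrc "DNSPort 127.0.0.1:5353" with "AutomapHostsOnResolve 1"), and the placeholder master address and file names are made up.

```conf
// Added example, not from the thread. Assumes Tor's DNSPort is on
// 127.0.0.1:5353; the master address and file names are placeholders.

options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;
    // The signed root zone proves that "onion" does not exist, so a
    // validating resolver would reject the unsigned answers from Tor.
    // validate-except is a newer BIND option; check that your version
    // supports it before relying on it.
    validate-except { "onion"; };
};

// BROKEN (the original setup): a slave copy of "." makes this server
// authoritative for the root, so it answers NXDOMAIN for onion. itself
// and never consults the forward zone below.
// zone "." {
//     type slave;
//     masters { 192.0.2.1; };   // placeholder address
//     file "slave/root.db";
// };

// FIXED: root hints only; ordinary TLDs are resolved iteratively.
zone "." {
    type hint;
    file "named.ca";
};

// onion. goes to Tor and nowhere else. "forward only" means a failed
// forward is reported as a failure; "forward first" would fall back to
// iterative resolution from the root servers and leak the onion. query
// to the public DNS.
zone "onion" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 5353; };
};
```

After reloading, `rndc trace 11` as suggested above will show onion. queries going only to 127.0.0.1#5353 and no root-server traffic for them.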