.onion and dnssec

Petr Mensik pemensik at redhat.com
Fri Nov 15 19:18:45 UTC 2019

Hello Erich,

more below.

On 11/12/19 2:22 PM, Erich Eckner wrote:
> On Tue, 12 Nov 2019, Tony Finch wrote:
>> Erich Eckner <bind at eckner.net> wrote:
>>> I have also a hard time, generating some useful debug output
>>> - setting `-d 9` does not give additional information in the system log.
>> You might find it is being written to the file named.run in named's
>> working directory (this is the default_debug logging channel
>> configuration). I generally use `rndc trace 11` to tell named to log
>> details of resolution and validation, including sent and received DNS
>> messages. It's very verbose but it can tell you what is happening to your
>> .onion queries.
> Thanks! I now get the desired log. I noticed that there were *no* 
> queries sent by the dns server at all (even when asking for subdomains 
> of onion.eckner.net - which were successfully resolved by tor). I 
> suspected that the slave "." zone supersedes every other zone I have, 
> and confirmed that by commenting out the other (slaved opennic) tlds, 
> which did *not* break the resolving.
> I replaced "." by a hint zone and now it works as intended:
> - opennic tlds are resolved via their slave zones (before, they were 
> not: I could comment them out and still resolve)
> - normal tlds are resolved via hint root zone (I think)
> - onion. is forwarded to tor
> thanks a lot!

That was because, when it was a slave, your server was authoritative to say: onion 
does not exist. A local authoritative zone is preferred over forwards, and 
your server knew all top level domains.
> I have another (minor) question, though:
> To my understanding, the difference between "forward first;" and 
> "forward only;" is, that the former caches and the latter forwards all 
> queries. However, I see the same behaviour in the log for both. Where is 
> my mistake?
forward only; means it will forward all queries. If it fails, report 
forward first; means forward all queries. If it fails, try iterative 
queries from root servers. To prevent leaking of onion queries outside, 
use only;

In both cases, bind would cache responses.
> cheers,
> Erich


Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
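The configuration change discussed in this thread, written out as an added named.conf fragment (not taken from Erich's or Petr's mail): the slave root zone that made the server authoritative for "." and so answer "onion does not exist" locally, next to the hint root zone plus a "forward only" zone for onion that sends those queries to tor and nowhere else. The tor DNS listener address and port (127.0.0.1 port 9053), the secondary master address, the opennic TLD name and the file names are assumptions, not values from the thread.

```conf
// BEFORE (the setup that broke .onion): a slave copy of the root zone makes
// this server authoritative for ".", so it knows every real TLD and answers
// NXDOMAIN for "onion" itself; a forward zone for onion is never consulted.
// zone "." {
//     type slave;
//     masters { 192.0.2.1; };          // assumed address of the root copy
//     file "slaves/root.db";
// };

// AFTER: a hint zone only tells named where the root servers are. It is not
// authoritative, so per-name forward zones below still take effect and
// normal TLDs are resolved iteratively from the roots.
zone "." {
    type hint;
    file "named.root";
};

// .onion must never be resolved upstream. "forward only" returns a failure
// when the forwarder does not answer; "forward first" would fall back to
// iterative resolution from the root servers and leak the query.
zone "onion" {
    type forward;
    forward only;                        // not: forward first;
    forwarders { 127.0.0.1 port 9053; }; // tor DNSPort (assumed address/port)
};

// An opennic TLD still served from a slave zone; with "." as a hint zone
// it is no longer shadowed by an authoritative root. Name and master assumed.
zone "example-opennic-tld" {
    type slave;
    masters { 192.0.2.2; };
    file "slaves/example-opennic-tld.db";
};

// Debug output: the default_debug channel writes to named.run in named's
// working directory; "severity dynamic" follows the level set with
// `rndc trace 11`, which logs sent/received messages and validation details.
logging {
    channel default_debug {
        file "named.run";
        severity dynamic;
    };
    category default  { default_debug; };
    category resolver { default_debug; };
};
```

The point to verify after reloading is the one Erich checked in the trace: a lookup under onion.eckner.net should produce outgoing queries only to the tor forwarder, while a query for any regular TLD should show iterative queries to the root servers rather than a local authoritative NXDOMAIN.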
