Authoritative and caching
Danjel Jungersen
danjel at jungersen.dk
Fri Apr 4 06:17:09 UTC 2025
Hi everyone.
Thank you for all your help!
One key piece of info that I missed: the DS record should be placed on the TLD host.
I tried (and failed) using the "normal" publicly available DNS for my domain.
Now back to the original problem, getting DANE set up.....
All the best!
Danjel
On 23-03-2025 11:18, Danjel Jungersen via bind-users wrote:
>
>
> On 19-02-2025 12:04, Greg Choules wrote:
>> Hi Danjel.
>> To obtain a packet capture use tcpdump, which is probably installed
>> already. If not, add it using your preferred package manager.
>> You can dump to the screen, but I find it more useful to dump to a
>> file, which can then be analysed offline in Wireshark.
>>
>> A typical capture command might be:
>>
>> sudo tcpdump -nvc 1000 -w <dump_file_name> host "(192.168.20.10 or 192.168.20.11)" and port 53
>>
>>
> OK, I tried that.
>
> I also studied the output in wireshark.
> But since this is my first try, I don't know what to look for, and
> cannot find out what's wrong.
>
> I get:
> root@mail:~# dig A mail.jungersen.dk @127.0.0.1
>
> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A mail.jungersen.dk @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47697
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 41461c3ea02342e40100000067dfdba11eea65ad9061831f (good)
> ;; QUESTION SECTION:
> ;mail.jungersen.dk. IN A
>
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Sun Mar 23 11:00:01 CET 2025
> ;; MSG SIZE rcvd: 74
>
> The mentioned tcpdump command gave the attached result.
>
> Just to sum it up:
> My setup:
> I have a mailserver (192.168.20.9), on the same box I have bind as
> resolver.
>
> I have 2 bind boxes running as "local authoritative" for the
> jungersen.dk zone (192.168.20.10 and 192.168.20.11).
>
> This was meant to give me the result of 192.168.20.9 when looking up
> my local mailserver on my local network, while giving the 212.27.12.12
> result when asked from the public.
> The public DNS is hosted at one.com
>
> I tried setting up dnssec to satisfy the suggested solution:
>
> 1) create a working chain of trust that links to your private zone content
>
> But you may have guessed it, it does not work.
>
> Does the above give enough info to give me more guidance?
>
> TIA
> Danjel
>
>
>> That will capture to disk all DNS traffic to and from your
>> forwarders, up to a limit of 1000 packets, just as a safety net. Once
>> that is running, make your tests to the local machine, stop the
>> capture, upload it here if you wish or just open it in Wireshark and
>> follow the conversations and their timeline.
>> It is almost certainly a DNSSEC problem though, as Mark says.
>>
>> Hope that helps.
>> Cheers, Greg
>>
>> On Wed, 19 Feb 2025 at 10:22, Danjel Jungersen via bind-users
>> <bind-users at lists.isc.org> wrote:
>>
>> On 19-02-2025 11:11, Marco Moock wrote:
>> > Am Wed, 19 Feb 2025 10:58:14 +0100
>> > schrieb Danjel Jungersen via bind-users <bind-users at lists.isc.org>:
>> >
>> >> But if I change /etc/resolv.conf to 127.0.0.1 something happens
>> >> If I do a dig or ping from my postfixbox to something that the 2 main
>> >> bind-boxes are authoritative for, it doesn't work.
>> > Please sniff the DNS traffic between the 2 machines and check if the
>> > request goes out to the authoritative server and check what it replied.
>> >
>> > You can trigger the request by
>> >
>> > dig A/AAAA non-working domain @IP.
>> >
>> > Try +recurse/+norecurse to check if the issue is related to those flags.
>> root@mail:~# dig A mail.jungersen.dk @127.0.0.1
>>
>> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A mail.jungersen.dk @127.0.0.1
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9792
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1232
>> ; COOKIE: d55e55f5d6573eaf0100000067b5af13a2e4bdccbb3ce36b (good)
>> ;; QUESTION SECTION:
>> ;mail.jungersen.dk. IN A
>>
>> ;; Query time: 4 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>> ;; WHEN: Wed Feb 19 11:14:43 CET 2025
>> ;; MSG SIZE rcvd: 74
>>
>>
>> dig +recurse A mail.jungersen.dk @127.0.0.1
>>
>> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +recurse A mail.jungersen.dk @127.0.0.1
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19526
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1232
>> ; COOKIE: 1579e49c3774139b0100000067b5af24e95ccd20f610d99d (good)
>> ;; QUESTION SECTION:
>> ;mail.jungersen.dk. IN A
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>> ;; WHEN: Wed Feb 19 11:15:00 CET 2025
>> ;; MSG SIZE rcvd: 74
>>
>>
>> dig +norecurse A mail.jungersen.dk @127.0.0.1
>>
>> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +norecurse A mail.jungersen.dk @127.0.0.1
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10118
>> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1232
>> ; COOKIE: 689869318da8e64c0100000067b5af33f48840b2e116d76e (good)
>> ;; QUESTION SECTION:
>> ;mail.jungersen.dk. IN A
>>
>> ;; AUTHORITY SECTION:
>> . 3600000 IN NS E.ROOT-SERVERS.NET.
>> . 3600000 IN NS F.ROOT-SERVERS.NET.
>> . 3600000 IN NS L.ROOT-SERVERS.NET.
>> . 3600000 IN NS C.ROOT-SERVERS.NET.
>> . 3600000 IN NS B.ROOT-SERVERS.NET.
>> . 3600000 IN NS A.ROOT-SERVERS.NET.
>> . 3600000 IN NS J.ROOT-SERVERS.NET.
>> . 3600000 IN NS D.ROOT-SERVERS.NET.
>> . 3600000 IN NS H.ROOT-SERVERS.NET.
>> . 3600000 IN NS G.ROOT-SERVERS.NET.
>> . 3600000 IN NS I.ROOT-SERVERS.NET.
>> . 3600000 IN NS K.ROOT-SERVERS.NET.
>> . 3600000 IN NS M.ROOT-SERVERS.NET.
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>> ;; WHEN: Wed Feb 19 11:15:15 CET 2025
>> ;; MSG SIZE rcvd: 297
>>
>>
>> Not sure how to do the sniff part(?)
>>
>> But I must get some sort of answer...
>> dig A postfix.org @127.0.0.1
>>
>> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A postfix.org @127.0.0.1
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2255
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1232
>> ; COOKIE: 6c3f5cf7e1e34e450100000067b5b035b878201ed4e8d3fd (good)
>> ;; QUESTION SECTION:
>> ;postfix.org. IN A
>>
>> ;; ANSWER SECTION:
>> postfix.org. 3600 IN A 65.108.3.114
>>
>> ;; Query time: 852 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>> ;; WHEN: Wed Feb 19 11:19:33 CET 2025
>> ;; MSG SIZE rcvd: 84
>>
>> Best regards
>> Danjel
>>
>>
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for
>> more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
> --
> Med venlig hilsen/Kind regards
> Danjel Jungersen
> Mail: danjel at jungersen.dk
> Mobile: +45 20 42 20 11
>
> Jungersen Grafisk ApS,
> Holsbjergvej 39, DK-2620 Albertslund,
> Denmark.
> Tel: +45 43 64 10 00
>
> WEBSHOP: PRINTLIGHT.DK <https://www.printlight.dk> | WWW.JUNGERSEN.DK
> <https://www.jungersen.dk>
>
>
--
Med venlig hilsen/Kind regards
Danjel Jungersen
Mail: danjel at jungersen.dk
Mobile: +45 20 42 20 11
Jungersen Grafisk ApS,
Holsbjergvej 39, DK-2620 Albertslund,
Denmark.
Tel: +45 43 64 10 00
WEBSHOP: PRINTLIGHT.DK <https://www.printlight.dk> | WWW.JUNGERSEN.DK
<https://www.jungersen.dk>
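The point the thread lands on (the DS record belongs at the TLD, that is, in the parent zone) is exactly the check a validating resolver performs at every delegation: it fetches the DS set from the parent, fetches the DNSKEY set from the child, and looks for a key-signing key whose digest matches a published DS. If the copy of jungersen.dk served by the local BIND boxes is signed with a key the parent has never heard of, the chain breaks there and the resolver answers SERVFAIL, which is the symptom shown in the dig output above. The Python below is an added example, not code from the thread, BIND or ISC: it implements the DS computation and comparison from RFC 4034 and runs it over a constructed version of the split-horizon situation. The zone name is taken from the thread, every key is constructed filler, and the before/after scenario is an illustration of one way the chain can break, not a statement of what one.com or the .dk registry actually publish.

```python
"""Added example (not code from the bind-users thread, BIND or ISC): the
DS <-> DNSKEY comparison a validating resolver makes when it follows the
chain of trust from the parent (here the .dk TLD) into a child zone.
If no DS published by the parent covers the KSK that signs the copy of the
zone the resolver is talking to, validation fails and the client sees
SERVFAIL. The zone name is taken from the thread; every key below is
constructed, and the scenario is an illustration, not a description of
what one.com or the .dk registry actually publish.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605). SHA-1 is deprecated for
# new DS records and is listed only so old records can still be checked.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry."""
    total = 0
    for i in range(0, len(rdata), 2):
        # an odd trailing byte counts as the high byte of a final word
        total += struct.unpack("!H", rdata[i:i + 2].ljust(2, b"\x00"))[0]
    total += (total >> 16) & 0xFFFF
    return total & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS the parent must publish for this DNSKEY: (key tag, algorithm, digest type, digest).

    Per RFC 4034 section 5.1.4 the digest is taken over owner name (wire form) || DNSKEY RDATA.
    """
    algorithm = rdata[3]
    digest = DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_key(ds: tuple, owner: str, rdata: bytes) -> bool:
    """True when a published DS covers this DNSKEY: tag, algorithm and digest all agree."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: a resolver cannot use this DS
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())


def chain_of_trust_ok(owner: str, parent_ds_set: list, child_dnskeys: list) -> bool:
    """The resolver's question at each delegation: does any parent DS cover a child KSK (SEP bit set)?"""
    ksks = [k for k in child_dnskeys if struct.unpack("!H", k[:2])[0] & 0x0001]
    return any(ds_matches_key(ds, owner, k) for ds in parent_ds_set for k in ksks)


# --- constructed scenario modelled on the thread ---------------------------
ZONE = "jungersen.dk"
# Flags 257 = ZONE + SEP (a KSK), protocol 3, algorithm 13 (ECDSAP256SHA256).
# The public key bytes are constructed filler, not real keys.
LOCAL_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
HOSTED_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())


def scenario() -> tuple:
    """Returns (validation result before the fix, after the fix)."""
    # Before: the TLD only carries a DS for the key used by the public hosting copy.
    parent_ds = [make_ds(ZONE, HOSTED_KSK)]
    before = chain_of_trust_ok(ZONE, parent_ds, [LOCAL_KSK])   # False: SERVFAIL from the local resolver
    # After: the DS for the key signing the locally served copy is published at the TLD too.
    parent_ds.append(make_ds(ZONE, LOCAL_KSK))
    after = chain_of_trust_ok(ZONE, parent_ds, [LOCAL_KSK])    # True: the chain now reaches the local zone
    return before, after


if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds(ZONE, LOCAL_KSK)
    print(f"{ZONE}. IN DS {tag} {alg} {dtype} {digest}")
    print("validates before/after publishing the DS at the TLD:", scenario())
```

In practice the same comparison is done with the tools already on a BIND box: `dnssec-dsfromkey` (shipped with BIND) produces the DS for a DNSKEY file, and comparing its output with `dig DS jungersen.dk` asked of a .dk name server and `dig DNSKEY jungersen.dk @192.168.20.10` shows at a glance whether the parent covers the key the local servers actually sign with. `make_ds` here computes the same record from the raw DNSKEY fields, so the digest it prints can be checked directly against what the registry has published.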