<div>I'm testing a new configuration on VirtualBox following the advice of not forwarding.<br></div><div>Furthermore, I exclude any reference to DNSSEC.</div><div><br></div><div>So, in these conditions and assuming an empty cache, if I query for a remote domain name, my server should query a root-server and then iterate, right?</div>
<div>Well, Wireshark shows me outgoing queries and incoming responses to/from root-servers, but "dig <a href="http://www.apple.com" target="_blank">www.apple.com</a>" (for example) fails with a timeout.<br><br>
"syslog" has a lot of "DNS format error ... non-improving referral" and "error (FORMERR) resolving" entries.<br><br>This is my very basic "named.conf" file<br><br><div class="gmail_extra">
options {<br> directory "/var/cache/bind";<br>};<br><br>zone "." {<br> type hint;<br> file "/etc/bind/db.root";<br>};<br><br>zone "localhost" {<br> type master;<br>
file "/etc/bind/db.local";<br>};<br><br>zone "127.in-addr.arpa" {<br> type master;<br> file "/etc/bind/db.127";<br>};<br><br>I've also updated "db.root" from <a href="http://ftp.internic.net/domain/db.cache">ftp.internic.net/domain/db.cache</a><br>
<br><br><div class="gmail_quote">
2012/12/5 Sten Carlsen <span dir="ltr"><<a href="mailto:stenc@s-carlsen.dk" target="_blank">stenc@s-carlsen.dk</a>></span><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFCC"><div>
<br>
<div>On 05/12/12 18:29, Hauke Lampe wrote:<br>
</div>
<blockquote type="cite">On 05.12.2012 14:59, Daniele Imbrogino wrote:
<br>
<br>
<blockquote type="cite">resolv.conf contains only 127.0.0.1 as
nameserver.
<br>
<br>
The syslog contains a lot of errors as "insecurity proof
failed", "no valid
<br>
RRSIG", "got insecure response" that I don't understand.
<br>
</blockquote>
<br>
Your forwarder probably doesn't handle DNSSEC responses well.
Therefore your BIND cannot validate the answers and returns a
failure code.
<br>
<br>
Either update the forwarder/enable DNSSEC (older versions of BIND
9 require "dnssec-enable yes;" in the options clause), or disable
DNSSEC validation in your local BIND (set "dnssec-validation
no;").
<br>
</blockquote></div>
Or consider not doing forwarding, that usually gives fewer problems
if possible.<div><br>
<blockquote type="cite">
<br>
<br>
<br>
Hauke
<br>
<br>
_______________________________________________
<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to
unsubscribe from this list
<br>
<br>
bind-users mailing list
<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>
<br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a>
<br>
</blockquote>
<br>
</div><span><font color="#888888"><pre cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
</font></span></div>
<br></blockquote></div><br></div></div>