<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFCC" text="#000000">
My next move would be to look for issues in the network; I would
look at what Wireshark can sniff out. I would look for packets with
errors. The purpose is to find out if the network is mangling
packets.<br>
<br>
<br>
<div class="moz-cite-prefix">On 06/12/12 16:46, Daniele Imbrogino
wrote:<br>
</div>
<blockquote
cite="mid:CAL_2sc0MnJtUYiakXx71hMN5+22G-FAKYBDBLoyrxB_hkbK1-A@mail.gmail.com"
type="cite">
<div>I'm testing a new configuration on VirtualBox following the
advice of not forwarding.<br>
</div>
<div>Furthermore, I exclude any reference to DNSSEC.</div>
<div><br>
</div>
<div>So, in these conditions and assuming an empty cache, if I
query for a remote domain name, my server should query a
root-server and then iterate, right?</div>
<div>Well, Wireshark shows me outgoing queries and incoming
responses to/from root-servers, but "dig <a
moz-do-not-send="true" href="http://www.apple.com"
target="_blank">www.apple.com</a>" (for example) fails with a
timeout.<br>
<br>
"syslog" has a lot of "DNS format error ... non-improving
referral" and "error (FORMERR) resolving" entries.<br>
<br>
This is my very, very basic "named.conf" file:<br>
<br>
<div class="gmail_extra">
options {<br>
directory "/var/cache/bind";<br>
};<br>
<br>
zone "." {<br>
type hint;<br>
file "/etc/bind/db.root";<br>
};<br>
<br>
zone "localhost" {<br>
type master;<br>
file "/etc/bind/db.local";<br>
};<br>
<br>
zone "127.in-addr.arpa" {<br>
type master;<br>
file "/etc/bind/db.127";<br>
};<br>
<br>
I've also updated "db.root" from <a moz-do-not-send="true"
href="http://ftp.internic.net/domain/db.cache">ftp.internic.net/domain/db.cache</a><br>
<br>
<br>
<div class="gmail_quote">
2012/12/5 Sten Carlsen <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:stenc@s-carlsen.dk"
target="_blank">stenc@s-carlsen.dk</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFCC">
<div> <br>
<div>On 05/12/12 18:29, Hauke Lampe wrote:<br>
</div>
<blockquote type="cite">On 05.12.2012 14:59, Daniele
Imbrogino wrote: <br>
<br>
<blockquote type="cite">resolv.conf contains only
127.0.0.1 as nameserver. <br>
<br>
The syslog contains a lot of errors such as "insecurity
proof failed", "no valid <br>
RRSIG", "got insecure response" that I don't
understand. <br>
</blockquote>
<br>
Your forwarder probably doesn't handle DNSSEC
responses well. Therefore your BIND cannot validate
the answers and returns a failure code. <br>
<br>
Either update the forwarder/enable DNSSEC (older
versions of BIND 9 require "dnssec-enable yes;" in
the options clause), or disable DNSSEC validation in
your local BIND (set "dnssec-validation no;"). <br>
</blockquote>
</div>
Or consider not doing forwarding; that usually gives
fewer problems if possible.
<div><br>
<blockquote type="cite"> <br>
<br>
<br>
Hauke <br>
<br>
_______________________________________________ <br>
Please visit <a moz-do-not-send="true"
href="https://lists.isc.org/mailman/listinfo/bind-users"
target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list <br>
<br>
bind-users mailing list <br>
<a moz-do-not-send="true"
href="mailto:bind-users@lists.isc.org"
target="_blank">bind-users@lists.isc.org</a> <br>
<a moz-do-not-send="true"
href="https://lists.isc.org/mailman/listinfo/bind-users"
target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a>
<br>
</blockquote>
<br>
</div>
<span><font color="#888888">
<pre cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
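<p>The reply above proposes checking a capture for responses the network has damaged. The following is an added example, not part of the original thread: Python that applies structural checks to one raw DNS response payload (ID and QR bit, question echo, compression pointers, record counts against message length). The function names and the sample referral bytes are constructed for illustration.</p>

```python
import struct

def read_name(msg, off):  # decode a possibly compressed name -> (name, next offset)
    labels, end = [], None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n > 63:  # 0xC0 and up is a compression pointer; 0x40-0xBF is reserved
            ptr = int.from_bytes(msg[off:off + 2], "big") & 0x3FFF
            # a pointer must be complete and point backwards, which also rules out loops
            if n < 0xC0 or off + 2 > len(msg) or ptr >= off:
                raise ValueError("bad compression pointer or label type")
            end, off = (off + 2 if end is None else end), ptr
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace").lower())
            off += 1 + n

def check_response(query_id, qname, msg):  # list problems in one raw DNS response
    if len(msg) < 12:
        return ["shorter than the 12-byte DNS header"]
    mid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    problems = ["ID does not match query"] if mid != query_id else []
    if not flags & 0x8000:
        problems.append("QR bit clear (not a response)")
    try:
        off = 12
        for _ in range(qd):
            name, off = read_name(msg, off)
            off += 4                              # skip QTYPE and QCLASS
            if name != qname.lower().rstrip(".") + ".":
                problems.append("question does not echo the query name")
        for _ in range(an + ns + ar):
            off = read_name(msg, off)[1] + 10     # owner name + fixed RR header
            if off > len(msg):
                raise ValueError("truncated RR header")
            off += struct.unpack("!H", msg[off - 2:off])[0]   # add RDLENGTH
        if off != len(msg):
            problems.append("record data and message length disagree")
    except ValueError as exc:
        problems.append(str(exc))
    return problems

# Constructed sample: referral for www.apple.com. (authority: com. NS a.gtld-servers.net.)
GOOD = (struct.pack("!6H", 0x1A2B, 0x8000, 1, 0, 1, 0)
        + b"\x03www\x05apple\x03com\x00\x00\x01\x00\x01"
        + b"\xc0\x16\x00\x02\x00\x01\x00\x02\xa3\x00\x00\x14"
        + b"\x01a\x0cgtld-servers\x03net\x00")
```

An empty list for a payload exported from the capture means the message is structurally sound, so the FORMERR is more likely about its content than about damage in transit.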
</body>
</html>