<div dir="ltr"><div><div><div>I'm going crazy.<br><br>This is my named.conf<br><br>logging {<br><br> channel default_logfile {<br> file "/var/cache/bind/logs/default.log";<br> severity info;<br>
print-category yes;<br> print-severity yes;<br> print-time yes;<br> };<br><br> category default {<br> default_logfile;<br> };<br><br> category lame-servers {null;};<br>
};<br><br>options {<br> directory "/var/cache/bind";<br><br> dnssec-validation auto;<br><br> auth-nxdomain no; # conform to RFC1035<br> listen-on-v6 { any; };<br>};<br><br></div>and the default zones (not shown here).<br>
<br></div>This is the output of `dig +trace +nodnssec <a href="http://www.isc.org">www.isc.org</a>`<br>; &lt;&lt;&gt;&gt; DiG 9.8.1-P1 &lt;&lt;&gt;&gt; +trace +nodnssec <a href="http://www.isc.org">www.isc.org</a><br>;; global options: +cmd<br>
. 3600000 IN NS <a href="http://M.ROOT-SERVERS.NET">M.ROOT-SERVERS.NET</a>.<br>. 3600000 IN NS <a href="http://K.ROOT-SERVERS.NET">K.ROOT-SERVERS.NET</a>.<br>. 3600000 IN NS <a href="http://G.ROOT-SERVERS.NET">G.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://L.ROOT-SERVERS.NET">L.ROOT-SERVERS.NET</a>.<br>. 3600000 IN NS <a href="http://B.ROOT-SERVERS.NET">B.ROOT-SERVERS.NET</a>.<br>. 3600000 IN NS <a href="http://E.ROOT-SERVERS.NET">E.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://A.ROOT-SERVERS.NET">A.ROOT-SERVERS.NET</a>.<br>. 3600000 IN NS <a href="http://F.ROOT-SERVERS.NET">F.ROOT-SERVERS.NET</a>.<br>. 3600000 IN NS <a href="http://J.ROOT-SERVERS.NET">J.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://H.ROOT-SERVERS.NET">H.ROOT-SERVERS.NET</a>.<br>. 3600000 IN NS <a href="http://C.ROOT-SERVERS.NET">C.ROOT-SERVERS.NET</a>.<br>. 3600000 IN NS <a href="http://I.ROOT-SERVERS.NET">I.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://D.ROOT-SERVERS.NET">D.ROOT-SERVERS.NET</a>.<br>dig: couldn't get address for '<a href="http://M.ROOT-SERVERS.NET">M.ROOT-SERVERS.NET</a>': not found<br><br><br>
</div>During `dig` operations, using Wireshark I can see outgoing packets to port 53 and incoming ones from port 53.<br><div><br><div><div><div><div dir="ltr"><div class="gmail_extra">The default policy of my firewall, configured via `iptables`, is to accept everything (I'm on VirtualBox); the only rule is to MASQUERADE outgoing packets for NAT reasons (this box is the gateway of my private network).<br>
<br></div><div class="gmail_extra">What's wrong?<br></div><div class="gmail_extra"><br><div class="gmail_quote">2013/1/15 Chris Thompson <span dir="ltr">&lt;<a href="mailto:cet1@cam.ac.uk" target="_blank">cet1@cam.ac.uk</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On Jan 14 2013, Shane Kerr wrote:<br>
<br>
[...]<div><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
You may want to try:<br>
<br>
dig +trace <a href="http://www.isc.org" target="_blank">www.isc.org</a><br>
<br>
</blockquote></div>
[...]<div><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
The next step may be to try:<br>
<br>
dig +trace +dnssec <a href="http://www.isc.org" target="_blank">www.isc.org</a><br>
</blockquote>
<br></div>
Beware that if you have a dig(1) from BIND 9.9.x, +dnssec has become the<br>
default with +trace. In that case replace the first attempt with<br>
<br>
dig +trace +nodnssec <a href="http://www.isc.org" target="_blank">www.isc.org</a><span><font color="#888888"><br>
<br>
-- <br>
Chris Thompson<br>
Email: <a href="mailto:cet1@cam.ac.uk" target="_blank">cet1@cam.ac.uk</a><br>
</font></span></blockquote></div><br></div></div></div></div></div></div></div>