<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Why are you using forwarders? These Cloudflare servers are not
authoritative for cat.com and don't seem to be open resolvers
either.</p>
<p>Lyle Giese</p>
<p>LCR Computer Services, Inc.</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 12/4/20 12:48 PM, Wade Blackwell
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAE0Ai3BOUWXT9GZbzUnDEZob28z73ueNkHP1gvjKdyCS5X3s4A@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Good morning from the West Coast,<br>
It’s been a while since I’ve set up an
authoritative bind server from scratch so I may be missing
something very basic. First time in a docker container, besides
the point but maybe it plays (this looks like a configuration
issue in Bind). I’m getting the following errors when trying to
resolve domains external to my own;<br>
---snip---<br>
17:30:04.843 REFUSED unexpected RCODE resolving './NS/IN':
172.64.32.142#53
<br>
04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving '<a
href="http://www.cat.com/A/IN" moz-do-not-send="true">www.cat.com/A/IN</a>':
172.64.32.142#53
<br>
04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving
'./NS/IN': 172.64.33.136#53
<br>
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving '<a
href="http://E.ROOT-SERVERS.NET/AAAA/IN"
moz-do-not-send="true">E.ROOT-SERVERS.NET/AAAA/IN</a>':
172.64.32.142#53
<br>
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving '<a
href="http://G.ROOT-SERVERS.NET/AAAA/IN"
moz-do-not-send="true">G.ROOT-SERVERS.NET/AAAA/IN</a>':
172.64.32.142#53
<br>
04-Dec-2020 17:30:04.877 REFUSED unexpected RCODE resolving '<a
href="http://www.cat.com/A/IN" moz-do-not-send="true">www.cat.com/A/IN</a>':
172.64.33.136#53
<br>
04-Dec-2020 17:30:04.883 REFUSED unexpected RCODE resolving
'./NS/IN': 108.162.192.142#53
<br>
04-Dec-2020 17:30:04.884 REFUSED unexpected RCODE resolving '<a
href="http://E.ROOT-SERVERS.NET/AAAA/IN"
moz-do-not-send="true">E.ROOT-SERVERS.NET/AAAA/IN</a>':
108.162.192.142#53
<br>
04-Dec-2020 17:30:04.889 REFUSED unexpected RCODE resolving '<a
href="http://G.ROOT-SERVERS.NET/AAAA/IN"
moz-do-not-send="true">G.ROOT-SERVERS.NET/AAAA/IN</a>':
108.162.192.142#53
<br>
04-Dec-2020 17:30:04.897 REFUSED unexpected RCODE resolving '<a
href="http://www.cat.com/A/IN" moz-do-not-send="true">www.cat.com/A/IN</a>':
108.162.192.142#53
<br>
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving '<a
href="http://E.ROOT-SERVERS.NET/AAAA/IN"
moz-do-not-send="true">E.ROOT-SERVERS.NET/AAAA/IN</a>':
172.64.33.136#53
<br>
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving
'./NS/IN': 108.162.193.136#53 <br>
---end---<br>
<br>
You’ll notice the above are Cloudflare resolvers (pete/roxy)<br>
I get a DNSSEC related error when the same resolution is
attempted on the OpenDNS servers<br>
<br>
---snip---<br>
04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a
DNSKEY which verifies the DNSKEY RRset and also matches a
trusted key for '.'
<br>
04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN':
208.67.220.220#53
<br>
04-Dec-2020 17:30:05.108 validating ./DNSKEY: unable to find a
DNSKEY which verifies the DNSKEY RRset and also matches a
trusted key for '.'
<br>
04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN':
208.67.222.222#53 <br>
---end---<br>
<br>
Named.conf has the correct sources for queries;<br>
<br>
---snip---<br>
acl permit {<br>
<a href="http://172.30.0.0/16"
moz-do-not-send="true">172.30.0.0/16</a>;<br>
---end---<br>
<br>
Named.conf.options has the correct forwarders, recursion and
query statements (ignore syntax, pulling partials);<br>
<br>
---snip---<br>
forwarders {<br>
108.162.193.136;<br>
172.64.33.136;<br>
108.162.192.142;<br>
172.64.32.142;<br>
173.245.58.142;<br>
208.67.220.220;<br>
208.67.222.222;<br>
};<br>
allow-recursion {<br>
<a href="http://172.30.0.0/16"
moz-do-not-send="true">172.30.0.0/16</a>;<br>
allow-query {<br>
<a href="http://172.30.0.0/16"
moz-do-not-send="true">172.30.0.0/16</a>;<br>
---end---<br>
<br>
<div>What am I missing here (flame away…)?</div>
<div><br>
</div>
<div> -W<br>
</div>
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<p class="MsoNormal" style="margin-bottom:12.0pt"><font size="2"><span>“I can only explain it to you. I cannot understand it for you”</span></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
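<p>Added example, not part of either message in this thread: a way to check whether a candidate forwarder will actually recurse, by sending a query with RD set and reading the RA bit and RCODE from the reply header. The function names and the sample responses are constructed for illustration; <code>probe()</code> needs network access, while <code>classify()</code> works offline on any captured reply.</p>

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query with RD (recursion desired) set, as a forwarding named sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify(response, txid=0x1234):
    """Decide from the 12-byte DNS header whether the server will recurse for us."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:      # ID mismatch or QR bit clear
        return "malformed"
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)                  # RA: recursion available
    if rcode == 5:
        return "refuses recursion (REFUSED)"
    if not ra:
        return "no recursion offered (RA=0, %s)" % RCODES.get(rcode, rcode)
    return "usable as forwarder (RA=1, %s)" % RCODES.get(rcode, rcode)

def probe(server, name="www.cat.com", timeout=2.0):
    """Live check: send the query over UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recvfrom(4096)[0])

# Constructed sample responses (header + echoed question), not captured traffic.
_q = build_query("www.cat.com")[12:]
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _q    # QR, RD, RCODE=5
SAMPLE_RECURSIVE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _q  # QR, RD, RA
SAMPLE_AUTH_ONLY = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 0, 0, 0) + _q  # QR, AA, RD, RA=0
```

<p>A server that answers like <code>SAMPLE_REFUSED</code> or <code>SAMPLE_AUTH_ONLY</code> does not belong in a <code>forwarders</code> list.</p>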
</body>
</html>