Hi,

@Tim,
If I use the dnssec-validation no; option then indeed it all works. Just tested 
it again to make sure.
And as a final solution to this problem I might accept it, but I would rather 
not.

@Michel,  
> I reread all our mails and I miss to ask you this one (as answers via 
> external dns masked the real problem) :
> dig tio.nl NS +cd

Ok, with /etc/resolv.conf pointing only to localhost and option 
dnssec-validation auto;

-----<Quote>--------------------
linbobo:/etc/bind# dig tio.nl NS +cd

; <<>> DiG 9.16.37-Debian <<>> tio.nl NS +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8565
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f9edf2abbc6bb1b4010000006478e3bce0244f2a98d3724c (good)
;; QUESTION SECTION:
;tio.nl.                                IN      NS

;; ANSWER SECTION:
tio.nl.                 3600    IN      NS      amsstuddc-04.student.tio.nl.
[... snip ...]
tio.nl.                 3600    IN      NS      rtmstuddc-05.student.tio.nl.

;; Query time: 28 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 01 20:30:20 CEST 2023
;; MSG SIZE  rcvd: 568

linbobo:/etc/bind# dig tio.nl NS

; <<>> DiG 9.16.37-Debian <<>> tio.nl NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57482
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: eeb3f3a1c2495cf5010000006478e3c58effeec3959e9ccc (good)
;; QUESTION SECTION:
;tio.nl.                                IN      NS

;; Query time: 188 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 01 20:30:29 CEST 2023
;; MSG SIZE  rcvd: 63

linbobo:/etc/bind#
-----<Quote>--------------------

> If you get an answer it's a dnssec problem with the error message in your 
> logs. If there is no answer it's another problem.
Well, it seems I get an answer with the +cd option, and none without.

[...]
> And it's definitely not the good solution but you could transfer the full 
> zone (or get a copy of the file) and serve it as master.
Nah, I do not want to do that. Too many updates on the internal zone, I would 
need to copy at least every 5 min. Also other reasons.

Bonno Bloksma
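
The +cd comparison used in this message can be scripted. The following is an added example, not part of the original mail or of BIND: it classifies a failure from the header lines of two dig runs, one with +cd and one without. The function names (dig_status, dig_answers, classify, check_name) are hypothetical, the default resolver 127.0.0.1 is an assumption taken from the message, and the embedded samples are the header lines of the two dig outputs quoted above.

```shell
#!/bin/sh
# Added example: decide whether a SERVFAIL comes from DNSSEC validation
# by comparing dig output with and without the CD (checking disabled) bit.

# Read dig output on stdin, print the RCODE from the HEADER line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Read dig output on stdin, print the ANSWER count from the flags line.
dig_answers() {
    sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# classify <dig output with +cd> <dig output without +cd>
classify() {
    cd_status=$(printf '%s\n' "$1" | dig_status)
    cd_answers=$(printf '%s\n' "$1" | dig_answers)
    plain_status=$(printf '%s\n' "$2" | dig_status)
    if [ "$plain_status" = "NOERROR" ]; then
        echo "ok"
    elif [ "$plain_status" = "SERVFAIL" ] && [ "$cd_status" = "NOERROR" ] \
         && [ "${cd_answers:-0}" -gt 0 ]; then
        # Data is reachable, only the validating path fails.
        echo "dnssec-validation-failure"
    else
        # Fails even with validation off: look at reachability, delegation, etc.
        echo "other-failure"
    fi
}

# Live use against a resolver (needs network; not called by this script).
check_name() {
    name="$1"; qtype="${2:-NS}"; server="${3:-127.0.0.1}"
    classify "$(dig "@$server" "$name" "$qtype" +cd)" \
             "$(dig "@$server" "$name" "$qtype")"
}

# Sample input: header lines of the two dig runs quoted in the message.
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8565
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57482
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

classify "$SAMPLE_CD" "$SAMPLE_PLAIN"
```

A result of dnssec-validation-failure points at the resolver's validation log messages for the name rather than at connectivity.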
