Hello Erich,
more below.
On 11/12/19 2:22 PM, Erich Eckner wrote:
On Tue, 12 Nov 2019, Tony Finch wrote:
Erich Eckner <b...@eckner.net> wrote:
I also have a hard time generating some useful debug output
- setting `-d 9` does not give additional information in the system log.
You might find it is being written to the file named.run in named's
working directory (this is the default_debug logging channel
configuration). I generally use `rndc trace 11` to tell named to log
details of resolution and validation, including sent and received DNS
messages. It's very verbose but it can tell you what is happening to your
.onion queries.
Thanks! I now get the desired log. I noticed that there were *no*
queries sent by the dns server at all (even when asking for subdomains
of onion.eckner.net - which were successfully resolved by tor). I
suspected that the slave "." zone supersedes every other zone I have,
and confirmed that by commenting out the other (slaved opennic) tlds,
which did *not* break the resolving.
I replaced "." by a hint zone and now it works as intended:
- opennic tlds are resolved via their slave zones (before, they were
  not: I could comment them out and still resolve)
- normal tlds are resolved via hint root zone (I think)
- onion. is forwarded to tor
thanks a lot!
That was because when slave, your server was authoritative to say: onion
does not exist. Local authoritative zone is preferred over forwards,
your server knew all top level domains.
I have another (minor) question, though:
To my understanding, the difference between "forward first;" and
"forward only;" is that the former caches and the latter forwards all
queries. However, I see the same behaviour in the log for both. Where is
my mistake?
forward only; means it will forward all queries. If it fails, report
failure.
forward first; means forward all queries. If it fails, try iterative
queries from root servers. To prevent leaking of onion queries outside,
use only;
In both cases, bind would cache responses.
cheers,
Erich
Regards,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com PGP: 65C6C973
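
The setup this thread arrives at, sketched as a named.conf fragment. This is an added example, not configuration posted by anyone in the thread; the Tor DNSPort address (127.0.0.1 port 9053), the file names, the OpenNIC TLD name "bbs" and the master address 192.0.2.1 are assumptions or placeholders.

```conf
// Before (what kept .onion from being forwarded): a slaved root zone makes
// named authoritative for ".", so it answers that "onion" does not exist
// from local data and never consults the forward zone.
//
// zone "." {
//     type slave;
//     masters { 192.0.2.1; };          // placeholder master
//     file "slaves/root.zone";         // assumed file name
// };

// After: the root is only a hint, so named is no longer authoritative
// for every top level domain and ordinary TLDs are resolved iteratively.
zone "." {
    type hint;
    file "named.root";                  // assumed file name
};

// OpenNIC TLDs remain slave zones (one shown; name and master are placeholders).
zone "bbs" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/bbs.zone";
};

// .onion is forwarded to Tor. "forward only" reports failure when the
// forwarder fails; "forward first" would fall back to iterative queries
// from the root servers, which sends .onion names outside.
zone "onion" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 9053; };   // assumed Tor DNSPort
};
```

With `rndc trace 11` active, a query for a .onion name should show a packet sent to the forwarder and none to a root server.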