Hello Erich,

more below.

On 11/12/19 2:22 PM, Erich Eckner wrote:
On Tue, 12 Nov 2019, Tony Finch wrote:

Erich Eckner <b...@eckner.net> wrote:

I have also a hard time, generating some useful debug output
- setting `-d 9` does not give additional information in the system log.

You might find it is being written to the file named.run in named's
working directory (this is the default_debug logging channel
configuration). I generally use `rndc trace 11` to tell named to log
details of resolution and validation, including sent and received DNS
messages. It's very verbose but it can tell you what is happening to your
.onion queries.

Thanks! I now get the desired log. I noticed that there were *no* queries sent by the DNS server at all (even when asking for subdomains of onion.eckner.net, which were successfully resolved by tor). I suspected that the slave "." zone supersedes every other zone I have, and confirmed that by commenting out the other (slaved opennic) TLDs, which did *not* break the resolving.

I replaced "." by a hint zone and now it works as intended:

- opennic TLDs are resolved via their slave zones (before, they were not: I could comment them out and still resolve)

- normal TLDs are resolved via the hint root zone (I think)

- onion. is forwarded to tor

thanks a lot!

That was because, when it was a slave, your server was authoritative and could say: onion does not exist. A local authoritative zone is preferred over forwards, and your server knew all top-level domains.

I have another (minor) question, though:

To my understanding, the difference between "forward first;" and "forward only;" is that the former caches and the latter forwards all queries. However, I see the same behaviour in the log for both. Where is my mistake?
forward only; means it will forward all queries; if that fails, it reports failure. forward first; means it forwards all queries; if that fails, it tries iterative queries from the root servers. To prevent leaking onion queries outside, use only;

In both cases, BIND would cache responses.

cheers,
Erich

Regards,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973
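The setup the thread converges on, written out as a named.conf fragment. This is an added example, not configuration posted by anyone in the thread: the OpenNIC TLD name, the master address (a TEST-NET-1 placeholder), the Tor DNSPort number, file paths and the logging channel name are all assumptions, and the comments state why each part is shaped the way it is.

```conf
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localhost; };
};

// Debug output. "-d 9" or "rndc trace 11" only raises the global debug
// level; the built-in default_debug channel already writes it to the file
// named.run in the working directory. A channel with "severity dynamic"
// follows that level too, so the trace can be sent to a file of your choice.
logging {
    channel debug_log {
        file "debug.log" versions 3 size 20m;   // assumed path
        severity dynamic;
        print-time yes;
        print-category yes;
    };
    category default { debug_log; };
};

// The root must be a HINT zone. A slave copy of "." makes this server
// authoritative for the root, so it can answer "onion does not exist"
// itself; an authoritative local zone wins over the forward zone below
// and over the slaved OpenNIC TLDs, which is what broke resolution.
zone "." {
    type hint;
    file "named.root";
};

// One OpenNIC TLD slaved from an OpenNIC master (address is a placeholder).
// With "." as a hint zone this zone is consulted again for its names.
zone "geek" {
    type slave;
    masters { 192.0.2.10; };
    file "slave/geek.zone";
};

// .onion goes to Tor's DNSPort (port number assumed) and nowhere else.
// "forward only": if the forwarder fails, the client gets a failure.
// "forward first" would fall back to iterative resolution from the root
// servers and leak the .onion name to the public DNS.
zone "onion" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 9053; };
};
```

Two checks worth running after loading this: `rndc trace 11` followed by a query for a name under onion. should show in the trace a single exchange with 127.0.0.1 port 9053 and no queries to root or TLD servers; and a query for a name under an OpenNIC TLD should be answered from the slaved zone without any outbound query. The thread does not touch DNSSEC, but note that if `dnssec-validation` is on, the signed root zone proves that onion does not exist and the validator will reject Tor's answers; BIND 9.14 and later provide `validate-except { "onion"; };` for exactly this case.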


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
