Why are you using forwarders?  These Cloudflare servers are not authoritative for cat.com and don't seem to be open resolvers either.

Lyle Giese

LCR Computer Services, Inc.


On 12/4/20 12:48 PM, Wade Blackwell wrote:
Good morning from the West Coast,
It’s been a while since I’ve set up an authoritative BIND server from scratch, so I may be missing something very basic. First time in a Docker container, beside the point but maybe it plays (this looks like a configuration issue in BIND). I’m getting the following errors when trying to resolve domains external to my own;
---snip---
17:30:04.843 REFUSED unexpected RCODE resolving './NS/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET/AAAA/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.877 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.883 REFUSED unexpected RCODE resolving './NS/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.884 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.889 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET/AAAA/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.897 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET/AAAA/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving './NS/IN': 108.162.193.136#53
---end---

You’ll notice the above are Cloudflare resolvers (pete/roxy).
I get a DNSSEC-related error when the same resolution is attempted on the OpenDNS servers:

---snip---
04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53
04-Dec-2020 17:30:05.108 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN': 208.67.222.222#53
---end---

Named.conf has the correct sources for queries;

---snip---
acl permit {
        172.30.0.0/16;
---end---

Named.conf.options has the correct forwarders, recursion and query statements (ignore syntax, pulling partials);

---snip---
forwarders {
        108.162.193.136;
        172.64.33.136;
        108.162.192.142;
        172.64.32.142;
        173.245.58.142;
        208.67.220.220;
        208.67.222.222;
};
allow-recursion {
        172.30.0.0/16;
allow-query {
        172.30.0.0/16;
---end---

What am I missing here (flame away…)?

    -W

“I can only explain it to you. I can't understand it for you.”



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
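
Added example, not part of the original thread: a small Python triage of the named log lines quoted above, grouping failures by forwarder address so the two failure modes (REFUSED versus the DNSSEC key error) are visible per server. The sample lines are copied from the thread's logs; the function names and verdict labels are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Patterns for the two named messages quoted in the thread. findall() is used so
# the parser also copes with several log entries run together on one line.
REFUSED = re.compile(r"REFUSED unexpected RCODE resolving '([^']+)': ([0-9a-fA-F.:]+)#(\d+)")
NO_KEY = re.compile(r"no valid KEY resolving '([^']+)': ([0-9a-fA-F.:]+)#(\d+)")

def triage(lines):
    """Return {forwarder_ip: {"refused": set(qnames), "no_key": set(qnames)}}."""
    report = defaultdict(lambda: {"refused": set(), "no_key": set()})
    for line in lines:
        for kind, pattern in (("refused", REFUSED), ("no_key", NO_KEY)):
            for qname, ip, _port in pattern.findall(line):
                report[ip][kind].add(qname)
    return dict(report)

def classify(entry):
    """Heuristic verdict labels (hypothetical, chosen for this example)."""
    # A server that refuses even the root NS query is not offering
    # recursion to this client, so it cannot serve as a forwarder.
    if "./NS/IN" in entry["refused"]:
        return "refuses recursion"
    # The server answered, but the DNSKEY answer failed validation
    # against the locally configured trust anchor.
    if entry["no_key"]:
        return "dnssec validation failure"
    if entry["refused"]:
        return "refused some queries"
    return "ok"

def verdicts(lines):
    """Map each forwarder address seen in the log to its verdict."""
    return {ip: classify(entry) for ip, entry in triage(lines).items()}

# Sample input: lines taken from the logs posted in the thread.
SAMPLE = [
    "17:30:04.843 REFUSED unexpected RCODE resolving './NS/IN': 172.64.32.142#53",
    "04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53",
    "04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53",
    "04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies "
    "the DNSKEY RRset and also matches a trusted key for '.'",
    "04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53",
]

if __name__ == "__main__":
    for ip, verdict in sorted(verdicts(SAMPLE).items()):
        print(f"{ip:<16} {verdict}")
```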