On 08/03/2018 18:58, Jacques Rodary wrote:

On 08/03/2018 09:51, Reco wrote:

On Wed, Mar 07, 2018 at 10:19:32PM +0100, RODARY Jacques wrote:
    Sorry for my last post: I sent a draft mail instead of the corrected one.  Let's go back to my own concern: dnsmasq and soa,
if you don't mind. Here is my dnsmasq.conf file:




    Shouldn't I add a "auth-peer=" line for AXFR to ns6.gandi.net? With all my stupid previous acts, I don't dare to try it,
specially when it could affect outside hosts e.g. my registrar.
I never tried it myself, but the manpage says this on auth-peer:

If this option is not given, then AXFR requests will be accepted from any secondary.

The way I understand it, your configuration should work without
auth-peer, while being somewhat insecure. You may need to specify
ns6.gandi.net as secondary through auth-sec-servers, on the other hand.

Yet your configuration does not work, apparently, as 'dig +trace'
shows me this:

rodary.net.             3600    IN      SOA     ns.rodary.net.
root.ns.rodary.net. 2018022101 10800 3600 604800 3600
rodary.net.             3600    IN      NS      ns.rodary.net.
rodary.net.             3600    IN      NS      ns6.gandi.net.
;; Received 169 bytes from in 64 ms
Today "dig in soa rodary.net" gives me:
rodary.net.             600     IN      SOA     . root.ns.rodary.net. 2018022801 10800 3600 10800 600 Which is neither the answer I had  yesterday, neither yours (by the way I don't find how to use the "dig +trace" command), and "dig in ns rodary.net" which gave me ns.rodary.net and ns6.gandi.net , gives me only ns.rodary.net now, and "dig in ns/soa rodary.net @ns6.gandi.net" has no answer, but "recursion requested but not available"
Did your previous BIND configuration implement DNSSEC?
ns6.gandi.net was NS in my main zone file; so I think I will try auth-sec-servers=ns6.gandi.net as it was in my BIND setup. I did and it  worked: "dig in soa  rodary.net" gives me:
rodary.net.             600     IN      SOA     . root.ns.rodary.net. 2018022801 10800 3600 10800 600

rodary.net.             600     IN      NS      .
rodary.net.             600     IN      NS      ns6.gandi.net.

and even if I don't quite understand why "." (the root) is my secondary server, I suppose it means  I succeeded to have my host as a stealth server! But when I added "auth-peer="  I had to restart everything, which means reboot for me because I don't understand quite well how NetworkManager works.

Reply via email to