Re: Bind 9.10 recursion issues

2020-12-04 Thread Lyle Giese
Why are you using forwarders?  These cloudflare servers are not 
authoritative for cat.com and don't seem to be open resolvers either.


Lyle Giese

LCR Computer Services, Inc.


On 12/4/20 12:48 PM, Wade Blackwell wrote:

Good morning from the West Coast,
It’s been a while since I’ve set up an authoritative bind server from
scratch so I may be missing something very basic. First time in a docker
container, beside the point but maybe it plays (this looks like a
configuration issue in Bind). I’m getting the following errors when trying
to resolve domains external to my own;

---snip---
17:30:04.843 REFUSED unexpected RCODE resolving './NS/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET//IN': 172.64.32.142#53
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET//IN': 172.64.32.142#53
04-Dec-2020 17:30:04.877 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.883 REFUSED unexpected RCODE resolving './NS/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.884 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET//IN': 108.162.192.142#53
04-Dec-2020 17:30:04.889 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET//IN': 108.162.192.142#53
04-Dec-2020 17:30:04.897 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET//IN': 172.64.33.136#53
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving './NS/IN': 108.162.193.136#53

---end---

You’ll notice the above are Cloudflare resolvers (pete/roxy)
I get a DNSSEC related error when the same resolution is attempted on 
the OpenDNS servers


---snip---
04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53
04-Dec-2020 17:30:05.108 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN': 208.67.222.222#53

---end---

Named.conf has the correct sources for queries;

---snip---
acl permit {
172.30.0.0/16 ;
---end---

Named.conf.options has the correct forwarders, recursion and query 
statements (ignore syntax, pulling partials);


---snip---
forwarders {
        108.162.193.136;
        172.64.33.136;
        108.162.192.142;
        172.64.32.142;
        173.245.58.142;
        208.67.220.220;
        208.67.222.222;
};
allow-recursion {
        172.30.0.0/16;
allow-query {
        172.30.0.0/16;
---end---

What am I missing here (flame away…)?

    -W

“I can only explain it to you. I can’t understand it for you”



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
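
Added example, not part of either post: a short Python summary of the two log message shapes quoted in this thread, grouped by upstream server, so it is clear which forwarders answer REFUSED and which ones fail DNSSEC validation. The sample lines reuse the format and addresses from the post, re-joined to one line each; the function names and verdict labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: lines in the format quoted in the post, one entry per line.
SAMPLE_LOG = """\
04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.883 REFUSED unexpected RCODE resolving './NS/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.897 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 108.162.192.142#53
04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53
04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN': 208.67.222.222#53
"""

# "<RCODE> unexpected RCODE resolving '<name/type/class>': <addr>#<port>"
RCODE_RE = re.compile(
    r"(?P<rcode>[A-Z]+) unexpected RCODE resolving '(?P<q>[^']*)': "
    r"(?P<srv>[0-9a-fA-F.:]+)#\d+")
# "no valid KEY resolving '<name/type/class>': <addr>#<port>"
KEY_RE = re.compile(
    r"no valid KEY resolving '(?P<q>[^']*)': (?P<srv>[0-9a-fA-F.:]+)#\d+")

def summarize(log_text):
    """Group failing queries by upstream server address."""
    per_server = defaultdict(lambda: {"rcodes": defaultdict(set), "dnssec": set()})
    for line in log_text.splitlines():
        m = RCODE_RE.search(line)
        if m:
            per_server[m["srv"]]["rcodes"][m["rcode"]].add(m["q"])
            continue
        m = KEY_RE.search(line)
        if m:
            per_server[m["srv"]]["dnssec"].add(m["q"])
    return per_server

def classify(per_server):
    """Give each upstream one label (labels are this example's own)."""
    verdicts = {}
    for srv, seen in per_server.items():
        if "REFUSED" in seen["rcodes"]:
            verdicts[srv] = "refuses-queries"
        elif seen["dnssec"]:
            verdicts[srv] = "dnssec-validation-failed"
        else:
            verdicts[srv] = "other-error"
    return verdicts

if __name__ == "__main__":
    for srv, verdict in sorted(classify(summarize(SAMPLE_LOG)).items()):
        print(f"{srv:18} {verdict}")
```
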


Bind 9.10 recursion issues

2020-12-04 Thread Wade Blackwell
Good morning from the West Coast,
It’s been a while since I’ve set up an authoritative bind
server from scratch so I may be missing something very basic. First time in
a docker container, beside the point but maybe it plays (this looks like a
configuration issue in Bind). I’m getting the following errors when trying
to resolve domains external to my own;
---snip---
17:30:04.843 REFUSED unexpected RCODE resolving './NS/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53
04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET//IN': 172.64.32.142#53
04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET//IN': 172.64.32.142#53
04-Dec-2020 17:30:04.877 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.33.136#53
04-Dec-2020 17:30:04.883 REFUSED unexpected RCODE resolving './NS/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.884 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET//IN': 108.162.192.142#53
04-Dec-2020 17:30:04.889 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET//IN': 108.162.192.142#53
04-Dec-2020 17:30:04.897 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 108.162.192.142#53
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET//IN': 172.64.33.136#53
04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving './NS/IN': 108.162.193.136#53
---end---

You’ll notice the above are Cloudflare resolvers (pete/roxy)
I get a DNSSEC related error when the same resolution is attempted on the
OpenDNS servers

---snip---
04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53
04-Dec-2020 17:30:05.108 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN': 208.67.222.222#53
---end---

Named.conf has the correct sources for queries;

---snip---
acl permit {
172.30.0.0/16;
---end---

Named.conf.options has the correct forwarders, recursion and query
statements (ignore syntax, pulling partials);

---snip---
forwarders {
        108.162.193.136;
        172.64.33.136;
        108.162.192.142;
        172.64.32.142;
        173.245.58.142;
        208.67.220.220;
        208.67.222.222;
};
allow-recursion {
        172.30.0.0/16;
allow-query {
        172.30.0.0/16;
---end---

What am I missing here (flame away…)?

-W



“I can only explain it to you. I can’t understand it for you”