Re: .onion and dnssec

2019-11-15 Thread Petr Mensik

Hello Erich,

more below.

On 11/12/19 2:22 PM, Erich Eckner wrote:
> On Tue, 12 Nov 2019, Tony Finch wrote:
>
>> Erich Eckner  wrote:
>>
>>> I also have a hard time generating some useful debug output
>>> - setting `-d 9` does not give additional information in the system log.
>>
>> You might find it is being written to the file named.run in named's
>> working directory (this is the default_debug logging channel
>> configuration). I generally use `rndc trace 11` to tell named to log
>> details of resolution and validation, including sent and received DNS
>> messages. It's very verbose but it can tell you what is happening to your
>> .onion queries.
>
> Thanks! I now get the desired log. I noticed that there were *no*
> queries sent by the dns server at all (even when asking for subdomains
> of onion.eckner.net, which were successfully resolved by tor). I
> suspected that the slave "." zone supersedes every other zone I have,
> and confirmed that by commenting out the other (slaved opennic) tlds,
> which did *not* break the resolving.
>
> I replaced "." by a hint zone and now it works as intended:
>
> - opennic tlds are resolved via their slave zones (before, they were
>   not: I could comment them out and still resolve)
>
> - normal tlds are resolved via hint root zone (I think)
>
> - onion. is forwarded to tor
>
> thanks a lot!

That was because when slave, your server was authoritative to say: onion
does not exist. Local authoritative zone is preferred over forwards;
your server knew all top level domains.

> I have another (minor) question, though:
>
> To my understanding, the difference between "forward first;" and
> "forward only;" is that the former caches and the latter forwards all
> queries. However, I see the same behaviour in the log for both. Where is
> my mistake?

forward only; means it will forward all queries. If it fails, report
failure.
forward first; means forward all queries. If it fails, try iterative
queries from root servers. To prevent leaking of onion queries outside,
use only;

In both cases, bind would cache responses.

> cheers,
> Erich


Regards,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
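The following named.conf fragment is an added illustration, not Erich's or Petr's configuration, that puts the advice in this thread together in one place: the root is a hint zone rather than a slave (so named is not authoritative for every name it has no more specific zone for), onion. is a forward-only zone so a forwarder failure is reported instead of leaking the query to the root servers, and validate-except (the 9.14+ option Tony mentioned earlier in the thread) keeps DNSSEC validation from rejecting answers under onion., which the signed root proves do not exist. The working directory, the hints file name and the tor DNSPort address 127.0.0.1 port 9053 are assumptions; the opennic TLDs being slaved are not named on the page and are left as a placeholder comment.

```conf
options {
    directory "/var/named";            // assumed working directory; named.run lands here
    recursion yes;
    dnssec-validation auto;
    // onion. has no signed delegation from the root, so validated resolution
    // would reject forwarded answers. validate-except (BIND 9.14+) is the
    // long-term replacement for "rndc nta onion".
    validate-except { "onion"; };
};

// Root must be a hint zone. A slave copy of "." makes named authoritative
// for every name not covered by a more specific zone, so onion. queries get
// an authoritative NXDOMAIN and are never forwarded.
zone "." {
    type hint;
    file "root.hint";                  // assumed file name
};

// onion. goes to tor and nowhere else. "forward only" means a failure is
// returned to the client rather than retried iteratively from the root,
// which is what keeps onion names from leaving the host.
zone "onion" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 9053; };   // assumed tor DNSPort
};

// Each opennic TLD that is slaved keeps its own zone stanza, e.g.
// zone "<opennic-tld>" { type slave; file "..."; masters { ... }; };
// The actual TLD names and masters are not part of this example.
```

With this layout, named picks the closest enclosing configured zone for each query: names under onion. match the forward zone, names under a slaved TLD match that slave zone, and everything else falls through to the hint root and is resolved iteratively. Confirming that nothing leaks is a matter of running `rndc trace 11` as Tony suggests and checking named.run for outbound queries carrying onion names; with "forward only" and a reachable forwarder there should be none.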


Re: .onion and dnssec

2019-11-12 Thread Tony Finch
Erich Eckner  wrote:
>
> To my understanding, the difference between "forward first;" and "forward
> only;" is that the former caches and the latter forwards all queries.
> However, I see the same behaviour in the log for both. Where is my mistake?

My understanding is that first vs. only is related to fallback behaviour,
though I don't know what kind of forwarding failures cause named to revert
to iterating. [I don't use forwarding myself, but I view `forward first`
with deep suspicion since it looks like the kind of thing that turns
misconfigurations into performance problems and mysterious weirdness.]

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Wight, Portland, Plymouth: West or northwest 6 to gale 8, decreasing 4 or 5.
Moderate or rough, occasionally very rough at first in Plymouth, then
occasionally slight later. Thundery showers. Good, occasionally poor.


Re: .onion and dnssec

2019-11-12 Thread Erich Eckner

On Tue, 12 Nov 2019, Tony Finch wrote:

> Erich Eckner  wrote:
>
>> I also have a hard time generating some useful debug output
>> - setting `-d 9` does not give additional information in the system log.
>
> You might find it is being written to the file named.run in named's
> working directory (this is the default_debug logging channel
> configuration). I generally use `rndc trace 11` to tell named to log
> details of resolution and validation, including sent and received DNS
> messages. It's very verbose but it can tell you what is happening to your
> .onion queries.

Thanks! I now get the desired log. I noticed that there were *no* queries
sent by the dns server at all (even when asking for subdomains of
onion.eckner.net, which were successfully resolved by tor). I
suspected that the slave "." zone supersedes every other zone I have,
and confirmed that by commenting out the other (slaved opennic) tlds, which
did *not* break the resolving.

I replaced "." by a hint zone and now it works as intended:

- opennic tlds are resolved via their slave zones (before, they were not:
  I could comment them out and still resolve)

- normal tlds are resolved via hint root zone (I think)

- onion. is forwarded to tor

thanks a lot!

I have another (minor) question, though:

To my understanding, the difference between "forward first;" and "forward
only;" is that the former caches and the latter forwards all queries.
However, I see the same behaviour in the log for both. Where is my
mistake?

cheers,
Erich


Re: .onion and dnssec

2019-11-12 Thread Tony Finch
Erich Eckner  wrote:

> I also have a hard time generating some useful debug output
> - setting `-d 9` does not give additional information in the system log.

You might find it is being written to the file named.run in named's
working directory (this is the default_debug logging channel
configuration). I generally use `rndc trace 11` to tell named to log
details of resolution and validation, including sent and received DNS
messages. It's very verbose but it can tell you what is happening to your
.onion queries.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Mull of Kintyre to Ardnamurchan Point: North 5 to 7, becoming variable 2 or 3,
then east 3 to 5 later. Rough or very rough, occasionally moderate later in
shelter from easterly swell. Showers. Good occasionally poor.
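An added named.conf logging stanza, not from Tony's or Erich's setup, that makes the debug output Tony describes land in an explicit file instead of relying on the implicit default_debug channel. The key setting is `severity dynamic`, which follows whatever level is set with `-d N` on the command line or `rndc trace N` at runtime, so the file stays quiet until tracing is switched on. The file name, rotation and size values are assumptions.

```conf
logging {
    // "dynamic" ties this channel to the current debug level, i.e. the
    // value given by -d N or changed at runtime with "rndc trace N".
    // At level 0 nothing below "info" is written.
    channel debug_log {
        file "named.run" versions 3 size 20m;   // assumed name/rotation
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Route the categories relevant to this thread to the channel:
    // resolver shows where queries are sent (or not sent), dnssec shows
    // validation outcomes such as the onion. failure, default catches
    // everything without an explicit category.
    category default  { debug_log; };
    category resolver { debug_log; };
    category dnssec   { debug_log; };
};
```

After reloading, `rndc trace 11` raises the level and `rndc trace 0` (or `rndc notrace`) turns it back down; the file is relative to the `directory` in options, which is why it did not appear in the system log in the first place.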


Re: .onion and dnssec

2019-11-11 Thread Erich Eckner

Hi Tony,

On Mon, 11 Nov 2019, Tony Finch wrote:

> Erich Eckner  wrote:
>
>> However, I encounter the issue here:
>> https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html
>
> If you are running 9.14 (or newer) you can use the validate-except
> configuration option. In older versions you can use `rndc nta` but
> that is very inconvenient if you need a long-term exception.

I'm running 9.14.7 and tried both, but while it does not give any errors,
the lookup still fails (`rndc nta onion` is logged successfully, so it
seems to do the right thing). I also have a hard time generating some
useful debug output: setting `-d 9` does not give additional information
in the system log. And running named manually with -d 9 prints nothing to
stdout (though, it seems, it generates a log file then).

Digging a little through my configuration, I noticed that "." is actually
a slave zone:

    zone "." in {
        type slave;
        file "/etc/opennic/slave/tld-root";
        notify no;
        masters {
            45.56.115.189;                  # ns0.opennic.glue
            45.56.116.224;                  # ns0.opennic.glue
            2001:470:1f0e:8a0::2;           # ns0.opennic.glue
            2600:3c02::f03c:91ff:fe33:e1ba; # ns0.opennic.glue
        };
    };

Might this be an issue? (I notice that the lookup succeeds when I comment
out the root zone.)

Cheers,
Erich


Re: .onion and dnssec

2019-11-11 Thread Tony Finch
Erich Eckner  wrote:
>
> However, I encounter the issue here:
> https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html

If you are running 9.14 (or newer) you can use the validate-except
configuration option. In older versions you can use `rndc nta` but
that is very inconvenient if you need a long-term exception.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forth, Tyne, Dogger: Cyclonic 5 to 7. Moderate or rough. Showers. Good,
occasionally moderate.