To get this moving again and after Simon's reply I was trying to set this up with potential copy and paste for anyone retrying. But it doesn't reproduce the error on Bionic (where it should still happen), so please help me find what is missing.
This follows:
  - https://help.ubuntu.com/community/BIND9ServerHowto#Secondary_Master_Server_configuration
  - https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=2882

I wonder:
  - does it have to be powerdns?
  - does it need multiple masters (is that even an allowed config)?
  - does it need on top of all that also DNSSEC to trigger?
  - what else?

Master:

Add to /etc/bind/named.conf.local:

  zone "example.com" {
      type master;
      file "/etc/bind/db.example.com";
      allow-transfer { 192.168.122.212; };
  };

  zone "122.168.192.in-addr.arpa" {
      type master;
      notify no;
      file "/etc/bind/db.192";
      allow-transfer { 192.168.122.212; };
  };

Create your db /etc/bind/db.example.com like:

  ;
  ; BIND data file for local loopback interface
  ;
  $TTL    604800
  @       IN      SOA     example.com. root.example.com. (
                                1         ; Serial
                           604800         ; Refresh
                            86400         ; Retry
                          2419200         ; Expire
                           604800 )       ; Negative Cache TTL
  ;
  @       IN      NS      example.com.
  @       IN      A       192.168.122.46
  @       IN      AAAA    ::1
  ;test system is the client
  client  IN      A       192.168.122.115

Reverse zone in /etc/bind/db.192 like:

  ;
  ; BIND reverse data file for local loopback interface
  ;
  $TTL    604800
  @       IN      SOA     ns.example.com. root.example.com. (
                                5         ; Serial
                           604800         ; Refresh
                            86400         ; Retry
                          2419200         ; Expire
                           604800 )       ; Negative Cache TTL
  ;
  @       IN      NS      ns.
  46      IN      PTR     ns.example.com.
  46      IN      PTR     example.com.
  ;test system is the client
  115     IN      PTR     client.example.com.

# restart and verify the nameserver like:

  $ systemctl restart bind9
  $ dig 122.168.192.in-addr.arpa. AXFR @127.0.0.1

  ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> 122.168.192.in-addr.arpa. AXFR @127.0.0.1
  ;; global options: +cmd
  122.168.192.in-addr.arpa. 604800 IN SOA ns.example.com. root.example.com. 5 604800 86400 2419200 604800
  122.168.192.in-addr.arpa. 604800 IN NS ns.
  115.122.168.192.in-addr.arpa. 604800 IN PTR client.example.com.
  46.122.168.192.in-addr.arpa. 604800 IN PTR ns.example.com.
  46.122.168.192.in-addr.arpa. 604800 IN PTR example.com.
  122.168.192.in-addr.arpa. 604800 IN SOA ns.example.com. root.example.com. 5 604800 86400 2419200 604800
  ;; Query time: 1 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Fri Nov 30 11:29:17 UTC 2018
  ;; XFR size: 6 records (messages 1, bytes 244)

# Slave

Link it to the master in /etc/bind/named.conf.local:

  zone "example.com" {
      type slave;
      file "/var/cache/bind/db.example.com";
      masters { 192.168.122.46; };
  };

  zone "1.168.192.in-addr.arpa" {
      type slave;
      file "/var/cache/bind/db.192";
      masters { 192.168.122.46; };
  };

On a restart you should see a successful transfer:

  $ sudo systemctl restart bind9
  $ sudo systemctl status bind9
  ● bind9.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2018-11-30 11:33:54 UTC; 1s ago
       Docs: man:named(8)
    Process: 1154 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
   Main PID: 1294 (named)
      Tasks: 7 (limit: 547)
     CGroup: /system.slice/bind9.service
             └─1294 /usr/sbin/named -f -u bind

  Nov 30 11:33:54 bionic-unb-slave named[1294]: checkhints: b.root-servers.net/A (192.228.79.201) extra record in hints
  Nov 30 11:33:54 bionic-unb-slave named[1294]: checkhints: b.root-servers.net/AAAA (2001:500:200::b) missing from hints
  Nov 30 11:33:54 bionic-unb-slave named[1294]: checkhints: b.root-servers.net/AAAA (2001:500:84::b) extra record in hints
  Nov 30 11:33:54 bionic-unb-slave named[1294]: checkhints: l.root-servers.net/AAAA (2001:500:9f::42) missing from hints
  Nov 30 11:33:54 bionic-unb-slave named[1294]: checkhints: l.root-servers.net/AAAA (2001:500:3::42) extra record in hints
  Nov 30 11:33:55 bionic-unb-slave named[1294]: zone example.com/IN: Transfer started.
  Nov 30 11:33:55 bionic-unb-slave named[1294]: transfer of 'example.com/IN' from 192.168.122.46#53: connected using 192.168.122.212#56633
  Nov 30 11:33:55 bionic-unb-slave named[1294]: zone example.com/IN: transferred serial 6
  Nov 30 11:33:55 bionic-unb-slave named[1294]: transfer of 'example.com/IN' from 192.168.122.46#53: Transfer status: success
  Nov 30 11:33:55 bionic-unb-slave named[1294]: transfer of 'example.com/IN' from 192.168.122.46#53: Transfer completed: 1 messages, 6 records, 187 bytes, 0.003 secs (62333 bytes/sec)

Both can resolve client.example.com on 127.0.0.1 now.

Client

The client can now resolve against both servers' IPs:

  $ dig client.example.com @192.168.122.46
  $ dig client.example.com @192.168.122.212
  # both deliver 192.168.122.115 in the current example

  # install unbound
  $ apt install unbound

  # configure unbound to the two bind9 servers in /etc/unbound/unbound.conf.d/exampl.com.conf
  domain-insecure: "example.com"
  stub-zone:
      name: "example.com"
      stub-addr: 192.168.122.46
      stub-addr: 192.168.122.212

  $ sudo systemctl restart unbound.service

  # you should see it run locally
  $ sudo netstat -eeapn | grep unb
  tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      0          22350      1422/unbound

Local resolve now goes through unbound to one of the bind9 servers.

  $ dig client.example.com @127.0.0.1

  ; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> client.example.com @127.0.0.1
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38064
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;client.example.com.            IN      A

  ;; ANSWER SECTION:
  client.example.com.     604800  IN      A       192.168.122.115

  ;; AUTHORITY SECTION:
  example.com.            604800  IN      NS      example.com.

  ;; ADDITIONAL SECTION:
  example.com.            604800  IN      A       192.168.122.46
  example.com.            604800  IN      AAAA    ::1

  ;; Query time: 5 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Fri Nov 30 11:43:40 UTC 2018
  ;; MSG SIZE  rcvd: 121

But I can shut down one of the bind9 servers just fine and still get fast responses from unbound.

** Changed in: unbound (Ubuntu Bionic)
       Status: Triaged => Incomplete

https://bugs.launchpad.net/bugs/1732150
Title:
  Unbound behaviour changes (wrong) when domain-insecure is set for a stub zone with multiple stub-addr(s)
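As an added example (not part of the reporter's message, and not code from the unbound or BIND projects), the following Python script repeats the manual checks above in one go: it sends the same A query for client.example.com to every stub-addr and to the local unbound, parses the replies with a minimal wire-format decoder, and reports per-server answer and latency. Running it before and after stopping one of the bind9 servers gives a repeatable record of whether unbound still answers, and how fast, for a given stub-zone configuration. The server addresses are taken from the report and are assumed to be the lab addresses; the sample response bytes embedded for the offline self-check are constructed here.

```python
import socket
import struct
import time

# Assumption: the lab addresses from the bug report; 127.0.0.1 is the local unbound.
STUB_SERVERS = ["192.168.122.46", "192.168.122.212"]
LOCAL_RESOLVER = "127.0.0.1"
QNAME = "client.example.com"


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, terminated by 0)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qid):
    """Build a plain UDP query for <qname> A IN with the RD flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels = []
    end = None  # position after the name in the original (uncompressed) location
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_response(data):
    """Return id, rcode and the A records in the answer section of a response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": qid, "rcode": flags & 0xF, "answers": answers}


def probe(servers, qname, timeout=2.0):
    """Query each server once; record answers and latency, or the failure reason."""
    results = {}
    for i, server in enumerate(servers):
        qid = 0x1000 + i
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            start = time.monotonic()
            sock.sendto(build_query(qname, qid), (server, 53))
            data, _ = sock.recvfrom(4096)
            elapsed_ms = (time.monotonic() - start) * 1000.0
            reply = parse_response(data)
            if reply["id"] != qid:
                results[server] = {"error": "response id mismatch"}
            else:
                results[server] = {"rcode": reply["rcode"], "answers": reply["answers"], "ms": elapsed_ms}
        except socket.timeout:
            results[server] = {"error": "timeout after %.1fs" % timeout}
        except OSError as exc:
            results[server] = {"error": str(exc)}
        finally:
            sock.close()
    return results


def answering_servers(results):
    """Servers that returned at least one A record (the ones unbound can actually use)."""
    return sorted(s for s, r in results.items() if r.get("answers"))


# Constructed sample reply, mirroring the dig answer in the report: one A record,
# TTL 604800, name compressed with a pointer back to the question (offset 12).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name(QNAME) + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 604800, 4) + bytes([192, 168, 122, 115])
)

if __name__ == "__main__":
    for server, result in probe(STUB_SERVERS + [LOCAL_RESOLVER], QNAME).items():
        print(server, result)
    print("answering:", answering_servers(probe(STUB_SERVERS + [LOCAL_RESOLVER], QNAME)))
```

The decoder deliberately handles only what the check needs (A records, compression pointers) and flags a response whose id does not match the query, so a stale or misdirected reply is not counted as a success. Run it once with both bind9 servers up, then again with one stopped; a second run where 127.0.0.1 still answers within a few milliseconds while one stub-addr reports a timeout is the behaviour the report describes.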
