Barry;

Thanks, I fixed that!
I am also not sure whether that will help with the "SERVFAIL" or "REFUSED" status returned when the servers are checked from outside.

Eduardo

On 11/14/11 6:58 PM, Barry Margolin wrote:
In article<mailman.95.1321308136.68562.bind-us...@lists.isc.org>,
  Eduardo Bonsi<beart...@pacbell.net>  wrote:

Since my servers are getting status "refused" from outside, could
someone shed some light on what is wrong here? Here is a copy of my
named.conf file for the master.

You have the same 'match-clients {any;}' clause in both the internal and
external views, although I don't see how this would cause us to get
"refused" responses.  Since the first matching view wins, it should mean
that we see the internal zones instead of the external ones.

BTW, it's customary to put all the view options (like match-clients) at
the beginning of the view clause, not hide them in the middle of all the
zone sub-clauses.


Thanks!

//
// Include keys file
// Shared secret named "rndc-key"; the "controls" statement below requires it
// for rndc commands. The poster masked the secret before publishing, which is
// the right call for any configuration shared on a public list.
// NOTE(review): hmac-md5 is a legacy TSIG algorithm; where the installed BIND
// supports it, generate this key as hmac-sha256 instead. The same key name is
// also listed in the "server 192.168.1.cc" statement further down, so one
// leaked secret would cover both rndc control and server-to-server signing --
// a separate key per purpose limits that exposure.
key rndc-key {
        algorithm hmac-md5;
        secret "yyxx-not-the-real-key-xmc/xxx/z/x==";
        };
//
//
// Declares control channels to be used by the rndc utility.
//
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.
//
// Default controls
      // rndc control channel: listens only on loopback port 953, accepts
      // connections only from the built-in "localhost" ACL, and requires
      // commands to be signed with rndc-key.
      // NOTE(review): any local account able to read the file holding the
      // rndc-key secret can drive named through this channel, so keep that
      // file readable only by the named user and administrators.
      controls {
        inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
};
//
//20
//21
//
// Global server options; the views and zones further down can override them.
options {
          directory "/var/named";
          // String returned for version.bind queries, so the real release is
          // not advertised to anyone who asks.
          version "Undisclosed";
          //
           // If there is a firewall between you and name servers you want
           // to talk to, you might need to un-comment the query-source
           // directive below.  Previous versions of BIND always asked
           // questions using port 53, but BIND 8.1 uses an unprivileged
           // port by default.
           //query-source address 192.168.1.cc port 53;
           // NOTE(review): leave query-source commented out. Pinning outgoing
           // queries to one fixed source port removes source-port
           // randomization, which a resolver relies on to resist spoofed
           // (cache-poisoning) answers; allow the replies through the
           // firewall instead.
           //
        // Serve DNSSEC records and validate answers obtained while resolving.
        dnssec-enable yes;
        dnssec-validation yes;
        // Ask the forwarders first and fall back to normal resolution when
        // they do not answer.
        // NOTE(review): validation through forwarders only works if they
        // return DNSSEC records (RRSIG/DNSKEY) intact -- confirm for the two
        // addresses listed below.
        forward first;
        // One resource record per zone-transfer message.
        transfer-format one-answer;
        forwarders {
                68.94.156.1 port 53;
                68.94.157.1 port 53;
                };
        // DNSSEC Lookaside Validation: zones without a chain of trust from a
        // configured anchor are looked up under dlv.isc.org, whose keys are
        // given in the trusted-keys statement.
        // NOTE(review): ISC later retired the dlv.isc.org registry; on a
        // current BIND, validate from the root trust anchor instead --
        // confirm against the release actually in use.
        dnssec-lookaside . trust-anchor dlv.isc.org.;
        // NOTE(review): no allow-transfer is set here, and only one zone
        // below sets its own. BIND 9 releases of this era default to
        // permitting zone transfers to any host -- verify for the installed
        // version and restrict transfers to the secondary.
      };
//44
//45
//
//
// HTTP statistics channel: the listener is opened on every interface ("*")
// at port 8053, while the allow list admits only 127.0.0.1.
// NOTE(review): the ACL is the only thing keeping remote hosts out; binding
// the listener itself to 127.0.0.1 would keep the port off the external
// interfaces altogether.
statistics-channels {
      inet * port 8053 allow { 127.0.0.1; };
};
//
// ACL statement

// Address list for hosts considered internal: the 192.168.1.0/24 LAN, one
// host inside that same prefix, and the built-in localhost/localnets ACLs.
// NOTE(review): nothing in the posted configuration references "trusted";
// the internal view's match-clients uses a literal prefix instead. Either
// use this ACL there (and in allow-transfer / allow-query) or drop it, so
// the access policy is stated in one place.
acl trusted {
        192.168.1.254;
        192.168.1.0/24;
        localhost;
        localnets;
        };

// View served to LAN clients. Views are tried in the order they appear and
// the first whose match-clients matches is used, so this one has to come
// before the catch-all "external" view.
view "internal" {
        // Only sources in 192.168.1.0/24 are placed in this view.
        match-clients { 192.168.1.0/24; };
        // Recursion is offered only to clients that matched this view.
        recursion yes;

// Root hints used for recursive resolution.
zone "." IN {
          type hint;
          file "named.ca";
};

zone "localhost" IN {
          type master;
          allow-query { any; };
          file "localhost.zone";
          allow-update { none; };
};

// The only zone in the posted configuration that sets allow-transfer.
zone "0.0.127.in-addr.arpa" IN {
          type master;
                allow-query {
                        any;
                        };
          file "named.local";
                allow-update {
                        none;
                        };
                allow-transfer {
                        none;
                        };
};
//
//90
//100
// internal zones
//
// Internal copy of bonsi.org; changes are announced to 192.168.1.cc (the
// last octet was masked by the poster).
// NOTE(review): no allow-transfer here or on the zones that follow, so they
// use the inherited/default transfer policy -- see the options statement.
zone "bonsi.org" IN {
type master;
                allow-query {
                        any;
                        };
                notify yes;
file "/var/named/db.bonsi.org";
                also-notify {
                        192.168.1.cc;
                        };
      };

// NOTE(review): notify is "no" here while an also-notify target is listed;
// presumably the also-notify list is inert for this zone -- confirm that is
// intended.
zone "1.168.192.in-addr.arpa" IN {
type master;
                allow-query {
                        any;
                        };
                notify no;
file "/var/named/db.192.168.1";
                also-notify {
                        192.168.1.cc;
                        };
       };

zone "168.192.in-addr.arpa" IN {
type master;
                allow-query {
                        any;
                        };
file "/var/named/db.192.168";
                also-notify {
                        192.168.1.cc;
                        };
       };
        zone "domain2.com" {
                type master;
                      allow-query { any; };
                file "domain2.internal.hosts";
                };
        // View-level options, placed after the zones. "any" is bounded by
        // match-clients above: only LAN sources reach this view at all.
        allow-query {
                any;
                };
        also-notify {
                192.168.1.cc;
                };
};
//150
// www.external zones
//
// View for every client not captured by an earlier view; it holds the
// public copies of the zones.
view "external" {
        match-clients { any; };
        // Authoritative-only for outside clients: with recursion off the
        // server does not act as an open resolver. This matches the
        // "recursion requested but not available" warning in the dig output
        // posted in this thread.
        recursion no;
        // NOTE(review): none of the zones in this view sets allow-transfer,
        // so the public zones use the inherited/default transfer policy. If
        // that default permits any host (see the options statement), anyone
        // can pull the full zone contents; restrict transfers to the
        // secondary, ideally authenticated with a TSIG key.
        zone "bonsi.org" {
                type master;
                allow-query {
                        any;
                        };
                file "/var/named/bonsi.org.external.hosts";
                notify yes;
                also-notify {
                        192.168.1.cc;
                        };
                };

        // The name-server host name is served as a zone of its own.
        zone "ns1.bonsi.org" {
                type master;
                allow-query {
                        any;
                        };
                file "ns1.bonsi.org.external.hosts";
                also-notify {
                        192.168.1.cc;
                        };
                };
        
        zone "sub.bonsi.org" {
                type master;
                      allow-query { any; };
                file "sub.bonsi.org.external.hosts";
                };
        zone "domain2.com" {
                type master;
                              allow-query { any; };
                file "domain2.com.external.hosts";
                };
        // Reverse zone for the public address block.
        zone "45.200.63.in-addr.arpa" {
                type master;
                allow-query {
                        any;
                        };
                file "63.200.45.external.rev";
                also-notify {
                        192.168.1.cc;
                        };
                };
        // View-level options, placed after the zones.
        allow-query {
                any;
                };
        // NOTE(review): the per-zone lists above notify the private address
        // 192.168.1.cc, while this view-level list names the public address
        // 63.200.45.19 -- check which view on the secondary each NOTIFY is
        // meant to reach.
        also-notify {
                63.200.45.19;
                };
        };
//

// Per-peer settings for 192.168.1.cc (last octet masked by the poster):
// requests sent to that server are signed with the listed TSIG key.
// NOTE(review): this reuses rndc-key, the control-channel secret. A dedicated
// transfer key shared only with this peer keeps a compromise of the peer from
// also exposing rndc control of this server.
server 192.168.1.cc {
        keys {
                rndc-key;
                };
        };
//
// Statically configured DNSSEC trust anchors for dlv.isc.org, the lookaside
// zone named by dnssec-lookaside in options. Each entry is
// "name flags protocol algorithm key": flags 257 marks a key-signing key,
// algorithm 5 is RSASHA1 and algorithm 8 is RSASHA256.
// NOTE(review): static anchors are not updated when the publisher rolls its
// key; they must be replaced by hand. Obtain the key material from the
// publisher over an authenticated channel rather than copying it from a
// mailing-list post, and check that the line wrapping inside the quoted
// strings below is an artifact of the mail client, not of the file on disk.
trusted-keys {
        dlv.isc.org. 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70
jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoB
AADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9
UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
        dlv.isc.org. 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0E
zrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxk
jf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzC
TMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmq
rAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
        };
//
// Logging for DNSSEC processing only; other categories keep their defaults.
logging {
        // File channel; the relative path is presumably resolved against the
        // "directory" set in options (/var/named) -- confirm. Each line is
        // stamped with time, category and severity.
        // NOTE(review): "debug 3" is troubleshooting verbosity; lower it once
        // the problem is solved. A size limit is set without a "versions"
        // clause, so check how the installed BIND behaves when the file
        // reaches 20m, to avoid silently losing later validation messages.
        channel dnssec_log {
                file "log/dnssec" size 20m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity debug 3;
                };
        // DNSSEC messages go to the file channel above and to three built-in
        // channels.
        category dnssec {
                dnssec_log;
                default_syslog;
                default_debug;
                default_stderr;
                };
};



On 11/14/11 12:44 PM, Adamiec, Lawrence wrote:
Here are some results using the same commands you used.



# dig bonsi.org

;<<>>   DiG 9.6.1-P3<<>>   bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bonsi.org.                     IN      A

;; Query time: 666 msec
;; SERVER: 64.131.119.11#53(64.131.119.11)
;; WHEN: Mon Nov 14 14:41:54 2011
;; MSG SIZE  rcvd: 27



# dig @63.200.45.18 ns1.bonsi.org soa

;<<>>   DiG 9.6.1-P3<<>>   @63.200.45.18 ns1.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 986
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.bonsi.org.                 IN      SOA

;; Query time: 75 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Mon Nov 14 14:42:25 2011
;; MSG SIZE  rcvd: 31

#

-----Original Message-----
From: bind-users-bounces+ladamiec=kentlaw....@lists.isc.org
[mailto:bind-users-
bounces+ladamiec=kentlaw....@lists.isc.org] On Behalf Of Eduardo Bonsi
Sent: Monday, November 14, 2011 14:39
To: bind-us...@isc.org
Subject: Help with dig to check NS servers for DNSSEC setup

I am checking my DNS setup from inside using dig and everything looks
OK, but I need a second opinion from outside of the server to see if
my ns1 and ns2 are responding correctly before I set up DNSSEC.

Thanks!

user:~ user1$ dig bonsi.org

;<<>>   DiG 9.6-ESV-R4-P3<<>>   bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35880
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bonsi.org.                     IN      A

;; ANSWER SECTION:
bonsi.org.              3600    IN      A       63.200.45.21

;; AUTHORITY SECTION:
bonsi.org.              3600    IN      NS      ns2.bonsi.org.
bonsi.org.              3600    IN      NS      ns1.bonsi.org.

;; ADDITIONAL SECTION:
ns2.bonsi.org.          3600    IN      A       63.200.45.19

;; Query time: 14 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Mon Nov 14 12:09:43 2011
;; MSG SIZE  rcvd: 95
********************************************************************
user:~ user1$ dig @63.200.45.18 ns1.bonsi.org soa

;<<>>   DiG 9.6-ESV-R4-P3<<>>   @63.200.45.18 ns1.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31586
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.bonsi.org.                 IN      SOA

;; ANSWER SECTION:
ns1.bonsi.org.          3600    IN      SOA     ns1.bonsi.org.
hostmaster.bonsi.org.
2011101403 10800 3600 604800 3600

;; AUTHORITY SECTION:
ns1.bonsi.org.          3600    IN      NS      ns1.bonsi.org.

;; Query time: 14 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Mon Nov 14 12:10:19 2011
;; MSG SIZE  rcvd: 92
********************************************************************
user:~ user1$ dig @63.200.45.19 ns2.bonsi.org

;<<>>   DiG 9.6-ESV-R4-P3<<>>   @63.200.45.19 ns2.bonsi.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38660
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns2.bonsi.org.                 IN      A

;; ANSWER SECTION:
ns2.bonsi.org.          3600    IN      A       63.200.45.19

;; AUTHORITY SECTION:
ns2.bonsi.org.          3600    IN      NS      ns2.bonsi.org.

;; Query time: 12 msec
;; SERVER: 63.200.45.19#53(63.200.45.19)
;; WHEN: Mon Nov 14 12:11:04 2011
;; MSG SIZE  rcvd: 61
********************************************************************
user:~ user1$ dig @63.200.45.19 ns2.bonsi.org soa

;<<>>   DiG 9.6-ESV-R4-P3<<>>   @63.200.45.19 ns2.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17334
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns2.bonsi.org.                 IN      SOA

;; ANSWER SECTION:
ns2.bonsi.org.          3600    IN      SOA     ns2.bonsi.org.
hostmaster.bonsi.org.
2011101409 10800 3600 604800 3600

;; AUTHORITY SECTION:
ns2.bonsi.org.          3600    IN      NS      ns2.bonsi.org.

;; ADDITIONAL SECTION:
ns2.bonsi.org.          3600    IN      A       63.200.45.19

;; Query time: 58 msec
;; SERVER: 63.200.45.19#53(63.200.45.19)
;; WHEN: Mon Nov 14 12:19:50 2011
;; MSG SIZE  rcvd: 108


--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com




--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com
