On 09/01/2015 09:20 AM, John Miller wrote:
If you check pcap, logs, etc., is the server's following delegation
for 0.centos.pool.ntp.org? Where do outbound packets stop?
I don't believe this and I have some serious problems.
Part of my challenge is I am running the new server on an armv7 board
that does not have an RTC. So when the system boots, the time is Jan 1
1970. The first thing you want to run is ntp to set the time, but that
requires named running and resolving.
For the 'fun' of it, I used 'date' to set the time to now, and then no
problem resolving 0.centos.pool.ntp.org. So there is something about
that resolution that does not like the early date.
So I am caught in a time bind here!
Is there any way to get bind not to be particular about system time at first?
John
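One way to break the chicken-and-egg between ntp and named on a board with no RTC, as an added example that is not from anyone in this thread: a small boot-time script, run before named and ntp start, that refuses to leave the clock at 1970 and instead jumps it forward to a floor date or to the mtime of a file touched while the clock was last known good. The file path, the floor date and the `--apply` flag are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the thread). Runs early in boot on a board without an
# RTC, before named and ntp start, so neither sees a clock of Jan 1 1970.
# Assumed/hypothetical: /var/lib/clock-floor is a file whose mtime is touched
# by a periodic job (or at shutdown) while the clock is known to be good.

# Lowest plausible epoch: the day the image was built. Constructed value,
# 2015-09-01T00:00:00Z; bake in whatever is right for your image.
CLOCK_FLOOR_EPOCH=1441065600
SAVED_CLOCK_FILE=/var/lib/clock-floor

# clock_is_plausible EPOCH: succeed if EPOCH is at or after the floor.
clock_is_plausible() {
    [ "$1" -ge "$CLOCK_FLOOR_EPOCH" ]
}

# pick_boot_epoch NOW SAVED: print the epoch the clock should be set to.
# A plausible NOW is kept unchanged; otherwise the newer of SAVED and the
# floor is used, so the clock only ever moves forward from its default.
pick_boot_epoch() {
    if clock_is_plausible "$1"; then
        echo "$1"
    elif [ "$2" -gt "$CLOCK_FLOOR_EPOCH" ]; then
        echo "$2"
    else
        echo "$CLOCK_FLOOR_EPOCH"
    fi
}

# apply_boot_clock: read the real clock and the saved file, set the clock if
# needed. Only runs when the script is invoked with --apply (needs root).
apply_boot_clock() {
    now=$(date -u +%s)
    saved=0
    if [ -e "$SAVED_CLOCK_FILE" ]; then
        saved=$(stat -c %Y "$SAVED_CLOCK_FILE")   # GNU/BusyBox stat: mtime as epoch
    fi
    target=$(pick_boot_epoch "$now" "$saved")
    if [ "$target" != "$now" ]; then
        echo "clock $now is implausible, jumping forward to $target" >&2
        date -u -s "@$target" >/dev/null          # GNU date: set the clock from an epoch value
    fi
}

[ "${1:-}" = "--apply" ] && apply_boot_clock
```

The floor guarantees the clock can never go backwards from a value a human would consider sane, and the saved-mtime file gets it closer to real time than the floor alone; ntp then only has to make a small correction once named is up. The same idea is what the fake-hwclock packages do on Raspberry Pi class boards.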
On Tue, Sep 1, 2015 at 9:09 AM, Robert Moskowitz <r...@htt-consult.com> wrote:
I have one nameserver running bind 9.8.2 and a new one running 9.9.4.
Both can resolve www.ietf.org.
Only the 9.8.2 can resolve 0.centos.pool.ntp.org.
I literally rsynced all of the conf and zone files from the old to the
new, then changed all of the server name references. I have done this
before. I have another box running the 9.8.2 code that I built the same way
and it resolves both FQDNs just fine.
I am at a loss as to what the problem is. Both have the same named.conf:
//
//
include "/etc/named/named.acl";

options
{
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    allow-query { localhost; };
    allow-query-cache { localhost; };
    recursion no;

    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // dnssec-enable yes;
    // dnssec-validation yes;
    // dnssec-lookaside auto;
    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    // bindkeys-file "/etc/named.iscdlv.key";
    // managed-keys-directory "/var/named/dynamic";
};

logging
{
    /* If you want to enable debugging, eg. using the 'rndc trace' command,
     * named will try to write the 'named.run' file in the $directory (/var/named).
     * By default, SELinux policy does not allow named to modify the /var/named directory,
     * so put the default debug log file in data/ :
     */
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

view "internal"
{
    include "/etc/named/named.internal";
};

view "external"
{
    include "/etc/named/named.external";
};

include "/etc/named/rndc.key";
==============
and named.internal has:
/* This view will contain zones you want to serve only to "internal" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
match-clients { httnets; };
match-destinations { httnets; };
allow-query { httnets; };
allow-query-cache { httnets; };
allow-recursion { httnets; };
recursion yes;
empty-zones-enable yes;

// include "/etc/named/named.trusted.key";
include "/etc/named.rfc1912.zones";

zone "." IN {
    type hint;
    file "named.root";
};

// These are your "authoritative" internal zones:
zone "htt-consult.com" {
    type master;
    file "httin-consult.com.zone";
};
etc.
==============
Is DNSSEC being disabled possibly the problem? Like, is it required now?
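The thread does not settle whether validation is involved at all (the options block above switches it off), but the DNSSEC time dependence the question hints at is easy to show. Every RRSIG carries an inception and an expiration timestamp, and a validator accepts the signature only while its own clock lies inside that window, so a resolver whose clock says 1970 treats every signature it sees as not yet valid. The following is an added example, not code from the thread; the RRSIG line is a constructed sample in the layout `dig +dnssec` prints.

```sh
#!/bin/sh
# Added example (not from the thread): why a clock stuck at 1970 breaks DNSSEC
# validation. Each RRSIG carries an inception and an expiration timestamp
# (presentation format YYYYMMDDHHmmSS, UTC); a validator accepts the signature
# only while its own clock falls inside that window. The record below is a
# constructed sample in the layout printed by 'dig +dnssec'; the signature
# blob is a placeholder, not a real signature.
SAMPLE_RRSIG='www.example.com. 3600 IN RRSIG A 8 3 3600 20150915000000 20150816000000 12345 example.com. AbCdEf=='

# rrsig_window_ok RRSIG_LINE NOW: succeed if NOW (YYYYMMDDHHmmSS) lies within
# the signature's inception..expiration window; fail and explain otherwise.
# In a presentation-format RRSIG line the expiration is field 9 and the
# inception field 10, so a 14-digit numeric comparison is all that is needed.
rrsig_window_ok() {
    now="$2"
    set -- $1
    expiration="$9"
    inception="${10}"
    if [ "$now" -lt "$inception" ]; then
        echo "not yet valid: clock $now is before inception $inception" >&2
        return 1
    elif [ "$now" -gt "$expiration" ]; then
        echo "expired: clock $now is after expiration $expiration" >&2
        return 1
    fi
    return 0
}

# clock_now: the system clock in RRSIG presentation format, for live checks.
clock_now() {
    date -u +%Y%m%d%H%M%S
}

# Demonstration: the same signature judged from a 1970 clock and from a clock
# set to the day this thread was written.
rrsig_window_ok "$SAMPLE_RRSIG" 19700101000000 || echo "1970 clock: signature rejected"
rrsig_window_ok "$SAMPLE_RRSIG" 20150901120000 && echo "correct clock: signature accepted"
```

To run it against a live answer, pipe the RRSIG lines of `dig +dnssec +noall +answer <name>` through `rrsig_window_ok "$line" "$(clock_now)"`. A real validator does the comparison on the 32-bit wire-format values with serial-number arithmetic rather than on the 14-digit text, but for any plausible date the outcome is the same as the comparison above.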
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users