SERVFAIL on stub zone (WAS: dig @server foobar +trace +recurse)

2015-07-14 Thread Anne Bennett

Tony Finch enlightens me thus:

> The difference between stub and static-stub is that stub works like the
> root zone hints, i.e. the servers in the zone override the ones that you
> configure for a stub zone, whereas the servers you configure for a
> static-stub zone override the servers in the zone.

... so, since I want my parent zone to be able to give me the
set of servers it wants me to use, I configured my resolver
to have (this snippet from "named-checkconf -p" to deal with
include files and such):

  zone "concordia.ca" {
          type stub;
          file "StubData/concordia.ca.SEC";
          masters {
                  132.205.1.1 ;
                  132.205.7.51 ;
          };
          multi-master yes;
  };

"named-checkconf" gave no errors.  I issued a "reconfig", again
no errors logged or reported.  I can confirm that the zone was
transferred correctly (showing me the internal view), because
I have "masterfile-format text" as a general option (small
enough number of zones that performance is not an issue, but
human ability to debug *is*), and "StubData/concordia.ca.SEC"
contains a perfectly normal-looking zone "stub":

--
$ORIGIN .
$TTL 86400      ; 1 day
concordia.ca            IN SOA  ns1.concordia.ca. hostmaster.concordia.ca. (
                                2028969738 ; serial
                                43200      ; refresh (12 hours)
                                1800       ; retry (30 minutes)
                                2592000    ; expire (4 weeks 2 days)
                                1800       ; minimum (30 minutes)
                                )
                        NS      ns1.concordia.ca.
                        NS      ns2.concordia.ca.
--

It all looks just peachy, but when I issued:
  dig @localhost -t ns concordia.ca.
it gave me a SERVFAIL.  I couldn't find anything abnormal
in the syslogs.  I can't for the life of me figure out why
it's unhappy.  How can I debug this?  Is it normal that a
zone could be badly enough out of whack to SERVFAIL, yet
the named would syslog nothing?

(I'm syslogging default "syslog_all", minus edns-disabled,
lame-servers, rpz, and unmatched.)


Anne.
-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
a...@encs.concordia.ca    +1 514 848-2424 x2285
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


dnssec-enable made named stop working

2015-07-14 Thread Leandro

Suddenly the server stopped working; the following messages appeared in the logs:

alidating @0x7f2c60591400: . NS: got insecure response; parent indicates 
it should be secure

error (insecurity proof failed) resolving './NS/IN': 199.7.83.42#53
validating @0x7f2c60528430: net SOA: verify failed due to bad signature 
(keyid=48497): RRSIG validity period has not begun

validating @0x7f2c60528430: net SOA: no valid signature found
After adding
dnssec-enable = no ;
and restarting the server, it began working again.


a) Why did it happen if the server was already working?
In my original named.conf I had default settings like this:
the include statement:
include "/etc/named.root.key";
and the file named.root.key containing:

managed-keys {
        # DNSKEY for the root zone.
        # Updates are published on root-dnssec-annou...@icann.org
        . initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";

};

b) Is it bad practice to disable the dnssec option?
c) What is good practice regarding DNSSEC use?
d) Does named using DNSSEC have problems very often?
e) Will using DNSSEC decrease server performance?


Sorry for the battery of questions, but I'm very concerned about it; my server
was ready to go into production but now I have to figure out this issue.

I am reading some docs and researching this.
Any comments or thoughts would be welcome.
Leandro.









make test fails without Net::DNS::Nameserver

2015-07-14 Thread Maria Iano
I don't see this mentioned anywhere else, although I'm surprised by that
so maybe I'm missing something. When I build bind-9.10.2-P2 I find
that "make test" fails for reclimit with "Couldn't start server ans2" if
I don't have Net::DNS::Nameserver installed. After I install it the
testing is successful.

Maria



Re: dnssec-enable made named stop working

2015-07-14 Thread Mark Andrews

In message <55a57b9c.6050...@gmail.com>, Leandro writes:
> Suddenly   server stop working ; on logs following messages appeared :
> 
> alidating @0x7f2c60591400: . NS: got insecure response; parent indicates 
> it should be secure
> error (insecurity proof failed) resolving './NS/IN': 199.7.83.42#53
> validating @0x7f2c60528430: net SOA: verify failed due to bad signature 
> (keyid=48497): RRSIG validity period has not begun
> validating @0x7f2c60528430: net SOA: no valid signature found
> After add
> dnssec-enable = no ;
> and restart the server, it began working again.

It looks like the clock is wrong based on "RRSIG validity period has
not begun".  Run "date -u" and check everything.

> a)Why did it happen if server was already working ?
> In my original named.conf I had default settings like this:
> the include statement:
> include "/etc/named.root.key";
> and the file named.root.key containing:
> 
> managed-keys {
>  # DNSKEY for the root zone.
>  # Updates are published on root-dnssec-annou...@icann.org
>  . initial-key 257 3 8 
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
> };
> 
> b) Is it bad practice  to disable dnssec option ?
> c) Which is a good practice about dnssec use ?
> e) Named using dnssec have problems very often ?
> c) Using dnssec will decrease server performance ?
> 
> 
> Sorry for the questions battery butIm very concerned about it, my server 
> was ready to go on production but now I have to figure out this issue.
> I am reading some docs and researching about this.
> Any comments or thought  would be wellcome
> Leandro.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
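Mark's diagnosis (the validator's own clock, not the .net signer) can be checked mechanically against the RRSIG itself. The following is an added example in Python, not from the thread or from BIND: it reads the expiration and inception fields of an RRSIG in presentation format and classifies them against a given clock; the RRSIG record and its signature bytes are constructed, with only the key tag taken from the log line above.

```python
from datetime import datetime, timedelta, timezone

# Constructed RRSIG in presentation format (RFC 4034 s3.2), modelled on the
# "net SOA ... keyid=48497" message in the thread; the signature field is a
# placeholder, only the expiration/inception timestamps matter here.
SAMPLE_RRSIG = ("net. 900 IN RRSIG SOA 8 1 900 20150722000000 20150712000000 "
                "48497 net. c2lnbmF0dXJlLXBsYWNlaG9sZGVy")

def _rrsig_time(field):
    """RRSIG times are YYYYMMDDHHmmSS or seconds since the epoch, always UTC."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def rrsig_window(rr_text):
    """Return (inception, expiration) of an RRSIG given in presentation format."""
    f = rr_text.split()
    i = f.index("RRSIG")   # then: type alg labels ottl expiration inception keytag ...
    return _rrsig_time(f[i + 6]), _rrsig_time(f[i + 5])

def check_rrsig(rr_text, now):
    """Classify the signature against the validator's clock (RFC 4034 s3.1.5).
    Returns (status, delta): how far 'now' is outside, or inside, the window."""
    inception, expiration = rrsig_window(rr_text)
    if now < inception:
        return "not yet valid", inception - now   # BIND: validity period has not begun
    if now > expiration:
        return "expired", now - expiration
    return "valid", expiration - now

def clock_suspect(rr_text, now, slack=timedelta(hours=1)):
    """True when the signature is in the future by more than signers' usual backdating.
    A healthy signer sets inception in the past, so 'not yet valid' by more than 'slack'
    points at this host's clock, not at the signer."""
    status, delta = check_rrsig(rr_text, now)
    return status == "not yet valid" and delta > slack

def diagnose(rr_text, now=None):
    """One-line verdict; uses the real clock unless 'now' is supplied (for testing)."""
    now = now or datetime.now(timezone.utc)
    status, delta = check_rrsig(rr_text, now)
    if clock_suspect(rr_text, now):
        return f"{status}: inception is {delta} ahead of this host; check 'date -u' and NTP"
    return f"{status}: {delta} {'left in window' if status == 'valid' else 'outside window'}"
```

Run `diagnose()` over an RRSIG captured with `dig +dnssec` on the affected host; a verdict that blames the clock by months, as in Leandro's case, is a clock problem and not a reason to turn validation off.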


Re: make test fails without Net::DNS::Nameserver

2015-07-14 Thread Jeremy C. Reed
On Tue, 14 Jul 2015, Maria Iano wrote:

> I don't see this mentioned anywhere else, although I'm suprised by that
> so maybe I'm missing something. When I build bind-9.10.2-P2 I find
> that "make test" fails for reclimit with "Couldn't start server ans2" if
> I don't have Net::DNS::Nameserver installed. After I install it the
> testing is successful.

We recently added a bin/tests/system/reclimit/prereq.sh script to check 
for it.

CHANGES entry:

4113.   [test]          Check for Net::DNS in some system test
                        prerequisites. [RT #39369]


Re: SERVFAIL on stub zone (WAS: dig @server foobar +trace +recurse)

2015-07-14 Thread Anne Bennett

>   zone "concordia.ca" {
>           type stub;
>           file "StubData/concordia.ca.SEC";
>           masters {
>                   132.205.1.1 ;
>                   132.205.7.51 ;
>           };
>           multi-master yes;
>   };

[results in transferring:]

> --
> $ORIGIN .
> $TTL 86400      ; 1 day
> concordia.ca            IN SOA  ns1.concordia.ca. hostmaster.concordia.ca. (
>                                 2028969738 ; serial
>                                 43200      ; refresh (12 hours)
>                                 1800       ; retry (30 minutes)
>                                 2592000    ; expire (4 weeks 2 days)
>                                 1800       ; minimum (30 minutes)
>                                 )
>                         NS      ns1.concordia.ca.
>                         NS      ns2.concordia.ca.
> --

[but querying it for NS gives SERVFAIL]

Midnight insight: glue records???  The two listed NS are below the
zone cut.  How can a stub zone work in those circumstances, if at all?


Anne.
-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
a...@encs.concordia.ca    +1 514 848-2424 x2285
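Anne's midnight insight can be checked directly against the stub data file. The script below is an added example in Python, not from the thread or from BIND: it parses the SOA/NS/A part of a master-format zone file (the format of the StubData file shown above) and lists NS names at or below the zone cut for which the file carries no A/AAAA glue. The sample zone is constructed after the one Anne posted.

```python
# Constructed sample, modelled on the StubData/concordia.ca.SEC file in the thread.
STUB_ZONE = """\
$ORIGIN .
concordia.ca  IN SOA  ns1.concordia.ca. hostmaster.concordia.ca. (
        2028969738 43200 1800   ; serial refresh retry
        2592000 1800 )          ; expire minimum
              NS  ns1.concordia.ca.
              NS  ns2.concordia.ca.
"""

def absolute(name, origin):
    """Qualify a name against $ORIGIN the way a master-file loader does."""
    if name == "@" or name.endswith("."):
        return origin if name == "@" else name
    return name + "." if origin == "." else name + "." + origin

def parse_stub_zone(text):
    """Return (zone, [NS targets], {owner: {addresses}}) from master-file text."""
    origin, owner, zone, ns, glue = ".", None, None, [], {}
    logical, depth, indented = "", 0, False
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]                        # drop the comment
        if not logical:                                    # first line of a record
            indented = code[:1].isspace()                  # blank owner = previous one
        logical += " " + code.replace("(", " ").replace(")", " ")
        depth += code.count("(") - code.count(")")
        if depth > 0:
            continue                                       # still inside SOA ( ... )
        fields, logical = logical.split(), ""
        if not fields or fields[0].startswith("$"):        # blank line or directive
            origin = fields[1] if fields and fields[0] == "$ORIGIN" else origin
            continue
        if not indented:                                   # explicit owner name
            owner, fields = absolute(fields[0], origin), fields[1:]
        while len(fields) > 1 and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                                  # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA":
            zone = owner
        elif rtype == "NS":
            ns.append(absolute(rdata[0], origin))
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata[0])
    return zone, ns, glue

def ns_needing_glue(text):
    """NS names at or below the zone cut for which the file carries no A/AAAA."""
    zone, ns, glue = parse_stub_zone(text)
    below_cut = lambda n: n == zone or n.endswith("." + zone)
    return sorted(n for n in ns if below_cut(n) and n not in glue)
```

On Anne's file this reports both ns1 and ns2, which is exactly the condition she suspects: the only servers named for the zone live inside it and the stub data gives no address for them.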