Understanding TTL in "rndc dumpdb"-output
Hi

After querying my resolver for "testbla11.example.com", I receive a NXDOMAIN response with a minimum TTL (in the SOA) of 3600. When I afterwards dump the cache of my resolver (9.12.2-P1) with "rndc dumpdb" and look for the negative TTL, then a value much bigger than 3600 is shown (608363):

# grep testbla /var/named/data/named_dump.db
testbla11.example.com. 608363 \-ANY ;-$NXDOMAIN

This number decrements every second. What is this number?

The same behavior for positive answers too. The A record for "www.google.com" has a TTL of 300 seconds. In the "rndc dumpdb" output I have a value of 605082.

Any hints?

Thank you.

Kind regards,
Tom
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
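As an added worked check (not part of the post or of BIND), the two numbers in the post fit "remaining TTL plus a fixed 604800 s (7 day) retention window": 608363 - 604800 = 3563 (under the 3600 SOA minimum) and 605082 - 604800 = 282 (under the 300 A-record TTL). The assumption that the window is BIND 9.12's default max-stale-ttl of one week is mine; the parser below splits the dumpdb lines as shown in the post and applies that hypothesis.

```python
import re

# Assumption (not stated in the post): BIND 9.12 keeps expired entries
# for max-stale-ttl, default 604800 s, and dumpdb shows remaining TTL
# plus that window.  Adjust if the resolver uses a different setting.
DEFAULT_STALE_WINDOW = 604800

# Generic dumpdb line: owner name, count-down value, then the rest.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<rest>.*)$")

# Constructed sample: the NXDOMAIN line from the post plus an invented
# positive entry (203.0.113.10 is TEST-NET, not a real google address).
SAMPLE_DUMP = """\
testbla11.example.com. 608363 \\-ANY ;-$NXDOMAIN
www.google.com. 605082 IN A 203.0.113.10
"""


def parse_dump_line(line):
    """Split one cache-dump line into name, dumped value and marker info.

    Negative-cache entries are written as '\\-<type>' followed by a
    ';' comment such as '-$NXDOMAIN'; positive ones carry a normal RR.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    comment = rest.split(";", 1)[1].strip() if ";" in rest else ""
    return {
        "name": m.group("name"),
        "dumped_ttl": int(m.group("ttl")),
        "negative": rest.startswith("\\-"),
        "comment": comment,
    }


def effective_ttl(dumped_ttl, stale_window=DEFAULT_STALE_WINDOW):
    """Remaining live TTL under the stale-window hypothesis (0 if stale)."""
    return max(0, dumped_ttl - stale_window)


def consistent_with_origin(dumped_ttl, origin_ttl, stale_window=DEFAULT_STALE_WINDOW):
    """True if the dumped value equals origin TTL plus window, minus elapsed time."""
    remaining = dumped_ttl - stale_window
    return 0 <= remaining <= origin_ttl


def analyse_dump(text, stale_window=DEFAULT_STALE_WINDOW):
    """Parse every dump line and attach the hypothesised live TTL."""
    out = []
    for line in text.splitlines():
        rec = parse_dump_line(line)
        if rec:
            rec["live_ttl"] = effective_ttl(rec["dumped_ttl"], stale_window)
            out.append(rec)
    return out
```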
BIND chasing DNSKEY breaks island-of-trust zone
Hello all,

A DNSSEC validating BIND resolver could not resolve cdn.ckeditor.com. Meanwhile the zone owner "fixed" the problem and the domain name can be resolved again. However, I wonder if BIND should do better for an island-of-trust zone.

BIND resolver:

(1) ask upstream com. servers for cdn.ckeditor.com. A
    receive delegation NS set and NSEC3 proof that this is an insecure delegation

(2) ask 216.87.155.33 (dns1.registrar-servers.com) for cdn.ckeditor.com. A
    receive CNAME to d3vxtqk803u6i6.cloudfront.net. and RRSIG

;; ANSWER SECTION:
cdn.ckeditor.com. 3600 IN CNAME d3vxtqk803u6i6.cloudfront.net.
cdn.ckeditor.com. 3600 IN RRSIG CNAME 13 3 3600 2018102500 2018100400 65395 ckeditor.com. vobyFapYElhr25pc0gCuCvB6vf4bEMvmQA5IaWeZQ25dfp5qv0LqyLAf Man+ukIrEKw7qtDWrJF1JXM9vXFeow==

(3) ask 216.87.155.33 (dns1.registrar-servers.com) for ckeditor.com. DNSKEY
    receive CNAME to d3vxtqk803u6i6.cloudfront.net. and RRSIG. Invalid answer.

BIND returns SERVFAIL to client and logs:

lame-servers: info: broken trust chain resolving 'cdn.ckeditor.com/A/IN': 216.87.155.33#53

The main problem is that ckeditor.com. has a CNAME at zone apex. However, what triggered this error is in fact that cdn.ckeditor.com. contained an RRSIG which BIND tried to validate. Meanwhile the zone owner disabled DNSSEC, which prevents BIND from chasing the DNSKEY, and the domain name resolves again. However, I'm wondering if BIND should not SERVFAIL for an island-of-trust zone when it cannot chase the DNSKEY. Is this something to improve upon?

Daniel
Re: BIND9 and AS112
Hi,

reviving an old thread with some new information:

> On Fri, Mar 09, 2018 at 12:32:41PM +0300,
> Diarmuid O Briain wrote
> a message of 122 lines which said:
>
>> Mar 09 08:11:43 as112 named[3787]: internal_send: 2620:4f:8000::42#53: Invalid argument
>> Mar 09 08:11:43 as112 named[3787]: internal_send: 192.175.48.42#53: Invalid argument
>
> I suspect that your machine is not configured for these IP
> addresses. See with ifconfig or ip addr show.

Diarmuid didn't say what platform he's running BIND on. This may make a difference wrt. a bug I recently stumbled over:

https://gitlab.isc.org/isc-projects/bind9/issues/589

This will typically hit the BSD lineage of OSes (NetBSD in my case), which will refuse to apply an IPv6 control header on a socket used for IPv4. The particular symptom is that attempts to send a message over 1432 bytes in size over IPv4/UDP will cause the above error message and the message to be dropped. What's up with the IPv6 error message I do not know.

Best regards,

- Håvard