Re: DNS on F13



On 11/10/10 11:24, Rick Sewill wrote:

On 11/10/2010 10:28 AM, Paolo Galtieri wrote:
On 11/10/10 00:13, François Patte wrote:
On 10/11/2010 00:14, Paolo Galtieri wrote:
I had configured a local DNS server under F12 and everything was working
fine. I upgraded the system to F13 and set up DNS again. Now I see the
following errors.

Nov 9 15:46:28 darkstar named[17913]: validating @0xb4e48968: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 9 15:46:28 darkstar named[17913]: error (insecurity proof failed) resolving 'dlv.isc.org/DLV/IN': 168.158.8.15#53
Nov 9 15:48:02 darkstar named[17913]: validating @0xb49766e8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 9 15:48:02 darkstar named[17913]: validating @0xb4977160: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 9 15:48:02 darkstar named[17913]: validating @0xb4977bd8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
Nov 9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
Nov 9 15:48:02 darkstar named[17913]: validating @0xb4724d60: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'www.howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
Nov 9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'www.howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53

I have 2 servers configured in the forwarders section of named.conf

forwarders { 68.2.16.30; 168.158.8.15; };

It only complains about the second one.

I found Bug 577639 which seems related, but it's marked closed notabug.

So if it's not a bug why am I seeing these errors and how do I go about
resolving them?

Is this a configuration issue on my side, or is this an issue with my ISP?

The file "/etc/named.iscdlv.key" contains the correct key.

Any assistance is appreciated.

Did you check whether it is related to SELinux?


I don't believe it has anything to do with SELinux, since the errors only
show up for one of the 2 DNS servers I have listed in the forwarders
entry. Also, I don't get any SELinux alert messages.

Paolo

May we see your /etc/named.conf file please?

I am wondering if you have an old /etc/named.conf file.
Please look for /etc/named.conf.rpmnew, and if it's there,
please compare the two files, save your current /etc/named.conf,
and mv /etc/named.conf.rpmnew /etc/named.conf

When I do,
[root@rsewill ~]# service named start
Starting named: [ OK ]
followed by
[root@rsewill ~]# host -a energy.gov localhost
<Too much stuff got printed to reproduce here without reason>
<Output looks reasonable>

I do not have bind-chroot installed. Are you using bind-chroot?

For this test, I am using
[root@rsewill ~]# rpm -q bind
bind-9.7.1-2.P2.fc13.x86_64
What version of bind are you using please?


I am using bind-chroot. I was using it under F12 also. I have attached both the named.conf and the named.rfc1912.zones files.
What initially triggered the post was that suddenly all name resolution stopped. If I bypassed my DNS server everything worked fine. I restarted named and everything started to work again. When I looked at /var/log/messages to see if there were any messages explaining why my DNS server had failed I saw all these error messages.

Paolo

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { 10.0.0.70;192.168.10.70; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 10.0.0.0/24;192.168.10.0/24;192.168.11.0/24; };
recursion yes;
# forwarders { 168.158.8.15; 68.2.16.30; };
forwarders { 68.2.16.30; 168.158.8.15; };

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "homenet10.com" {
type master;
file "named.homenet10";
allow-update { none; };
};

zone "homenet192.com" {
type master;
file "named.homenet192";
allow-update { none; };
};

zone "10.168.192.in-addr.arpa" IN {
type master;
file "named.rev-homenet192";
allow-update { none; };
};

zone "0.0.10.in-addr.arpa" IN {
type master;
file "named.rev-homenet10";
allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
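The thread's diagnostic step, "it only complains about the second forwarder", can be checked mechanically. The script below is an added example, not code from any list poster: it pulls the active `forwarders` list out of a named.conf fragment (skipping the `#`-commented one), parses named's DNSSEC validation errors out of syslog-style lines, and counts failures per forwarder. The log lines and config fragment are constructed to mirror the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the named log lines quoted in the thread.
SAMPLE_LOG = """\
Nov 9 15:46:28 darkstar named[17913]: validating @0xb4e48968: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 9 15:46:28 darkstar named[17913]: error (insecurity proof failed) resolving 'dlv.isc.org/DLV/IN': 168.158.8.15#53
Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
Nov 9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'www.howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
"""

# Constructed named.conf fragment: one commented-out and one active forwarders line.
NAMED_CONF = """\
options {
    recursion yes;
    # forwarders { 168.158.8.15; 68.2.16.30; };
    forwarders { 68.2.16.30; 168.158.8.15; };
    dnssec-validation yes;
};
"""

# Matches named's "error (<reason>) resolving '<name>/<type>/IN': <server>#<port>" lines.
ERROR_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[\d.]+)#\d+"
)
# Only an uncommented forwarders statement at the start of a line counts.
FORWARDERS_RE = re.compile(r"^\s*forwarders\s*\{([^}]*)\}", re.M)

def parse_forwarders(conf):
    """Return the IPs listed in the active forwarders statement, in order."""
    m = FORWARDERS_RE.search(conf)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(";") if s.strip()]

def validation_failures(log):
    """Map each upstream server IP to a Counter of validation-error reasons."""
    per_server = {}
    for line in log.splitlines():
        m = ERROR_RE.search(line)
        if m:
            per_server.setdefault(m["server"], Counter())[m["reason"]] += 1
    return per_server

def report(conf, log):
    """Total validation errors attributed to each configured forwarder."""
    failures = validation_failures(log)
    return {fwd: sum(failures.get(fwd, Counter()).values())
            for fwd in parse_forwarders(conf)}
```

A forwarder whose count stays at zero while the other accumulates "no valid RRSIG" and "insecurity proof failed" errors is the one not passing DNSSEC records through, which is the situation the thread describes.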

--
users mailing list