
RE: bind9 and dns forward



Hi,

Lots of info and log quotes. I hope you can find the "normal" text.

>> We use a different dns server(s) and zonefile for the external dns environment from what we use internally. Company dns is Windows server 2016 in case that is relevant.
> 
> It's better to use dig (package bind9-dnsutils) to first eliminate problems on other DNS. Give us:
> 
> dig @13.107.206.240 trafficmanager.net SOA
> dig @13.107.206.240 outlook.ha.office365.com IN
> dig @172.16.128.40 vijl.staf.tio.nl AAAA
> dig @172.16.128.10 vijl.staf.tio.nl AAAA

Yes, I also have dig.
About your 4 dig statements. Like I wrote, the problem with office365 is not MY problem, that is a Microsoft problem.
And even though I have a working ipv6 environment at home, I do not have a working ipv6 VPN tunnel to work, nor do we use ipv6 there internally. So here are the ipv4 results. As you can see there is a working dns server at those 2 ip numbers.

------<Quote>------------------------
linbobo:/etc/bind# dig @172.16.128.40 vijl.staf.tio.nl A

; <<>> DiG 9.16.37-Debian <<>> @172.16.128.40 vijl.staf.tio.nl A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61639
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;vijl.staf.tio.nl.              IN      A

;; ANSWER SECTION:
vijl.staf.tio.nl.       1200    IN      A       172.16.72.97

;; Query time: 8 msec
;; SERVER: 172.16.128.40#53(172.16.128.40)
;; WHEN: Tue May 02 11:20:52 CEST 2023
;; MSG SIZE  rcvd: 61

linbobo:/etc/bind# dig @172.16.208.10 vijl.staf.tio.nl A

; <<>> DiG 9.16.37-Debian <<>> @172.16.208.10 vijl.staf.tio.nl A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12968
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;vijl.staf.tio.nl.              IN      A

;; ANSWER SECTION:
vijl.staf.tio.nl.       1200    IN      A       172.16.72.97

;; Query time: 16 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Tue May 02 11:21:04 CEST 2023
;; MSG SIZE  rcvd: 61
------<Quote>------------------------

But if I query my own bind server...

------<Quote>------------------------
linbobo:~# dig vijl.staf.tio.nl

; <<>> DiG 9.16.37-Debian <<>> vijl.staf.tio.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 63ecb9edc2f5036e010000006450d2a73c1c133db0bfc629 (good)
;; QUESTION SECTION:
;vijl.staf.tio.nl.              IN      A

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 02 11:06:47 CEST 2023
;; MSG SIZE  rcvd: 73

And from /var/log/syslog
May  2 11:06:32 linbobo named[574]: DNS format error from 172.16.128.40#53 resolving vijl.staf.tio.nl/AAAA for 127.0.0.1#56241: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
May  2 11:06:32 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.128.40#53
May  2 11:06:32 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May  2 11:06:32 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
May  2 11:06:32 linbobo named[574]: DNS format error from 172.16.208.10#53 resolving vijl.staf.tio.nl/AAAA for 127.0.0.1#56241: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
May  2 11:06:32 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.208.10#53
May  2 11:06:32 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May  2 11:06:32 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.208.10#53
May  2 11:06:32 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
May  2 11:06:35 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May  2 11:06:35 linbobo named[574]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.128.40#53
May  2 11:06:35 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May  2 11:06:35 linbobo named[574]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.208.10#53
May  2 11:06:35 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl.student.tio.nl/A/IN': 172.16.128.40#53
May  2 11:06:35 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl.student.tio.nl/AAAA/IN': 172.16.128.40#53
May  2 11:06:47 linbobo named[574]: validating vijl.staf.tio.nl/A: bad cache hit (staf.tio.nl/DS)
May  2 11:06:47 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
------<Quote>------------------------

Bind does not give me more info. 
I query my own dns server/resolver. It forwards any request for a host in staf.tio.nl to one of two servers of which 172.16.208.10 is one and 172.16.128.40 is the other.



>> Apr 28 12:07:53 linbobo named[546]: DNS format error from 
>> 172.16.128.40#53 resolving staf.tio.nl/AAAA for client 
>> 172.16.17.11#65033: Name tio.nl (SOA) not subdomain of zone 
>> staf.tio.nl -- invalid response
>
> I suppose you reboot after your upgrade ?
Yes I do; however, by now the machine has been up and running for over 3 days.


> Do you have defined somewhere on linbobo a zone staf.tio.nl ?
> I guess not but do a grep just to be sure.

Yes, like I wrote in my original mail.  
> And similar lines for each possible subdomain like staf.tio.nl

linbobo:/etc/bind# cat named.conf.local
-----<Quote>----------------------
[....]
zone "tio.nl" IN {
        type forward;
        forward only;
        forwarders {172.16.128.40; 172.16.208.10;};
};

zone "staf.tio.nl" IN {
        type forward;
        forward only;
        forwarders {172.16.128.40; 172.16.208.10;};
};

zone "student.tio.nl" IN {
        type forward;
        forward only;
        forwarders {172.16.128.40; 172.16.208.10;};
}; 
[....]
-----<End Quote>----------------------

The problem is not that the company dns servers are not working; it is that it somehow thinks the answers are not valid, not even for the top level domain.

-----<Quote>----------------------
linbobo:/etc/bind# dig @172.16.208.10 tio.nl SOA

; <<>> DiG 9.16.37-Debian <<>> @172.16.208.10 tio.nl SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;tio.nl.                                IN      SOA

;; ANSWER SECTION:
tio.nl.                 3600    IN      SOA     eintiodc-04.tio.nl. hostmaster. 700724 900 600 86400 3600

;; ADDITIONAL SECTION:
eintiodc-04.tio.nl.     3600    IN      A       172.16.208.10

;; Query time: 16 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Tue May 02 11:28:55 CEST 2023
;; MSG SIZE  rcvd: 109


linbobo:/etc/bind# dig einsccmdp-01.tio.nl

; <<>> DiG 9.16.37-Debian <<>> einsccmdp-01.tio.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9441
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7987510150822e69010000006450d6cb9b864512d5302462 (good)
;; QUESTION SECTION:
;einsccmdp-01.tio.nl.           IN      A

;; Query time: 32 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 02 11:24:27 CEST 2023
;; MSG SIZE  rcvd: 76

linbobo:/etc/bind# dig einsccmdp-01.tio.nl @172.16.208.10

; <<>> DiG 9.16.37-Debian <<>> einsccmdp-01.tio.nl @172.16.208.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4796
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;einsccmdp-01.tio.nl.           IN      A

;; ANSWER SECTION:
einsccmdp-01.tio.nl.    1200    IN      A       172.16.212.18

;; Query time: 20 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Tue May 02 11:24:46 CEST 2023
;; MSG SIZE  rcvd: 64

-----<Quote>----------------------

May  2 11:24:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May  2 11:24:27 linbobo named[574]: no valid RRSIG resolving 'einsccmdp-01.tio.nl/DS/IN': 172.16.128.40#53
May  2 11:24:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May  2 11:24:27 linbobo named[574]: no valid RRSIG resolving 'einsccmdp-01.tio.nl/DS/IN': 172.16.208.10#53
May  2 11:24:27 linbobo named[574]: broken trust chain resolving 'einsccmdp-01.tio.nl/A/IN': 172.16.128.40#53
-----<Quote>----------------------

Bonno Bloksma
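The named log lines quoted in this mail describe two separate failures: a forwarder answering a query under staf.tio.nl with the SOA of tio.nl (which named rejects as FORMERR because named.conf declares staf.tio.nl as its own forward zone), and DNSSEC validation of tio.nl failing because the parent publishes a DS record while the forwarders return an unsigned copy of the zone. The script below is an added example, not part of the mail and not BIND's own tooling; it parses exactly these kinds of named log lines and explains, per zone and forwarder, why the resolver answers SERVFAIL although the forwarders reply fine when asked directly with dig. The sample log is constructed from the syslog excerpts above, and the forward zone set is taken from the quoted named.conf.local.

```python
"""Classify BIND 9 resolver log lines from a forward-only setup.

Added example (not from the mail or from BIND): groups the kinds of named log
lines quoted above by zone and forwarder and explains the resulting SERVFAIL.
"""
import re

# Constructed sample: a subset of the named syslog lines quoted in the mail.
SAMPLE_LOG = """\
May  2 11:06:32 linbobo named[574]: DNS format error from 172.16.128.40#53 resolving vijl.staf.tio.nl/AAAA for 127.0.0.1#56241: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
May  2 11:06:32 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.128.40#53
May  2 11:06:32 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May  2 11:06:32 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
May  2 11:06:32 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
May  2 11:24:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May  2 11:24:27 linbobo named[574]: no valid RRSIG resolving 'einsccmdp-01.tio.nl/DS/IN': 172.16.208.10#53
May  2 11:24:27 linbobo named[574]: broken trust chain resolving 'einsccmdp-01.tio.nl/A/IN': 172.16.128.40#53
"""

# The forward zones declared in the named.conf.local quoted in the mail.
FORWARD_ZONES = {"tio.nl", "staf.tio.nl", "student.tio.nl"}

# One regex per log message kind; the syslog prefix is skipped by using search().
PATTERNS = {
    "soa_outside_zone": re.compile(
        r"DNS format error from (?P<server>[\d.]+)#\d+ resolving (?P<name>\S+)/(?P<rtype>\S+) "
        r"for (?:client )?\S+: Name (?P<soa>\S+) \(SOA\) not subdomain of zone (?P<zone>\S+)"),
    "formerr": re.compile(
        r"FORMERR resolving '(?P<name>[^/]+)/(?P<rtype>\w+)/IN': (?P<server>[\d.]+)#\d+"),
    "insecure_under_secure_parent": re.compile(
        r"validating (?P<zone>\S+)/SOA: got insecure response; parent indicates it should be secure"),
    "no_rrsig_ds": re.compile(
        r"no valid RRSIG resolving '(?P<name>[^/]+)/DS/IN': (?P<server>[\d.]+)#\d+"),
    "broken_trust_chain": re.compile(
        r"broken trust chain resolving '(?P<name>[^/]+)/(?P<rtype>\w+)/IN': (?P<server>[\d.]+)#\d+"),
}


def parse_named_log(text):
    """Return one dict per recognised line: {'kind': ..., plus the named groups}."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def summarize(events, forward_zones):
    """Reduce the events to the facts a defender needs, as sorted lists."""
    return {
        # names the resolver gave up on because the DNSSEC chain could not be built
        "servfail_names": sorted({e["name"] for e in events if e["kind"] == "broken_trust_chain"}),
        # forward zones whose parent has a DS but whose forwarded copy is unsigned
        "unsigned_but_ds_at_parent": sorted({
            e["zone"] for e in events
            if e["kind"] == "insecure_under_secure_parent" and e["zone"] in forward_zones}),
        # (declared forward zone, SOA name actually returned, forwarder)
        "soa_outside_forward_zone": sorted({
            (e["zone"], e["soa"], e["server"]) for e in events if e["kind"] == "soa_outside_zone"}),
        "forwarders_seen": sorted({e["server"] for e in events if "server" in e}),
    }


def explain(summary):
    """Turn the summary into plain-language findings (interpretation of the log text)."""
    lines = []
    for zone, soa, server in summary["soa_outside_forward_zone"]:
        lines.append(
            f"{server} answered a query under {zone} with the SOA of {soa}: the forwarder holds "
            f"{zone} as names inside the {soa} zone, while named.conf declares {zone} as a separate "
            f"forward zone, so named rejects the reply as malformed (FORMERR).")
    for zone in summary["unsigned_but_ds_at_parent"]:
        parent = zone.split(".", 1)[1]
        lines.append(
            f"{zone}: the parent '{parent}' publishes a DS record for {zone}, but the forwarders "
            f"return an unsigned copy of the zone; validation fails and names below it get SERVFAIL.")
    if summary["servfail_names"]:
        lines.append("names answered SERVFAIL for that reason: " + ", ".join(summary["servfail_names"]))
    return lines


if __name__ == "__main__":
    for finding in explain(summarize(parse_named_log(SAMPLE_LOG), FORWARD_ZONES)):
        print(finding)
```

Run it against the real `/var/log/syslog` by replacing `SAMPLE_LOG` with the file contents; the direct `dig @forwarder` results in the mail returning NOERROR while the local resolver returns SERVFAIL are exactly the signature the `unsigned_but_ds_at_parent` finding describes. BIND 9.16 documents the `validate-except` option for excluding a named domain from DNSSEC validation while keeping validation on for everything else; whether that trade-off is acceptable for an internal copy of a publicly signed zone is the decision this report is meant to inform.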

