RE: bind9 and dns forward
Hi,
Lots of info and log quotes. I hope you can find the "normal" text.
>> We use a different dns server(s) and zonefile for the external dns environment from what we use internally. Company dns is Windows server 2016 in case that is relevant.
>
> It's better to use dig (package bind9-dnsutils) to first eliminate problems on other DNS. Give us:
>
> dig @13.107.206.240 trafficmanager.net SOA
> dig @13.107.206.240 outlook.ha.office365.com IN
> dig @172.16.128.40 vijl.staf.tio.nl AAAA
> dig @172.16.128.10 vijl.staf.tio.nl AAAA
Yes I also have dig.
About your 4 dig statements: like I wrote, the problem with office365 is not MY problem, that is a Microsoft problem.
And even though I have a working ipv6 environment at home I do not have a working ipv6 VPN tunnel to work, nor do we use ipv6 there internally. So here are the ipv4 results. As you can see there is a working dns server at those 2 ip numbers.
------<Quote>------------------------
linbobo:/etc/bind# dig @172.16.128.40 vijl.staf.tio.nl A
; <<>> DiG 9.16.37-Debian <<>> @172.16.128.40 vijl.staf.tio.nl A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61639
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;vijl.staf.tio.nl. IN A
;; ANSWER SECTION:
vijl.staf.tio.nl. 1200 IN A 172.16.72.97
;; Query time: 8 msec
;; SERVER: 172.16.128.40#53(172.16.128.40)
;; WHEN: Tue May 02 11:20:52 CEST 2023
;; MSG SIZE rcvd: 61
linbobo:/etc/bind# dig @172.16.208.10 vijl.staf.tio.nl A
; <<>> DiG 9.16.37-Debian <<>> @172.16.208.10 vijl.staf.tio.nl A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12968
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;vijl.staf.tio.nl. IN A
;; ANSWER SECTION:
vijl.staf.tio.nl. 1200 IN A 172.16.72.97
;; Query time: 16 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Tue May 02 11:21:04 CEST 2023
;; MSG SIZE rcvd: 61
------<End Quote>------------------------
But if I query my own bind server...
------<Quote>------------------------
linbobo:~# dig vijl.staf.tio.nl
; <<>> DiG 9.16.37-Debian <<>> vijl.staf.tio.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 63ecb9edc2f5036e010000006450d2a73c1c133db0bfc629 (good)
;; QUESTION SECTION:
;vijl.staf.tio.nl. IN A
;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 02 11:06:47 CEST 2023
;; MSG SIZE rcvd: 73
And from /var/log/syslog:
May 2 11:06:32 linbobo named[574]: DNS format error from 172.16.128.40#53 resolving vijl.staf.tio.nl/AAAA for 127.0.0.1#56241: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
May 2 11:06:32 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.128.40#53
May 2 11:06:32 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:32 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
May 2 11:06:32 linbobo named[574]: DNS format error from 172.16.208.10#53 resolving vijl.staf.tio.nl/AAAA for 127.0.0.1#56241: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
May 2 11:06:32 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.208.10#53
May 2 11:06:32 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:32 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.208.10#53
May 2 11:06:32 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
May 2 11:06:35 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:35 linbobo named[574]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.128.40#53
May 2 11:06:35 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:35 linbobo named[574]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.208.10#53
May 2 11:06:35 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl.student.tio.nl/A/IN': 172.16.128.40#53
May 2 11:06:35 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl.student.tio.nl/AAAA/IN': 172.16.128.40#53
May 2 11:06:47 linbobo named[574]: validating vijl.staf.tio.nl/A: bad cache hit (staf.tio.nl/DS)
May 2 11:06:47 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
------<End Quote>------------------------
Bind does not give me more info.
I query my own dns server/resolver. It forwards any request for a host in staf.tio.nl to one of two servers of which 172.16.208.10 is one and 172.16.128.40 is the other.
>> Apr 28 12:07:53 linbobo named[546]: DNS format error from 172.16.128.40#53 resolving staf.tio.nl/AAAA for client 172.16.17.11#65033: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
>
> I suppose you rebooted after your upgrade?
Yes, I do; however, by now the machine has been up and running for over 3 days.
> Do you have defined somewhere on linbobo a zone staf.tio.nl ?
> I guess not but do a grep just to be sure.
Yes, like I wrote in my original mail.
> And similar lines for each possible subdomain like staf.tio.nl
linbobo:/etc/bind# cat named.conf.local
-----<Quote>----------------------
[....]
zone "tio.nl" IN {
type forward;
forward only;
forwarders {172.16.128.40; 172.16.208.10;};
};
zone "staf.tio.nl" IN {
type forward;
forward only;
forwarders {172.16.128.40; 172.16.208.10;};
};
zone "student.tio.nl" IN {
type forward;
forward only;
forwarders {172.16.128.40; 172.16.208.10;};
};
[....]
-----<End Quote>----------------------
The problem is not that the company dns servers are not working; it is that bind somehow thinks the answers are not valid, not even for the top level domain.
-----<Quote>----------------------
linbobo:/etc/bind# dig @172.16.208.10 tio.nl SOA
; <<>> DiG 9.16.37-Debian <<>> @172.16.208.10 tio.nl SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;tio.nl. IN SOA
;; ANSWER SECTION:
tio.nl. 3600 IN SOA eintiodc-04.tio.nl. hostmaster. 700724 900 600 86400 3600
;; ADDITIONAL SECTION:
eintiodc-04.tio.nl. 3600 IN A 172.16.208.10
;; Query time: 16 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Tue May 02 11:28:55 CEST 2023
;; MSG SIZE rcvd: 109
linbobo:/etc/bind# dig einsccmdp-01.tio.nl
; <<>> DiG 9.16.37-Debian <<>> einsccmdp-01.tio.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9441
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7987510150822e69010000006450d6cb9b864512d5302462 (good)
;; QUESTION SECTION:
;einsccmdp-01.tio.nl. IN A
;; Query time: 32 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 02 11:24:27 CEST 2023
;; MSG SIZE rcvd: 76
linbobo:/etc/bind# dig einsccmdp-01.tio.nl @172.16.208.10
; <<>> DiG 9.16.37-Debian <<>> einsccmdp-01.tio.nl @172.16.208.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4796
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;einsccmdp-01.tio.nl. IN A
;; ANSWER SECTION:
einsccmdp-01.tio.nl. 1200 IN A 172.16.212.18
;; Query time: 20 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Tue May 02 11:24:46 CEST 2023
;; MSG SIZE rcvd: 64
-----<Quote>----------------------
May 2 11:24:27 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:24:27 linbobo named[574]: no valid RRSIG resolving 'einsccmdp-01.tio.nl/DS/IN': 172.16.128.40#53
May 2 11:24:27 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:24:27 linbobo named[574]: no valid RRSIG resolving 'einsccmdp-01.tio.nl/DS/IN': 172.16.208.10#53
May 2 11:24:27 linbobo named[574]: broken trust chain resolving 'einsccmdp-01.tio.nl/A/IN': 172.16.128.40#53
-----<End Quote>----------------------
Bonno Bloksma
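The syslog lines in the mail above contain three distinct named messages that are easy to conflate: "got insecure response; parent indicates it should be secure" (BIND found a DS record for the name in the public parent zone, so it expects signed answers, but the forwarder returned unsigned data), "broken trust chain" (the consequence: every name below that apex fails validation and the client gets SERVFAIL), and the separate "DNS format error ... not subdomain of zone" FORMERR (the forwarder's negative answer carried an SOA for tio.nl, which lies outside the forward zone staf.tio.nl that the query matched). The script below is an added example, not code from this thread or from the BIND project; it parses those three shapes from a constructed sample (modelled on the lines quoted in the mail, plus one unrelated query line that must be ignored), groups failures per forwarder, and renders the narrowly scoped `validate-except` options statement that BIND 9.16 provides for exactly this situation, a domain whose public delegation is signed but whose internal copy is not. The function names, the sample text and the summary wording are mine; `validate-except` itself is a real BIND option. Scoping the exception to the apex keeps DNSSEC validation on for everything else, which is the reason to prefer it over switching `dnssec-validation` off globally.

```python
"""Classify BIND 9.16 forwarding and validation failures from syslog lines.

Added example (not from the mail thread). Parses the three message shapes the
mail shows and suggests a validate-except clause limited to the affected apex.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the syslog extract in the mail; the
# last line is an ordinary query log entry that the parser must skip.
SAMPLE_SYSLOG = """\
May 2 11:06:32 linbobo named[574]: DNS format error from 172.16.128.40#53 resolving vijl.staf.tio.nl/AAAA for 127.0.0.1#56241: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
May 2 11:06:32 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:32 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
May 2 11:06:32 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
May 2 11:24:27 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:24:27 linbobo named[574]: broken trust chain resolving 'einsccmdp-01.tio.nl/A/IN': 172.16.208.10#53
May 2 11:30:00 linbobo named[574]: client @0x7f 127.0.0.1#40000 (example.org): query: example.org IN A + (127.0.0.1)
"""

# "parent indicates it should be secure": a DS for <name> exists in the parent.
INSECURE_RE = re.compile(
    r"validating (?P<name>[^/\s]+)/(?P<rtype>\w+): got insecure response; "
    r"parent indicates it should be secure")
# Validation of a name below that apex failed against a specific forwarder.
BROKEN_RE = re.compile(
    r"broken trust chain resolving '(?P<name>[^/']+)/(?P<rtype>\w+)/IN': "
    r"(?P<server>[0-9a-fA-F.:]+)#\d+")
# Negative answer whose SOA owner lies outside the forward zone the query hit.
FORMERR_RE = re.compile(
    r"DNS format error from (?P<server>[0-9a-fA-F.:]+)#\d+ resolving "
    r"(?P<name>[^/\s]+)/(?P<rtype>\w+) .*?Name (?P<soa>\S+) \(SOA\) "
    r"not subdomain of zone (?P<zone>\S+)")


def parse_named_log(text):
    """Return a dict with the apexes BIND expects to be signed, the names with a
    broken trust chain per forwarder, and (server, zone, soa) FORMERR tuples."""
    report = {"insecure_apex": set(), "broken": defaultdict(set), "formerr": []}
    for line in text.splitlines():
        m = INSECURE_RE.search(line)
        if m:
            report["insecure_apex"].add(m["name"].rstrip("."))
            continue
        m = BROKEN_RE.search(line)
        if m:
            report["broken"][m["server"]].add(m["name"].rstrip("."))
            continue
        m = FORMERR_RE.search(line)
        if m:
            report["formerr"].append(
                (m["server"], m["zone"].rstrip("."), m["soa"].rstrip(".")))
    return report


def is_under(name, apex):
    """True if name equals apex or is a proper subdomain of it (label-aware)."""
    name, apex = name.rstrip(".").lower(), apex.rstrip(".").lower()
    return name == apex or name.endswith("." + apex)


def validate_except_clause(apexes):
    """Render the options statement that skips DNSSEC validation only below
    the given apexes; validation stays enabled for every other name."""
    return "validate-except { " + " ".join(f'"{n}";' for n in sorted(apexes)) + " };"


def summarize(text):
    """Human-readable findings, one per line, for the given named log text."""
    r = parse_named_log(text)
    out = []
    for apex in sorted(r["insecure_apex"]):
        out.append(f"{apex}: parent delegation carries a DS, forwarders return unsigned data")
    for server, names in sorted(r["broken"].items()):
        covered = all(any(is_under(n, a) for a in r["insecure_apex"]) for n in names)
        note = " (all under an apex expected to be signed)" if covered else ""
        out.append(f"{server}: broken trust chain for {', '.join(sorted(names))}{note}")
    for server, zone, soa in r["formerr"]:
        out.append(f"{server}: negative answer carried SOA {soa}, outside forward zone {zone}")
    if r["insecure_apex"]:
        out.append("candidate options statement: " + validate_except_clause(r["insecure_apex"]))
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_SYSLOG):
        print(line)
```

Run it against a real `/var/log/syslog` by reading the file into `summarize()`; the `validate-except` line it prints is a candidate only, to be placed inside `options { }` after confirming that the domain really is served unsigned internally on purpose, since the same log shape would also appear if a forwarder were handing out tampered answers.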