On 11/10/10 21:04, Rick Sewill wrote:
> On 10/11/2010 00:14, Paolo Galtieri wrote:
>> I had configured a local DNS server under F12 and everything was
>> working fine. I upgraded the system to F13 and set up DNS again.
>> Now I see the following errors.
>>
>> Nov 9 15:46:28 darkstar named[17913]: validating @0xb4e48968: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>> Nov 9 15:46:28 darkstar named[17913]: error (insecurity proof failed) resolving 'dlv.isc.org/DLV/IN': 168.158.8.15#53
>> Nov 9 15:48:02 darkstar named[17913]: validating @0xb49766e8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>> Nov 9 15:48:02 darkstar named[17913]: validating @0xb4977160: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>> Nov 9 15:48:02 darkstar named[17913]: validating @0xb4977bd8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>> Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>> Nov 9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>> Nov 9 15:48:02 darkstar named[17913]: validating @0xb4724d60: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>> Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'www.howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
>> Nov 9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'www.howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
>>
>> I have 2 servers configured in the forwarders section of named.conf
>>
>> forwarders { 68.2.16.30; 168.158.8.15; };
>
> I didn't see anything wrong in your named.conf or named.rfc1912.zones
>
> I tried dig, found in bind-utils-9.7.1-2.P2.fc13.x86_64.
>
> When I did,
> [root@rsewill etc]# dig +dnssec @168.158.8.15 energy.gov
>
> ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> +dnssec @168.158.8.15 energy.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 28148
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;energy.gov.			IN	A
>
> ;; Query time: 78 msec
> ;; SERVER: 168.158.8.15#53(168.158.8.15)
> ;; WHEN: Wed Nov 10 21:33:15 2010
> ;; MSG SIZE rcvd: 39
>
> It appears I didn't get a valid answer.
>
> When I just changed the nameserver,
> [root@rsewill etc]# dig +dnssec @68.2.16.30 energy.gov
>
> ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> +dnssec @68.2.16.30 energy.gov
> ; (1 server found)
> <...>
> ;; Query time: 99 msec
> ;; SERVER: 68.2.16.30#53(68.2.16.30)
> ;; WHEN: Wed Nov 10 21:34:23 2010
> ;; MSG SIZE rcvd: 1720
>
> I got a very large, which looks valid to me, answer.
>
> If I leave off the +dnssec option,
> [root@rsewill etc]# dig @168.158.8.15 energy.gov
>
> ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> @168.158.8.15 energy.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31441
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;energy.gov.			IN	A
>
> ;; ANSWER SECTION:
> energy.gov.		2380	IN	A	205.254.148.200
>
> ;; Query time: 79 msec
> ;; SERVER: 168.158.8.15#53(168.158.8.15)
> ;; WHEN: Wed Nov 10 21:37:37 2010
> ;; MSG SIZE rcvd: 44
>
> I seem to get a valid answer.
>
> The bind I am using is
> [root@rsewill etc]# rpm -q bind
> bind-9.7.1-2.P2.fc13.x86_64
>
> What version of bind are you using?
>
> I have two questions about the name server at 168.158.8.15
> 1) Do we know if that name server supports dnssec?
>
> 2) If it supports dnssec, can we find out what name server
> (software and version) is being used so we can search the
> Internet to see if that name server is supposed to be
> interoperable with bind-9.x.x when doing dnssec?
>
> I am wondering why FC12 worked.
> I don't know what version of bind (rpm -q bind) is in FC12.
>
> I can see 3 possibilities why FC12 bind might have worked
> 1) perhaps the name server at 168.158.8.15 has a bug when doing dnssec,
> but was interoperable with the bind found in FC12, but not bind FC13.
>
> 2) Perhaps there is an error introduced into FC13
>
> 3) Perhaps, if 168.158.8.15 is not doing dnssec, FC12 bind
> would fall back to normal DNS. I'd be surprised if FC13 bind
> didn't also fall back to normal DNS...unless there is an option
> in your /etc/named.conf telling FC13 bind to only do dnssec.
> I am still parsing those options in /etc/named.conf...if someone
> who already has experience with this can answer, it would be nice.
>
> I don't know where to go from here.
>
> If I had access to another platform (not Fedora), running bind 9.x.x,
> and having bind-utils-9.x.x, I might like to compare and see if that
> named (and dig command) have the same problem.
>
> I'd probably do google searches to try and find cases where
> dig +dnssec fails for various reasons.
>
> I might look for a mailing list for bind or dnssec, to see if they have
> any help.
>
> Otherwise, I am stuck. Sorry.

I'm using bind-9.7.1-2.P2.fc13.i686 same as you.

I really appreciate your help. I'm starting to suspect that it's something to do with dnssec support with the ISP.

Thanks again,
Paolo

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
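The triage Rick does by hand above, as an added example that is not part of the thread and not BIND's own tooling: classify each forwarder from the header, flags and EDNS line of a `dig +dnssec` reply, and count named's validation errors per upstream address so the forwarder producing them stands out. The dig replies and log lines below are constructed to mirror what was posted; the DNSSEC-capable reply for 68.2.16.30 is an assumption, since the thread elided that output.

```python
"""Triage a forwarder's DNSSEC support from `dig +dnssec` output and correlate
named's validation errors to the upstream that produced them.

Added example for the thread above; sample inputs are constructed, not live
query results."""
import re
from collections import Counter

# Constructed: abbreviated copy of the FORMERR reply posted for 168.158.8.15
DIG_FORMERR = """\
; <<>> DiG 9.7.1-P2 <<>> +dnssec @168.158.8.15 energy.gov
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 28148
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;energy.gov.\t\t\tIN\tA
;; SERVER: 168.158.8.15#53(168.158.8.15)
"""

# Constructed (assumed): what a validating, DNSSEC-capable forwarder returns;
# the thread only says the 68.2.16.30 reply was "very large" and looked valid
DIG_OK = """\
; <<>> DiG 9.7.1-P2 <<>> +dnssec @68.2.16.30 energy.gov
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
energy.gov.\t\t2380\tIN\tA\t205.254.148.200
energy.gov.\t\t2380\tIN\tRRSIG\tA 7 2 3600 20101201000000 20101101000000 12345 energy.gov. (signature elided)
;; SERVER: 68.2.16.30#53(68.2.16.30)
"""

# Constructed: error lines of the shape posted in the thread
NAMED_LOG = """\
Nov 9 15:48:02 darkstar named[17913]: validating @0xb49766e8: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
Nov 9 15:48:02 darkstar named[17913]: error (insecurity proof failed) resolving 'howtoforge.com.dlv.isc.org/DLV/IN': 168.158.8.15#53
Nov 9 15:48:02 darkstar named[17913]: error (no valid RRSIG) resolving 'www.howtoforge.com.dlv.isc.org/DS/IN': 168.158.8.15#53
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags: ([a-z ]*);", re.M)
ANSWER_RE = re.compile(r"ANSWER: (\d+)")
FAIL_RE = re.compile(r"error \(([^)]+)\) resolving '([^']+)': (\S+)#\d+")


def classify_dig(output: str) -> str:
    """One-word verdict on the queried server's DNSSEC behaviour."""
    status = STATUS_RE.search(output)
    if not status:
        return "no-reply"  # timeout or unparsable output: nothing to judge
    m = FLAGS_RE.search(output)
    flags = set(m.group(1).split()) if m else set()
    edns = EDNS_RE.search(output)
    do_bit = edns is not None and "do" in edns.group(1).split()
    if status.group(1) == "FORMERR" and do_bit:
        # Server rejected the EDNS OPT record carrying the DO bit: it cannot
        # serve a validating resolver at all (the thread's 168.158.8.15 case).
        return "no-edns"
    if status.group(1) != "NOERROR":
        return status.group(1).lower()
    m = ANSWER_RE.search(output)
    answers = int(m.group(1)) if m else 0
    if "ad" in flags:
        return "validating"  # upstream validated the answer itself
    if "RRSIG" in output and answers > 1:
        return "signed-unvalidated"  # signatures present; validate locally
    return "plain"  # ordinary DNS, no DNSSEC material returned


def failures_by_server(log: str) -> dict:
    """Count named validation errors per upstream address cited in them."""
    counts = Counter()
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(3)] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, out in (("168.158.8.15", DIG_FORMERR), ("68.2.16.30", DIG_OK)):
        print(f"{name}: {classify_dig(out)}")
    print("validation errors by upstream:", failures_by_server(NAMED_LOG))
```

A forwarder classed as `no-edns` cannot be behind a validating named, whatever `dnssec-validation` is set to; the fix is to drop it from `forwarders` (or forward only to upstreams that pass the EDNS/DO check), and the per-upstream error count tells you which one to drop from the log alone.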