Adding a Forwarding Zone (Bind 9.9.2)

Charles Tryon charles.tryon at gmail.com
Thu Dec 6 17:00:59 MST 2012


OK, here is the log:

(with the correct IP addresses: 10.4.2.6 Samba / 10.4.0.164 AD)

Note that this log is with the forward zone defined in the named.conf file.

<samba:etc>? sudo /usr/sbin/named -u named -f -g 2>&1 | tee /tmp/named.log

06-Dec-2012 17:12:58.533 starting BIND 9.9.2-RedHat-9.9.2-2.fc17 -u named
-f -g

06-Dec-2012 17:12:58.533 built with '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
'--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
'--disable-static' '--disable-openssl-version-check' '--enable-exportlib'
'--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include'
'--includedir=/usr/include/bind9'
'--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
'--disable-isc-spnego' '--enable-fixed-rrset'
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'

06-Dec-2012 17:12:58.533
----------------------------------------------------

06-Dec-2012 17:12:58.533 BIND 9 is maintained by Internet Systems
Consortium,

06-Dec-2012 17:12:58.533 Inc. (ISC), a non-profit 501(c)(3) public-benefit

06-Dec-2012 17:12:58.533 corporation.  Support and training for BIND 9 are

06-Dec-2012 17:12:58.533 available at https://www.isc.org/support

06-Dec-2012 17:12:58.533
----------------------------------------------------

06-Dec-2012 17:12:58.533 adjusted limit on open files from 4096 to 1048576

06-Dec-2012 17:12:58.533 found 4 CPUs, using 4 worker threads

06-Dec-2012 17:12:58.533 using 4 UDP listeners per interface

06-Dec-2012 17:12:58.533 using up to 4096 sockets

06-Dec-2012 17:12:58.541 loading configuration from '/etc/named.conf'

06-Dec-2012 17:12:58.542 reading built-in trusted keys from file
'/etc/named.iscdlv.key'

06-Dec-2012 17:12:58.542 using default UDP/IPv4 port range: [1024, 65535]

06-Dec-2012 17:12:58.543 using default UDP/IPv6 port range: [1024, 65535]

06-Dec-2012 17:12:58.545 listening on IPv4 interface lo, 127.0.0.1#53

06-Dec-2012 17:12:58.547 listening on IPv4 interface eth0, 10.4.2.6#53

06-Dec-2012 17:12:58.549 listening on IPv6 interface lo, ::1#53

06-Dec-2012 17:12:58.552 generating session key for dynamic DNS

06-Dec-2012 17:12:58.552 sizing zone task pool based on 7 zones

06-Dec-2012 17:12:58.553 Loading 'AD DNS Zone' using driver dlopen

06-Dec-2012 17:12:59.005 samba_dlz: started for DN DC=usa,DC=om,DC=org

06-Dec-2012 17:12:59.005 samba_dlz: starting configure

06-Dec-2012 17:12:59.007 samba_dlz: configured writeable zone
'4.10.in-addr.arpa'

06-Dec-2012 17:12:59.008 samba_dlz: configured writeable zone 'usa.om.org'

06-Dec-2012 17:12:59.010 samba_dlz: configured writeable zone '_msdcs.usa.om.org'

06-Dec-2012 17:12:59.013 using built-in DLV key for view _default

06-Dec-2012 17:12:59.013 set up managed keys zone for view _default, file
'/var/named/dynamic/managed-keys.bind'

06-Dec-2012 17:12:59.013 automatic empty zone: 10.IN-ADDR.ARPA

06-Dec-2012 17:12:59.013 automatic empty zone: 16.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.013 automatic empty zone: 17.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.013 automatic empty zone: 18.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 19.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 20.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 21.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 22.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 23.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 24.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 25.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 26.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 27.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 28.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 29.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 30.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 31.172.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 168.192.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 127.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 254.169.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 2.0.192.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 100.51.198.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 113.0.203.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: D.F.IP6.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 8.E.F.IP6.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 9.E.F.IP6.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: A.E.F.IP6.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: B.E.F.IP6.ARPA

06-Dec-2012 17:12:59.014 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA

06-Dec-2012 17:12:59.018 command channel listening on 127.0.0.1#953

06-Dec-2012 17:12:59.018 command channel listening on ::1#953

06-Dec-2012 17:12:59.018 ignoring config file logging statement due to -g
option

06-Dec-2012 17:12:59.019 managed-keys-zone: loaded serial 16345

06-Dec-2012 17:12:59.020 zone 0.in-addr.arpa/IN: loaded serial 0

06-Dec-2012 17:12:59.021 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

06-Dec-2012 17:12:59.024 zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0

06-Dec-2012 17:12:59.025 zone localhost/IN: loaded serial 0

06-Dec-2012 17:12:59.025 zone localhost.localdomain/IN: loaded serial 0

06-Dec-2012 17:12:59.026 all zones loaded

06-Dec-2012 17:12:59.026 running

06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN':
2001:503:ba3e::2:30#53

06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN':
2001:dc3::35#53

06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving
'global.local/SOA/IN': 10.4.0.164#53

06-Dec-2012 17:13:05.226 error (network unreachable) resolving
'global.local/SOA/IN': 2001:503:ba3e::2:30#53

06-Dec-2012 17:13:05.226 error (network unreachable) resolving
'global.local/SOA/IN': 2001:dc3::35#53

Interesting...  Looks like the server is saying that it is secure, but
sending back an insecure response???

(And yes, the other dig command works as expected.)
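
Added example (not part of the original post): a Python log triage that rejoins the mail-wrapped `named -g` records and groups resolver errors by reason, so the DNSSEC validation failure logged for global.local from 10.4.0.164 is separated from the IPv6 "network unreachable" entries. The function names are hypothetical; the sample records are copied from the log above.

```python
import re
from collections import defaultdict

# Sample records copied from the log above, mail line-wrapping included.
SAMPLE_LOG = """\
06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN':
2001:503:ba3e::2:30#53

06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN':
2001:dc3::35#53

06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving
'global.local/SOA/IN': 10.4.0.164#53

06-Dec-2012 17:13:05.226 error (network unreachable) resolving
'global.local/SOA/IN': 2001:503:ba3e::2:30#53
"""

TS = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}\b")
RESOLVE_ERR = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/[^/']+': (?P<server>\S+)#\d+"
)
# Reason string seen in this log; add others your resolver emits as needed.
DNSSEC_REASONS = {"insecurity proof failed"}

def rejoin_records(text):
    """A record starts with a timestamp; any other line continues the last one."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Return {reason: {"name/type": [servers that produced the error]}}."""
    by_reason = defaultdict(lambda: defaultdict(list))
    for rec in rejoin_records(text):
        m = RESOLVE_ERR.search(rec)
        if m:
            by_reason[m["reason"]][f"{m['name']}/{m['rtype']}"].append(m["server"])
    return by_reason

def validation_failures(text):
    """Queries whose answers failed DNSSEC validation, keyed to the answering server."""
    return {q: srv for reason, qs in triage(text).items()
            if reason in DNSSEC_REASONS for q, srv in qs.items()}
```
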
