Adding a Forwarding Zone (Bind 9.9.2)

Charles Tryon charles.tryon at gmail.com
Fri Dec 7 08:54:05 MST 2012


OK, I found another hint about the problem.  Googling the "insecurity proof
failed" error message, I found references in some bug reports to people who
began to see this issue when DNSSEC was turned on.  I have the following in
my named.conf file:

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

As an experiment, I flipped this around to:

    dnssec-validation no;

...and sure enough, the sub-domain queries work fine.

It seems that the DNS server on the Windows AD controller is not complying
with the DNSSEC requirement, so the BIND server ignores it.


On Thu, Dec 6, 2012 at 7:00 PM, Charles Tryon <charles.tryon at gmail.com> wrote:

> OK, here is the log:
>
> (with the correct IP addresses: 10.4.2.6 Samba / 10.4.0.164 AD)
>
> Note that this log is with the forward zone defined in the named.conf file.
>
> <samba:etc>? sudo /usr/sbin/named -u named -f -g 2>&1 | tee /tmp/named.log
>
> 06-Dec-2012 17:12:58.533 starting BIND 9.9.2-RedHat-9.9.2-2.fc17 -u named -f -g
> 06-Dec-2012 17:12:58.533 built with '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu' '--program-prefix='
> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
> '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
> '--disable-static' '--disable-openssl-version-check' '--enable-exportlib'
> '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include'
> '--includedir=/usr/include/bind9'
> '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes'
> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
> '--disable-isc-spnego' '--enable-fixed-rrset'
> 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
> 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
> 06-Dec-2012 17:12:58.533 ----------------------------------------------------
> 06-Dec-2012 17:12:58.533 BIND 9 is maintained by Internet Systems Consortium,
> 06-Dec-2012 17:12:58.533 Inc. (ISC), a non-profit 501(c)(3) public-benefit
> 06-Dec-2012 17:12:58.533 corporation.  Support and training for BIND 9 are
> 06-Dec-2012 17:12:58.533 available at https://www.isc.org/support
> 06-Dec-2012 17:12:58.533 ----------------------------------------------------
> 06-Dec-2012 17:12:58.533 adjusted limit on open files from 4096 to 1048576
> 06-Dec-2012 17:12:58.533 found 4 CPUs, using 4 worker threads
> 06-Dec-2012 17:12:58.533 using 4 UDP listeners per interface
> 06-Dec-2012 17:12:58.533 using up to 4096 sockets
> 06-Dec-2012 17:12:58.541 loading configuration from '/etc/named.conf'
> 06-Dec-2012 17:12:58.542 reading built-in trusted keys from file '/etc/named.iscdlv.key'
> 06-Dec-2012 17:12:58.542 using default UDP/IPv4 port range: [1024, 65535]
> 06-Dec-2012 17:12:58.543 using default UDP/IPv6 port range: [1024, 65535]
> 06-Dec-2012 17:12:58.545 listening on IPv4 interface lo, 127.0.0.1#53
> 06-Dec-2012 17:12:58.547 listening on IPv4 interface eth0, 10.4.2.6#53
> 06-Dec-2012 17:12:58.549 listening on IPv6 interface lo, ::1#53
> 06-Dec-2012 17:12:58.552 generating session key for dynamic DNS
> 06-Dec-2012 17:12:58.552 sizing zone task pool based on 7 zones
> 06-Dec-2012 17:12:58.553 Loading 'AD DNS Zone' using driver dlopen
> 06-Dec-2012 17:12:59.005 samba_dlz: started for DN DC=usa,DC=om,DC=org
> 06-Dec-2012 17:12:59.005 samba_dlz: starting configure
> 06-Dec-2012 17:12:59.007 samba_dlz: configured writeable zone '4.10.in-addr.arpa'
> 06-Dec-2012 17:12:59.008 samba_dlz: configured writeable zone 'usa.om.org'
> 06-Dec-2012 17:12:59.010 samba_dlz: configured writeable zone '_msdcs.usa.om.org'
> 06-Dec-2012 17:12:59.013 using built-in DLV key for view _default
> 06-Dec-2012 17:12:59.013 set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
> 06-Dec-2012 17:12:59.013 automatic empty zone: 10.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.013 automatic empty zone: 16.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.013 automatic empty zone: 17.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.013 automatic empty zone: 18.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 19.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 20.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 21.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 22.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 23.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 24.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 25.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 26.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 27.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 28.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 29.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 30.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 31.172.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 168.192.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 127.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 254.169.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 2.0.192.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 100.51.198.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 113.0.203.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: D.F.IP6.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 8.E.F.IP6.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 9.E.F.IP6.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: A.E.F.IP6.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: B.E.F.IP6.ARPA
> 06-Dec-2012 17:12:59.014 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
> 06-Dec-2012 17:12:59.018 command channel listening on 127.0.0.1#953
> 06-Dec-2012 17:12:59.018 command channel listening on ::1#953
> 06-Dec-2012 17:12:59.018 ignoring config file logging statement due to -g option
> 06-Dec-2012 17:12:59.019 managed-keys-zone: loaded serial 16345
> 06-Dec-2012 17:12:59.020 zone 0.in-addr.arpa/IN: loaded serial 0
> 06-Dec-2012 17:12:59.021 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
> 06-Dec-2012 17:12:59.024 zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
> 06-Dec-2012 17:12:59.025 zone localhost/IN: loaded serial 0
> 06-Dec-2012 17:12:59.025 zone localhost.localdomain/IN: loaded serial 0
> 06-Dec-2012 17:12:59.026 all zones loaded
> 06-Dec-2012 17:12:59.026 running
> 06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
> 06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
> 06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving 'global.local/SOA/IN': 10.4.0.164#53
> 06-Dec-2012 17:13:05.226 error (network unreachable) resolving 'global.local/SOA/IN': 2001:503:ba3e::2:30#53
> 06-Dec-2012 17:13:05.226 error (network unreachable) resolving 'global.local/SOA/IN': 2001:dc3::35#53
>
> Interesting...  Looks like the server is saying that it is secure, but
> sending back an insecure response???
>
> (And yes, the other dig command works as expected.)
>



-- 
    Charles Tryon
_________________________________________________________________________
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
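Added example for this thread, not part of the original message and not
BIND's or Samba's own configuration: a named.conf fragment that keeps DNSSEC
validation switched on and exempts only the unsigned internal domain that is
forwarded to the AD controller.  "insecurity proof failed" is what BIND
reports when an answer is unsigned and the validator cannot prove from a
signed parent that the name lies under an unsigned delegation; for a name
under "local", which does not exist in the signed root zone, that proof can
never succeed, so the forwarder's answer is discarded.  Setting
"dnssec-validation no;" as in the experiment above makes the query work, but
it turns validation off for every name the resolver answers, not just
global.local.  The "validate-except" option assumed here exists in BIND 9.14
and later and is not available in 9.9.2; on 9.11 the nearest equivalent is a
negative trust anchor ("rndc nta global.local"), which expires and has to be
renewed.  The zone name and the forwarder address 10.4.0.164 are taken from
the log quoted above.

```conf
// Added example (not from the original post).  Assumes BIND 9.14 or later;
// the zone name and forwarder address are the ones from the log in this thread.
options {
    // Keep validation on, using the built-in root trust anchor.  This replaces
    // the older dnssec-enable / dnssec-lookaside pair: ISC's DLV service was
    // shut down in 2017, so "dnssec-lookaside auto;" no longer does anything useful.
    dnssec-validation auto;

    // Exempt only the unsigned internal AD domain from validation.  The
    // workaround tried above, "dnssec-validation no;", would exempt everything.
    validate-except { "global.local"; };
};

// Send queries for the AD domain to the domain controller and nowhere else.
zone "global.local" {
    type forward;
    forward only;
    forwarders { 10.4.0.164; };
};
```

A quick way to confirm that validation, rather than forwarding, is what
fails: "dig @10.4.2.6 global.local SOA +cd" sets the Checking Disabled bit,
so BIND hands back the forwarder's answer unvalidated.  If that query answers
while the same query without +cd returns SERVFAIL, the forward zone is fine
and the validator is rejecting the response.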


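Added example, written for this thread and not taken from the post, from BIND
or from Samba: a small triage script for named's "error (...) resolving" lines,
run over the lines quoted above.  It is there to make one point the log above
blurs: the "insecurity proof failed" from 10.4.0.164 is a DNSSEC validation
result, while the "network unreachable" errors are the box having no IPv6
route to the root servers (named is listening on IPv6 only on lo), and no
change to dnssec-validation will make those go away.  The sample log is
copied from the quoted output with the mail wrapping undone; the validation
reason strings beyond "insecurity proof failed" are my own list and should be
extended from local logs.

```python
"""Triage BIND 'error (...) resolving' log lines.

Added example for this thread (not code from the original post, BIND or
Samba).  It separates DNSSEC validation failures from transport errors so that
the two are not "fixed" with the same knob.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# One named log line of the form seen in the thread:
#   06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving 'global.local/SOA/IN': 10.4.0.164#53
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"error \((?P<reason>[^)]*)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^/']+)': "
    r"(?P<server>.+)#(?P<port>\d+)$"
)

# Reasons emitted by the validator.  Only the first one appears in the thread;
# the others are assumed from libdns result strings and can be extended.
VALIDATION_REASONS = {
    "insecurity proof failed",
    "no valid signature found",
    "no valid DS",
    "broken trust chain",
}
# Reasons that mean the server was never reached; unrelated to DNSSEC.
TRANSPORT_REASONS = {"network unreachable", "host unreachable", "timed out"}

# Constructed sample: the error lines quoted in the thread, plus one
# non-error line to show that unrelated lines are skipped.
SAMPLE_LOG = """\
06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving 'global.local/SOA/IN': 10.4.0.164#53
06-Dec-2012 17:13:05.226 error (network unreachable) resolving 'global.local/SOA/IN': 2001:503:ba3e::2:30#53
06-Dec-2012 17:13:05.226 error (network unreachable) resolving 'global.local/SOA/IN': 2001:dc3::35#53
06-Dec-2012 17:12:59.026 running
"""


@dataclass(frozen=True)
class ResolveError:
    timestamp: str
    reason: str
    name: str
    rtype: str
    server: str
    port: int

    @property
    def category(self) -> str:
        """'validation' (DNSSEC), 'transport' (never reached) or 'other'."""
        if self.reason in VALIDATION_REASONS:
            return "validation"
        if self.reason in TRANSPORT_REASONS:
            return "transport"
        return "other"


def parse_line(line: str) -> Optional[ResolveError]:
    """Parse one log line; return None for lines that are not resolve errors."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return ResolveError(m["ts"], m["reason"], m["name"], m["rtype"],
                        m["server"], int(m["port"]))


def triage(lines: Iterable[str]) -> dict:
    """Summarise which names fail validation (and from which server) and
    which errors are just unreachable servers."""
    errors = [e for e in map(parse_line, lines) if e is not None]
    validation = defaultdict(set)   # name -> servers whose answer failed validation
    transport = Counter()           # (reason, server) -> occurrences
    for e in errors:
        if e.category == "validation":
            validation[e.name].add(e.server)
        elif e.category == "transport":
            transport[(e.reason, e.server)] += 1
    return {
        "parsed": len(errors),
        # Candidates for validate-except / an NTA, not for dnssec-validation no.
        "validation_failures": {n: sorted(s) for n, s in validation.items()},
        "transport_errors": dict(transport),
        # True when every unreachable server is an IPv6 address: a routing
        # problem on the resolver, not a DNSSEC one.
        "transport_all_ipv6": bool(transport) and all(":" in s for _, s in transport),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Feed it the real file ("python3 triage.py < /tmp/named.log" after swapping
SAMPLE_LOG for sys.stdin) and look at validation_failures: a single name from
a single internal forwarder is the case for a per-name exemption, whereas
failures spread across many names point at a broken trust anchor or clock.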
More information about the samba-technical mailing list