Adding a Forwarding Zone (Bind 9.9.2)

Charles Tryon charles.tryon at gmail.com
Fri Dec 7 12:00:55 MST 2012


Going back to the forwarding of DNS queries, I'm not sure now if this is a
Samba4 issue or a Bind DNS issue.  I set the dnssec-validation to "no",
which means I'm not really using dnssec, but that will work for the time
being.

What I find now is, if I do a "dig" of names in either my main domain on
the S4 server, or of a name in the "global.local" domain, I get answers
from the DNS service on Samba4.

HOWEVER, if I try to query a "SRV" record, that request doesn't seem to go
through.  (????)

? host -t SRV _kerberos._udp.global.local.
;; Truncated, retrying in TCP mode.
Host _kerberos._udp.global.local. not found: 3(NXDOMAIN)

? host -t SRV _kerberos._udp.global.local. 10.4.0.1
Using domain server:
Name: 10.4.0.1
Address: 10.4.0.1#53
Aliases:

_kerberos._udp.global.local has SRV record 0 100 88 usa-dc1.global.local.
_kerberos._udp.global.local has SRV record 0 100 88 intl-dc1.global.local.
_kerberos._udp.global.local has SRV record 0 100 88 usa-dc2.global.local.
_kerberos._udp.global.local has SRV record 0 100 88 intl-dc2.global.local.



On Fri, Dec 7, 2012 at 10:54 AM, Charles Tryon <charles.tryon at gmail.com> wrote:

> OK, I found another hint to the problem.  Googling the "insecurity proof
> failed" error message, I found references in some bug reports that people
> began to see this issue when DNSSEC was turned on.  I have the following in
> my named.conf file:
>
>
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-lookaside auto;
>
> As an experiment, I flipped this around to:
>
>     dnssec-validation no;
>
> ...and sure enough, the sub-domain queries work fine.
>
> It seems that the DNS server on the Windows AD controller is not complying
> with the DNSSEC requirement, so the BIND server ignores it.
>
>
> On Thu, Dec 6, 2012 at 7:00 PM, Charles Tryon <charles.tryon at gmail.com> wrote:
>
>> OK, here is the log:
>>
>> (with the correct IP addresses: 10.4.2.6 Samba / 10.4.0.164 AD)
>>
>> Note that this log is with the forward zone defined in the named.conf
>> file.
>>
>> <samba:etc>? sudo /usr/sbin/named -u named -f -g 2>&1 | tee /tmp/named.log
>>
>> 06-Dec-2012 17:12:58.533 starting BIND 9.9.2-RedHat-9.9.2-2.fc17 -u named
>> -f -g
>>
>> 06-Dec-2012 17:12:58.533 built with '--build=x86_64-redhat-linux-gnu'
>> '--host=x86_64-redhat-linux-gnu' '--program-prefix='
>> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
>> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
>> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
>> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
>> '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
>> '--disable-static' '--disable-openssl-version-check' '--enable-exportlib'
>> '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include'
>> '--includedir=/usr/include/bind9'
>> '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes'
>> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
>> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
>> '--disable-isc-spnego' '--enable-fixed-rrset'
>> 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
>> 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
>> 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
>>
>> 06-Dec-2012 17:12:58.533
>> ----------------------------------------------------
>>
>> 06-Dec-2012 17:12:58.533 BIND 9 is maintained by Internet Systems
>> Consortium,
>>
>> 06-Dec-2012 17:12:58.533 Inc. (ISC), a non-profit 501(c)(3)
>> public-benefit
>>
>> 06-Dec-2012 17:12:58.533 corporation.  Support and training for BIND 9
>> are
>>
>> 06-Dec-2012 17:12:58.533 available at https://www.isc.org/support
>>
>> 06-Dec-2012 17:12:58.533
>> ----------------------------------------------------
>>
>> 06-Dec-2012 17:12:58.533 adjusted limit on open files from 4096 to 1048576
>>
>> 06-Dec-2012 17:12:58.533 found 4 CPUs, using 4 worker threads
>>
>> 06-Dec-2012 17:12:58.533 using 4 UDP listeners per interface
>>
>> 06-Dec-2012 17:12:58.533 using up to 4096 sockets
>>
>> 06-Dec-2012 17:12:58.541 loading configuration from '/etc/named.conf'
>>
>> 06-Dec-2012 17:12:58.542 reading built-in trusted keys from file
>> '/etc/named.iscdlv.key'
>>
>> 06-Dec-2012 17:12:58.542 using default UDP/IPv4 port range: [1024, 65535]
>>
>> 06-Dec-2012 17:12:58.543 using default UDP/IPv6 port range: [1024, 65535]
>>
>> 06-Dec-2012 17:12:58.545 listening on IPv4 interface lo, 127.0.0.1#53
>>
>> 06-Dec-2012 17:12:58.547 listening on IPv4 interface eth0, 10.4.2.6#53
>>
>> 06-Dec-2012 17:12:58.549 listening on IPv6 interface lo, ::1#53
>>
>> 06-Dec-2012 17:12:58.552 generating session key for dynamic DNS
>>
>> 06-Dec-2012 17:12:58.552 sizing zone task pool based on 7 zones
>>
>> 06-Dec-2012 17:12:58.553 Loading 'AD DNS Zone' using driver dlopen
>>
>> 06-Dec-2012 17:12:59.005 samba_dlz: started for DN DC=usa,DC=om,DC=org
>>
>> 06-Dec-2012 17:12:59.005 samba_dlz: starting configure
>>
>> 06-Dec-2012 17:12:59.007 samba_dlz: configured writeable zone
>> '4.10.in-addr.arpa'
>>
>> 06-Dec-2012 17:12:59.008 samba_dlz: configured writeable zone 'usa.om.org'
>>
>> 06-Dec-2012 17:12:59.010 samba_dlz: configured writeable zone '_msdcs.usa.om.org'
>>
>> 06-Dec-2012 17:12:59.013 using built-in DLV key for view _default
>>
>> 06-Dec-2012 17:12:59.013 set up managed keys zone for view _default, file
>> '/var/named/dynamic/managed-keys.bind'
>>
>> 06-Dec-2012 17:12:59.013 automatic empty zone: 10.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.013 automatic empty zone: 16.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.013 automatic empty zone: 17.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.013 automatic empty zone: 18.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 19.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 20.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 21.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 22.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 23.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 24.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 25.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 26.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 27.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 28.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 29.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 30.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 31.172.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 168.192.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 127.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 254.169.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 2.0.192.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 100.51.198.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 113.0.203.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone:
>> 255.255.255.255.IN-ADDR.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone:
>> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: D.F.IP6.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 8.E.F.IP6.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 9.E.F.IP6.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: A.E.F.IP6.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: B.E.F.IP6.ARPA
>>
>> 06-Dec-2012 17:12:59.014 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
>>
>> 06-Dec-2012 17:12:59.018 command channel listening on 127.0.0.1#953
>>
>> 06-Dec-2012 17:12:59.018 command channel listening on ::1#953
>>
>> 06-Dec-2012 17:12:59.018 ignoring config file logging statement due to -g
>> option
>>
>> 06-Dec-2012 17:12:59.019 managed-keys-zone: loaded serial 16345
>>
>> 06-Dec-2012 17:12:59.020 zone 0.in-addr.arpa/IN: loaded serial 0
>>
>> 06-Dec-2012 17:12:59.021 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
>>
>> 06-Dec-2012 17:12:59.024 zone
>> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
>> loaded serial 0
>>
>> 06-Dec-2012 17:12:59.025 zone localhost/IN: loaded serial 0
>>
>> 06-Dec-2012 17:12:59.025 zone localhost.localdomain/IN: loaded serial 0
>>
>> 06-Dec-2012 17:12:59.026 all zones loaded
>>
>> 06-Dec-2012 17:12:59.026 running
>>
>> 06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN':
>> 2001:503:ba3e::2:30#53
>>
>> 06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN':
>> 2001:dc3::35#53
>>
>> 06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving
>> 'global.local/SOA/IN': 10.4.0.164#53
>>
>> 06-Dec-2012 17:13:05.226 error (network unreachable) resolving
>> 'global.local/SOA/IN': 2001:503:ba3e::2:30#53
>>
>> 06-Dec-2012 17:13:05.226 error (network unreachable) resolving
>> 'global.local/SOA/IN': 2001:dc3::35#53
>>
>> Interesting...  Looks like the server is saying that it is secure, but
>> sending back an insecure response???
>>
>> (And yes, the other dig command works as expected.)
>>
>


-- 
    Charles Tryon
_________________________________________________________________________
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
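The log quoted above mixes two different failures: "insecurity proof failed" for global.local (the AD DNS server behind the forward zone answers unsigned and cannot supply the proof that the name is legitimately unsigned, so the validator rejects it) and "network unreachable" for the IPv6 root servers (the resolver has no IPv6 route). The thread's fix, a global `dnssec-validation no;`, clears the first symptom but removes validation for every zone the resolver serves. BIND 9.9 has no per-name exception; negative trust anchors (`rndc nta`, BIND 9.11) and the `validate-except` option came in later releases. The script below is an added example, not code from the thread, Samba or ISC: it parses `named -f -g` error lines in the format the quoted log shows, separates validation failures from transport errors, and prints what to scope the fix to. The sample log is a constructed, unwrapped copy of the quoted lines; the list of validator reasons beyond "insecurity proof failed" is my assumption.

```python
import re
from collections import defaultdict

# Matches resolver error lines as they appear in a `named -f -g` log, e.g.
#   06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving 'global.local/SOA/IN': 10.4.0.164#53
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[^/]+)/(?P<rclass>[^']+)': "
    r"(?P<server>\S+)#(?P<port>\d+)$"
)

# Reasons BIND's validator reports when a DNSSEC proof fails. Assumed list;
# only "insecurity proof failed" is attested by the thread's log.
DNSSEC_REASONS = {
    "insecurity proof failed",
    "no valid signature found",
    "broken trust chain",
    "no valid DS",
    "no valid RRSIG",
}

# Constructed sample: the quoted log lines, unwrapped onto single lines.
SAMPLE_LOG = """\
06-Dec-2012 17:12:59.026 running
06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving 'global.local/SOA/IN': 10.4.0.164#53
06-Dec-2012 17:13:05.226 error (network unreachable) resolving 'global.local/SOA/IN': 2001:503:ba3e::2:30#53
06-Dec-2012 17:13:05.226 error (network unreachable) resolving 'global.local/SOA/IN': 2001:dc3::35#53
"""


def parse_errors(log_text):
    """Return one dict per 'error (...) resolving' line; other lines are skipped."""
    errors = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            errors.append(m.groupdict())
    return errors


def triage(errors):
    """Split errors into DNSSEC validation failures (name -> servers that
    answered) and transport errors (server -> count)."""
    validation = defaultdict(set)
    transport = defaultdict(int)
    for e in errors:
        if e["reason"] in DNSSEC_REASONS:
            validation[e["name"]].add(e["server"])
        else:
            transport[e["server"]] += 1
    return {"validation": {k: sorted(v) for k, v in validation.items()},
            "transport": dict(transport)}


def recommendations(summary):
    """Operator-facing advice: keep any DNSSEC exception scoped to the names
    that actually fail instead of a global `dnssec-validation no`."""
    advice = []
    for name, servers in sorted(summary["validation"].items()):
        advice.append(
            f"{name}: validation failed via {', '.join(servers)}; scope the "
            "exception to this name (negative trust anchor or validate-except "
            "on releases that have them) rather than disabling validation "
            "for every zone.")
    servers = list(summary["transport"])
    if servers and all(":" in s for s in servers):
        advice.append(
            "all transport errors are to IPv6 addresses: this host has no "
            "IPv6 route; run named with -4 so it stops trying IPv6 servers.")
    return advice


if __name__ == "__main__":
    summary = triage(parse_errors(SAMPLE_LOG))
    for line in recommendations(summary):
        print(line)
```

Run it against the real log (`named -f -g 2>&1 | tee /tmp/named.log`, as in the thread) by feeding the file contents to `parse_errors`; any name that shows up under "validation" is the one to carve out, and the rest of the resolver keeps validating.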


More information about the samba-technical mailing list