Adding a Forwarding Zone (Bind 9.9.2)

Charles Tryon charles.tryon at gmail.com
Mon Dec 10 10:07:59 MST 2012


OK, this is getting weirder and weirder....

If I turn OFF the DNSSEC options in BIND, then I can restart the named
service, and get exactly ONE valid response.  After that initial response,
it returns: not found: 3(NXDOMAIN)

<samba:ctryon>? sudo service named restart
Restarting named (via systemctl):                          [  OK  ]
<samba:ctryon>? host -t SRV _kerberos._udp.global.local.
_kerberos._udp.global.local has SRV record 0 100 88 usa-dc2.global.local.
_kerberos._udp.global.local has SRV record 0 100 88 intl-dc2.global.local.
_kerberos._udp.global.local has SRV record 0 100 88 intl-dc1.global.local.
_kerberos._udp.global.local has SRV record 0 100 88 usa-dc1.global.local.
<samba:ctryon>? host -t SRV _kerberos._udp.global.local.
;; Truncated, retrying in TCP mode.
Host _kerberos._udp.global.local. not found: 3(NXDOMAIN)

Huh???

I don't see any indications in the log file for what is going on, other
than the "*Truncated, retrying in TCP mode*" message on the failure.  Could
it possibly be that the Windows AD server isn't giving a standards-compliant
response???   (Say it isn't so!!)



On Fri, Dec 7, 2012 at 2:00 PM, Charles Tryon <charles.tryon at gmail.com> wrote:

> Going back to the forwarding of DNS queries, I'm not sure now if this is a
> Samba4 issue or a Bind DNS issue.  I set the dnssec-validation to "no",
> which means I'm not really using dnssec, but that will work for the time
> being.
>
> What I find now is, if I do a "dig" of names in either my main domain on
> the S4 server, or of a name in the "global.local" domain, I get answers
> from the DNS service on Samba4.
>
> HOWEVER, if I try to query a "SRV" record, that request doesn't seem to go
> through.  (????)
>
> ? host -t SRV _kerberos._udp.global.local.
> ;; Truncated, retrying in TCP mode.
> Host _kerberos._udp.global.local. not found: 3(NXDOMAIN)
>
> ? host -t SRV _kerberos._udp.global.local. 10.4.0.1
> Using domain server:
> Name: 10.4.0.1
> Address: 10.4.0.1#53
> Aliases:
>
> _kerberos._udp.global.local has SRV record 0 100 88 usa-dc1.global.local.
> _kerberos._udp.global.local has SRV record 0 100 88 intl-dc1.global.local.
> _kerberos._udp.global.local has SRV record 0 100 88 usa-dc2.global.local.
> _kerberos._udp.global.local has SRV record 0 100 88 intl-dc2.global.local.
>
>
>
> On Fri, Dec 7, 2012 at 10:54 AM, Charles Tryon <charles.tryon at gmail.com> wrote:
>
>> OK, I found another hint to the problem.  Googling the "insecurity proof
>> failed" error message, I found references in some bug reports that people
>> began to see this issue when DNSSEC was turned on.  I have the following in
>> my named.conf file:
>>
>>
>>     dnssec-enable yes;
>>     dnssec-validation yes;
>>     dnssec-lookaside auto;
>>
>> As an experiment, I flipped this around to:
>>
>>     dnssec-validation no;
>>
>> ...and sure enough, the sub-domain queries work fine.
>>
>> It seems that the DNS server on the Windows AD controller is not
>> complying with the DNSSEC requirement, so the BIND server ignores it.
>>
>>
>> On Thu, Dec 6, 2012 at 7:00 PM, Charles Tryon <charles.tryon at gmail.com> wrote:
>>
>>> OK, here is the log:
>>>
>>> (with the correct IP addresses: 10.4.2.6 Samba / 10.4.0.164 AD)
>>>
>>> Note that this log is with the forward zone defined in the named.conf
>>> file.
>>>
>>> <samba:etc>? sudo /usr/sbin/named -u named -f -g 2>&1 | tee
>>> /tmp/named.log
>>>
>>> 06-Dec-2012 17:12:58.533 starting BIND 9.9.2-RedHat-9.9.2-2.fc17 -u
>>> named -f -g
>>>
>>> 06-Dec-2012 17:12:58.533 built with '--build=x86_64-redhat-linux-gnu'
>>> '--host=x86_64-redhat-linux-gnu' '--program-prefix='
>>> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
>>> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
>>> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
>>> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
>>> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
>>> '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
>>> '--disable-static' '--disable-openssl-version-check' '--enable-exportlib'
>>> '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include'
>>> '--includedir=/usr/include/bind9'
>>> '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes'
>>> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
>>> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
>>> '--disable-isc-spnego' '--enable-fixed-rrset'
>>> 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
>>> 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>>> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
>>> 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
>>>
>>> 06-Dec-2012 17:12:58.533
>>> ----------------------------------------------------
>>>
>>> 06-Dec-2012 17:12:58.533 BIND 9 is maintained by Internet Systems
>>> Consortium,
>>>
>>> 06-Dec-2012 17:12:58.533 Inc. (ISC), a non-profit 501(c)(3)
>>> public-benefit
>>>
>>> 06-Dec-2012 17:12:58.533 corporation.  Support and training for BIND 9
>>> are
>>>
>>> 06-Dec-2012 17:12:58.533 available at https://www.isc.org/support
>>>
>>> 06-Dec-2012 17:12:58.533
>>> ----------------------------------------------------
>>>
>>> 06-Dec-2012 17:12:58.533 adjusted limit on open files from 4096 to
>>> 1048576
>>>
>>> 06-Dec-2012 17:12:58.533 found 4 CPUs, using 4 worker threads
>>>
>>> 06-Dec-2012 17:12:58.533 using 4 UDP listeners per interface
>>>
>>> 06-Dec-2012 17:12:58.533 using up to 4096 sockets
>>>
>>> 06-Dec-2012 17:12:58.541 loading configuration from '/etc/named.conf'
>>>
>>> 06-Dec-2012 17:12:58.542 reading built-in trusted keys from file
>>> '/etc/named.iscdlv.key'
>>>
>>> 06-Dec-2012 17:12:58.542 using default UDP/IPv4 port range: [1024, 65535]
>>>
>>> 06-Dec-2012 17:12:58.543 using default UDP/IPv6 port range: [1024, 65535]
>>>
>>> 06-Dec-2012 17:12:58.545 listening on IPv4 interface lo, 127.0.0.1#53
>>>
>>> 06-Dec-2012 17:12:58.547 listening on IPv4 interface eth0, 10.4.2.6#53
>>>
>>> 06-Dec-2012 17:12:58.549 listening on IPv6 interface lo, ::1#53
>>>
>>> 06-Dec-2012 17:12:58.552 generating session key for dynamic DNS
>>>
>>> 06-Dec-2012 17:12:58.552 sizing zone task pool based on 7 zones
>>>
>>> 06-Dec-2012 17:12:58.553 Loading 'AD DNS Zone' using driver dlopen
>>>
>>> 06-Dec-2012 17:12:59.005 samba_dlz: started for DN DC=usa,DC=om,DC=org
>>>
>>> 06-Dec-2012 17:12:59.005 samba_dlz: starting configure
>>>
>>> 06-Dec-2012 17:12:59.007 samba_dlz: configured writeable zone
>>> '4.10.in-addr.arpa'
>>>
>>> 06-Dec-2012 17:12:59.008 samba_dlz: configured writeable zone '
>>> usa.om.org'
>>>
>>> 06-Dec-2012 17:12:59.010 samba_dlz: configured writeable zone '_
>>> msdcs.usa.om.org'
>>>
>>> 06-Dec-2012 17:12:59.013 using built-in DLV key for view _default
>>>
>>> 06-Dec-2012 17:12:59.013 set up managed keys zone for view _default,
>>> file '/var/named/dynamic/managed-keys.bind'
>>>
>>> 06-Dec-2012 17:12:59.013 automatic empty zone: 10.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.013 automatic empty zone: 16.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.013 automatic empty zone: 17.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.013 automatic empty zone: 18.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 19.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 20.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 21.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 22.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 23.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 24.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 25.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 26.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 27.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 28.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 29.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 30.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 31.172.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 168.192.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 127.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 254.169.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 2.0.192.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 100.51.198.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 113.0.203.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone:
>>> 255.255.255.255.IN-ADDR.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone:
>>> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: D.F.IP6.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 8.E.F.IP6.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 9.E.F.IP6.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: A.E.F.IP6.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: B.E.F.IP6.ARPA
>>>
>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
>>>
>>> 06-Dec-2012 17:12:59.018 command channel listening on 127.0.0.1#953
>>>
>>> 06-Dec-2012 17:12:59.018 command channel listening on ::1#953
>>>
>>> 06-Dec-2012 17:12:59.018 ignoring config file logging statement due to
>>> -g option
>>>
>>> 06-Dec-2012 17:12:59.019 managed-keys-zone: loaded serial 16345
>>>
>>> 06-Dec-2012 17:12:59.020 zone 0.in-addr.arpa/IN: loaded serial 0
>>>
>>> 06-Dec-2012 17:12:59.021 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
>>>
>>> 06-Dec-2012 17:12:59.024 zone
>>> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
>>> loaded serial 0
>>>
>>> 06-Dec-2012 17:12:59.025 zone localhost/IN: loaded serial 0
>>>
>>> 06-Dec-2012 17:12:59.025 zone localhost.localdomain/IN: loaded serial 0
>>>
>>> 06-Dec-2012 17:12:59.026 all zones loaded
>>>
>>> 06-Dec-2012 17:12:59.026 running
>>>
>>> 06-Dec-2012 17:13:05.093 error (network unreachable) resolving
>>> './NS/IN': 2001:503:ba3e::2:30#53
>>>
>>> 06-Dec-2012 17:13:05.093 error (network unreachable) resolving
>>> './NS/IN': 2001:dc3::35#53
>>>
>>> 06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving
>>> 'global.local/SOA/IN': 10.4.0.164#53
>>>
>>> 06-Dec-2012 17:13:05.226 error (network unreachable) resolving
>>> 'global.local/SOA/IN': 2001:503:ba3e::2:30#53
>>>
>>> 06-Dec-2012 17:13:05.226 error (network unreachable) resolving
>>> 'global.local/SOA/IN': 2001:dc3::35#53
>>>
>>> Interesting...  Looks like the server is saying that it is secure, but
>>> sending back an insecure response???
>>>
>>> (And yes, the other dig command works as expected.)
>>>
>>
>>
>>
>
>


-- 
    Charles Tryon
_________________________________________________________________________
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
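To localize a failure like the one in this thread (authoritative answer when the AD server is asked directly, truncation followed by NXDOMAIN when the forwarder is asked), it helps to send the exact query `host -t SRV` sends to both servers and compare the reply headers rather than just the printed result. The script below is an added example, not code from this thread or from Samba or BIND: it builds the SRV query with an EDNS0 OPT record and the DO bit, retries over TCP when the UDP reply is truncated (the "retrying in TCP mode" step), and decodes the TC, AA and AD flags, the RCODE, and any SRV records so the forwarder's and the AD server's answers can be put side by side. The server addresses 10.4.2.6 and 10.4.0.1 are the ones quoted in the thread; the `make_response` helper only fabricates replies so the parser can be checked offline.

```python
"""Compare a forwarder's SRV answer with the AD server's own (added example).

Not code from the thread: a pure-stdlib helper that sends the same query
`host -t SRV _kerberos._udp.global.local.` sends, retries over TCP when the
UDP reply is truncated, and reports TC/AA/AD/RCODE plus any SRV records.
"""
import socket
import struct

QTYPE_SRV = 33
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Owner name -> uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_SRV, qid=0x1234, dnssec_ok=True):
    """RD=1 query; with dnssec_ok an EDNS0 OPT RR carrying the DO bit is appended."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:  # root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO, rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return hdr + question + opt


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Header flags that matter for this diagnosis, plus decoded SRV answers."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "tc": bool(flags & 0x0200), "aa": bool(flags & 0x0400),
            "ad": bool(flags & 0x0020), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "srv": []}
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            info["srv"].append((prio, weight, port, target))
        off += rdlen
    return info


def query_server(server, name, qtype=QTYPE_SRV, timeout=3.0):
    """UDP first; on TC=1 retry over TCP, which is what host(1)'s 'retrying in TCP mode' does."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data = s.recv(4096)
    info = parse_response(data)
    if info["tc"]:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS is length-prefixed
            want = struct.unpack("!H", t.recv(2))[0]
            data = b""
            while len(data) < want:
                chunk = t.recv(want - len(data))
                if not chunk:
                    break
                data += chunk
        info = parse_response(data)
    return info


def make_response(query, flags, answers):
    """Constructed reply (offline checks only): echoes the question, adds SRV RRs."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:query.index(b"\x00", 12) + 5]  # name, qtype, qclass
    body = b""
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SRV, 1, 600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0) + question + body


if __name__ == "__main__":
    NAME = "_kerberos._udp.global.local."
    # Addresses from the thread: the BIND/Samba forwarder, then the AD DNS server directly.
    for server in ("10.4.2.6", "10.4.0.1"):
        print(server, query_server(server, NAME))
```

Run it from the Samba host and read the two dictionaries together: an AA answer with SRV records from 10.4.0.1 but `tc`/NXDOMAIN from 10.4.2.6 puts the problem on the resolver side (validation, forwarding or caching), not on the AD server's zone data. Sending the DO bit is deliberate, because a validating BIND sets it on its own upstream queries, so this is the shape of reply the forwarder is actually judging.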

