Adding a Forwarding Zone (Bind 9.9.2)

Charles Tryon charles.tryon at gmail.com
Mon Dec 10 11:55:47 MST 2012


Just did an OS-level yum update and reboot on that computer.  (Always a good
idea when you've got really weird errors.)  It *SEEMS* to be working
consistently now.  Still have to turn OFF the dnssec options, but at least
I've been able to get consistent responses to the SRV record requests.

... still testing ...





On Mon, Dec 10, 2012 at 12:07 PM, Charles Tryon <charles.tryon at gmail.com> wrote:

>
> OK, this is getting weirder and weirder....
>
> If I turn OFF the DNSSEC options in BIND, then I can restart the named
> service, and get exactly ONE valid response.  After that initial response,
> it returns: not found: 3(NXDOMAIN)
>
> <samba:ctryon>? sudo service named restart
> Restarting named (via systemctl):                          [  OK  ]
> <samba:ctryon>? host -t SRV _kerberos._udp.global.local.
> _kerberos._udp.global.local has SRV record 0 100 88 usa-dc2.global.local.
> _kerberos._udp.global.local has SRV record 0 100 88 intl-dc2.global.local.
> _kerberos._udp.global.local has SRV record 0 100 88 intl-dc1.global.local.
> _kerberos._udp.global.local has SRV record 0 100 88 usa-dc1.global.local.
> <samba:ctryon>? host -t SRV _kerberos._udp.global.local.
> ;; Truncated, retrying in TCP mode.
> Host _kerberos._udp.global.local. not found: 3(NXDOMAIN)
>
>     Huh???
>
>   I don't see any indications in the log file for what is going on, other
> than the "*Truncated, retrying in TCP mode*" message on the failure.
>  Could it possibly be that the Windows AD server isn't giving a standards
> compliant response???   (Say it isn't so!!)
>
>
>
> On Fri, Dec 7, 2012 at 2:00 PM, Charles Tryon <charles.tryon at gmail.com> wrote:
>
>> Going back to the forwarding of DNS queries, I'm not sure now if this is
>> a Samba4 issue or a Bind DNS issue.  I set the dnssec-validation to "no",
>> which means I'm not really using dnssec, but that will work for the time
>> being.
>>
>> What I find now is, if I do a "dig" of names in either my main domain on
>> the S4 server, or of a name in the "global.local" domain, I get answers
>> from the DNS service on Samba4.
>>
>> HOWEVER, if I try to query a "SRV" record, that request doesn't seem to
>> go through.  (????)
>>
>> ? host -t SRV _kerberos._udp.global.local.
>> ;; Truncated, retrying in TCP mode.
>> Host _kerberos._udp.global.local. not found: 3(NXDOMAIN)
>>
>> ? host -t SRV _kerberos._udp.global.local. 10.4.0.1
>> Using domain server:
>> Name: 10.4.0.1
>> Address: 10.4.0.1#53
>> Aliases:
>>
>> _kerberos._udp.global.local has SRV record 0 100 88 usa-dc1.global.local.
>> _kerberos._udp.global.local has SRV record 0 100 88 intl-dc1.global.local.
>> _kerberos._udp.global.local has SRV record 0 100 88 usa-dc2.global.local.
>> _kerberos._udp.global.local has SRV record 0 100 88 intl-dc2.global.local.
>>
>>
>>
>> On Fri, Dec 7, 2012 at 10:54 AM, Charles Tryon <charles.tryon at gmail.com> wrote:
>>
>>> OK, I found another hint to the problem.  Googling the "insecurity proof
>>> failed" error message, I found references in some bug reports that people
>>> began to see this issue when DNSSEC was turned on.  I have the following in
>>> my named.conf file:
>>>
>>>
>>>     dnssec-enable yes;
>>>     dnssec-validation yes;
>>>     dnssec-lookaside auto;
>>>
>>> As an experiment, I flipped this around to:
>>>
>>>     dnssec-validation no;
>>>
>>> ...and sure enough, the sub-domain queries work fine.
>>>
>>> It seems that the DNS server on the Windows AD controller is not
>>> complying with the DNSSEC requirement, so the BIND server ignores it.
>>>
>>>
>>> On Thu, Dec 6, 2012 at 7:00 PM, Charles Tryon <charles.tryon at gmail.com> wrote:
>>>
>>>> OK, here is the log:
>>>>
>>>> (with the correct IP addresses: 10.4.2.6 Samba / 10.4.0.164 AD)
>>>>
>>>> Note that this log is with the forward zone defined in the named.conf
>>>> file.
>>>>
>>>> <samba:etc>? sudo /usr/sbin/named -u named -f -g 2>&1 | tee
>>>> /tmp/named.log
>>>>
>>>> 06-Dec-2012 17:12:58.533 starting BIND 9.9.2-RedHat-9.9.2-2.fc17 -u
>>>> named -f -g
>>>>
>>>> 06-Dec-2012 17:12:58.533 built with '--build=x86_64-redhat-linux-gnu'
>>>> '--host=x86_64-redhat-linux-gnu' '--program-prefix='
>>>> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
>>>> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
>>>> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
>>>> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
>>>> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
>>>> '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
>>>> '--disable-static' '--disable-openssl-version-check' '--enable-exportlib'
>>>> '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include'
>>>> '--includedir=/usr/include/bind9'
>>>> '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes'
>>>> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
>>>> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
>>>> '--disable-isc-spnego' '--enable-fixed-rrset'
>>>> 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
>>>> 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>>>> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
>>>> 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
>>>>
>>>> 06-Dec-2012 17:12:58.533
>>>> ----------------------------------------------------
>>>>
>>>> 06-Dec-2012 17:12:58.533 BIND 9 is maintained by Internet Systems
>>>> Consortium,
>>>>
>>>> 06-Dec-2012 17:12:58.533 Inc. (ISC), a non-profit 501(c)(3)
>>>> public-benefit
>>>>
>>>> 06-Dec-2012 17:12:58.533 corporation.  Support and training for BIND 9
>>>> are
>>>>
>>>> 06-Dec-2012 17:12:58.533 available at https://www.isc.org/support
>>>>
>>>> 06-Dec-2012 17:12:58.533
>>>> ----------------------------------------------------
>>>>
>>>> 06-Dec-2012 17:12:58.533 adjusted limit on open files from 4096 to
>>>> 1048576
>>>>
>>>> 06-Dec-2012 17:12:58.533 found 4 CPUs, using 4 worker threads
>>>>
>>>> 06-Dec-2012 17:12:58.533 using 4 UDP listeners per interface
>>>>
>>>> 06-Dec-2012 17:12:58.533 using up to 4096 sockets
>>>>
>>>> 06-Dec-2012 17:12:58.541 loading configuration from '/etc/named.conf'
>>>>
>>>> 06-Dec-2012 17:12:58.542 reading built-in trusted keys from file
>>>> '/etc/named.iscdlv.key'
>>>>
>>>> 06-Dec-2012 17:12:58.542 using default UDP/IPv4 port range: [1024,
>>>> 65535]
>>>>
>>>> 06-Dec-2012 17:12:58.543 using default UDP/IPv6 port range: [1024,
>>>> 65535]
>>>>
>>>> 06-Dec-2012 17:12:58.545 listening on IPv4 interface lo, 127.0.0.1#53
>>>>
>>>> 06-Dec-2012 17:12:58.547 listening on IPv4 interface eth0, 10.4.2.6#53
>>>>
>>>> 06-Dec-2012 17:12:58.549 listening on IPv6 interface lo, ::1#53
>>>>
>>>> 06-Dec-2012 17:12:58.552 generating session key for dynamic DNS
>>>>
>>>> 06-Dec-2012 17:12:58.552 sizing zone task pool based on 7 zones
>>>>
>>>> 06-Dec-2012 17:12:58.553 Loading 'AD DNS Zone' using driver dlopen
>>>>
>>>> 06-Dec-2012 17:12:59.005 samba_dlz: started for DN DC=usa,DC=om,DC=org
>>>>
>>>> 06-Dec-2012 17:12:59.005 samba_dlz: starting configure
>>>>
>>>> 06-Dec-2012 17:12:59.007 samba_dlz: configured writeable zone
>>>> '4.10.in-addr.arpa'
>>>>
>>>> 06-Dec-2012 17:12:59.008 samba_dlz: configured writeable zone '
>>>> usa.om.org'
>>>>
>>>> 06-Dec-2012 17:12:59.010 samba_dlz: configured writeable zone '_
>>>> msdcs.usa.om.org'
>>>>
>>>> 06-Dec-2012 17:12:59.013 using built-in DLV key for view _default
>>>>
>>>> 06-Dec-2012 17:12:59.013 set up managed keys zone for view _default,
>>>> file '/var/named/dynamic/managed-keys.bind'
>>>>
>>>> 06-Dec-2012 17:12:59.013 automatic empty zone: 10.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.013 automatic empty zone: 16.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.013 automatic empty zone: 17.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.013 automatic empty zone: 18.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 19.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 20.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 21.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 22.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 23.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 24.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 25.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 26.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 27.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 28.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 29.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 30.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 31.172.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 168.192.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 127.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 254.169.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 2.0.192.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 100.51.198.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 113.0.203.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone:
>>>> 255.255.255.255.IN-ADDR.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone:
>>>> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: D.F.IP6.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 8.E.F.IP6.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 9.E.F.IP6.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: A.E.F.IP6.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: B.E.F.IP6.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.014 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
>>>>
>>>> 06-Dec-2012 17:12:59.018 command channel listening on 127.0.0.1#953
>>>>
>>>> 06-Dec-2012 17:12:59.018 command channel listening on ::1#953
>>>>
>>>> 06-Dec-2012 17:12:59.018 ignoring config file logging statement due to
>>>> -g option
>>>>
>>>> 06-Dec-2012 17:12:59.019 managed-keys-zone: loaded serial 16345
>>>>
>>>> 06-Dec-2012 17:12:59.020 zone 0.in-addr.arpa/IN: loaded serial 0
>>>>
>>>> 06-Dec-2012 17:12:59.021 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
>>>>
>>>> 06-Dec-2012 17:12:59.024 zone
>>>> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
>>>> loaded serial 0
>>>>
>>>> 06-Dec-2012 17:12:59.025 zone localhost/IN: loaded serial 0
>>>>
>>>> 06-Dec-2012 17:12:59.025 zone localhost.localdomain/IN: loaded serial 0
>>>>
>>>> 06-Dec-2012 17:12:59.026 all zones loaded
>>>>
>>>> 06-Dec-2012 17:12:59.026 running
>>>>
>>>> 06-Dec-2012 17:13:05.093 error (network unreachable) resolving
>>>> './NS/IN': 2001:503:ba3e::2:30#53
>>>>
>>>> 06-Dec-2012 17:13:05.093 error (network unreachable) resolving
>>>> './NS/IN': 2001:dc3::35#53
>>>>
>>>> 06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving
>>>> 'global.local/SOA/IN': 10.4.0.164#53
>>>>
>>>> 06-Dec-2012 17:13:05.226 error (network unreachable) resolving
>>>> 'global.local/SOA/IN': 2001:503:ba3e::2:30#53
>>>>
>>>> 06-Dec-2012 17:13:05.226 error (network unreachable) resolving
>>>> 'global.local/SOA/IN': 2001:dc3::35#53
>>>>
>>>> Interesting...  Looks like the server is saying that it is secure, but
>>>> sending back an insecure response???
>>>>
>>>> (And yes, the other dig command works as expected.)
>>>>
>>>
>>>
>>>
>>> --
>>>     Charles Tryon
>>> _________________________________________________________________________
>>>   “Risks are not to be evaluated in terms of the probability of success,
>>> but in terms of the value of the goal.”
>>>                 - Ralph D. Winter
>>>
>>>
>>
>


-- 
    Charles Tryon
_________________________________________________________________________
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
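The thread's diagnosis hinges on reading the `named -g` error lines: "network unreachable" toward IPv6 root servers is a transport problem, while "insecurity proof failed" for `global.local` from the AD server is the validator refusing an answer it cannot prove unsigned. The script below is an added example, not code from this thread or from BIND or Samba; it parses log lines in that format and separates the two error classes. The sample lines are copied from the log quoted above, and the `PRIVATE_TLDS` list used for the hint is an assumption.

```python
"""Triage BIND (named -g) resolver error lines by failure class.

Added example; not from the thread or from BIND/Samba. The sample log is
copied from the log quoted in the thread, and PRIVATE_TLDS is an assumed
list of suffixes that are not delegated in the public DNS tree.
"""
import re
from collections import defaultdict

# named -g error format:
#   <date> <time> error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) error \((?P<reason>[^)]*)\) resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[^/]+)/(?P<rclass>[^']+)': "
    r"(?P<server>\S+?)#(?P<port>\d+)$"
)

# Assumption: suffixes with no delegation in the public root, so a validating
# resolver cannot build a chain of trust (or a proof of insecurity) for them.
PRIVATE_TLDS = {"local", "lan", "internal", "home", "corp"}

# Sample input copied from the thread's quoted named log (plus one non-error line).
SAMPLE_LOG = """\
06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
06-Dec-2012 17:13:05.093 error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
06-Dec-2012 17:13:05.226 error (insecurity proof failed) resolving 'global.local/SOA/IN': 10.4.0.164#53
06-Dec-2012 17:13:05.226 error (network unreachable) resolving 'global.local/SOA/IN': 2001:503:ba3e::2:30#53
06-Dec-2012 17:13:05.226 error (network unreachable) resolving 'global.local/SOA/IN': 2001:dc3::35#53
06-Dec-2012 17:12:59.026 running
"""


def parse_line(line):
    """Return the fields of one resolver error line, or None for other lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Group errors as {reason: {queried name: [servers that produced it]}}."""
    out = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        out[rec["reason"]][rec["name"]].append(rec["server"])
    return {reason: dict(names) for reason, names in out.items()}


def unreachable_servers(log_text):
    """Servers behind 'network unreachable' errors; ':' marks an IPv6 address."""
    servers = set()
    for server_list in triage(log_text).get("network unreachable", {}).values():
        servers.update(server_list)
    return sorted(servers)


def validation_failures(log_text):
    """Names whose answers failed DNSSEC validation, with a short hint on why."""
    findings = []
    failed = triage(log_text).get("insecurity proof failed", {})
    for name, servers in failed.items():
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld in PRIVATE_TLDS:
            hint = ("parent suffix is not delegated in the public DNS, so the "
                    "validator cannot prove the zone is unsigned")
        else:
            hint = "check the DS/NSEC chain at the parent zone"
        findings.append({"name": name, "servers": sorted(set(servers)), "hint": hint})
    return findings


if __name__ == "__main__":
    for f in validation_failures(SAMPLE_LOG):
        print(f"validation failure: {f['name']} via {', '.join(f['servers'])}: {f['hint']}")
    v6 = [s for s in unreachable_servers(SAMPLE_LOG) if ":" in s]
    print("unreachable IPv6 servers:", ", ".join(v6))
```

Run against a real `named -g` capture (`python3 triage.py < /tmp/named.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the two buckets separate the question the thread is asking: whether the SRV lookups fail because the upstream cannot be reached, or because the answer is rejected by validation. Turning off `dnssec-validation` globally, as done above, silences the second class for every zone; the finding list makes it visible which names were actually affected.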


More information about the samba-technical mailing list