broken trust chain with my DNS setup


broken trust chain with my DNS setup

Bind-Users forum mailing list

Hi, I hope someone can help. Here is my setup on BIND 9.17.10.

https://bridgemode.bounceme.net/DNS%20BIND%20setup.html

https://bridgemode.bounceme.net/DNS%20BIND%20setup2.txt

When working what happens is:

first lookup

A lookup from 127.0.0.1 on the main PC: BIND forwards it to 192.168.255.53 from 192.168.255.56; on the HTPC, BIND forwards it on to 192.168.255.55 from 192.168.255.53; the main PC then does the recursive lookup in the matching view/ACL.

second lookup

A lookup by 192.168.255.53 on the main PC from 192.168.255.55: on the HTPC, BIND forwards it to 192.168.255.56 from 192.168.255.54; the main PC then does the recursive lookup in the matching view/ACL.

issue

After many days of working fine, this is what happens:

querylog yes;

client @00000227150F1FE8 127.0.0.1#55768 (community.zyxel.com): view loopbackPC: query failed (broken trust chain) for community.zyxel.com/IN/A at c:\builds\isc-private\bind9\lib\ns\query.c:7581

^This is from the Windows Event Viewer.

The only way to fix it is to restart BIND on the main PC.

Thanks if you can help



broken trust chain with my DNS setup

Bind-Users forum mailing list

https://bridgemode.bounceme.net/DNS%20BIND%20setup2.txt

In %ProgramFiles%\ISC BIND 9\bin, run rndc-confgen -a from CMD.
folder managed-keys in etc

file rndc.conf in etc

// rndc.conf: settings for the rndc control client. The key file it includes is
// written by "rndc-confgen -a" (see the setup step above); whoever can read that
// file can control named, so keep its file permissions tight.
include "C:\Program Files\ISC BIND 9\etc\rndc.key";

options {
 	default-key "rndc-key";    // key name defined in rndc.key
  default-server 127.0.0.1;  // named is reached over loopback only
  default-port 953;          // rndc control port; neither named.conf below has a controls statement, so named's default control channel (loopback, port 953, rndc.key) is relied on — confirm
};

file named.root in etc (root hints, obtained from ftp.internic.net)
file localhost in etc

; Forward zone data for "localhost", loaded by the zone "localhost" statements
; in both named.conf files below. "@" is the zone origin, so the SOA MNAME is
; the zone name itself and RNAME "root" expands to root.<origin>.
$TTL 86400
@              IN  SOA   @  root (
                         0   ; Serial
                         8H  ; Refresh
                         15M ; Retry
                         1W  ; Expire
                         1D) ; Minimum TTL
               IN   NS   @          ; the zone is its own name server
               IN   A    127.0.0.1  ; IPv4 loopback
	       IN   AAAA   ::1        ; IPv6 loopback

file 127.0.0.zone in etc

; Reverse zone for 0.0.127.in-addr.arpa; the origin comes from the zone
; statement that loads this file. Maps 127.0.0.1 back to localhost.
$TTL    3D
@       IN      SOA     localhost. root.localhost. (
                            1               ; serial
                            8H              ; refresh
                            2H              ; retry
                            4W              ; expiry
                            1D )            ; minimum
         IN       NS      localhost.
1        IN       PTR     localhost.   ; 1.0.0.127.in-addr.arpa -> localhost.

Main PC file named.conf in etc

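// Client ACLs referenced by the view match-clients statements below.
acl private { 192.168.255.54; };        // the HTPC's second address -> view private
acl loopbackPC { 127.0.0.1; };          // this host's own IPv4 loopback -> view loopbackPC
acl PClooplookup { 192.168.255.53;  };  // the HTPC's forwarding source address -> view PClooplookup
// NOTE(review): ::1 is in listen-on-v6 but in no ACL, so IPv6-loopback clients
// match no view and are refused; add ::1 to loopbackPC if local IPv6 lookups
// are wanted.
// Sources ignored by options { blackhole }. ACLs are first-match, so the four
// negated (!) host entries must stay ahead of 192.168.0.0/16, otherwise the two
// BIND hosts would blackhole each other.
acl bogusnets { 0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12;! 192.168.255.56;! 192.168.255.55;! 192.168.255.54;! 192.168.255.53; 192.168.0.0/16; 169.254.0.0/16; };
// Answer addresses rejected by deny-answer-addresses (DNS-rebinding protection).
// An IPv4-mapped IPv6 address is the 96-bit ::ffff:0:0 prefix plus the 32 IPv4
// bits, so a mapped entry's prefix length is 96 + the IPv4 prefix length. The
// previous /120, /116 and /120 covered only 192.168.0.0/24, 172.16.0.0/20 and
// 10.0.0.0/24 in mapped form; /112, /108 and /104 now mirror the IPv4 entries.
// NOTE(review): 127.0.0.0/24 covers only part of the loopback block; 127.0.0.0/8
// is the usual choice — confirm before widening it.
acl Rebinding { ::ffff:127.0.0.1/128; ::ffff:192.168.0.0/112; ::ffff:172.16.0.0/108; ::ffff:10.0.0.0/104; ::1/128; 127.0.0.0/24;0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 169.254.0.0/16; };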
// Global options for the main PC. There is no dnssec-validation statement, so
// this release line's default (auto, built-in root trust anchor) applies and
// every view below validates the answers it receives — confirm with
// "named-checkconf -p".
options {
  // Do not disclose software version, host name or server id to CHAOS-class queries.
  version none;
  hostname none;
  server-id none;
  // DNS-rebinding protection: reject responses whose answers contain an
  // address in acl Rebinding.
  // NOTE(review): except-from takes a list of DOMAIN NAMES whose answers are
  // exempt, not ACL names. "private", "loopbackPC" and "PClooplookup" are
  // therefore parsed as the domains private., loopbackPC. and PClooplookup.,
  // and no client is exempted; list the local domains that legitimately
  // resolve to LAN addresses here instead.
  deny-answer-addresses { "Rebinding";} except-from { "private";"loopbackPC";"PClooplookup"; };
  // Working directory; the relative file names below (named.root, localhost,
  // 127.0.0.zone, managed-keys) resolve against it.
  directory "C:\Program Files\ISC BIND 9\etc";
  // IPv6: loopback only (note that ::1 matches no view, so those clients are
  // refused). IPv4: loopback plus the two LAN addresses the HTPC forwards to.
  listen-on-v6 { ::1; };
  listen-on port 53 { 127.0.0.1; 192.168.255.56;192.168.255.55; };
  // Source-port pool for outgoing queries: the full range minus ports used by
  // other local services. A large pool keeps source-port randomisation
  // effective against cache poisoning.
  avoid-v4-udp-ports { 53;67;68;69;533;445;500;135;137;138;139;546;547;1900;3702;4500;5000;5004;5005; };
  use-v4-udp-ports { range 1 65535; };
  avoid-v6-udp-ports { 53;67;68;69;533;445;500;135;137;138;139;546;547;1900;3702;4500;5000;5004;5005; };
  use-v6-udp-ports { range 1 65535; };
  // Ignore traffic from, and never send queries to, bogusnets; the four BIND
  // addresses are negated out of that ACL.
  blackhole { bogusnets; };
  // dnssec-enable is deprecated in this release line; keep it commented out.
//  dnssec-enable yes;
  // RFC 5011 managed trust-anchor state, relative to "directory".
  managed-keys-directory "managed-keys";
  // 0 disables caching of lame-server responses.
  lame-ttl 0;
  // NOTE(review): both limits are far above the defaults (7 and 100 in this
  // release line — verify). They cap how much work one client query can cause
  // (CNAME/NS/DS/DNSKEY chasing); 1000 effectively removes that protection
  // against resource exhaustion through deep indirection. Lower them unless a
  // specific lookup has been shown to need more.
  max-recursion-depth 1000;
  max-recursion-queries 1000;
  // 30 s (value is in milliseconds) before a client query gets SERVFAIL — the
  // documented maximum, so a slow hop in the three-step forwarding chain holds
  // the client that long.
  resolver-query-timeout 30000;
  // Log every received query. The "query failed (broken trust chain)" line in
  // the post comes from the query-errors log category, not from this log.
  querylog yes;
};
// View for queries from the HTPC's 192.168.255.54 address (acl private), i.e.
// what its "lookup2backtoPC" view forwards here. No forward statement, so this
// view resolves iteratively from the root hints (recursion relies on the
// default allow-recursion of localnets/localhost covering that address — verify).
view private {
	match-clients { private; };
// root zone
zone "." in { type hint; file "named.root";
};
// local direct zone
zone	"localhost"	{ type master; file "localhost";
};
// local reverse zone
zone	"0.0.127.in-addr.arpa"	{ type master; file "127.0.0.zone"; 
};
};
// View for queries from this host's own IPv4 loopback (acl loopbackPC).
// Everything is forwarded to the HTPC at 192.168.255.53 — "forward only", so
// there is no fallback to iterative resolution when the forwarder fails — with
// 192.168.255.56 as the source address, which is what the HTPC's
// "lookupbacktoPC" view matches on.
// NOTE(review): the "query failed (broken trust chain)" error in the post is
// logged against this view. With forward only, this view's DNSSEC validation
// (on by default in this release line — confirm) must obtain the DNSKEY/DS/
// NSEC proofs through the HTPC hop as well, and the fact that a restart clears
// the condition points at cached state: "rndc flush loopbackPC" is worth
// trying before a full restart.
view loopbackPC {
	match-clients { loopbackPC; };
	forward only;
	forwarders { 192.168.255.53; };
	query-source address 192.168.255.56 port *;
// root zone
zone "." in { type hint; file "named.root";
};
// local direct zone
zone	"localhost"	{ type master; file "localhost";
};
// local reverse zone
zone	"0.0.127.in-addr.arpa"	{ type master; file "127.0.0.zone";
};
};
// View for queries arriving from the HTPC's forwarding source address
// 192.168.255.53 (acl PClooplookup). No forwarders here, so this is the view
// that finally resolves iteratively from the root hints the queries that left
// this host through view loopbackPC and came back via the HTPC.
view PClooplookup {
	match-clients { PClooplookup; };
// root zone
zone "." in { type hint; file "named.root";
};
// local direct zone
zone	"localhost"	{ type master; file "localhost";
};
// local reverse zone
zone	"0.0.127.in-addr.arpa"	{ type master; file "127.0.0.zone";
};
};

HTPC file named.conf in etc

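// Client ACLs referenced by the view match-clients statements below.
acl lookup2backtoPC { 192.168.255.55; };  // the main PC's second LAN address -> view "lookup2backtoPC"
acl lookupbacktoPC { 192.168.255.56; };   // the main PC's forwarding source address -> view "lookupbacktoPC"
// Sources ignored by options { blackhole }. ACLs are first-match, so the four
// negated (!) host entries must stay ahead of 192.168.0.0/16, otherwise the two
// BIND hosts would blackhole each other.
acl bogusnets { 0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12;!  192.168.255.56;! 192.168.255.55;! 192.168.255.54;! 192.168.255.53; 192.168.0.0/16; 169.254.0.0/16; };
// Answer addresses rejected by deny-answer-addresses (DNS-rebinding protection).
// The leading "! 192.168.255.253" exempts that one LAN address (presumably the
// router — verify) and only works because it precedes 192.168.0.0/16; if that
// host can also be returned as an IPv4-mapped AAAA, a matching
// "! ::ffff:192.168.255.253;" entry is needed too.
// An IPv4-mapped IPv6 address is the 96-bit ::ffff:0:0 prefix plus the 32 IPv4
// bits, so a mapped entry's prefix length is 96 + the IPv4 prefix length. The
// previous /120, /116 and /120 covered only 192.168.0.0/24, 172.16.0.0/20 and
// 10.0.0.0/24 in mapped form; /112, /108 and /104 now mirror the IPv4 entries.
// NOTE(review): 127.0.0.0/24 covers only part of the loopback block; 127.0.0.0/8
// is the usual choice — confirm before widening it.
acl Rebinding { ! 192.168.255.253; ::ffff:127.0.0.1/128; ::ffff:192.168.0.0/112; ::ffff:172.16.0.0/108; ::ffff:10.0.0.0/104; ::1/128; 127.0.0.0/24;0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 169.254.0.0/16; };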
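// Global options for the HTPC. As on the main PC there is no dnssec-validation
// statement, so this release line's default (auto, built-in root trust anchor)
// applies and both views below validate the answers they receive — confirm
// with "named-checkconf -p".
options {
  // Do not disclose software version, host name or server id to CHAOS-class queries.
  version none;
  hostname none;
  server-id none;
  // DNS-rebinding protection: reject responses whose answers contain an
  // address in acl Rebinding.
  // NOTE(review): except-from takes a list of DOMAIN NAMES whose answers are
  // exempt, not ACL names. "lookupbacktoPC" and "lookup2backtoPC" are therefore
  // parsed as the domains lookupbacktoPC. and lookup2backtoPC., and no client
  // is exempted; list the local domains that legitimately resolve to LAN
  // addresses here instead.
  deny-answer-addresses { "Rebinding";} except-from { lookupbacktoPC; lookup2backtoPC; };
  // Working directory; the relative file names below resolve against it.
  directory "C:\Program Files\ISC BIND 9\etc";
  // Listens on IPv6 loopback and on IPv4 loopback plus both LAN addresses, but
  // no view below matches 127.0.0.1 or ::1, so queries from this host's own
  // loopback are refused — presumably intended (its stub resolver points
  // elsewhere); verify.
  listen-on-v6 { ::1; };
  listen-on port 53 { 127.0.0.1; 192.168.255.54;192.168.255.53; };
  // Source-port pool for outgoing queries: the full range minus ports used by
  // other local services. A large pool keeps source-port randomisation
  // effective against cache poisoning. Both lists are now identical to the
  // main PC's: the duplicated 53 is dropped and 139 (NetBIOS session) added.
  avoid-v4-udp-ports { 53;67;68;69;533;445;500;135;137;138;139;546;547;1900;3702;4500;5000;5004;5005; };
  use-v4-udp-ports { range 1 65535; };
  avoid-v6-udp-ports { 53;67;68;69;533;445;500;135;137;138;139;546;547;1900;3702;4500;5000;5004;5005; };
  use-v6-udp-ports { range 1 65535; };
  // Ignore traffic from, and never send queries to, bogusnets; the four BIND
  // addresses are negated out of that ACL.
  blackhole { bogusnets; };
  // dnssec-enable is deprecated in this release line; keep it commented out.
//  dnssec-enable yes;
  // 0 disables caching of lame-server responses.
  lame-ttl 0;
  // NOTE(review): both limits are far above the defaults (7 and 100 in this
  // release line — verify). They cap how much work one client query can cause
  // (CNAME/NS/DS/DNSKEY chasing); 1000 effectively removes that protection
  // against resource exhaustion through deep indirection. Lower them unless a
  // specific lookup has been shown to need more.
  max-recursion-depth 1000;
  max-recursion-queries 1000;
  // 30 s (value is in milliseconds) before a client query gets SERVFAIL — the
  // documented maximum, so a slow hop in the forwarding chain holds the client
  // that long.
  resolver-query-timeout 30000;
  // RFC 5011 managed trust-anchor state, relative to "directory".
  managed-keys-directory "managed-keys";
  // Log every received query. The "query failed (broken trust chain)" line in
  // the post comes from the query-errors log category, not from this log.
  querylog yes;
};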
// View for queries from 192.168.255.56, the source address the main PC's
// "loopbackPC" view forwards from. Everything is forwarded on to the main PC at
// 192.168.255.55 ("forward only": no iterative fallback) from 192.168.255.53,
// which lands in the main PC's "PClooplookup" view. This is the middle hop of
// the post's "first lookup"; a validation failure or timeout here surfaces as
// SERVFAIL on the main PC's loopback client.
view "lookupbacktoPC" {
	match-clients { lookupbacktoPC;};
	forward only; 
	forwarders  { 192.168.255.55; };
	query-source address 192.168.255.53 port *;
// root zone
zone "." in { type hint; file "named.root";
};
// local direct zone
zone	"localhost"	{ type master; file "localhost";
};
// local reverse zone
zone	"0.0.127.in-addr.arpa"	{ type master; file "127.0.0.zone";
};
};
// View for queries from 192.168.255.55. Everything is forwarded to the main PC
// at 192.168.255.56 ("forward only") from 192.168.255.54, which lands in the
// main PC's "private" view. Neither main PC view in the post sets
// 192.168.255.55 as its query-source, so what reaches this view is presumably
// the post's "second lookup" path — verify which client actually sends from
// that address.
view "lookup2backtoPC" {
	match-clients { lookup2backtoPC; };
	forward only; 
	forwarders  { 192.168.255.56; };
	query-source address 192.168.255.54 port *;
// root zone
zone "." in { type hint; file "named.root";
};
// local direct zone
zone	"localhost"	{ type master; file "localhost";
};
// local reverse zone
zone	"0.0.127.in-addr.arpa"	{ type master; file "127.0.0.zone";
};
};
