I have two CentOS6 boxes, both running Bind as a local resolver, with
what appears to me to be the same configuration as each other. I have
a problem on one but not the other, to do with DNSSEC Lookaside Validation.
On the box with the problem, if I do: host www.bbc.co.uk 127.0.0.1
(for example), it sits there for a while, then gives me a timeout error.
I did some tests while running a tcpdump packet capture on udp port 53,
and I discovered that bind was fetching the correct answer normally,
and then performing a validation query to one of the DLV servers at ISC
(e.g. 199.6.0.29, 199.6.0.30, 199.6.1.29 or 199.6.1.30). It was not
receiving any reply. After several seconds, it tried another DLV server
and again received no reply.
A similar test on the other box receives replies from ISC no problem.
I have tried disabling iptables on the failing box, but that didn't help.
I'm assuming something in the request causes ISC to ignore it.
The relevant parts of named.conf are the same on both boxes, and
are pretty close to the stock installation from CentOS6:
//-------------------------------------------------------------
options {
listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//allow-query { localhost; };
//allow-recursion { localhost; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
//-------------------------------------------------------------
I have compared named.iscdlv.key, named.root.key and named.rfc1912.zones,
the they are the same on both systems. The key records stored in
/var/named/dynamic
are also the same on both.
The failing box fails whether allow-query and allow-recursion are commented
out or not. I can make it work by commenting out the dnssec lines, but of
course that it just disabling the queries to ISC.
Can anyone give me any ideas why one box would get DLV replies and the other
would not? And hopefully how to fix it!
Thanks!
Tony
--
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org