Redhat – Bind9 forwarding zone not working

bindforwardingredhat

i've setup a forwarding zone on a RHEL6 Bind server like this:

zone "office.local" IN {
        type forward;
        forward only;
        forwarders { 192.168.0.2; 192.168.0.3; };
};

when i try to query using dig @127.0.0.1 monitorsms.office.local i see the following message in the syslog:

client 127.0.0.1#39376: query: monitorsms.office.local IN A + (127.0.0.1)
validating @0x7ff7640357d0: monitorsms.office.local A: bad cache hit (monitorsms.office.local/DS)

google tells me, that there is an issue with DNSSEC, but both servers do not have DNSSEC configured and thus do not send any DNSSEC records.

What's wrong with my configuration?

Best Answer

ha, just found it out. i had to deactivate the dnssec-lookaside auto setting:

options { dnssec-lookaside auto; }

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Looking at the IP addresses in your resolv.conf I get the feeling that your BIND server is on 192.168.1.52. As far as I can tell, you can't specify in resolv.conf something like "for these domains, use this name server". Basically, your BIND server will never be queried. As you can see in your dig lookup (which is incorrect, it is asking for a reverse DNS entry), it tries 80.58.0.33, which I assume is your provider's DNS server.

You already set up BIND as caching nameserver by using the 'forwarders' option, so what you need to do is have only 192.168.1.52 in the client PCs as nameserver.

To see if your BIND is configured correctly, try this:

dig example.test @192.168.1.52

Recursive forward a zone in BIND

First of all, I would suggest you use something other than 5353 as an alternate port for DNS servers. 5353 conflicts with zeroconf/mDNS.

The reason it only works when you use vps.example.org as a recursive resolver is because that's the only recursive server that's been told that it needs to go to a special DNS server on port 5353 to find foo.example.org.

Because you can't specify a port number in an NS record, it's generally impossible to have a an authoritative server on a port other than 53. All of the recursive nameservers in the world are going to find the NS record for the domain in question and are going to try to contact that server on port 53. If you wanted them to use a different port, you'd have to configure every one of them with a forward zone pointing to port 5353.

By the way, it isn't clear why you want to host foo.example.org on a separate nameserver on a different port (or IP address). Why don't you just add the foo.example.org zone to the same authoritative nameserver that serves example.org?

Best Answer

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Recursive forward a zone in BIND

Related Topic