Re: Authoritative and caching

2025-04-03 Thread Danjel Jungersen via bind-users

Hi everyone.

Thank you for all your help!

One key piece of info that I missed: the DS record should be placed on the TLD host.

I tried (and failed) using the "normal" publicly available DNS for my domain.

Now back to the original problem, getting DANE set up.

All the best!
Danjel

On 23-03-2025 11:18, Danjel Jungersen via bind-users wrote:

On 19-02-2025 12:04, Greg Choules wrote:

Hi Danjel.
To obtain a packet capture use tcpdump, which is probably installed 
already. If not, add it using your preferred package manager.
You can dump to the screen, but I find it more useful to dump to a 
file, which can then be analysed offline in Wireshark.


A typical capture command might be:

sudo tcpdump -nvc 1000 -w  host "(192.168.20.10 or 192.168.20.11)" and port 53



OK, I tried that.

I also studied the output in wireshark.
But since this is my first try, I don't know what to look for, and 
cannot find out what's wrong.


I get:
root@mail:~# dig A mail.jungersen.dk @127.0.0.1

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A mail.jungersen.dk @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47697
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 41461c3ea02342e4010067dfdba11eea65ad9061831f (good)
;; QUESTION SECTION:
;mail.jungersen.dk. IN  A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 23 11:00:01 CET 2025
;; MSG SIZE  rcvd: 74

The mentioned tcpdump command gave the attached result.

Just to sum it up:
My setup:
I have a mailserver (192.168.20.9); on the same box I have bind as 
resolver.

I have 2 bind boxes running as "local authoritative" for the 
jungersen.dk zone (192.168.20.10 and 192.168.20.11).

This was meant to give me the result of 192.168.20.9 when looking up 
my local mailserver on my local network, while giving the 212.27.12.12 
result when asked from the public.

The public DNS is hosted at one.com

I tried setting up dnssec to satisfy the suggested solution:

1) create a working chain of trust that links to your private zone content

But you may have guessed it, it does not work.

Does the above give enough info to give me more guidance?

TIA
Danjel


That will capture to disk all DNS traffic to and from your 
forwarders, up to a limit of 1000 packets, just as a safety net. Once 
that is running, make your tests to the local machine, stop the 
capture, upload it here if you wish or just open it in Wireshark and 
follow the conversations and their timeline.

It is almost certainly a DNSSEC problem though, as Mark says.

Hope that helps.
Cheers, Greg

On Wed, 19 Feb 2025 at 10:22, Danjel Jungersen via bind-users wrote:


On 19-02-2025 11:11, Marco Moock wrote:
> On Wed, 19 Feb 2025 10:58:14 +0100,
> Danjel Jungersen via bind-users wrote:
>
>> But if I change /etc/resolv.conf to 127.0.0.1 something happens
>> If I do a dig or ping from my postfixbox to something that the 2 main
>> bind-boxes are authoritative for, it doesn't work.
> Please sniff the DNS traffic between the 2 machines and check if the
> request goes out to the authoritative server and check what it replied.
>
> You can trigger the request by
>
> dig A/ non-working domain @IP.
>
> Try +recurse/+norecurse to check if the issue is related to those flags.
root@mail:~# dig A mail.jungersen.dk @127.0.0.1

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A mail.jungersen.dk @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9792
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d55e55f5d6573eaf010067b5af13a2e4bdccbb3ce36b (good)
;; QUESTION SECTION:
;mail.jungersen.dk. IN  A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Feb 19 11:14:43 CET 2025
;; MSG SIZE  rcvd: 74


dig +recurse A mail.jungersen.dk @127.0.0.1

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +recurse A mail.jungersen.dk @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19526
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1579e49c3774139b010067b5af24e95ccd20f610d99d (good)
;; QUESTION SECTION:
;mail.jungersen.dk. IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Feb 19 11:1
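
The thread's closing insight, that the DS record belongs at the parent (the TLD) and must match the key actually signing the zone, can be checked offline. The Python below is an added example, not code from the thread or from BIND: it implements the RFC 4034 key-tag and DS-digest computations and tests whether a DS links to a given DNSKEY, which is the link a validating resolver follows before it returns SERVFAIL. The 4-byte key bytes are a constructed placeholder, not the real jungersen.dk key.

```python
# Added example: does a parent-zone DS record derive from this child DNSKEY?
# If the locally served copy of jungersen.dk is signed with a key the .dk TLD
# holds no DS for, this check fails, and so does the resolver's validation.
import base64
import hashlib
import struct


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 appendix B): sum of 16-bit words with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire || DNSKEY RDATA); type 2 is SHA-256."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, owner_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner: str, ds: tuple, dnskey: tuple) -> bool:
    """ds = (key_tag, algorithm, digest_type, digest_hex); dnskey = (flags, proto, alg, b64)."""
    tag, alg, dtype, digest = ds
    flags, proto, kalg, pub = dnskey
    rdata = dnskey_rdata(flags, proto, kalg, pub)
    return (bool(flags & 0x100)                  # Zone Key bit must be set
            and kalg == alg
            and key_tag(rdata) == tag
            and ds_digest(owner, rdata, dtype) == digest.upper())


if __name__ == "__main__":
    # Constructed placeholder key (4 bytes; real ECDSA P-256 keys are 64 bytes).
    key = (257, 3, 13, "AAECAw==")
    rd = dnskey_rdata(*key)
    ds = (key_tag(rd), 13, 2, ds_digest("jungersen.dk", rd))
    print("DS for demo key:", ds)
    print("zone copy signed with a different key links to that DS?",
          ds_matches("jungersen.dk", ds, (257, 3, 13, "AAECBA==")))  # False
```

To compare a real zone, paste the DS published at the TLD and the DNSKEY served by 192.168.20.10 into the two tuples; a False result explains a SERVFAIL from the validating resolver.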

Grief after upgrade to macOS Sequoia 15.4

2025-04-03 Thread Niall O'Reilly

I don't know whether this needs attention by Apple or by ISC.

Something in the depths seems to have been changed (by Apple)
in a way that gives dig (and perhaps other code using
libisc-9.20.7.dylib) indigestion during release of
resources before exiting.

Here's what I'm seeing:

```
niall@m2a ~ % dig +short defo.ie
213.108.108.101
mem.c:367: INSIST(s >= size) failed, back trace
0   libisc-9.20.7.dylib 0x00010050bf3c default_callback + 72
1   libisc-9.20.7.dylib 0x00010050bed4 isc_assertion_failed + 20
2   libisc-9.20.7.dylib 0x00010051fd30 isc__mem_strdup + 0
3   libxml2.2.dylib 0x0001a7979764 xmlCleanupCharEncodingHandlers + 96
4   libxml2.2.dylib 0x0001a7997cac xmlCleanupParser + 36
5   libisc-9.20.7.dylib 0x000100532688 isc__xml_shutdown + 12
6   libisc-9.20.7.dylib 0x0001005198c0 isc__shutdown + 20
7   libsystem_c.dylib   0x00019e239944 __cxa_finalize_ranges + 480
8   libsystem_c.dylib   0x00019e239704 exit + 44
9   libdyld.dylib   0x00019e38bdc8 _ZNK5dyld416LibSystemHelpers6getenvEPKc + 0
10  dyld 0x00019dfe2c60 _ZNK5dyld423LibSystemHelpersWrapper4exitEi + 172
11  dyld 0x00019dfe2b7c start + 6048
zsh: abort  dig +short defo.ie
niall@m2a ~ %
```

/Niall
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Grief after upgrade to macOS Sequoia 15.4

2025-04-03 Thread Ondřej Surý
It’s been tracked as https://gitlab.isc.org/isc-projects/bind9/-/issues/5268 and https://github.com/Homebrew/homebrew-core/issues/217127

Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

On 3. 4. 2025, at 20:48, Niall O'Reilly wrote:

I don't know whether this needs attention by Apple or by ISC.
Something in the depths seems to have been changed (by Apple)
in a way that gives dig (and perhaps other code using
libisc-9.20.7.dylib) indigestion during release of
resources before exiting.
Here's what I'm seeing:
niall@m2a ~ % dig +short defo.ie
213.108.108.101
mem.c:367: INSIST(s >= size) failed, back trace
0   libisc-9.20.7.dylib 0x00010050bf3c default_callback + 72
1   libisc-9.20.7.dylib 0x00010050bed4 isc_assertion_failed + 20
2   libisc-9.20.7.dylib 0x00010051fd30 isc__mem_strdup + 0
3   libxml2.2.dylib 0x0001a7979764 xmlCleanupCharEncodingHandlers + 96
4   libxml2.2.dylib 0x0001a7997cac xmlCleanupParser + 36
5   libisc-9.20.7.dylib 0x000100532688 isc__xml_shutdown + 12
6   libisc-9.20.7.dylib 0x0001005198c0 isc__shutdown + 20
7   libsystem_c.dylib   0x00019e239944 __cxa_finalize_ranges + 480
8   libsystem_c.dylib   0x00019e239704 exit + 44
9   libdyld.dylib   0x00019e38bdc8 _ZNK5dyld416LibSystemHelpers6getenvEPKc + 0
10  dyld0x00019dfe2c60 _ZNK5dyld423LibSystemHelpersWrapper4exitEi + 172
11  dyld0x00019dfe2b7c start + 6048
zsh: abort  dig +short defo.ie
niall@m2a ~ %

/Niall


Re: Grief after upgrade to macOS Sequoia 15.4

2025-04-03 Thread Daniel Stirnimann via bind-users

Hi Niall,

If you use brew, I solved it with this:

brew uninstall bind
brew cleanup
brew install libxml2
export LDFLAGS="-L/opt/homebrew/opt/libxml2/lib"
export CPPFLAGS="-I/opt/homebrew/opt/libxml2/include"
export PKG_CONFIG_PATH="/opt/homebrew/opt/libxml2/lib/pkgconfig"
brew install --build-from-source bind

Daniel


On 03.04.2025 20:48, Niall O'Reilly wrote:

I don't know whether this needs attention by Apple or by ISC.

Something in the depths seems to have been changed (by Apple)
in a way that gives dig (and perhaps other code using
libisc-9.20.7.dylib) indigestion during release of
resources before exiting.

Here's what I'm seeing:

niall@m2a ~ % dig +short defo.ie
213.108.108.101
mem.c:367: INSIST(s >= size) failed, back trace
0 libisc-9.20.7.dylib 0x00010050bf3c default_callback + 72
1 libisc-9.20.7.dylib 0x00010050bed4 isc_assertion_failed + 20
2 libisc-9.20.7.dylib 0x00010051fd30 isc__mem_strdup + 0
3 libxml2.2.dylib 0x0001a7979764 xmlCleanupCharEncodingHandlers + 96
4 libxml2.2.dylib 0x0001a7997cac xmlCleanupParser + 36
5 libisc-9.20.7.dylib 0x000100532688 isc__xml_shutdown + 12
6 libisc-9.20.7.dylib 0x0001005198c0 isc__shutdown + 20
7 libsystem_c.dylib 0x00019e239944 __cxa_finalize_ranges + 480
8 libsystem_c.dylib 0x00019e239704 exit + 44
9 libdyld.dylib 0x00019e38bdc8 _ZNK5dyld416LibSystemHelpers6getenvEPKc + 0
10 dyld 0x00019dfe2c60 _ZNK5dyld423LibSystemHelpersWrapper4exitEi + 172
11 dyld 0x00019dfe2b7c start + 6048
zsh: abort dig +short defo.ie
niall@m2a ~ %


/Niall