gitbls/ndm

dns forward does not work

peritonow opened this issue · 10 comments

I am using ndm on Ubuntu 20.04.2 LTS and getting the following errors:
May 11 15:40:53 beta named[9921]: validating com/DS: no valid signature found
May 11 15:40:53 beta named[9921]: validating com/DS: no valid signature found
May 11 15:40:53 beta named[9921]: validating com/DS: no valid signature found
May 11 15:40:53 beta named[9921]: validating com/DS: no valid signature found
May 11 15:40:53 beta named[9921]: validating com/DS: no valid signature found
...

When querying the local DNS I am getting the following:

dig @localhost www.apnic.net

; <<>> DiG 9.16.1-Ubuntu <<>> @localhost www.apnic.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8256
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b99e979feb36a2dd01000000609a89e0428519c49e517115 (good)
;; QUESTION SECTION:
;www.apnic.net. IN A

;; Query time: 463 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 11 15:42:56 CEST 2021
;; MSG SIZE rcvd: 70

None of the Windows clients are able to use the local DNS. Since I am not interested
in using DNSSEC I have put the following directive in /etc/bind/named.conf.options: 'dnssec-validation no;'

After this I am able to query without issues.

dig @localhost www.apnic.net

; <<>> DiG 9.16.1-Ubuntu <<>> @localhost www.apnic.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30271
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3875a94aa33684a701000000609a8aaee80351dbd0db5826 (good)
;; QUESTION SECTION:
;www.apnic.net. IN A

;; ANSWER SECTION:
www.apnic.net. 86400 IN CNAME www.apnic.net.cdn.cloudflare.net.
www.apnic.net.cdn.cloudflare.net. 299 IN A 104.18.235.68
www.apnic.net.cdn.cloudflare.net. 299 IN A 104.18.236.68

;; Query time: 87 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 11 15:46:22 CEST 2021
;; MSG SIZE rcvd: 148

I am enjoying this tool tremendously and it has saved me a lot of time maintaining dhcp and bind manually, as I was still doing until recently. Thank you.

Thanks for the kind comments, great to know that it's helping you!

As far as this issue, it does not repro on my RasPiOS system, so I'll spin up an Ubuntu system later today and have a look at it.

I will probably switch to RasPiOS sometime later, since I think I am on the bleeding edge of Linux features introduced in the Ubuntu 20.04.2 LTS release... I usually use RedHat/CentOS type versions, but on Raspberry Pi that is not an option anymore...

I have a vanilla Ubuntu 21.04 system with a "vanilla" configuration and I'm not seeing the error you're seeing. Is there some other way that dnssec got enabled on your system? In any event, if you'd prefer to correct "using" ndm, you might be able to do so using a --dnsinclude file assuming bind supports the 'dnssec-validation no;' statement at the end of the config file.

I don't use DNSSEC but my forwarders probably do: 8.8.8.8; 208.67.220.220; 8.8.4.4; 208.67.222.222;
Currently I am using dhcp isc-dhcpd-4.4.1 and BIND 9.16.1-Ubuntu (Stable Release)... the ndm files are without modifications except for these two issues with workarounds that I have reported.

How do I use --dnsinclude with the ndm config, and what does it do?

By the way, I was thinking that maybe the error was due to not defining any CNAMEs, so today I created a single record for it and the same error showed up on restart:
May 12 15:43:02 beta named[17730]: dns_master_load: /etc/bind/db.192.168.72:59: 10.72.168.192.in-addr.arpa: CNAME and other data
May 12 15:43:02 beta named[17730]: $GENERATE: /etc/bind/db.192.168.72:59: CNAME and other data
May 12 15:43:02 beta named[17730]: zone 72.168.192.in-addr.arpa/IN: loading from master file /etc/bind/db.192.168.72 failed: CNAME>
May 12 15:43:02 beta named[17730]: zone 72.168.192.in-addr.arpa/IN: not loaded due to errors.

So, I will use the workaround for this...

I tested my suggestion this morning (using --dnsinclude) and it doesn't work for dnssec-validation. What's needed is a way to add additional statements inside the 'options' block at the top of named.conf.options. This is a reasonable thing to do, so will look into it.

I've added the --bindoptions switch, which you can use to address this. In the file /path/to/bindoptions.txt (or whatever you want to call it), add the single line:

dnssec-validation no;

The trailing semicolon is important, as the statement must be syntactically correct.

Then, using the newest ndm bits:

ndm config --bindoptions /path/to/bindoptions.txt
ndm build
# Inspect and/or diff against your running version
ndm install

Using this you won't have to edit the output from ndm build before installing it.
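The "inspect and/or diff" step above is where the security decision actually happens, so here is an added example (written for this thread, not part of ndm) of what to check in the generated named.conf.options before running ndm install. It parses the top-level options block brace-aware, confirms that every statement is terminated by a semicolon (the mistake the maintainer warns about), pulls out dnssec-validation and the forwarders list, and reports what the combination means: validation off means named will pass on whatever the forwarders return, while validation on behind forwarders only works if every forwarder returns RRSIG/DS data, which is exactly the SERVFAIL seen in this issue. The sample configuration, the function names and the assumed BIND 9.16 default of "auto" when the statement is absent are all mine, not ndm output.

```python
"""Audit a generated named.conf.options before `ndm install`.

Added example for this issue thread; it is not part of ndm and the sample
configuration below is constructed, not copied from ndm's output.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of a generated /etc/bind/named.conf.options. Only the
# forwarders quoted in the issue are real; everything else is hypothetical.
SAMPLE_OPTIONS = """\
options {
        directory "/var/cache/bind";
        forwarders {
                8.8.8.8;
                208.67.220.220;
                8.8.4.4;
                208.67.222.222;
        };
        listen-on { any; };
        dnssec-validation no;   // the --bindoptions line from the issue
};
"""


def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_block(text: str, name: str) -> Optional[str]:
    """Return the body of the first `name { ... }` block, tracking nested braces."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unterminated '{name}' block")


def split_statements(body: str) -> List[str]:
    """Split a block body on ';' at brace depth 0.

    Text left after the last ';' is the missing-trailing-semicolon mistake the
    maintainer warns about, so it is rejected here as named-checkconf would.
    """
    stmts: List[str] = []
    cur: List[str] = []
    depth = 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmt = "".join(cur).strip()
            if stmt:
                stmts.append(stmt)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        raise ValueError(f"statement not terminated by ';': {tail!r}")
    return stmts


def audit_options(text: str) -> Dict[str, object]:
    """Summarise dnssec-validation and forwarders and list security findings."""
    body = extract_block(strip_comments(text), "options")
    if body is None:
        raise ValueError("no options block found")
    # "auto" is the assumed BIND 9.16 default when the statement is absent.
    mode = "auto"
    forwarders: List[str] = []
    for stmt in split_statements(body):
        key = stmt.split(None, 1)[0]
        if key == "dnssec-validation":
            mode = stmt.split()[1]
        elif key == "forwarders":
            inner = extract_block(stmt, "forwarders") or ""
            forwarders = [f.strip() for f in inner.split(";") if f.strip()]
    findings: List[str] = []
    if mode == "no":
        findings.append("DNSSEC validation disabled: named serves whatever the "
                        "forwarders return, so a forged or hijacked upstream "
                        "answer reaches every LAN client unflagged")
    elif forwarders:
        findings.append(f"dnssec-validation {mode} behind forwarders: each "
                        "forwarder must return RRSIG/DS data or lookups fail "
                        "with SERVFAIL (the symptom reported in this issue)")
    if mode == "yes":
        findings.append("dnssec-validation yes: a trust anchor must be configured "
                        "manually; 'auto' uses the built-in root anchor")
    return {"dnssec_validation": mode, "forwarders": forwarders, "findings": findings}


if __name__ == "__main__":
    import json
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OPTIONS
    print(json.dumps(audit_options(conf), indent=2))
```

Run it against the file ndm build produced (the path is whatever your ndm build writes; the script falls back to the constructed sample when no path is given). This is a review aid, not a replacement for BIND's own syntax check, so still run named-checkconf on the final named.conf before installing. If the audit shows validation enabled behind forwarders and you would rather keep it that way than disable it, the thing to confirm is that each forwarder actually returns signed data, for example with dig +dnssec @8.8.8.8 com DS and checking that an RRSIG is present and the ad flag is set.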

Thank you