I'm on Rocky 9.5, bind-chroot 32:9.16.23-24.el9_5.3.
I am not trying to sign a zone. I am just trying to get the resolver to work using DNSSEC.
I have read the docs for bind and bind-dnssec, searched for how-tos, read setup instructions from several different sites, and still cannot get bind to resolve hosts or domains when dnssec-validation is set to yes or auto. With it set to auto or yes, the resolver does not return an address.
When I set dnssec-validation to no, then the domains that have DNSSEC registered resolve and provide an IP address.
Looking for some insight on what options to put in named.conf and anything else needed in order to get DNSSEC working in the bind resolver.
I would prefer to use "auto," so it is more maintenance free, but "yes" is preferable to "no," which is what I have to use presently.
From this link: https://kb.isc.org/docs/aa-01182
Do you have the managed-keys entries that are mentioned? These exist on my Debian installations, and when I set it to auto I can still use DNS, and even make DNSSEC queries. That's about the only thing I can think of, since nothing else was changed in the bind configuration.
On my Rocky 9 I just installed the bind and bind-dnssec-utils packages, then checked /etc/named.conf to see if dnssec-validation was changed from yes to auto, and then started the service. I could make DNS queries without problem, and also verify dnssec using something like below:
dig @localhost com. SOA +dnssec
and verifying the files I mentioned:
root@rocky9:~# ls -lha /var/named/dynamic/
total 8.0K
drwxrwx---. 2 named named 60 Mar 12 09:54 .
drwxrwx--T. 5 root named 127 Mar 12 09:52 ..
-rw-r--r--. 1 named named 1.4K Mar 12 09:54 managed-keys.bind
-rw-r--r--. 1 named named 1.4K Mar 12 09:53 managed-keys.bind.jnl
For your chroot environment it will be similar, but you'll need to make sure that the chroot has access to those managed-keys files.
I need to clarify.
It is not that it won't resolve any hosts when it is set to auto. It is that it won't resolve any hosts or domains that are DNSSEC signed.
comcast.net is DNSSEC signed.
This is the result of dig when it is set to auto:
dig @192.168.1.5 +dnssec +multiline comcast.net
; <<>> DiG 9.16.23-RH <<>> @192.168.1.5 +dnssec +multiline comcast.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31817
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 67080a0d9751c94e0100000067d19e6a9641015b4caec558 (good)
;; QUESTION SECTION:
;comcast.net. IN A
;; Query time: 267 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Wed Mar 12 10:47:06 EDT 2025
;; MSG SIZE rcvd: 68
This is the output of dig when it is set to no:
dig @192.168.1.5 +dnssec +multiline comcast.net
; <<>> DiG 9.16.23-RH <<>> @192.168.1.5 +dnssec +multiline comcast.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34559
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: eeb3aa4944a6b9ca0100000067d19f1783add808651449e5 (good)
;; QUESTION SECTION:
;comcast.net. IN A
;; ANSWER SECTION:
comcast.net. 7200 IN A 96.99.227.0
comcast.net. 7200 IN RRSIG A 5 2 7200 (
20250321144439 20250304143939 26550 comcast.net.
ko1btIlVgI8syUael9yZx3BeJE7QOcDgBruI3hqrrox4
LMnyondSbTkO6yQj/LnKDKtqstR1Q9BTOwWcvLX7TFW9
4ZIluBFfZeQjnvXTkIh2yTGkUNrVo/zjODI/MNXKxTsN
SE/miWIGlrelsjEtH2QNtZzPzw7kUQ1xenLgobQ= )
;; Query time: 302 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Wed Mar 12 10:49:59 EDT 2025
;; MSG SIZE rcvd: 255
I still think your configuration is wrong. As I said before, check your config. I've just done this on mine, which I installed this morning when attempting to help you, and it works:
root@rocky9:~# dig @localhost comcast.net +dnssec
; <<>> DiG 9.16.23-RH <<>> @localhost comcast.net +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44953
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 2d0db96cd68fe4a10100000067d1ac2a088b491211d5e6ef (good)
;; QUESTION SECTION:
;comcast.net. IN A
;; ANSWER SECTION:
comcast.net. 7136 IN A 96.99.227.0
comcast.net. 7136 IN RRSIG A 5 2 7200 20250321144439 20250304143939 26550 comcast.net. ko1btIlVgI8syUael9yZx3BeJE7QOcDgBruI3hqrrox4LMnyondSbTkO 6yQj/LnKDKtqstR1Q9BTOwWcvLX7TFW94ZIluBFfZeQjnvXTkIh2yTGk UNrVo/zjODI/MNXKxTsNSE/miWIGlrelsjEtH2QNtZzPzw7kUQ1xenLg obQ=
Please use the formatting tools when posting, like I've done here; it makes posts easier to read. I've just edited your post above to format it correctly.
Are you running as caching using forwarding?
I am configured as authoritative for my internal zones using root hints.
I was using this same conf under Fedora without an issue.
I used named-checkconf and it didn't find any errors, but it doesn't check semantics.
I just configured a zone file without dnssec, and I am still able to make internal and external (forwarded) queries. My internal DNS resolves and I can still resolve comcast with dnssec entries.
You will have to show all your configuration and file locations for anyone to help further, but it would suggest whatever configuration you are using is incorrect. Fedora is not Rocky, so you cannot just copy/paste configuration from one machine to another.
Sorry about the formatting. I was posting from my phone.
I will post conf file and directory structure. I noticed what I posted also suffered from formatting issues.
Here is the output of named-checkconf -p.
controls {
    inet 127.0.0.1 allow {
        "localhost";
    } keys {
        "rndc-key";
    };
};
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    geoip-directory "/usr/share/GeoIP";
    listen-on-v6 port 53 {
        "any";
    };
    managed-keys-directory "/var/named/dynamic";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    statistics-file "/var/named/data/named_stats.txt";
    dnssec-validation no;
    allow-query {
        "any";
    };
    notify no;
};
key "rndc-key" {
    algorithm "hmac-sha256";
    secret "<redacted>";
};
trust-anchors {
    "." initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update {
        "none";
    };
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update {
        "none";
    };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update {
        "none";
    };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update {
        "none";
    };
};
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update {
        "none";
    };
};
zone "internal.grifent.com" {
    type master;
    file "master/db.internal.grifent.com";
    allow-update {
        "none";
    };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/db.192.168.1";
    allow-update {
        "none";
    };
};
zone "15.168.192.in-addr.arpa" {
    type master;
    file "master/db.192.168.15";
    allow-update {
        "none";
    };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.IP6.ARPA" {
    type master;
    file "master/db.fe80::";
    allow-update {
        "none";
    };
};
Here is the chroot tree.
├── [drwxr-x--- root named ] dev
│   ├── [crw-rw-r-- root named ] null
│   ├── [crw-rw-r-- root named ] random
│   ├── [crw-rw-r-- root named ] urandom
│   └── [crw-rw-r-- root named ] zero
├── [drwxr-x--- root named ] etc
│   ├── [drwxr-x--- root named ] crypto-policies
│   │   └── [drwxr-x--- root named ] back-ends
│   │       └── [-rw-r--r-- root root ] bind.config
│   ├── [-rw-r--r-- root root ] localtime
│   ├── [drwxr-x--- root named ] named
│   │   ├── [-rw-r--r-- root named ] named.dynamic.zones
│   │   ├── [-rw-r--r-- root named ] named.forwarding.zones
│   │   ├── [-rw-r----- root named ] named.master.zones
│   │   └── [-rw-r----- root named ] named.slave.zones
│   ├── [-rw-r--r-- root root ] named.conf
│   ├── [-rw-r----- root named ] named.rfc1912.zones
│   ├── [-rw-r--r-- root named ] named.root.key
│   ├── [drwxr-x--- root named ] pki
│   │   └── [drwxr-x--- root named ] dnssec-keys
│   ├── [-rw-r--r-- root root ] protocols
│   ├── [-rw-r----- root named ] rndc.key
│   └── [-rw-r--r-- root root ] services
├── [drwxr-xr-x root root ] proc
│   └── [drwxr-xr-x root root ] sys
│       └── [drwxr-xr-x root root ] net
│           └── [drwxr-xr-x root root ] ipv4
│               └── [-rw-r--r-- root root ] ip_local_port_range
├── [drwxr-x--- root named ] run
│   └── [drwxr-xr-x named named ] named
│       ├── [-rw-r--r-- named named ] named.pid
│       └── [-rw------- named named ] session.key
├── [drwxr-xr-x root root ] usr
│   ├── [drwxr-xr-x root root ] lib64
│   │   ├── [drwxr-xr-x root root ] bind
│   │   └── [drwxr-xr-x root root ] named
│   │       └── [-rwxr-xr-x root root ] filter-aaaa.so
│   └── [drwxr-xr-x root root ] share
│       └── [drwxr-xr-x root root ] GeoIP
│           ├── [-rw-r--r-- root root ] GeoLite2-City.mmdb
│           └── [-rw-r--r-- root root ] GeoLite2-Country.mmdb
└── [drwxr-x--- root named ] var
    ├── [drwxrwx--- named named ] log
    ├── [drwxrwx--- root named ] named
    │   ├── [drwxr-x--- root named ] chroot
    │   │   ├── [drwxr-x--- root named ] dev
    │   │   │   ├── [crw-rw-r-- root named ] null
    │   │   │   ├── [crw-rw-r-- root named ] random
    │   │   │   ├── [crw-rw-r-- root named ] urandom
    │   │   │   └── [crw-rw-r-- root named ] zero
    │   │   ├── [drwxr-x--- root named ] etc
    │   │   │   ├── [drwxr-x--- root named ] crypto-policies
    │   │   │   │   └── [drwxr-x--- root named ] back-ends
    │   │   │   │       └── [-rw-r--r-- root root ] bind.config
    │   │   │   ├── [-rw-r--r-- root root ] localtime
    │   │   │   ├── [drwxr-x--- root named ] named
    │   │   │   ├── [-rw-r--r-- root root ] named.conf
    │   │   │   ├── [-rw-r--r-- root root ] named.rfc1912.zones
    │   │   │   ├── [-rw-r--r-- root root ] named.root.key
    │   │   │   ├── [drwxr-x--- root named ] pki
    │   │   │   │   └── [drwxr-x--- root named ] dnssec-keys
    │   │   │   ├── [-rw-r--r-- root root ] protocols
    │   │   │   ├── [-rw-r--r-- root root ] rndc.key
    │   │   │   └── [-rw-r--r-- root root ] services
    │   │   ├── [drwxr-xr-x root root ] proc
    │   │   │   └── [drwxr-xr-x root root ] sys
    │   │   │       └── [drwxr-xr-x root root ] net
    │   │   │           └── [drwxr-xr-x root root ] ipv4
    │   │   │               └── [-rw-r--r-- root root ] ip_local_port_range
    │   │   ├── [drwxr-x--- root named ] run
    │   │   │   └── [drwxr-xr-x named named ] named
    │   │   ├── [drwxr-xr-x root root ] usr
    │   │   │   ├── [drwxr-xr-x root root ] lib64
    │   │   │   │   ├── [drwxr-xr-x root root ] bind
    │   │   │   │   └── [drwxr-xr-x root root ] named
    │   │   │   └── [drwxr-xr-x root root ] share
    │   │   │       └── [drwxr-xr-x root root ] GeoIP
    │   │   └── [drwxr-x--- root named ] var
    │   │       ├── [drwxrwx--- named named ] log
    │   │       ├── [drwxrwx--T root named ] named
    │   │       ├── [lrwxrwxrwx named named ] run -> ../run
    │   │       └── [drwxrwx--- named named ] tmp
    │   ├── [drwxrwx--- named named ] data
    │   │   ├── [-rw-r--r-- named named ] named.run
    │   │   ├── [-rw-r--r-- named named ] named.run-20250216
    │   │   ├── [-rw-r--r-- named named ] named.run-20250223
    │   │   ├── [-rw-r--r-- named named ] named.run-20250302
    │   │   └── [-rw-r--r-- named named ] named.run-20250309
    │   ├── [drwxrwx--- named named ] dynamic
    │   │   ├── [-rw-r--r-- named named ] managed-keys.bind
    │   │   └── [-rw-r--r-- named named ] managed-keys.bind.jnl
    │   ├── [drwxrwx--- named named ] master
    │   │   ├── [-rw-rw---- named named ] db.192.168.1
    │   │   ├── [-rw-rw---- named named ] db.192.168.15
    │   │   ├── [-rw-rw---- named named ] db.fe80::
    │   │   ├── [-rw-rw---- named named ] db.internal.grifent.com
    │   │   └── [-rw-rw---- named named ] internal.grifent.soa
    │   ├── [-rw-r----- root named ] named.ca
    │   ├── [-rw-r----- root named ] named.empty
    │   ├── [-rw-r----- root named ] named.localhost
    │   ├── [-rw-r----- root named ] named.loopback
    │   └── [drwxrwx--- named named ] slaves
    ├── [lrwxrwxrwx named named ] run -> ../run
    └── [drwxrwx--- named named ] tmp
53 directories, 51 files
Can you also add this to named.conf so that we can enable/disable debugging:
logging {
    channel default_debug {
        file "data/named.run" size 10m;
        severity dynamic;
        /*severity debug 3;*/
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default { default_debug; };
};
Then, to enable debug, do this:
rndc trace 3
and then try to make some DNS queries, normal and dnssec ones. To disable debugging afterwards do:
rndc notrace
Check the log files as well for potential hints on where problems might be when you make a query. If you leave the named.conf stuff relating to debugging in place, you can enable/disable debug just using the trace/notrace commands given. Later on you may remove it from named.conf once the problem is resolved.
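A complementary check to the trace logging above, as an added example that is not from the thread: a SERVFAIL that turns into an answer once checking is disabled (+cd) means the resolver reached the zone but could not validate it (trust anchor, managed-keys, clock), while a SERVFAIL under +cd too means it never got an answer at all. It assumes dig is installed on the host running the script; the sample dig headers are constructed to match the shape of the replies posted above.

```shell
#!/bin/sh
# Added example, not from the thread: tell "validation failed" apart from
# "could not resolve at all" on a validating BIND resolver.

# classify_dig: read `dig` output on stdin, print one word describing it.
#   VALIDATED   NOERROR and the AD (authenticated data) flag is set
#   UNVALIDATED NOERROR without AD (validation off, +cd, or unsigned zone)
#   SERVFAIL    the resolver gave up
classify_dig() {
    awk '
        /->>HEADER<<-/ { status = $6; sub(/,$/, "", status) }
        /^;; flags:/   { if ($0 ~ / ad[ ;]/) ad = 1 }
        END {
            if (status == "SERVFAIL")           print "SERVFAIL"
            else if (status == "NOERROR" && ad) print "VALIDATED"
            else if (status == "NOERROR")       print "UNVALIDATED"
            else                                print "OTHER:" status
        }'
}

# explain PLAIN WITH_CD: interpret the two classifications together.
explain() {
    case "$1/$2" in
        VALIDATED/*)         echo "ok: answer carries the AD flag, validation works" ;;
        UNVALIDATED/*)       echo "unvalidated: dnssec-validation is off or the zone is unsigned" ;;
        SERVFAIL/SERVFAIL)   echo "resolution failure: no answer even with +cd, check transport and logs" ;;
        SERVFAIL/UNVALIDATED) echo "validation failure: +cd answers, check trust anchor and managed-keys" ;;
        *)                   echo "unexpected: $1 / $2" ;;
    esac
}

# diagnose_dnssec RESOLVER NAME: live check, same query with and without +cd.
diagnose_dnssec() {
    plain=$(dig @"$1" "$2" A +dnssec | classify_dig)
    nocheck=$(dig @"$1" "$2" A +dnssec +cd | classify_dig)
    explain "$plain" "$nocheck"
}

# Constructed sample: header lines shaped like the SERVFAIL reply in the thread.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31817
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed sample: a validated answer (note the ad flag).
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44953
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# With a resolver address as $1 run the live check; otherwise classify the samples.
if [ -n "$1" ]; then
    diagnose_dnssec "$1" "${2:-comcast.net}"
else
    printf '%s\n' "$SAMPLE_SERVFAIL" | classify_dig
    printf '%s\n' "$SAMPLE_AD" | classify_dig
fi
```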
Looks like the resolver is trying to use IPv6 to validate the DNSSEC query.
My ISP doesn't support IPv6 yet.
I use IPv6 on my internal (non-public) domain.
I don't know how to make the resolver use IPv4 for external queries.
The web searches say to disable IPv6 in Network Manager. If that is the solution, I'll have to remove IPv6 use internally.
Probably better to listen only on ipv4 not on ipv6. You can do this:
listen-on-v6 { none; };
and for listening on ipv4:
listen-on port 53 { 127.0.0.1; };
change 127.0.0.1 to the IP of your machine so that other hosts can query it or just change it to any:
listen-on port 53 { any; };
but then obviously that means you're not going to be able to use ipv6 addresses internally. Seems strange though that if you change it to no, it suddenly starts resolving even for ipv6. I don't use ipv6 and don't plan on using it internally anyway. Both my LAN and WAN/Internet are ipv4.
I can do that. Of course then I will have to disable IPv6 on my internal hosts.
Choice: get DNSSEC working and lose IPv6, or keep IPv6 and disable DNSSEC.
Thank you for your help @iwalker.
I have the reverse to be honest. If I just do a standard dig command then it will give me ipv4, as you saw from the comcast output before. Now if I do dig aaaa comcast.net it should reply with ipv6 but doesn't. Most likely because I'm using ipv4, even though I did a query to the ipv6 localhost ::1.
Or at least for comcast I do. For google, it will reply with the ipv6 DNS entry. It would suggest that the Comcast DNS servers see me coming from a public ipv4 address and only reply with ipv4 entries and not ipv6. Yet, google replies whether I do dig aaaa or dig a.
Just changing listen-on-v6 { none; }; didn't solve the issue.
I guess something in the resolver sees my server has an IPv6 address and makes an assumption that the query to the root servers should be done using IPv6. Each root is tried at the IPv6 address but no IPv4 address is ever tried.
There ought to be a way to configure bind to use IPv4 (or 6 or either) for query transport.
I found this:
…
Can't remember where I found this solution, but here it is.
In /etc/bind/named.conf.local:
// disable lookup over IPv6
server ::/0 {
    bogus yes;
};
It then pretends that IP addresses in the IPv6 range are not reachable and does it with IPv4 instead.
…
at Configure BIND to prefer IPv4 without disabling IPv6 - Server Fault
Then for the internal server IPv6 addresses, I should be able to have more specific server blocks with bogus no for the internal servers.
What do you think @iwalker ?
I don't have either of those options, but my bind listens on localhost ipv4 and ipv6 and does resolve each entry. You can put both options on any like I have. Unfortunately, I don't use ipv6 so am unable to help any further. I can post my config for you, but it's not a chroot config, just a basic bind server; it should still work irrespective of whether it's normal named or chrooted.
Just tried
…
blackhole {
    ::/0;
};
…
That didn't work either.
Next: disable IPv6 zones and addresses.
Sigh.
From what I've seen in searching, I'm not the only one that wants to do this. Bind just can't handle it.
Actually, newer versions of bind probably do, because I truly believe this configuration was working on Fedora 40.
My config, which is pretty vanilla:
root@rocky9:~# named-checkconf -p
logging {
    channel "default_debug" {
        file "data/named.run";
        severity dynamic;
    };
};
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    geoip-directory "/usr/share/GeoIP";
    listen-on port 53 {
        127.0.0.1/32;
    };
    listen-on-v6 port 53 {
        ::1/128;
    };
    managed-keys-directory "/var/named/dynamic";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    session-keyfile "/run/named/session.key";
    statistics-file "/var/named/data/named_stats.txt";
    disable-algorithms "." {
        "RSAMD5";
        "RSASHA1";
        "NSEC3RSASHA1";
        "DSA";
        "NSEC3DSA";
        "ED25519";
        "ED448";
        "ECCGOST";
    };
    disable-ds-digests "." {
        "SHA-1";
        "GOST";
    };
    dnssec-validation yes;
    recursion yes;
    allow-query {
        "localhost";
    };
};
trust-anchors {
    "." initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "myzone.com" IN {
    type master;
    file "/var/named/myzone.com.zone";
};
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update {
        "none";
    };
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update {
        "none";
    };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update {
        "none";
    };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update {
        "none";
    };
};
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update {
        "none";
    };
};