Dominik
2021-05-17 07:13:59 UTC
Hello,
yesterday I tried version 9.17.12 because of the new TLS features.
My resolv.conf only contains the local resolver 127.0.0.1 and ::1.
The problem is that the new Bind9 doesn't start without having an
alternative resolver in resolv.conf. It looks like something in the
Bind9 startup process relies on DNS before it is itself serving queries.
The last message in the logfile is:
named[14264]: managed-keys-zone: Failed to create fetch for DNSKEY update
After that the Bind9 process is running but doesn't answer queries.
Thanks for any help.
--
Regards
Dominik
The named.conf looks like this:
tls mytls {
    cert-file "/etc/ssl/example.crt";
    key-file "/etc/ssl/example.key";
};
options {
    directory "/usr/local/bind9/var/cache";
    querylog no;
    auth-nxdomain no;
    dnssec-validation auto;
    minimal-responses no-auth-recursive;
    listen-on port 53 { any; };
    listen-on-v6 { ::1; };
    listen-on port 853 tls mytls { any; };
    allow-transfer { none; };
    allow-recursion { 127.0.0.1; ::1; };
    recursion yes;
};
logging {
    category lame-servers { null; };
};
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/usr/local/bind9/etc/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/usr/local/bind9/etc/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/usr/local/bind9/etc/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/usr/local/bind9/etc/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/usr/local/bind9/etc/db.255";
};
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
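Editor's added example (not part of Dominik's post and not BIND's own code): a small stand-alone probe for the situation described above, a named that is running but not answering. It hand-builds a `. DNSKEY` query with the EDNS DO bit, sends it over plain UDP/53 and over DNS-over-TLS on 853 (the two listeners in the posted named.conf), and separates "no reply at all" from "replies SERVFAIL" from "replies with the AD bit". The addresses and ports come from the post; the cafile path `/etc/ssl/example.crt` is an assumption (pass whatever signed the listener's certificate).

```python
# Added example, not from the original post or from BIND: probe a local named
# that is up but silent, over UDP/53 and DNS-over-TLS/853, and classify the reply.
import random
import socket
import ssl
import struct

QTYPE_DNSKEY = 48
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    # Wire-encode a dotted name; the root is a single zero byte.
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname=".", qtype=QTYPE_DNSKEY, qid=None, do=True):
    # Header with RD set, one question, one OPT RR (4096-byte payload, DO bit).
    if qid is None:
        qid = random.randrange(0, 1 << 16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do else 0, 0)
    return header + question + opt

def parse_response(data, expect_id=None):
    # Decode the 12-byte header only; reject non-responses and mismatched IDs.
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expect_id is not None and qid != expect_id:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & 0x0020), "answers": an}

def classify(parsed):
    # One-line verdict; None means the probe timed out without any reply.
    if parsed is None:
        return "timeout: named sent nothing back"
    if parsed["rcode"] == "SERVFAIL":
        return "SERVFAIL: named is serving, but resolution or validation failed"
    if parsed["rcode"] == "NOERROR" and parsed["ad"]:
        return "NOERROR+AD: resolving and validating"
    if parsed["rcode"] == "NOERROR" and parsed["answers"]:
        return "NOERROR without AD: answered but not validated"
    return parsed["rcode"]

def probe_udp(addr, port=53, timeout=3.0):
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    query = build_query()
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (addr, port))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, expect_id=struct.unpack("!H", query[:2])[0])

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def probe_dot(addr, port=853, timeout=3.0, cafile=None, server_name=None):
    # RFC 7858: the DNS message carries a 2-byte length prefix inside TLS.
    ctx = ssl.create_default_context(cafile=cafile)
    if server_name is None:
        # Connecting by IP to a cert that names a host: skip only the name
        # check; the chain is still verified against cafile.
        ctx.check_hostname = False
    query = build_query()
    qid = struct.unpack("!H", query[:2])[0]
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                tls.sendall(struct.pack("!H", len(query)) + query)
                head = _recv_exact(tls, 2)
                data = head and _recv_exact(tls, struct.unpack("!H", head)[0])
    except socket.timeout:
        return None
    return None if not data else parse_response(data, expect_id=qid)

if __name__ == "__main__":
    # Listeners from the posted named.conf; the cafile path is an assumption.
    for ip in ("127.0.0.1", "::1"):
        try:
            print(f"udp/53  {ip:10} {classify(probe_udp(ip))}")
            print(f"tls/853 {ip:10} {classify(probe_dot(ip, cafile='/etc/ssl/example.crt'))}")
        except OSError as err:
            print(f"{ip:10} {err}")
```

A timeout on both listeners matches the post's symptom (process up, no answers); SERVFAIL instead means named is serving but cannot complete resolution or validation, which is the state to expect if the trust-anchor fetch logged above never succeeds. A refused connection on 853 with a timeout on 53 would point at the TLS listener rather than at resolution.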