DNSSEC: no update via DHCP

Hello,

I have set up a local DNS server and a DHCP server.
I used this tutorial for my configuration: Debian Wiki DNSSEC.
However, it does not work.

What works:
the DHCP server (assignment of IPs and of the router, NTP, DNS server… parameters)
the DNS server (name resolution for the Internet via a forwarder)

What does not work:
DNS server: no name resolution for local devices.
It seems, though I am not certain, that the DHCP server does not update the DNS server???

Where is my mistake?

Here is my configuration:
DNS SERVER
named.conf

[code]include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/ns-local-fr_rndc-key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; };
    inet 192.168.1.0 port 953 allow { 192.168.1.0; };
};
[/code]
named.conf.options

[code]options {
    directory "/var/cache/bind";
    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    //dnssec-enable no;
    dnssec-validation auto;
    dnssec-lookaside no;

    // Port used for exchanges between DNS servers
    query-source address * port *;

    // Forward queries to 192.168.1.1 if this server cannot resolve these addresses.
    // The ISP's DNS servers could equally be given here instead of
    // the router's IP address (xxxbox)
    forward only;
    forwarders { 192.168.3.254; 192.168.2.254; };

    auth-nxdomain yes;    # conform to RFC1035

    // Listen on local interfaces only (IPv4)
    listen-on-v6 { none; };
    listen-on { 127.0.0.1; };
    listen-on { 192.168.1.1; };

    // Do not transfer zone information to secondary DNS servers
    allow-transfer { none; };

    // Accept queries for the internal network only
    //allow-query { internals; };

    // Allow recursive queries for local hosts
    //allow-recursion { internals; };

    // Do not disclose the BIND version
    version none;

    //listen-on-v6 { any; };

};
[/code]
named.conf.local

[code]//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Manage log files
include "/etc/bind/named.conf.log";

// Management of the example.com domain
// ------------------------------
// - The server is defined as master for this domain
// - There is no forwarder for this domain because we control it.
//   For all other domains, we use the forwarder mentioned in named.conf.options
// - Entries in the domain can be added dynamically with the key ns-example-com_rndc-key
zone "local.fr" {
    type master;
    notify no;
    file "/etc/bind/db.local.fr";
    forwarders {};
    allow-update { key ns-local-fr_rndc-key; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "/etc/bind/db.local.fr.inv";
    forwarders {};
    allow-update { key ns-local-fr_rndc-key; };
};

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";[/code]
dhcp.conf

[code]
# General default options

# NETWORK

server-name "serveur1.local.fr";
authoritative;
option subnet-mask 255.255.255.0;

# Refuse duplicate MAC addresses
deny duplicates;

# Refuse DHCPDECLINE messages indicating a network conflict.
ignore declines;

# Record only the host name if the FQDN is not managed by the
# server
ignore client-updates;

# Inform clients of the presence of a local time server
option ntp-servers 192.168.1.1;

# DOMAIN

option domain-name "local.fr";

# List the DNS servers for the network
option domain-name-servers 192.168.1.1, 192.168.3.254, 192.168.2.254;
ddns-update-style interim;
ddns-updates on;

# Load the signature (TSIG) in order to authorise transactions
# with BIND
include "/etc/bind/ns-local-fr_rndc-key";

# ADDRESS RENEWAL TIME

default-lease-time 3600;
max-lease-time 7200;

# Security

allow unknown-clients;
log-facility local7;

# PXE

allow bootp;
allow booting;

# NETWORKS

subnet 192.168.1.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option domain-name "local.fr";
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.254;
    range 192.168.1.100 192.168.1.120;
    ping-check = 1;
}

# Define the DNS zones that DHCP must update

zone local.fr. {
    primary 127.0.0.1;
    key ns-cvn-nikolov-fr_rndc-key;
}
zone 1.168.192.in-addr.arpa.
{
    primary 127.0.0.1;
    key ns-local-fr_rndc-key;
}[/code]
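
A consistency check for the two configurations in the post above, as an added example that is not part of the original thread: it compares the key each dhcpd `zone` block signs updates with against the keys the matching BIND zone lists in `allow-update`, and flags zone files kept in a directory named cannot write to. The names `check_ddns`, `zone_blocks`, the finding codes and the `readonly_dirs` default (an assumption that `/etc/bind` is not writable by named, as with Debian's packaging) belong to this example; the embedded snippets are excerpts of the posted configuration.

```python
import re

# Excerpts of the configuration posted above, with straight quotes.
NAMED_CONF_LOCAL = '''
zone "local.fr" {
    type master;
    file "/etc/bind/db.local.fr";
    forwarders {};
    allow-update { key ns-local-fr_rndc-key; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.local.fr.inv";
    forwarders {};
    allow-update { key ns-local-fr_rndc-key; };
};
'''

DHCPD_CONF = '''
zone local.fr. {
    primary 127.0.0.1;
    key ns-cvn-nikolov-fr_rndc-key;
}
zone 1.168.192.in-addr.arpa.
{
    primary 127.0.0.1;
    key ns-local-fr_rndc-key;
}
'''

ZONE_OPEN = re.compile(r'\bzone\s+"?([\w.-]+)"?\s*\{')
KEY_NAME = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;')


def zone_blocks(text):
    """Yield (zone name without trailing dot, body) for every zone { ... } block."""
    text = re.sub(r'(?m)(//|#).*$', '', text)       # drop line comments
    for m in ZONE_OPEN.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):                # walk to the matching brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1).rstrip('.').lower(), text[m.end():i - 1]


def check_ddns(named_conf, dhcpd_conf, readonly_dirs=('/etc/bind/',)):
    """Return (zone, code, detail) findings for dhcpd -> named dynamic updates."""
    bind = {}
    for name, body in zone_blocks(named_conf):
        allowed = set()
        for acl in re.findall(r'allow-update\s*\{(.*?)\}', body, re.S):
            allowed.update(KEY_NAME.findall(acl))
        path = re.search(r'\bfile\s+"([^"]+)"', body)
        bind[name] = (allowed, path.group(1) if path else '')

    findings = []
    for name, body in zone_blocks(dhcpd_conf):
        if name not in bind:
            findings.append((name, 'no-such-zone', 'named has no zone of this name'))
            continue
        allowed, path = bind[name]
        key = KEY_NAME.search(body)
        key = key.group(1) if key else None
        if key not in allowed:                        # TSIG key name must match exactly
            findings.append((name, 'key-mismatch',
                             f'dhcpd signs with {key}, named accepts {sorted(allowed)}'))
        if path.startswith(tuple(readonly_dirs)):     # assumption: directory is read-only for named
            findings.append((name, 'zone-file-dir',
                             f'{path}: named must be able to write the zone journal here'))
    return findings


if __name__ == '__main__':
    for zone, code, detail in check_ddns(NAMED_CONF_LOCAL, DHCPD_CONF):
        print(f'{zone:24} {code:14} {detail}')
```
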

Hi,

Just quickly, eh … ^¿^

Have you run a few [mono]$ ping xxx.xxx.xxx.xxx[/mono] and [mono]$ whois xxx.xxx.xxx.xxx[/mono]?

Hello,
Yes, I ran a ping on a local address. There was no name resolution.
I ran a dig, and I can see that it is my DNS that answers.
For local addresses, it resolves nothing.
For Internet addresses, it resolves the addresses fine.

I will also give you this information:
The command arp -a gives me strange information.
The iPad appears with a name like:
Ipad.local instead of ipad.local.fr ???
The rest of the devices appear with a "?" as their name ???

I must admit that I do not really understand these elements.

I should still point out that I define fixed IPs based on the MAC addresses of my devices.

Regards,
Vandman

Hello,

Is there anyone who can help me?

Regards,
vandman

Hi,

You say yes, yes, but console output would be more telling for some of us.

Hello,

Here is the console output:

DHCP configuration for my phone, static address.

[code]host pnote3 {
    hardware ethernet XX:22:XX:e4:XX:d1;
    fixed-address 192.168.100.10;
}
[/code]

Output of the arp -a command:

[code]arp -a
? (192.168.100.99) at XX:07:XX:e1:XX:85 [ether] on eth1
? (192.168.100.21) at XX:de:XX:12:XX:13 [ether] on eth1
rtrcvn.local.fr (192.168.100.254) at XX:5a:XX:a4:XX:c6 [ether] on eth1
? (192.168.100.20) at XX:57:XX:b2:XX:c2 [ether] on eth1
? (192.168.100.10) at XX:22:XX:e4:XX:d1 [ether] on eth1
[/code]

Output of ping:

[code]ping pnote3
ping: unknown host pnote3

ping pnote3.local.fr
ping: unknown host pnote3.local.fr
[/code]

Output of dig google.fr

[code]dig www.google.fr

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.google.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60288
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.fr. IN A

;; ANSWER SECTION:
www.google.fr. 595 IN A 74.125.24.94

;; Query time: 0 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Sun Mar 15 13:55:49 2015
;; MSG SIZE rcvd: 47
[/code]

Output of dig pnote3

[code]dig pnote3

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> pnote3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57859
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;pnote3. IN A

;; AUTHORITY SECTION:
. 10196 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015031500 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Sun Mar 15 13:57:12 2015
;; MSG SIZE rcvd: 99
[/code]

My logs for the day

Regards,
Vandman

Hello,

Isn't that enough?

:think:

You need to dig in that direction.

Hello,

I have not made much progress since the last reply.

What I can report is the result of the following commands:

[code]# nsupdate

server dns.locale.fr
key ns-locale-fr_rndc-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
zone locale.fr
update add pnote3.locale.fr. 600 IN A 192.168.100.10
send
update failed: SERVFAIL
[/code]

I also modified my named.conf.option file.
I uncommented dnssec-enable and set it to yes.

Regards,
vandman

Hi,

That's true.

[code][08:28:11]:~$ domain=pnote3.local.fr; for i in $(host -t ns $domain| awk '{print $4}') ; do host -t a $domain $i ; done
host: couldn't get address for 'NS': not found
[08:28:15]:~$
[/code]

[code][08:19:10]:~$ whois pnote3.local.fr
%%
%% This is the AFNIC Whois server.
%%
%% complete date format : DD/MM/YYYY
%% short date format : DD/MM
%% version : FRNIC-2.5
%%
%% Rights restricted by copyright.
%% See http://www.afnic.fr/afnic/web/mentions-legales-whois_en
%%
%% Use '-h' option to obtain more information about this service.
%%
%% [90.7.161.193 REQUEST] >> -V Md5.1 pnote3.local.fr
%%
%% RL Net [##########] - RL IP [#########.]
%%

%% No entries found in the AFNIC Database.
[/code]

[code][08:22:09]:~$ dig ns pnote3.local.fr

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> ns pnote3.local.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59195
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;pnote3.local.fr. IN NS

;; AUTHORITY SECTION:
local.fr. 1799 IN SOA dns12.ovh.net. tech.ovh.net. 2015021601 86400 3600 3600000 86400

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 5 08:22:18 2015
;; MSG SIZE rcvd: 87
[/code]

[code][08:41:01]:~$ dig pnote3.local.fr +trace

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> pnote3.local.fr +trace
;; global options: +cmd
. 13101 IN NS a.root-servers.net.
. 13101 IN NS b.root-servers.net.
. 13101 IN NS c.root-servers.net.
. 13101 IN NS d.root-servers.net.
. 13101 IN NS e.root-servers.net.
. 13101 IN NS f.root-servers.net.
. 13101 IN NS g.root-servers.net.
. 13101 IN NS h.root-servers.net.
. 13101 IN NS i.root-servers.net.
. 13101 IN NS j.root-servers.net.
. 13101 IN NS k.root-servers.net.
. 13101 IN NS l.root-servers.net.
. 13101 IN NS m.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 228 ms

fr. 172800 IN NS d.nic.fr.
fr. 172800 IN NS f.ext.nic.fr.
fr. 172800 IN NS e.ext.nic.fr.
fr. 172800 IN NS d.ext.nic.fr.
fr. 172800 IN NS g.ext.nic.fr.
;; Received 341 bytes from 199.7.91.13#53(199.7.91.13) in 200 ms

local.fr. 172800 IN NS ns12.ovh.net.
local.fr. 172800 IN NS dns12.ovh.net.
;; Received 79 bytes from 193.176.144.22#53(193.176.144.22) in 70 ms

pnote3.local.fr. 86400 IN A 37.59.231.245
;; Received 49 bytes from 213.251.188.131#53(213.251.188.131) in 17 ms

[/code]

BelZéButh, I have a feeling your answer is really going to help him.

Hello,

BelZéButh, I did not understand everything you wrote. If your question is whether I own "local.fr", not at all. I put that in to replace my local domain name. Given that my DNS is not meant to answer external requests, I used a subdomain of a "fr" domain that belongs to me.

I am still stuck on the dynamic update of my DNS by my DHCP server. How should I proceed?

Regards,
vandman