Issue created Jul 02, 2018 by Tony Finch@fanfOwner

Root zone mirroring - confusing ACLs

I have an RFC 7706-style configuration on my test server (config below): separate `auth` and `rec` views, with a slave copy of the root zone in the `auth` view. The `rec` view reaches it through a static-stub zone for `.` pointing at `::1`, so the `rec` view validates the root data it obtains from the `auth` view.

I thought I should try out mirror mode, so that the root zone is validated when it is transferred in rather than only when the `rec` view queries it.

I added `mirror yes;` to the root zone in the `auth` view and restarted the server.

`dig soa .` then returned SERVFAIL: the `auth` view REFUSED the query that the `rec` view sent to `::1`. I tried adding `::1` to the `auth` view's `allow-recursion` ACL (which I thought should also change the default for the `allow-query-cache` ACL), but the queries were still REFUSED.

I removed `mirror yes;` and ran `rndc reconfig`, but I still got SERVFAIL errors, so I had to restart the server to recover.

It isn't clear to me why this didn't work, or which ACL (`allow-query`, `allow-query-cache`, or `allow-recursion` in the `auth` view) was the one refusing the query.

// Client ACL: the university network (CUDN) plus loopback.
// Element order matters: BIND stops at the first matching element, so the
// negated 172.31.0.0/16 must come before the broader 172.16.0.0/12 or it
// would never be excluded.
acl "cudn" {
	128.232.0.0/16;
	129.169.0.0/16;
	131.111.0.0/16;
	192.18.195.0/24;
	192.84.5.0/24;
	192.153.213.0/24;
	193.60.80.0/20;
	193.63.252.0/23;
	2001:630:210::/44;
	2a00:1098:5::/48;
	2a05:b400::/32;
	!172.31.0.0/16;
	172.16.0.0/12;
	10.128.0.0/9;
	// Loopback is included because the "rec" view sends its upstream queries
	// to ::1 (see its static-stub zones); those queries must pass the global
	// allow-query ACL in the "auth" view.
	127.0.0.1/32;
	::1/128;
};
// Single rotating log file (10 versions of ~100 MiB); "severity dynamic"
// follows the level set at runtime with rndc trace.
logging {
	channel "log" {
		file "/log/named.log" versions 10 size 104857600;
		severity dynamic;
		print-time iso8601;
		print-severity yes;
		print-category yes;
	};
	category "default" {
		"log";
	};
};
// Masters for the authoritative zones slaved in the "auth" view
// (catalog zone and 10.in-addr.arpa). Transfers from these are not
// TSIG-signed in this config, so they are trusted by address only.
masters "ucam" {
	2001:630:212:8::d:a0;
	131.111.8.37;
	2001:630:212:12::d:a1;
	131.111.12.37;
};
// Masters for the RPZ feed zones slaved in the "rec" view. As with "ucam",
// trust is by source address only (no TSIG key on these transfers).
masters "ucam-rec" {
	2001:630:212:8::d:0;
	131.111.8.42;
	2001:630:212:12::d:1;
	131.111.12.20;
};
options {
	// Packets from these two addresses are dropped without any response.
	blackhole {
		131.111.12.49/32;
		2001:630:212:12:250:56ff:fe90:7ed7/128;
	};
	directory "/var/opt/bind/run";
	// NOTE(review): no space between "file" and the path; probably lost when
	// the config was pasted into the issue — confirm against the real file.
	dnstap-output file"dnstap";
	querylog yes;
	// Answers NSID / id.server with the machine's hostname; this is a small
	// information disclosure that is presumably acceptable on a test server.
	server-id hostname;
	// DNS-rebinding protection: answers whose addresses fall in these
	// private / reserved / documentation ranges are rejected, unless the
	// query name is under private.cam.ac.uk (where RFC 1918 data is expected).
	// The same ranges are marked "bogus" in the server clauses at the end.
	deny-answer-addresses {
		0.0.0.0/8;
		10.0.0.0/8;
		100.64.0.0/10;
		127.0.0.0/8;
		169.254.0.0/16;
		172.16.0.0/12;
		192.0.0.0/24;
		192.0.2.0/24;
		192.88.99.0/24;
		192.168.0.0/16;
		198.18.0.0/15;
		198.51.100.0/24;
		203.0.113.0/24;
		224.0.0.0/3;
		::/3;
		2001::/32;
		2001:2::/48;
		2001:10::/28;
		2001:db8::/32;
		2002::/16;
		3000::/4;
		4000::/2;
		8000::/1;
	} except-from {
		"private.cam.ac.uk";
	};
	// Likewise reject CNAME/DNAME targets that point into private.cam.ac.uk
	// from outside that domain.
	deny-answer-aliases {
		"private.cam.ac.uk";
	} except-from {
		"private.cam.ac.uk";
	};
	// Validate using the built-in root trust anchor (managed-keys).
	dnssec-validation auto;
	dnstap {
		all;
	};
	empty-contact "root.localhost";
	empty-server "localhost";
	// Serve-stale: expired cache entries may be served for up to an hour
	// when the authoritative servers cannot be reached.
	max-stale-ttl 3600;
	no-case-compress {
		"any";
	};
	// Response rate limiting applies only to clients outside the CUDN ACL,
	// with a very low limit of 2 identical responses per second.
	rate-limit {
		exempt-clients {
			"cudn";
		};
		responses-per-second 2;
	};
	request-nsid yes;
	rrset-order {
		order random;
	};
	stale-answer-enable yes;
	// Global defaults: only CUDN (plus loopback) may query or transfer.
	// Several zones below override both with "any".
	allow-query {
		"cudn";
	};
	allow-transfer {
		"cudn";
	};
	// Only the KSK signs the DNSKEY RRset in the auto-dnssec zones below.
	dnssec-dnskey-kskonly yes;
	notify master-only;
	zone-statistics full;
};
// Plain-HTTP statistics on port 8053 on all interfaces, restricted only by
// the CUDN ACL (there is no authentication on this channel).
statistics-channels {
	inet 0.0.0.0 port 8053 allow {
		"cudn";
	};
	inet :: port 8053 allow {
		"cudn";
	};
};
// Recursive view. Only CUDN clients that set RD land here; everything else
// (including the non-recursive upstream queries this view itself sends to
// ::1) falls through to the "auth" view below.
view "rec" {
	match-clients {
		"cudn";
	};
	match-recursive-only yes;
	// RPZ feed zones slaved from the university resolvers.
	zone "block.arpa.cam.ac.uk" {
		type slave;
		file "/zs/block.arpa.cam.ac.uk";
		masters {
			"ucam-rec";
		};
	};
	zone "passthru.arpa.cam.ac.uk" {
		type slave;
		file "/zs/passthru.arpa.cam.ac.uk";
		masters {
			"ucam-rec";
		};
	};
	// Local test RPZ. Note it is queryable and transferable by "any",
	// overriding the global CUDN restriction.
	zone "test.rpz.dotat.at" {
		type master;
		file "../zd/test.rpz.dotat.at/master";
		journal "../zd/test.rpz.dotat.at/journal";
		update-policy local;
		allow-query {
			"any";
		};
		allow-transfer {
			"any";
		};
		masterfile-format raw;
	};
	// All the static-stub zones below point at ::1, i.e. this same server.
	// The queries are sent without RD, so match-recursive-only routes them
	// to the "auth" view, which serves the zones authoritatively.
	zone "cb4.eu" {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "dotat.at" {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "ed25519.dotat.at" {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "no-dnssec.dotat.at" {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "fanf2.ucam.org" {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "dev.dns.cam.ac.uk" {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "catz.arpa.cam.ac.uk" {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "10.in-addr.arpa" {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	// The RFC 7706 part: root queries go to the local slave copy of the
	// root zone in the "auth" view instead of to the root servers. This
	// view still validates the answers (dnssec-validation auto).
	zone "." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "83.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "18.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "84.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "253.63.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "0.0.4.b.5.0.a.2.ip6.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "cst.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "93.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "24.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "195.18.192.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "statslab.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "eng.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "88.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "in-addr.arpa.private.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "2.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "16.111.131.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "private.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "maths.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "26.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "169.129.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "23.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "5.84.192.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "dpmms.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "87.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "90.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "5.0.0.0.8.9.0.1.0.0.a.2.ip6.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "29.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "24.111.131.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "85.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "19.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "232.128.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "145.111.131.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "18.111.131.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "25.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "80.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "damtp.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "94.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "21.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "92.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "16.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "cl.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "89.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "1.2.0.0.3.6.0.1.0.0.2.ip6.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "in-addr.arpa.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "111.131.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "86.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "252.63.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "91.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "27.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "95.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "81.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "20.111.131.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "newton.cam.ac.uk." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "213.153.192.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "20.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "22.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "17.111.131.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "28.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "17.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "30.172.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	zone "82.60.193.in-addr.arpa." {
		type static-stub;
		server-addresses {
			::1;
		};
	};
	minimal-responses no-auth-recursive;
	// RPZ rewriting. "break-dnssec yes" applies the policy even when the
	// client sets DO, so validating stub resolvers behind this server will
	// see rewritten answers as bogus for affected names.
	response-policy {
		zone "test.rpz.dotat.at";
		zone "passthru.arpa.cam.ac.uk" policy passthru;
		zone "block.arpa.cam.ac.uk" policy cname "ipreg.rpz.dotat.at";
	} break-dnssec yes max-policy-ttl 300 qname-wait-recurse no;
};
// Authoritative, non-recursive view. Catches everything the "rec" view
// does not: non-CUDN clients, and any query without RD — including the
// queries the "rec" view's static-stub zones send to ::1.
view "auth" {
	// TSIG keys (secrets redacted in the issue).
	key "_acme-challenge.dotat.at" {
		algorithm "hmac-sha256";
		secret "????????????????????????????????????????????";
	};
	key "dev.dns.cam.ac.uk" {
		algorithm "hmac-sha256";
		secret "????????????????????????????????????????????";
	};
	key "tsig-fanf" {
		algorithm "hmac-sha256";
		secret "????????????????????????????????????????????";
	};
	// Public zones: query and transfer open to "any", overriding the global
	// CUDN default; updates only via the rndc-generated local-ddns key.
	zone "cb4.eu" {
		type master;
		file "../zd/cb4.eu/master";
		journal "../zd/cb4.eu/journal";
		update-policy local;
		allow-query {
			"any";
		};
		allow-transfer {
			"any";
		};
		also-notify {
			91.221.196.11;
		};
		auto-dnssec maintain;
		key-directory "../zd/cb4.eu";
		masterfile-format raw;
		sig-validity-interval 10 8;
	};
	zone "dotat.at" {
		type master;
		file "../zd/dotat.at/master";
		journal "../zd/dotat.at/journal";
		// Least privilege for the ACME client: its key may only touch the
		// TXT record at its own name. local-ddns keeps full zone access.
		update-policy {
			grant "local-ddns" zonesub "any";
			grant "_acme-challenge.dotat.at" self "_acme-challenge.dotat.at" "TXT";
		};
		allow-query {
			"any";
		};
		allow-transfer {
			"any";
		};
		also-notify {
			91.221.196.11;
		};
		auto-dnssec maintain;
		key-directory "../zd/dotat.at";
		masterfile-format raw;
		sig-validity-interval 10 8;
	};
	zone "ed25519.dotat.at" {
		type master;
		file "../zd/ed25519.dotat.at/master";
		journal "../zd/ed25519.dotat.at/journal";
		update-policy local;
		allow-query {
			"any";
		};
		allow-transfer {
			"any";
		};
		auto-dnssec maintain;
		key-directory "../zd/ed25519.dotat.at";
		masterfile-format raw;
		sig-validity-interval 10 8;
	};
	// Test zone for going from signed to unsigned.
	zone "no-dnssec.dotat.at" {
		type master;
		file "../zd/no-dnssec.dotat.at/master";
		journal "../zd/no-dnssec.dotat.at/journal";
		update-policy local;
		allow-query {
			"any";
		};
		allow-transfer {
			"any";
		};
		auto-dnssec maintain;
		dnssec-secure-to-insecure yes;
		key-directory "../zd/no-dnssec.dotat.at";
		masterfile-format raw;
	};
	// Test zone with aggressive key reloading and very short signature
	// lifetimes (1 day, resign 23 hours before expiry).
	zone "fanf2.ucam.org" {
		type master;
		file "../zd/fanf2.ucam.org/master";
		journal "../zd/fanf2.ucam.org/journal";
		update-policy local;
		allow-query {
			"any";
		};
		allow-transfer {
			"any";
		};
		auto-dnssec maintain;
		dnssec-loadkeys-interval 10;
		dnssec-secure-to-insecure yes;
		key-directory "../zd/fanf2.ucam.org";
		masterfile-format raw;
		sig-signing-nodes 10;
		sig-signing-signatures 2;
		sig-validity-interval 1 23;
	};
	zone "dev.dns.cam.ac.uk" {
		type master;
		file "../zd/dev.dns.cam.ac.uk/master";
		journal "../zd/dev.dns.cam.ac.uk/journal";
		allow-query {
			"any";
		};
		// Transfers: loopback by address, or anyone holding the tsig-fanf key.
		allow-transfer {
			"localhost";
			key "tsig-fanf";
		};
		// Whole-zone update rights for either key (no per-name restriction,
		// unlike the ACME grant on dotat.at).
		allow-update {
			key "local-ddns";
			key "dev.dns.cam.ac.uk";
		};
		auto-dnssec maintain;
		key-directory "../zd/dev.dns.cam.ac.uk";
		masterfile-format raw;
		sig-validity-interval 10 8;
	};
	// Catalog zone: its master ("ucam") can add or remove member zones on
	// this server, so it is effectively a provisioning channel.
	zone "catz.arpa.cam.ac.uk" {
		type slave;
		file "../zs/catz.arpa.cam.ac.uk";
		masters {
			"ucam";
		};
		allow-query {
			"cudn";
		};
	};
	zone "10.in-addr.arpa" {
		type slave;
		file "../zs/10.in-addr.arpa";
		masters {
			"ucam";
		};
		allow-query {
			"cudn";
		};
	};
	// Local copy of the root zone (RFC 7706). Served to the "rec" view via
	// its static-stub "." zone. The issue's experiment added "mirror yes;"
	// here. NOTE(review): with "recursion no;" and "allow-recursion { none; };"
	// in this view, allow-query-cache defaults to none; if mirror-zone data is
	// served under allow-query-cache rather than allow-query, that alone would
	// produce the REFUSED seen in the report — confirm against the ARM for the
	// BIND version in use.
	zone "." {
		type slave;
		file "../zs/root";
		masters {
			2001:7fd::1;
			193.0.14.129;
		};
		// Only notify the explicitly listed local target on port 5300.
		also-notify {
			127.0.0.1 port 5300;
		};
		max-refresh-time 512;
		max-retry-time 512;
		notify explicit;
	};
	allow-recursion {
		"none";
	};
	catalog-zones {
		zone "catz.arpa.cam.ac.uk" zone-directory "../zs";
	};
	// Amplification hygiene: small UDP responses, minimal ANY answers and
	// no additional/authority padding.
	max-udp-size 1400;
	minimal-any yes;
	minimal-responses yes;
	recursion no;
};
// Never send queries to nameservers advertised at private, reserved or
// documentation addresses. This is the outbound counterpart of the
// deny-answer-addresses list in options.
server 0.0.0.0/8 {
	bogus yes;
};
server 10.0.0.0/8 {
	bogus yes;
};
server 100.64.0.0/10 {
	bogus yes;
};
server 127.0.0.0/8 {
	bogus yes;
};
server 169.254.0.0/16 {
	bogus yes;
};
server 172.16.0.0/12 {
	bogus yes;
};
server 192.0.0.0/24 {
	bogus yes;
};
server 192.0.2.0/24 {
	bogus yes;
};
server 192.88.99.0/24 {
	bogus yes;
};
server 192.168.0.0/16 {
	bogus yes;
};
server 198.18.0.0/15 {
	bogus yes;
};
server 198.51.100.0/24 {
	bogus yes;
};
server 203.0.113.0/24 {
	bogus yes;
};
server 224.0.0.0/3 {
	bogus yes;
};
server ::/3 {
	bogus yes;
};
server 2001::/32 {
	bogus yes;
};
server 2001:2::/48 {
	bogus yes;
};
server 2001:10::/28 {
	bogus yes;
};
server 2001:db8::/32 {
	bogus yes;
};
server 2002::/16 {
	bogus yes;
};
server 3000::/4 {
	bogus yes;
};
server 4000::/2 {
	bogus yes;
};
server 8000::/1 {
	bogus yes;
};
// Exceptions to the bogus ranges above: ::1 must stay reachable because
// the "rec" view's static-stub zones send their queries there, and one
// RFC 1918 /24 is allowed. NOTE(review): this relies on the more specific
// server prefix overriding the broader bogus entry (::/3 and 172.16.0.0/12)
// — confirm the precedence rule for the BIND version in use.
server ::1/128 {
	bogus no;
};
server 172.16.3.0/24 {
	bogus no;
};
// Do not send the EDNS COOKIE option to these servers; presumably they
// mishandle it (the reason is not recorded here).
server 113.209.232.218/32 {
	send-cookie no;
};
server 157.83.102.245/32 {
	send-cookie no;
};
server 157.83.102.246/32 {
	send-cookie no;
};
server 157.83.126.245/32 {
	send-cookie no;
};
server 157.83.126.246/32 {
	send-cookie no;
};
server 2001:428::7/128 {
	send-cookie no;
};
server 2001:428::8/128 {
	send-cookie no;
};
server 208.44.130.121/32 {
	send-cookie no;
};
server 43.242.49.158/32 {
	send-cookie no;
};
server 63.150.72.5/32 {
	send-cookie no;
};