Root zone mirroring - confusing ACLs
I have an RFC 7706-style configuration on my test server (config below): I have separate `auth` and `rec` views, and the root zone is in the `auth` view and validated by the `rec` view.
I thought I should try out mirror mode, to validate earlier.
I added `mirror yes` to the root zone config and restarted the server.
I tried `dig soa .` and I got a SERVFAIL - the `auth` view REFUSED the query. I tried adding `::1` to the `allow-recursion` ACL (which I thought should also affect the `allow-query-cache` ACL), but queries were still REFUSED.
I removed `mirror yes` and ran `rndc reconfig`, but I still got SERVFAIL errors, so I had to restart the server.
It isn't clear to me why this didn't work or which ACL was the problem.
// Client ACL used throughout this config: global allow-query/allow-transfer,
// the rate-limit exemption, statistics-channel access and view "rec" match-clients.
acl "cudn" {
128.232.0.0/16;
129.169.0.0/16;
131.111.0.0/16;
192.18.195.0/24;
192.84.5.0/24;
192.153.213.0/24;
193.60.80.0/20;
193.63.252.0/23;
2001:630:210::/44;
2a00:1098:5::/48;
2a05:b400::/32;
// Order matters: address match lists are first-match, so the negated /16 must
// precede the enclosing 172.16.0.0/12 for 172.31.0.0/16 to be excluded.
!172.31.0.0/16;
172.16.0.0/12;
10.128.0.0/9;
// Loopback is included, so local tools (e.g. dig on this host) match this ACL.
127.0.0.1/32;
::1/128;
};
// Single file channel for all categories: 10 rotated versions of 100 MiB each.
logging {
channel "log" {
file "/log/named.log" versions 10 size 104857600;
// Log level follows the server's runtime debug level (rndc trace).
severity dynamic;
print-time iso8601;
print-severity yes;
print-category yes;
};
category "default" {
"log";
};
};
// Primary servers for the secondary zones in view "auth" (catalog zone and
// 10.in-addr.arpa). No key is attached, so these transfers are not TSIG-signed.
masters "ucam" {
2001:630:212:8::d:a0;
131.111.8.37;
2001:630:212:12::d:a1;
131.111.12.37;
};
// Primary servers for the RPZ feed zones in view "rec". No key is attached,
// so these transfers are not TSIG-signed.
masters "ucam-rec" {
2001:630:212:8::d:0;
131.111.8.42;
2001:630:212:12::d:1;
131.111.12.20;
};
// Global options; the view- and zone-level statements below override these.
options {
// All traffic from these two addresses is ignored (queries and responses).
blackhole {
131.111.12.49/32;
2001:630:212:12:250:56ff:fe90:7ed7/128;
};
directory "/var/opt/bind/run";
// NOTE(review): no space between "file" and the path; this listing presumably
// came from a parsed config, but confirm it round-trips through named-checkconf.
dnstap-output file"dnstap";
// Every query is logged to the channel above; expect high log volume.
querylog yes;
// The hostname is disclosed to clients that ask for it (NSID / ID.SERVER CH TXT).
server-id hostname;
// DNS-rebinding defence: answers carrying addresses in these private/reserved
// ranges are refused, except for names under private.cam.ac.uk, which
// legitimately resolve to private addresses.
deny-answer-addresses {
0.0.0.0/8;
10.0.0.0/8;
100.64.0.0/10;
127.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
192.0.0.0/24;
192.0.2.0/24;
192.88.99.0/24;
192.168.0.0/16;
198.18.0.0/15;
198.51.100.0/24;
203.0.113.0/24;
224.0.0.0/3;
::/3;
2001::/32;
2001:2::/48;
2001:10::/28;
2001:db8::/32;
2002::/16;
3000::/4;
4000::/2;
8000::/1;
} except-from {
"private.cam.ac.uk";
};
// NOTE(review): the denied alias target and its except-from list are the same
// name, which reads as self-cancelling; confirm the intended effect.
deny-answer-aliases {
"private.cam.ac.uk";
} except-from {
"private.cam.ac.uk";
};
// DNSSEC validation using the built-in root trust anchor.
dnssec-validation auto;
// Capture all message types to the dnstap output above.
dnstap {
all;
};
// SOA names used for the automatically created empty zones.
empty-contact "root.localhost";
empty-server "localhost";
// Serve-stale: expired data may be served for up to an hour while
// resolution fails (enabled by stale-answer-enable below).
max-stale-ttl 3600;
no-case-compress {
"any";
};
// Response rate limiting: 2 identical responses per second per client
// network; the local "cudn" networks are exempt.
rate-limit {
exempt-clients {
"cudn";
};
responses-per-second 2;
};
// Ask upstream servers for their NSID.
request-nsid yes;
rrset-order {
order random;
};
stale-answer-enable yes;
// Default query and transfer ACLs. Several zones in the views below widen
// these to "any", so this is not a global guarantee.
allow-query {
"cudn";
};
allow-transfer {
"cudn";
};
// Only KSKs sign the DNSKEY RRset of the locally signed zones.
dnssec-dnskey-kskonly yes;
// NOTIFY is sent only for zones this server is primary for.
notify master-only;
zone-statistics full;
};
// Statistics channel on port 8053 on all IPv4 and IPv6 interfaces. It is plain
// HTTP with no authentication; the "cudn" ACL is the only access control.
statistics-channels {
inet 0.0.0.0 port 8053 allow {
"cudn";
};
inet :: port 8053 allow {
"cudn";
};
};
// Recursive resolver view. Only "cudn" clients that set RD reach it;
// non-recursive queries, and all other sources, fall through to view "auth".
view "rec" {
match-clients {
"cudn";
};
match-recursive-only yes;
// RPZ feed zones, transferred from the "ucam-rec" servers without TSIG.
zone "block.arpa.cam.ac.uk" {
type slave;
file "/zs/block.arpa.cam.ac.uk";
masters {
"ucam-rec";
};
};
zone "passthru.arpa.cam.ac.uk" {
type slave;
file "/zs/passthru.arpa.cam.ac.uk";
masters {
"ucam-rec";
};
};
// Locally maintained policy zone, updatable via the local-ddns key.
// allow-query/allow-transfer "any" make the policy contents world-readable;
// the global allow-query { "cudn" } does not apply here.
zone "test.rpz.dotat.at" {
type master;
file "../zd/test.rpz.dotat.at/master";
journal "../zd/test.rpz.dotat.at/journal";
update-policy local;
allow-query {
"any";
};
allow-transfer {
"any";
};
masterfile-format raw;
};
// The static-stub zones below send this view's queries for each name to ::1 -
// presumably the "auth" view of this same server (RFC 7706 style for the
// root, local secondaries for the rest) - instead of to the public servers.
zone "cb4.eu" {
type static-stub;
server-addresses {
::1;
};
};
zone "dotat.at" {
type static-stub;
server-addresses {
::1;
};
};
zone "ed25519.dotat.at" {
type static-stub;
server-addresses {
::1;
};
};
zone "no-dnssec.dotat.at" {
type static-stub;
server-addresses {
::1;
};
};
zone "fanf2.ucam.org" {
type static-stub;
server-addresses {
::1;
};
};
zone "dev.dns.cam.ac.uk" {
type static-stub;
server-addresses {
::1;
};
};
zone "catz.arpa.cam.ac.uk" {
type static-stub;
server-addresses {
::1;
};
};
zone "10.in-addr.arpa" {
type static-stub;
server-addresses {
::1;
};
};
// The root zone is fetched from the local copy at ::1 and validated in this
// view. The SERVFAIL described in the issue would follow if ::1 refused these
// queries (inferred from the issue text, not visible in this config).
zone "." {
type static-stub;
server-addresses {
::1;
};
};
zone "83.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "18.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "84.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "253.63.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "0.0.4.b.5.0.a.2.ip6.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "cst.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "93.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "24.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "195.18.192.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "statslab.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "eng.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "88.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "in-addr.arpa.private.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "2.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "16.111.131.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
// Answers under this name carry private addresses; it is the except-from
// name of deny-answer-addresses in the global options.
zone "private.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "maths.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "26.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "169.129.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "23.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "5.84.192.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "dpmms.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "87.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "90.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "5.0.0.0.8.9.0.1.0.0.a.2.ip6.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "29.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "24.111.131.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "85.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "19.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "232.128.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "145.111.131.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "18.111.131.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "25.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "80.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "damtp.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "94.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "21.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "92.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "16.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "cl.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "89.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "1.2.0.0.3.6.0.1.0.0.2.ip6.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "in-addr.arpa.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "111.131.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "86.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "252.63.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "91.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "27.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "95.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "81.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "20.111.131.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "newton.cam.ac.uk." {
type static-stub;
server-addresses {
::1;
};
};
zone "213.153.192.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "20.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "22.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "17.111.131.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "28.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "17.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "30.172.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
zone "82.60.193.in-addr.arpa." {
type static-stub;
server-addresses {
::1;
};
};
minimal-responses no-auth-recursive;
// RPZ: the local test zone is consulted first, then the pass-through and
// block feeds. break-dnssec yes applies rewrites even to validated answers,
// rewritten TTLs are capped at 300 s, and qname-wait-recurse no applies
// QNAME rules without waiting for recursion to finish.
response-policy {
zone "test.rpz.dotat.at";
zone "passthru.arpa.cam.ac.uk" policy passthru;
zone "block.arpa.cam.ac.uk" policy cname "ipreg.rpz.dotat.at";
} break-dnssec yes max-policy-ttl 300 qname-wait-recurse no;
};
// Authoritative view. It has no match-clients, so it matches every source
// address (including "cudn" clients sending non-recursive queries); query
// access falls back to the global allow-query { "cudn" } except where a
// zone below opens it to "any".
view "auth" {
// TSIG keys; the secrets are redacted in this listing.
key "_acme-challenge.dotat.at" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
key "dev.dns.cam.ac.uk" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
key "tsig-fanf" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
// Public signed zone: queries and AXFR from anywhere, updates only via the
// local-ddns key, keys and signatures maintained by named from key-directory.
zone "cb4.eu" {
type master;
file "../zd/cb4.eu/master";
journal "../zd/cb4.eu/journal";
update-policy local;
allow-query {
"any";
};
allow-transfer {
"any";
};
also-notify {
91.221.196.11;
};
auto-dnssec maintain;
key-directory "../zd/cb4.eu";
masterfile-format raw;
sig-validity-interval 10 8;
};
zone "dotat.at" {
type master;
file "../zd/dotat.at/master";
journal "../zd/dotat.at/journal";
// local-ddns may update any name and type in the zone; the ACME key is
// limited to TXT records at its own name (rule type "self").
update-policy {
grant "local-ddns" zonesub "any";
grant "_acme-challenge.dotat.at" self "_acme-challenge.dotat.at" "TXT";
};
allow-query {
"any";
};
allow-transfer {
"any";
};
also-notify {
91.221.196.11;
};
auto-dnssec maintain;
key-directory "../zd/dotat.at";
masterfile-format raw;
sig-validity-interval 10 8;
};
zone "ed25519.dotat.at" {
type master;
file "../zd/ed25519.dotat.at/master";
journal "../zd/ed25519.dotat.at/journal";
update-policy local;
allow-query {
"any";
};
allow-transfer {
"any";
};
auto-dnssec maintain;
key-directory "../zd/ed25519.dotat.at";
masterfile-format raw;
sig-validity-interval 10 8;
};
// Test zone going from signed to unsigned (dnssec-secure-to-insecure yes).
zone "no-dnssec.dotat.at" {
type master;
file "../zd/no-dnssec.dotat.at/master";
journal "../zd/no-dnssec.dotat.at/journal";
update-policy local;
allow-query {
"any";
};
allow-transfer {
"any";
};
auto-dnssec maintain;
dnssec-secure-to-insecure yes;
key-directory "../zd/no-dnssec.dotat.at";
masterfile-format raw;
};
// Test zone with aggressive signing settings: keys re-read every 10 minutes,
// small signing batches, and very short signature validity (1 day, resign
// after 23 hours).
zone "fanf2.ucam.org" {
type master;
file "../zd/fanf2.ucam.org/master";
journal "../zd/fanf2.ucam.org/journal";
update-policy local;
allow-query {
"any";
};
allow-transfer {
"any";
};
auto-dnssec maintain;
dnssec-loadkeys-interval 10;
dnssec-secure-to-insecure yes;
key-directory "../zd/fanf2.ucam.org";
masterfile-format raw;
sig-signing-nodes 10;
sig-signing-signatures 2;
sig-validity-interval 1 23;
};
// Unlike the zones above, AXFR here is limited to localhost and the
// "tsig-fanf" key, and updates use allow-update with two keys (any name,
// any type) rather than an update-policy.
zone "dev.dns.cam.ac.uk" {
type master;
file "../zd/dev.dns.cam.ac.uk/master";
journal "../zd/dev.dns.cam.ac.uk/journal";
allow-query {
"any";
};
allow-transfer {
"localhost";
key "tsig-fanf";
};
allow-update {
key "local-ddns";
key "dev.dns.cam.ac.uk";
};
auto-dnssec maintain;
key-directory "../zd/dev.dns.cam.ac.uk";
masterfile-format raw;
sig-validity-interval 10 8;
};
// Catalog zone (see catalog-zones below) and a private reverse zone, both
// secondaries from the "ucam" servers and restricted to "cudn" clients.
zone "catz.arpa.cam.ac.uk" {
type slave;
file "../zs/catz.arpa.cam.ac.uk";
masters {
"ucam";
};
allow-query {
"cudn";
};
};
zone "10.in-addr.arpa" {
type slave;
file "../zs/10.in-addr.arpa";
masters {
"ucam";
};
allow-query {
"cudn";
};
};
// Local copy of the root zone (RFC 7706), transferred without TSIG from the
// two listed addresses, refresh/retry capped at 512 s. With notify explicit,
// only 127.0.0.1:5300 is notified - presumably a separate named instance.
// NOTE(review): the issue text says "mirror yes" was added to this zone. This
// view has recursion no and allow-recursion { "none" }; mirror-zone answers
// are served from the cache rather than as authoritative data, so the ACL
// that governs them is allow-query-cache, whose default in a view is taken
// from that view's allow-recursion - TODO confirm against the ARM for the
// BIND version in use.
zone "." {
type slave;
file "../zs/root";
masters {
2001:7fd::1;
193.0.14.129;
};
also-notify {
127.0.0.1 port 5300;
};
max-refresh-time 512;
max-retry-time 512;
notify explicit;
};
// Purely authoritative: recursion is off and nobody may request it.
allow-recursion {
"none";
};
// Member zones of the catalog are created as secondaries under ../zs.
catalog-zones {
zone "catz.arpa.cam.ac.uk" zone-directory "../zs";
};
// Keep UDP responses below common path MTUs; answer ANY minimally.
max-udp-size 1400;
minimal-any yes;
minimal-responses yes;
recursion no;
};
// Never send queries to servers in these private, reserved or documentation
// ranges (the same list as deny-answer-addresses in the global options).
server 0.0.0.0/8 {
bogus yes;
};
server 10.0.0.0/8 {
bogus yes;
};
server 100.64.0.0/10 {
bogus yes;
};
// Covers all of loopback; see the ::1/128 and 172.16.3.0/24 exceptions below.
server 127.0.0.0/8 {
bogus yes;
};
server 169.254.0.0/16 {
bogus yes;
};
server 172.16.0.0/12 {
bogus yes;
};
server 192.0.0.0/24 {
bogus yes;
};
server 192.0.2.0/24 {
bogus yes;
};
server 192.88.99.0/24 {
bogus yes;
};
server 192.168.0.0/16 {
bogus yes;
};
server 198.18.0.0/15 {
bogus yes;
};
server 198.51.100.0/24 {
bogus yes;
};
server 203.0.113.0/24 {
bogus yes;
};
server 224.0.0.0/3 {
bogus yes;
};
server ::/3 {
bogus yes;
};
server 2001::/32 {
bogus yes;
};
server 2001:2::/48 {
bogus yes;
};
server 2001:10::/28 {
bogus yes;
};
server 2001:db8::/32 {
bogus yes;
};
server 2002::/16 {
bogus yes;
};
server 3000::/4 {
bogus yes;
};
server 4000::/2 {
bogus yes;
};
server 8000::/1 {
bogus yes;
};
// Exceptions to the bogus ranges above: ::1 must stay reachable because every
// static-stub zone in view "rec" points at it, and 172.16.3.0/24 is carved out
// of 172.16.0.0/12. These rely on the more specific prefix taking precedence
// over the wider one - confirm for the BIND version in use.
server ::1/128 {
bogus no;
};
server 172.16.3.0/24 {
bogus no;
};
// Individual upstream servers that are not sent the EDNS COOKIE option,
// presumably because they mishandle it - confirm each entry is still needed.
server 113.209.232.218/32 {
send-cookie no;
};
server 157.83.102.245/32 {
send-cookie no;
};
server 157.83.102.246/32 {
send-cookie no;
};
server 157.83.126.245/32 {
send-cookie no;
};
server 157.83.126.246/32 {
send-cookie no;
};
server 2001:428::7/128 {
send-cookie no;
};
server 2001:428::8/128 {
send-cookie no;
};
server 208.44.130.121/32 {
send-cookie no;
};
server 43.242.49.158/32 {
send-cookie no;
};
server 63.150.72.5/32 {
send-cookie no;
};