Score:0

My local BIND configuration about the A record of authoritative nameserver does not take effect

my flag

I bought a domain name "hhexperi.xyz", and want to use my own server "ns1.hhexperi.xyz" as the authoritative nameserver of the domain. But after I configured the local BIND files, running "dig +trace hhexperi.xyz" shows that the address of "ns1.hhexperi.xyz" cannot be found. The output is as below:

;; Received 696 bytes from 198.41.0.4#53(a.root-servers.net) in 55 ms
hhexperi.xyz.           3600    IN      NS      ns1.hhexperi.xyz.
hhexperi.xyz.           3600    IN      NS      ns2.hhexperi.xyz.
2tjms8vm0h8n7j9e748d19gpnujm0emj.xyz. 3600 IN NSEC3 1 1 0 - 2TJVVSOC6CRR8B060M9FH0MPV66FBD17 NS SOA RRSIG DNSKEY NSEC3PARAM
hqfj17fdeld0lb29sm2e1ij8lbdntqp3.xyz. 3600 IN NSEC3 1 1 0 - HQGQ4SSBOMP2L32F95QT37NKH1NVPA7J NS DS RRSIG
2tjms8vm0h8n7j9e748d19gpnujm0emj.xyz. 3600 IN RRSIG NSEC3 8 2 3600 20230318051933 20230216095257 53358 xyz. eHtFElpobdwApRGmrGBWl+g8JJOeZtlWFFd0MHkuZmAqgCQ6/Q1dIIFh bz67PGFq0UTKXV9LPh7N8MdEKeazXoP8Wd4HsgT6P+/ZDsXLBxd43HCT cNPdZS6pnbxEcR15RYMzmj4b74Cmih81jMT+T1CL8rzCWTbSLy/zZFPu KhA=
hqfj17fdeld0lb29sm2e1ij8lbdntqp3.xyz. 3600 IN RRSIG NSEC3 8 2 3600 20230401160524 20230303013145 53358 xyz. FiiP1snf8S8qi8DujR7mn7a5WfJMWlFfxT8yCxwvHSsJA6NsGdP47V0H nR/kEmCrms/8tnNTnqT19G/GRCwHN5tkbcoalGmDCBRKoS/y1XcI8W4H MUNxXWJcxAJ2oERKU49U7hSJ3jYrozmtuJ3mv5cwA06X/OV+Bw20NAZF d34=
couldn't get address for 'ns1.hhexperi.xyz': failure
couldn't get address for 'ns2.hhexperi.xyz': failure
dig: couldn't get address for 'ns1.hhexperi.xyz': no more

My local configuration contains three files:

  1. named.conf.local:
zone "hhexperi.xyz" {
        type master;
        file "/etc/bind/db.hhexperi.xyz";
};

zone "73.108.39.in-addr.arpa" {
        type master;
        file "/etc/bind/db.73.108.39";
};
  2. /etc/bind/db.hhexperi.xyz
;
; BIND data file for hhexperi.xyz
;
$TTL    604800
@       IN      SOA     ns1.hhexperi.xyz. root.hhexperi.xyz. (
                     2023031305         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

@       IN      NS      ns1.hhexperi.xyz.
@       IN      A       39.108.73.235
ns1     IN      A       39.108.73.235
; Note: the parent delegation shown in the dig +trace output above also lists
; ns2.hhexperi.xyz., which has no NS or A record in this zone.
  3. /etc/bind/db.73.108.39
; BIND reverse data file for 39.108.73.0/24
;
$TTL    604800
@ IN SOA ns1.hhexperi.xyz. root.hhexperi.xyz. (
                     2023031302         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.hhexperi.xyz.
235     IN      PTR     ns1.hhexperi.xyz.

When I restart bind using "systemctl restart bind9.service", the syslog file has the following output:

Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ named[39916]: configuring command channel from '/etc/bind/rndc.key'
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ named[39916]: command channel listening on 127.0.0.1#953
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ named[39916]: managed-keys-zone: loaded serial 11
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ named[39916]: zone hhexperi.xyz/IN: loaded serial 2023031305
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ named[39916]: zone 73.108.39.in-addr.arpa/IN: loaded serial 2023031302
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ named[39916]: all zones loaded
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ systemd[1]: Started BIND Domain Name Server.
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ named[39916]: running
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ named[39916]: zone 73.108.39.in-addr.arpa/IN: sending notifies (serial 2023031302)
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ systemd[1]: Started Session 778 of User root.
Mar 13 20:51:58 iZwz989nsluo4bjz79ctbpZ systemd[1]: session-778.scope: Deactivated successfully.
Mar 13 20:51:59 iZwz989nsluo4bjz79ctbpZ named[39916]: timed out resolving './DNSKEY/IN': 39.108.73.235#53
Mar 13 20:51:59 iZwz989nsluo4bjz79ctbpZ named[39916]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
Mar 13 20:51:59 iZwz989nsluo4bjz79ctbpZ systemd[1]: Started Session 779 of User root.
Mar 13 20:51:59 iZwz989nsluo4bjz79ctbpZ named[39916]: timed out resolving './DNSKEY/IN': 39.108.73.235#53
Mar 13 20:51:59 iZwz989nsluo4bjz79ctbpZ named[39916]: broken trust chain resolving './NS/IN': 198.97.190.53#53
Mar 13 20:51:59 iZwz989nsluo4bjz79ctbpZ named[39916]: resolver priming query complete: broken trust chain
Mar 13 20:51:59 iZwz989nsluo4bjz79ctbpZ systemd[1]: session-779.scope: Deactivated successfully.
Mar 13 20:52:00 iZwz989nsluo4bjz79ctbpZ systemd[1]: Started Session 780 of User root.
Mar 13 20:52:00 iZwz989nsluo4bjz79ctbpZ systemd[1]: session-780.scope: Deactivated successfully.

Could anyone tell me where I made the mistakes?

PersianGulf
cn flag
Do your other domains work fine?
Charriesun
my flag
I only tried one domain yet.
HBruijn
in flag
Just successfully configuring and running a Bind name server for a particular domain does not automatically make your server authoritative, and the rest of the internet won't automatically start using your name server. That requires that your registrar first updates the name server entries for your domain, and when you intend to use in-zone NS records, they'll also need to add the required [GLUE records](https://serverfault.com/q/309622/37681). - When you also want to (dis-)enable DNSSEC, that also requires (de-)activation with your registrar.
Patrick Mevzek
cn flag
You seem to have local connectivity problems too, with "timed out resolving './DNSKEY/IN': 39.108.73.235#53". If you can't contact root servers, that is not a good sign. Technically authoritative nameservers shouldn't need that, but in practice it could show other problems. Also, and specifically if you are new to the DNS world: 1) Don't start with DNSSEC, first understand everything, then add it, and 2) bind might be too complicated to start with, maybe try another server like `nsd`. +100 to what @HBruijn said, and also use your registrar as a support resource. Plus DNSViz online troubleshooting.
fr flag
As far as I can tell the nameserver is accessible (answers to pings) but is blocking both TCP and UDP port 53. Glue is also there as of now. Fix the firewall...
Score:0
my flag

Problem solved. My DNS server is on a cloud, and the security configuration on the cloud didn't allow port 53. I added this port and everything went fine.
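Added example, not part of the question or any answer above: a small raw-DNS probe that shows the two things the thread turned on. First, it queries a nameserver over both UDP and TCP port 53 with RD=0 (the way a resolver talks to an authoritative server) and reports whether the port is filtered (no reply at all, which is what a cloud security group dropping port 53 looks like), refused (host up, nothing listening) or answered. Second, it parses a parent referral and lists NS names that have no A glue in the additional section, which is HBruijn's glue point. It uses only the Python standard library; the host name and IP are the ones from the question, and the referral bytes at the bottom are constructed for offline testing, not captured from the .xyz servers.

```python
"""Raw DNS probe: firewalled vs. refused vs. answered on 53/udp and 53/tcp,
plus a glue check on a parent referral. Standard library only."""
import socket
import struct

TYPE_A, TYPE_NS = 1, 2

def encode_name(name):
    """Wire-format a domain name (uncompressed labels, terminating zero)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qtype, txid=0x1234):
    """Query with all flags zero (RD=0): what a resolver sends to an authoritative server."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2                          # caller resumes after the pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if jumped else off

def parse_response(msg):
    """Return rcode and (owner, type, rdata) triples for answer/authority/additional."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4
    out = {"rcode": flags & 0xF, "answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == TYPE_NS:
                rdata, _ = read_name(msg, off)         # NS rdata may be compressed
            elif rtype == TYPE_A and rdlen == 4:
                rdata = socket.inet_ntoa(rdata)
            off += rdlen
            out[section].append((owner, rtype, rdata))
    return out

def missing_glue(referral):
    """NS names in a parent referral that carry no A glue in the additional section."""
    ns_names = {r for _, t, r in referral["authority"] if t == TYPE_NS}
    glued = {o for o, t, _ in referral["additional"] if t == TYPE_A}
    return sorted(ns_names - glued)

def probe(server_ip, qname, timeout=3.0):
    """'filtered' = silence (firewall/security group drops 53), 'refused' = host up but
    nothing listening, 'answered' = something on 53 replied. Needs network access."""
    q = build_query(qname, TYPE_A)
    result = {}
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.settimeout(timeout)
    try:
        udp.sendto(q, (server_ip, 53))
        udp.recvfrom(4096)
        result["udp"] = "answered"
    except socket.timeout:
        result["udp"] = "filtered"
    except ConnectionRefusedError:                     # ICMP port unreachable came back
        result["udp"] = "refused"
    finally:
        udp.close()
    try:
        with socket.create_connection((server_ip, 53), timeout=timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP: 2-byte length prefix
            tcp.recv(4096)
            result["tcp"] = "answered"
    except socket.timeout:
        result["tcp"] = "filtered"
    except (ConnectionRefusedError, ConnectionResetError):
        result["tcp"] = "refused"
    return result

# Constructed referral (not a real capture), shaped like the .xyz answer in the
# dig +trace output: two NS in authority, A glue for ns1 only, so ns2 lacks glue.
SAMPLE_REFERRAL = (
    struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 2, 1)
    + encode_name("hhexperi.xyz") + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, 1, 3600, 6) + b"\x03ns1\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, 1, 3600, 6) + b"\x03ns2\xc0\x0c"
    + b"\x03ns1\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 3600, 4)
    + socket.inet_aton("39.108.73.235")
)
```

Run `missing_glue(parse_response(SAMPLE_REFERRAL))` offline to see the glue check; `probe("39.108.73.235", "hhexperi.xyz")` against a live host returns `{'udp': 'filtered', 'tcp': 'filtered'}` when a security group silently drops port 53, which is the signature the last comment above diagnosed. A server that is up but has `named` stopped gives `refused` on TCP instead, so the two failure modes are told apart without guessing.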
