[Dnsmasq-discuss] AAAA requests: long delay or SERVFAIL
martin f krafft
madduck at madduck.net
Tue Dec 23 19:59:15 GMT 2014
also sprach Simon Kelley <simon at thekelleys.org.uk> [2014-12-23 18:14 +0100]:
> My guess is that the SERVFAIL is coming from a server upstream of
> dnsmasq. Unless told to, dnsmasq "overlays" the DNS information is
> has locally onto the global DNS a record-at-a-time, not
> a domain-name at a time.
Yeah, that could be. tcpdump seems to think you're right. Thank you!
> or even better, modify the domain definition to something like
> domain=virt,192.168.122.0/24, local
Unfortunately, I am seeing absolutely no difference with this
% sudo grep domain /var/lib/libvirt/dnsmasq/default.conf
% dig @192.168.122.1 mx red.virt
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29678
And according to tcpdump, this SERVFAIL comes from upstream (see
This (disabling any forwarding of *.virt) would be a really useful
setting for my case because I would also like to delegate the
resolution of *.virt to dnsmasq from my loopback resolver. At the
moment, this is the cause of the frequent timeouts: dnsmasq sends
a query upstream, which is configured to send queries for *.virt
Am I doing something wrong still?
Btw, I managed to fix SERVFAIL upstream, using these instructions:
tl;dr: DNSSEC is preventing me from using the zone *.virt unless
I declare it private and insecure.
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
"den stil verbessern, das heißt den gedanken verbessern."
- friedrich nietzsche
spamtraps: madduck.bogus at madduck.net
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1107 bytes
Desc: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
More information about the Dnsmasq-discuss