[dns-operations] VirtualBox NAT breaking DNSSEC validation ?

Carlos Martinez-Cagnazzo carlosm3011 at gmail.com
Tue Nov 9 05:36:41 UTC 2010


I have a VM that runs Debian Linux as a guest. Within that VM I have a Bind
9.7.2 installed, built from source, configured as a recursive, validating
server. I don't have pcap dumps here (I'll try to get them tomorrow), but
what happens is just this: If I configure the VM for bridged networking,
validation works fine (dig @localhost +dnssec...). If I configure the VM for
NAT networking, validation breaks.

I will try to get more information.

On Mon, Nov 8, 2010 at 5:29 PM, Matt Thompson <mthompson at hexwave.com> wrote:

>  Hi Carlos,
>
> I am running VirtualBox on Snow Leopard with an XP guest. I have it
> configured with vbox NAT, and I have a recursive DNS server on a separate
> LAN through a router.
>
> Using dig +dnssec @<dnssec recursive server> isc.org, I am able to get a
> response with AD set and a 1458 byte response, so it appears to be handling
> EDNS and >512 byte responses properly through NAT.
>
> Can you describe your configuration a bit more? Are you performing
> recursion/validation within the VM, or are you sending a recursion desired
> message to an external recursive server?
>
> A pcap dump of vbox communication would also be useful.
>
> Cheers,
>
> Matt Thompson
> HexWave Software Systems
>
> Hi all,
>
> I am building a set of virtual machines for a DNSSEC training course I
> will be teaching early next year. These VMs are right now running under
> VirtualBox on a MacOSX (Snow Leopard) host.
>
> I've noticed that if I configure the VMs' network to be "bridged", DNSSEC
> validation works just fine, but if I move it behind VirtualBox's NAT, I
> start getting "broken trust chain" messages and most queries fail.
>
>  Any comments will be greatly appreciated!
>
>  regards
>
>  Carlos
>
> -- 
> =========================
> Carlos M. Martinez-Cagnazzo
> http://cagnazzo.name
> =========================
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>


-- 
=========================
Carlos M. Martinez-Cagnazzo
http://cagnazzo.name
=========================
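An added stand-alone probe (not from the thread or from either poster) that does what Matt's `dig +dnssec` check does, then compares a query advertising a 512-byte EDNS0 buffer with one advertising 4096 bytes: a validator whose large UDP responses are dropped on the path shows up as "small answer fine, large answer times out". It assumes only the Python standard library; the resolver address 192.0.2.53 is a placeholder.

```python
import random, socket, struct

def build_dnssec_query(name, qtype=1, udp_size=4096):
    """What `dig +dnssec` sends: RD set, one question, EDNS0 OPT with DO bit."""
    qid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD, QD=1, AR=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)           # class IN
    # OPT RR: root owner name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags (DO is the top flag bit), RDLENGTH 0.
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, 0x8000, 0)
    return header + question + opt

def parse_response(resp):
    """Pull the fields worth checking out of a raw DNS response."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "size": len(resp), "rcode": flags & 0xF,
            "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020), "answers": an}

def probe(server, name, udp_size=4096, timeout=3.0):
    """Send one query over UDP; return the parsed response or None on timeout."""
    query = build_dnssec_query(name, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            resp, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    if resp[:2] != query[:2]:
        return None  # not an answer to our query (ID mismatch)
    return parse_response(resp)

def diagnose(small, large):
    """Compare a 512-byte-buffer probe with a 4096-byte-buffer probe of the same name."""
    if small is not None and large is None:
        return "large EDNS0 responses lost on path; check NAT/firewall UDP handling"
    if large is None:
        return "no response at all; server unreachable or blocked"
    if large["tc"]:
        return "truncated; resolver must retry over TCP"
    if large["ad"]:
        return "validated: AD set, %d-byte response" % large["size"]
    return "answer received but not validated (AD clear)"

if __name__ == "__main__":
    server, name = "192.0.2.53", "isc.org"  # placeholder resolver address
    print(diagnose(probe(server, name, 512), probe(server, name, 4096)))
```

Run it once from the bridged VM and once from the NATed one; the diagnose line differing between the two is the evidence a pcap would otherwise have to supply.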