I have a VM that runs Debian Linux as a guest. Within that VM I have a Bind 9.7.2 installed, built from source, configured as a recursive, validating server. I don't have pcap dumps here (I'll try to get them tomorrow), but what happens is just this: If I configure the VM for bridged networking, validation works fine (dig @localhost +dnssec...). If I configure the VM for NAT networking, validation breaks.<div>
<br></div><div>I will try to get more information.<br><br><div class="gmail_quote">On Mon, Nov 8, 2010 at 5:29 PM, Matt Thompson <span dir="ltr"><<a href="mailto:mthompson@hexwave.com">mthompson@hexwave.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff" text="#000000">
Hi Carlos,<br>
<br>
I am running VirtualBox on Snow Leopard with an XP guest. I have
it configured with vbox NAT, and I have a recursive DNS server on
a separate LAN through a router.<br>
<br>
Using dig +dnssec @<dnssec recursive server> <a href="http://isc.org" target="_blank">isc.org</a>, I am
able to get a response with AD set and a 1458 byte response, so it
appears to be handling EDNS and >512 byte responses properly
through NAT.<br>
<br>
Can you describe your configuration a bit more? Are you performing
recursion/validation within the VM, or are you sending a recursion
desired message to an external recursive server?<br>
<br>
A pcap dump of vbox communication would also be useful.<br>
<br>
Cheers,<br>
<br>
Matt Thompson<br>
HexWave Software Systems<br>
<br>
<blockquote type="cite"><div><div></div><div class="h5">Hi all,
<div><br>
</div>
<div>I am building a set of virtual machines for a a DNSSEC
training course I will be teaching early next year. These VMs
are right now running under VirtualBox on a MacOSX (Snow
Leopard) host.</div>
<div>
<br>
</div>
<div>I've noticed that if I configure the VMs network to be
"bridged", DNSSEC validation works just fine, but if I move it
behind VirtualBox's NAT, I start getting "broken trust chain"
messages and most queries fail.</div>
<div><br>
</div>
<div>Any comments will be greatly appreciated!</div>
<div><br>
</div>
<div>regards</div>
<div><br>
</div>
<div>Carlos<br clear="all">
<br>
-- <br>
--<br>
=========================<br>
Carlos M. Martinez-Cagnazzo<br>
<a href="http://cagnazzo.name" target="_blank">http://cagnazzo.name</a><br>
=========================<br>
</div>
</div></div><pre><fieldset></fieldset>
_______________________________________________
dns-operations mailing list
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a>
</pre>
</blockquote>
<br>
</div>
<br>_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>--<br>=========================<br>Carlos M. Martinez-Cagnazzo<br><a href="http://cagnazzo.name">http://cagnazzo.name</a><br>=========================<br>
</div>