Information about dnsrps, fastRPZ and similar modules

2024-06-13 Thread Jesus Cea
Investigating non-trivial RPZ configurations, I noticed a huge block on bind 9.12 to provide DNSRPS, an API for external RPZ providers. Nevertheless, the code is complicated and there is no documentation. Checking around I only found a RPZ module provided by the same people that

Re: Reuse RPZ zones between views

2024-06-12 Thread Jesus Cea
On 12/6/24 21:46, Mark Andrews wrote: Have you read the fine documentation on BIND where it is stated this is not (currently) possible? If you want to extend named to support this we would be happy to review a change request. It is complicated however which is why it has not been done. Oh,

Reuse RPZ zones between views

2024-06-12 Thread Jesus Cea
My RPZ zones are quite big, and I would like to be able to reuse them in several views sharing the memory instead of independent data structures. I thought that zone "in-view" would work, but it doesn't. I am doing something like: """ view honeypot { match-clients { honeypot; };

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-06 Thread Jesus Cea
On 2/6/23 4:25, Mark Andrews wrote: Yep, some people just don’t take care with delegations. Complain to Huawei. Complain to the other companies you list in your followup email. Huawei is already notified, days ago. No reply and no changes so far. The list is quite long, in a few minutes I

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-02 Thread Jesus Cea
On 2/6/23 7:59, Nick Tait via bind-users wrote: On 2/06/23 15:02, Jesus Cea wrote: What I get from your reply is that BIND is not expected to do anything about this. It is a bit disappointing, but I agree that BIND is doing the right thing. Too bad big players don't care. But I need to "

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-02 Thread Jesus Cea
On 2/6/23 10:38, Cathy Almond wrote: Has this just started - as in, it worked before ... when? No idea. We have been bitten by this because of a new client. The issue could be for ages, no idea. It sounds like 'they changed something', possibly by accident (maybe adding more servers or

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-01 Thread Jesus Cea
On 2/6/23 4:25, Mark Andrews wrote: Yep, some people just don’t take care with delegations. Complain to Huawei. Complain to the other companies you list in your followup email. All it takes to fix this is to change the name of the zone on the child servers (ns3.dnsv5.com,

Re: Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-01 Thread Jesus Cea
On 1/6/23 17:00, Ondřej Surý wrote: From top of my head - try disabling QNAME minimization. I don't see the relevance but I tried "qname-minimization off" in my configuration. No changes, I still see the SERVFAIL. I insist this is not a bug in BIND. The original domain is misconfigured.

Issue: Name huawei.com (SOA) not subdomain of zone cloud.huawei.com -- invalid response

2023-06-01 Thread Jesus Cea
I am getting errors "Name huawei.com (SOA) not subdomain of zone cloud.huawei.com". The problem arises when requesting oauth-login.cloud.huawei.com. The problem was described in the mailing list: https://lists.isc.org/pipermail/bind-users/2021-January/104064.html BIND is replying

Patch provided, please review!: Re: DNSTAP doesn't purge old dnstap files

2023-03-22 Thread Jesus Cea
On 21/3/23 23:38, Jesus Cea wrote: Hi everybody. Bind 9.16 here. I have this configuration for DNSTAP: """   dnstap {auth; client; resolver; forwarder;};   dnstap-output file "/var/cache/bind/dnstap.tap" size 100M versions 100 suffix timestamp; """

DNSTAP doesn't purge old dnstap files

2023-03-21 Thread Jesus Cea
Hi everybody. Bind 9.16 here. I have this configuration for DNSTAP: """ dnstap {auth; client; resolver; forwarder;}; dnstap-output file "/var/cache/bind/dnstap.tap" size 100M versions 100 suffix timestamp; """ The "dnstap.tap" is correctly moved to "dnstap.tap.TIMESTAMP" a new

Incremental transfers generate complete zone reloading

2023-01-15 Thread Jesus Cea
I have a huge zone receiving a constant flow of small dns updates. My secondaries receive notifications and transfer the zone incrementally. Cool, everything works as expected. Nevertheless, I see these lines in my logs, constantly (every time a change arrives incrementally): """ 15-Jan-2023

Re: Use UDP for (small) incremental zone transfers?

2023-01-12 Thread Jesus Cea
On 13/1/23 7:12, Greg Choules via bind-users wrote: Hi Jesus. No. Zone Transfer always uses TCP. Is it really that much of an overhead for you? Not now, but it could be in the future, with many secondaries and many (tiny) updates per minute. Per your answer, I understand that zone

Use UDP for (small) incremental zone transfers?

2023-01-12 Thread Jesus Cea
I have a dns zone with many dns updates per minute. The updates are tiny, like 2-3 records, <500 bytes in total. Currently my secondaries receive a NOTIFY and they do a TCP connection to request an incremental zone transfer. We know that TCP is "heavy" and the data I need to transfer is tiny

Records "not" too long fails with "ran out of space"

2022-12-27 Thread Jesus Cea
Configuring my RPZ installation, the zone fails to load because some records are "too long". The error in the logs is something like: """ dns_master_load: ../primarios/db.rpz.local:137146: ran out of space """ I did some tests and the zone load fails if records are longer than 243

Providing AD flag for authoritative domains

2022-12-22 Thread Jesus Cea
I have a validating DNSSEC bind server. I get AD (Authenticated Data) flag when requesting details from a DNSSEC protected domain. Good. The point is that when the requested DNS name belongs to a domain for which this server is authoritative and that domain is DNSSEC enabled, no AD flag is

Re: How to *require* TSIG for NOTIFY

2022-11-15 Thread Jesus Cea
On 15/11/22 5:40, Ondřej Surý wrote: It’s `also-notify ;` and `notify explicit;` The online documentation is here: https://bind9.readthedocs.io/en/v9_16_34/reference.html That configuration affects the primary, I don't see how it

Re: How to *require* TSIG for NOTIFY

2022-11-14 Thread Jesus Cea
On 15/11/22 3:30, Mark Andrews wrote: NOTIFY is a hint for the secondary to perform a SOA refresh query sooner than the SOA query triggered by REFRESH and RETRY. Those queries are rate limited. Additionally multiple notify messages often coalesce into one action as the server is waiting to

How to *require* TSIG for NOTIFY

2022-11-14 Thread Jesus Cea
Hi everybody, I can configure my bind master to send TSIG in the NOTIFY messages, but I am not able to configure secondaries to *ONLY* allow NOTIFY with a valid TSIG. In the slave zone config I have something like: """ zone "XXX" { type slave; ... allow-notify { key "KEY_TSIG"; };