Building 9.6.1-P2 on Solaris 10?
Does anybody have a magic configure description of what is needed to build Bind-9.6.1-P2 on Solaris 10 using native compilers and supporting the dlz-ldap features? When I run under our environment I get the following errors from the build.

../../contrib/dlz/drivers/dlz_ldap_driver.c, line 191: undefined struct/union member: lud_exts
../../contrib/dlz/drivers/dlz_ldap_driver.c, line 191: undefined struct/union member: lud_crit_exts
../../contrib/dlz/drivers/dlz_ldap_driver.c, line 995: undefined symbol: LDAP_AUTH_KRBV41
../../contrib/dlz/drivers/dlz_ldap_driver.c, line 997: undefined symbol: LDAP_AUTH_KRBV42

Does anybody recognise the source of this and what I need to do to fix it?

Regards,
Howard.

Coherent Technology Limited, 23 Northampton Square, Finsbury, London EC1V 0HL, United Kingdom
Telephone: +44 20 7690 7075
Mobile: +44 7980 639379
Company Email: coher...@cohtech.com
Website: http://www.cohtech.com/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND9 slave
On Dec 7 2009, Kevin Darcy wrote:
[...snip...]
> Or, you can run a script on the slaves which consults some centralized zone slaving database to determine what zones to slave, or to stop slaving. This zone slaving database can take many forms. One idea is to represent this list as a special zone within DNS itself, containing just one entry per zone to be slaved. I prefer using PTR records for this, over, say, TXT records, since PTR records can benefit from label compression. Not to mention that they guarantee correct domain name syntax, and the absence of duplicates (due to case-insensitivity).

Ever since I first saw you recommend this, I have wondered why did I ever think TXT records were the right way to do it? ...

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Bind slave to Windows 2008 AD/DNS
On Dec 7, 2009, at 2:47 PM, Jukka Pakkanen wrote:
> I have out Bind servers running as slaves to Windows 2008 DNS server, and it's working fine as far as I can see (except that the slaves after a period of times lose the data and never update it unless restart the Bind process, but that's another matter) but browsing the web I noticed there should be 6 zones I need to slave to have it correctly:
>
> What zones are you slaving on your BIND server? There should be six:
> DomainDNSZones.example.com
> ForestDNSZones.example.com
> _msdcs.example.com
> _sites.example.com
> _tcp.example.com
> _udp.example.com
> If you have these six zones slaved on your BIND server, and these zones are being transferred successfully, then there should be no problems.
>
> What exactly does this mean? I only have this:
>
> zone company.local {
>     type slave;
>     file company.local.cache;
>     masters { 62.x.x.x; };
> };
>
> Should I instead have these six zones in the named.conf

That depends on whether they're declared as delegated subzones or included in the company.local zone. By default, the AD wizard will create just company.local and _msdcs.company.local as zones - the other subdomains are not separated into their own individual zones.

Chris Buxton
Professional Services
Men & Mice
Re: Signing with the KSK and ZSK
On Dec 8, 2009, at 2:03 AM, xu dong wrote:
> Hi folks, I have a question about signing zone files with the KSK and the ZSK. As I know, when signing the zone files I have to use the KSK and ZSK both, just as following:
>
> dnssec-signzone -o domain-name -t -k KSK zone-name ZSK
>
> but I want to sign the ZSK with KSK first, and then sign the zone files with ZSK, so how can I do?

Why do you want to sign with one key at a time? The default behavior is to sign just the DNSKEY RRset with the KSK, and to sign the whole zone with the ZSK, all in one go.

Chris Buxton
Professional Services
Men & Mice
Re: Signing with the KSK and ZSK
In message <2ac8e9ad0912072303u6327b50eoc06cbfe232632...@mail.gmail.com>, xu dong writes:
> Hi folks, I have a question about signing zone files with the KSK and the ZSK. As I know, when signing the zone files I have to use the KSK and ZSK both, just as following:
>
> *dnssec-signzone -o domain-name -t -k KSK zone-name ZSK*
>
> but I want to sign the ZSK with KSK first, and then sign the zone files with ZSK, so how can I do?

Firstly you don't sign keys or files, you sign RRsets or zones. '-x' will tell the signer to sign the DNSKEY RRset only using KSK's.

Secondly don't over-specify the command line. 'dnssec-signzone -x -o domain-name master-file' is enough in most cases. dnssec-signzone will look at the DNSKEY records in the master-file and work out what is needed. The options are there for when you want dnssec-signzone to do something non-standard.

Mark

> Thanks.
> --
> Xudong
> email: xudon...@gmail.com
> Beijing, China

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: Building 9.6.1-P2 on Solaris 10?
Hello Howard, hello Solaris Users,

It's there: http://sunfreeware.com

Many thanks to Steven M. Christensen

Greetings
Martin
Re: DNSSEC Bogus NXDOMAIN survives authenticating RR
Niobos wrote:
> When requesting a lookup of removed, I get a SERVFAIL as well. However, every subsequent request for removed gets an NXDOMAIN. (dig outputs below) Flushing the caches on the RR with rndc flush causes the first request to be a SERVFAIL again.

I cannot reproduce this behaviour with BIND 9.7.0b3. I get a SERVFAIL for all lookups to changed/removed records.

Maybe you can try these with 9.6.1-P1:

dig +dnssec normal.fnord.dnstest.hauke-lampe.de
should return 127.0.0.1 and the AD flag (if you use DLV with either dlv.isc.org or dnssec.iks-jena.de).

dig +dnssec changed.fnord.dnstest.hauke-lampe.de
should return SERVFAIL and log error (no valid RRSIG) for the A record.

dig +dnssec removed.fnord.dnstest.hauke-lampe.de
should return SERVFAIL and log validation failures for the SOA as well as the A record (because removing the record disrupted the NSEC3 chain).

Hauke.
Re: Disable Refused answer
On Fri, 4 Dec 2009, Chris Thompson wrote:
> [It's never been entirely clear to me why these functions have to be combined, especially given that server [ipaddr/len] {bogus yes;}; can be used to block outgoing queries.]

The CIDR syntax for server clauses is relatively new. Before it was added the only option for blocking large chunks of address space was to use the blackhole feature. (We used it on our MX's name servers to stop DNS queries triggered by incoming email from probing our internal private address space.)

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
Re: Bind slave to Windows 2008 AD/DNS
Chris Buxton wrote:
> On Dec 7, 2009, at 2:47 PM, Jukka Pakkanen wrote:
>> I have out Bind servers running as slaves to Windows 2008 DNS server, and it's working fine as far as I can see (except that the slaves after a period of times lose the data and never update it unless restart the Bind process, but that's another matter) but browsing the web I noticed there should be 6 zones I need to slave to have it correctly:
>>
>> What zones are you slaving on your BIND server? There should be six:
>> DomainDNSZones.example.com
>> ForestDNSZones.example.com
>> _msdcs.example.com
>> _sites.example.com
>> _tcp.example.com
>> _udp.example.com
>> If you have these six zones slaved on your BIND server, and these zones are being transferred successfully, then there should be no problems.
>>
>> What exactly does this mean? I only have this:
>>
>> zone company.local {
>>     type slave;
>>     file company.local.cache;
>>     masters { 62.x.x.x; };
>> };
>>
>> Should I instead have these six zones in the named.conf
>
> That depends on whether they're declared as delegated subzones or included in the company.local zone. By default, the AD wizard will create just company.local and _msdcs.company.local as zones - the other subdomains are not separated into their own individual zones.

Thanks. Those 6 zones are subdomains to company.local so I guess they are covered. What about the _msdcs.company.local, is that needed in slaves?
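Whether a subdomain such as _msdcs needs its own slave stanza depends, as Chris says, on whether the parent zone delegates it. The check below is an added example (not code from this thread or from BIND): it scans a constructed company.local master file for NS records below the apex, which are the zone cuts, and reports which of the six AD names must be slaved separately. The sample zone mirrors the wizard default of splitting off only _msdcs.

```python
"""Find which AD subzones are delegated (NS records at the subzone name)
and therefore need their own 'type slave' stanza on the BIND slave.
Added example; the zone file below is constructed, not from the thread."""

AD_SUBZONES = ("DomainDnsZones", "ForestDnsZones", "_msdcs",
               "_sites", "_tcp", "_udp")

# Constructed zone file mimicking the AD wizard default: only _msdcs is
# delegated (NS at its name); _sites/_tcp data lives inside company.local.
COMPANY_LOCAL = """\
$ORIGIN company.local.
@                 IN SOA dc1 hostmaster 2009120801 900 600 86400 3600
@                 IN NS  dc1
dc1               IN A   192.0.2.10
_msdcs            IN NS  dc1
_ldap._tcp        IN SRV 0 100 389 dc1
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 dc1
DomainDnsZones    IN A   192.0.2.10
ForestDnsZones    IN A   192.0.2.10
"""

def delegated_names(zone_text, origin):
    """Owner names (absolute, lower-case) carrying NS records below the
    apex: each one is a cut where a separate zone begins.  Records are
    assumed to have no explicit TTL column (owner IN type rdata)."""
    cuts = set()
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].upper() == "IN" and f[2].upper() == "NS":
            owner = f[0]
            if owner in ("@", origin):
                continue                      # apex NS is not a delegation
            if not owner.endswith("."):
                owner = owner + "." + origin  # make relative name absolute
            cuts.add(owner.lower())
    return cuts

def ad_zones_to_slave(zone_text, origin):
    """The parent zone plus whichever AD subzones are actually delegated;
    the rest are served as part of the parent and need no stanza."""
    cuts = delegated_names(zone_text, origin)
    wanted = [origin.lower()]
    for sub in AD_SUBZONES:
        name = (sub + "." + origin).lower()
        if name in cuts:
            wanted.append(name)
    return wanted

if __name__ == "__main__":
    for z in ad_zones_to_slave(COMPANY_LOCAL, "company.local."):
        print('zone "%s" { type slave; masters { 62.x.x.x; }; };' % z.rstrip("."))
```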
Re: BIND9 slave
Chris Thompson wrote:
> On Dec 7 2009, Kevin Darcy wrote:
> [...snip...]
>> Or, you can run a script on the slaves which consults some centralized zone slaving database to determine what zones to slave, or to stop slaving. This zone slaving database can take many forms. One idea is to represent this list as a special zone within DNS itself, containing just one entry per zone to be slaved. I prefer using PTR records for this, over, say, TXT records, since PTR records can benefit from label compression. Not to mention that they guarantee correct domain name syntax, and the absence of duplicates (due to case-insensitivity).
>
> Ever since I first saw you recommend this, I have wondered why did I ever think TXT records were the right way to do it? ...

Flexibility is both the greatest strength and greatest weakness of TXT records. We don't use TXT records for *anything* in production, although we have an LDAP database maintained in parallel with DNS that gets populated with various forms of textual data. Keeping that stuff in LDAP makes it a lot more searchable.

- Kevin
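The slave-side script Kevin describes, reading a PTR-based control zone and deciding what to start and stop slaving, as an added example (not code from the thread). The control zone slave-list.example, its master file and the set of already-configured zones are constructed; the name check and case-folding are what give the "correct syntax, no duplicates" properties he mentions.

```python
"""Reconcile a slave's zone list against a 'zone slaving database' kept as
PTR records in a special zone.  Added example, not code from the thread;
the control zone, its master file and the configured set are constructed."""
import re

# Constructed master file for the control zone: one PTR per zone to slave
# (no explicit TTL column, so each record reads "@ IN PTR <zone>.").
SLAVE_LIST_ZONE = """\
$ORIGIN slave-list.example.
$TTL 3600
@   IN SOA ns1.example. hostmaster.example. 2009120801 3600 900 604800 3600
@   IN NS  ns1.example.
@   IN PTR example.com.
@   IN PTR Example.COM.
@   IN PTR 10.in-addr.arpa.
@   IN PTR _msdcs.example.com.
@   IN PTR bad..example.
"""

_LABEL = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")

def valid_zone_name(name):
    """Absolute name whose labels are all non-empty and of legal shape
    (underscore permitted for AD-style zones such as _msdcs)."""
    return name.endswith(".") and all(_LABEL.match(l) for l in name[:-1].split("."))

def zones_from_ptr_zone(master_text):
    """Zones named by PTR records, lower-cased so case variants collapse to
    one entry; malformed names are dropped rather than emitted into named.conf."""
    zones = set()
    for line in master_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].upper() == "IN" and f[2].upper() == "PTR":
            if valid_zone_name(f[3]):
                zones.add(f[3].lower())
    return zones

def reconcile(wanted, configured):
    """(zones to start slaving, zones to stop slaving), compared case-insensitively."""
    configured = {z.lower() for z in configured}
    return sorted(wanted - configured), sorted(configured - wanted)

def named_conf_stanzas(zones, master):
    """One 'type slave' stanza per zone, pointing at the given master address."""
    return "\n".join(
        'zone "%s" { type slave; file "%s.db"; masters { %s; }; };'
        % (z.rstrip("."), z.rstrip("."), master) for z in zones)

if __name__ == "__main__":
    wanted = zones_from_ptr_zone(SLAVE_LIST_ZONE)
    add, drop = reconcile(wanted, {"example.com.", "old.example."})
    print(named_conf_stanzas(add, "192.0.2.1"))
    print("stop slaving:", drop)
```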
Workaround for 'rndc stop' ?
Hi all,

Can anyone please tell me is there any other command by which I can stop the name-server without losing the recent updates. I know that I can do this by issuing 'rndc stop' but for some reason I am not able to. What are the different ways by which I can have the same benefits as that of 'rndc stop'.

Thanks in advance,
Kalpesh.
Re: DNSSEC Bogus NXDOMAIN survives authenticating RR
Niobos wrote:
> As soon as I activate DLV (besides the manual SEP I entered), the removed behaviour changes:
> * First lookup still returns SERVFAIL
> * Subsequent lookups now return NXDOMAIN with the AD flag *set*! (log confirms that my domain is not in the DLV and hence is insecure)

That is weird. I haven't seen that before and have no good explanation at hand. Could you try this lookup?

dig +dnssec removed.dnssec.dest-unreach.be

I see now what you mean. Even though I have added your DNSKEY as trusted key, I get SERVFAIL on the first query and NXDOMAIN on the second, without BIND doing any additional outgoing queries.

One of your name servers returns unsigned NXDOMAIN responses with a higher serial number than the master server:

| $ dig +dnssec removed.dnssec.dest-unreach.be @sdns1.ovh.net.
|
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32510
| ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
| ;; WARNING: recursion requested but not available
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags: do; udp: 4096
| ;; QUESTION SECTION:
| ;removed.dnssec.dest-unreach.be. IN A
|
| ;; AUTHORITY SECTION:
| dest-unreach.be. 3600 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 2009111619 3600 3600 604800 3600

serv02.imset.org returns a signed NXDOMAIN response with serial 2009081781. That corresponds to BIND's error message:

| error (insecurity proof failed) resolving 'removed.dnssec.dest-unreach.be/A/IN': 213.251.188.140#53

> Could the problem be that the authenticating RR somehow considers this domain to be insecure when looking up removed?

That might well be the case, although I would expect BIND not to return unsigned queries for names below a manually configured trust anchor. Maybe others have an idea what's happening here and why BIND returns NXDOMAIN responses.

Hauke.
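The two things Hauke spotted by hand, a secondary disagreeing with the master on the SOA serial and a negative answer served without any RRSIG, are worth checking across all authoritative servers of a signed zone whenever a validator reports "insecurity proof failed". The audit below is an added example, not from the thread or from BIND: it parses dig-style text output per server. The sdns1.ovh.net response is trimmed from the one quoted above; the serv02.imset.org response is constructed around the serial 2009081781 Hauke reports, with a placeholder RRSIG.

```python
"""Audit per-server dig output of a signed zone for serial skew between
authoritative servers and for NXDOMAIN answers that carry no RRSIG.
Added example; the responses below are constructed for the demonstration."""
import re

RESPONSES = {
  "sdns1.ovh.net": """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32510
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
dest-unreach.be. 3600 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 2009111619 3600 3600 604800 3600
""",
  # Constructed: what the master answers, SOA plus its signature (signature
  # field is a placeholder, not real RRSIG data).
  "serv02.imset.org": """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; AUTHORITY SECTION:
dest-unreach.be. 3600 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 2009081781 3600 3600 604800 3600
dest-unreach.be. 3600 IN RRSIG SOA 5 2 3600 20091231000000 20091201000000 12345 dest-unreach.be. PLACEHOLDER==
""",
}

def parse_dig(text):
    """Pull rcode, SOA serial and the number of RRSIG records out of dig's
    text output; serial is None when no SOA is present."""
    status = re.search(r"status: (\w+)", text).group(1)
    soa = re.search(r"\sIN\s+SOA\s+\S+\s+\S+\s+(\d+)", text)
    rrsigs = len(re.findall(r"\sIN\s+RRSIG\s", text))
    return {"status": status, "serial": int(soa.group(1)) if soa else None, "rrsigs": rrsigs}

def audit(responses):
    """Findings: servers disagreeing on the serial, and negative answers
    without signatures (a validator with a trust anchor for the zone will
    reject those, which is the SERVFAIL seen in the thread)."""
    parsed = {srv: parse_dig(txt) for srv, txt in responses.items()}
    findings = []
    serials = {p["serial"] for p in parsed.values() if p["serial"] is not None}
    if len(serials) > 1:
        findings.append("serial mismatch: " + ", ".join(
            "%s=%s" % (srv, p["serial"]) for srv, p in sorted(parsed.items())))
    for srv, p in sorted(parsed.items()):
        if p["status"] == "NXDOMAIN" and p["rrsigs"] == 0:
            findings.append("%s: NXDOMAIN without RRSIG (unsigned negative answer)" % srv)
    return findings

if __name__ == "__main__":
    for finding in audit(RESPONSES):
        print(finding)
```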