Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
Joe Baptista wrote:

>> ORG and GOV and quite a lot of the ccTLD's are DNSSEC compatible, so I don't actually think it'd be much of a horserace if compatibility is all you're looking for.
>
> I agree they are both DNSSEC compatible but .GOV has only deployed DNSSEC in 20% of its zones. I'm not sure what the percentage is in .ORG - 5%? less? is it even 1% of the zones? The make work project continues.

Right now, as far as I am concerned, the main obstacle to more widespread adoption on DNSSEC is the lack of procedure to establish trust between your zone and the TLD. Even if my zone is signed, and it's in .org which is signed too, I have no (googlable) way to get my DS included into the TLD zone. Of course dlv.isc.org exists, but I think it's publicly perceived as a testbed rather than a production anchor. I'd be happy to be wrong. (And, don't tell me to switch back to Verisign registrar.)

Eugene

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Update returns FORMERR: ran out of space
On Thu, Feb 25, 2010 at 10:02:45AM +1100, Mark Andrews ma...@isc.org wrote a message of 68 lines which said:

> Try this patch. It resets the scratch space 'data' used by dns_dnssec_sign().

It works fine. Many thanks.

Sending update to ::1#8053
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 20340
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; ZONE SECTION:
;toto.fr.   IN  SOA
;; UPDATE SECTION:
toto.fr.  3600  IN  DNSKEY  256 3 8 AwEAAbQuvEyzE/+5giH+QBjynhogDchi4AaB0YPZR79BRLlXLB34pjzw ArvI1dwuqaXW1jwvT5nQ1TDMZHH/qZgBU0X5532zxPi+MOj+Ec3EUp0k clsEz5kHwATTG5paqueAd/0N/1iW8SVqNARsIRlcrTU+DENv1z8hhTQq FVoiefGf

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 20340
;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

25-Feb-2010 09:54:17.287 update: debug 8: client ::1#50327: updating zone 'toto.fr/IN': prerequisites are OK
25-Feb-2010 09:54:17.287 update: debug 8: client ::1#50327: updating zone 'toto.fr/IN': update section prescan OK
25-Feb-2010 09:54:17.287 update: info: client ::1#50327: updating zone 'toto.fr/IN': adding an RR at 'toto.fr' DNSKEY
25-Feb-2010 09:54:17.287 update: debug 8: client ::1#50327: updating zone 'toto.fr/IN': redundant request
Re: Modifying a response
On 2010-02-24 14:09, Peter Andreev wrote:
> 2010/2/24 Alan Clegg acl...@isc.org:
>> Peter Andreev wrote:
>>> For example: if user asks for non-existent domain, caching server replies with some address and no-error rcode.
>>
>> _Extremely_ bad idea.
>
> Yes, I know, but boss is boss and task is task :). Thank you very much for your answer.
>
>> You might want to talk to your boss about DNSSEC and how it ensures that answer modification is not allowed -- and how it keeps your customers safe and secure and is a good selling point (see the Comcast announcement that was made yesterday).
>>
>> AlanC
>
> Oh, DNSSEC is another headache. These two tasks don't influence each other.

As far as I can tell, they DO: your modified answers will be marked as BOGUS by DNSSEC and will be thrown away.

Niobos
Re: Cannot use dnssec-settime with old keys
On Tue, Feb 23, 2010 at 05:54:01PM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 18 lines which said:

OK, I upgrade:

% dnssec-settime -v 3 -f Ktoto.fr.+008+42555
dnssec-settime: toto.fr/RSASHA256/42555

But it changed nothing, ls -l shows that the file did not change and I still get the message "incompatible format version 1.2". And strace (Debian/Linux box) shows that the key files were opened only read-only and no file was opened for writing:

% strace dnssec-settime -f -v 3 Ktoto.fr.+008+42555 | grep open
...
open("./Ktoto.fr.+008+42555.key", O_RDONLY) = 4
open("./Ktoto.fr.+008+42555.private", O_RDONLY) = 4

Did anyone manage to use dnssec-settime -f?
Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
Stephane Bortzmeyer wrote:
> Sam Wilson sam.wil...@ed.ac.uk wrote
>> Has anyone found any uz5* servers out there yet?
>
> Zero for opendns.com, dnscurve.org, etc.

One:

dempsky.org. 259200 IN NS uz5p4utwsxu5p3r9xrw0ygddw2hxh7bkhd0vdwtbt92lf058ny1p79.dempsky.org.
dempsky.org. 259200 IN NS ns1.everydns.net.
dempsky.org. 259200 IN NS ns2.everydns.net.
dempsky.org. 259200 IN NS ns3.everydns.net.
dempsky.org. 259200 IN NS ns4.everydns.net.

From what I know about DNSCurve, an average of one in five lookups for this zone would use encrypted transport.

Anyway, bind-users is probably not the right mailing list for this topic, unless a more formal protocol description for DNSCurve appears. There's a similar thread on dnsops, so I suggest everyone interested in DNSCurve subscribe and participate there: https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Hauke.
Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
* Eugene Crosser:

> Right now, as far as I am concerned, the main obstacle to more widespread adoption on DNSSEC is the lack of procedure to establish trust between your zone and the TLD.

There's no standard procedure for NS and glue management, either, and it still seems to work quite well. 8-)

-- 
Florian Weimer                fwei...@bfk.de
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
* Sam Wilson:

> Has anyone found any uz5* servers out there yet?

node.pk, dempsky.org has such name servers. I thought there were more. Has the magic prefix changed?

-- 
Florian Weimer                fwei...@bfk.de
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
Re: Cannot use dnssec-settime with old keys
Stephane Bortzmeyer wrote:
> And strace (Debian/Linux box) shows that key files were opened only in read-only and no file was opened for writing:
>
> % strace dnssec-settime -f -v 3 Ktoto.fr.+008+42555 | grep open
>
> Did anyone manage to use dnssec-settime -f?

Yes. The key file format is upgraded on write operations only. For example, try:

dnssec-settime -P+0 -A+0 -f -v 3 Ktoto.fr.+008+42555

Hauke.
Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
In article mailman.633.1267090950.21153.bind-us...@lists.isc.org, Florian Weimer fwei...@bfk.de wrote:

> * Sam Wilson:
>> Has anyone found any uz5* servers out there yet?
>
> node.pk, dempsky.org has such name servers. I thought there were more. Has the magic prefix changed?

OK. I found none in 130 MB of cache from 3 servers. Clearly the wave hasn't broken yet.

Sam
check-named vs. acl
Hello,

I see that hosts that are not allowed to recurse are often generating check-named errors. I wonder if it wouldn't be better to check ACL's first and check-names just after it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
99 percent of lawyers give the rest a bad name.
Re: Random slow queries
On 02/24/10 18:50, Mike Chesney wrote:
> Running Bind 9.6.1-P3
>
> We run authoritative DNS for 60k+ zones. On one network where we have two dns servers both running the same hardware on Centos 5.4 we see slow dns responses:
>
> example
>
> for i in {1..250}; do dig example.com @localhost | grep "Query time:"; done;

Centos is a time-sharing system right. I wonder if your time-share is up and you're simply being scheduled off CPU - the network communication is an opportunity for the scheduler to do that. Try adding a sleep and see if your results smooth out - more 0 msec and less msec total.

for i in {1..250}; do sleep 0.5; dig example.com @localhost | grep "Query time:"; done;

> Sometimes they'll all come back w/ a 0msec response. But every few runs we see.
>
> ;; Query time: 501 msec
> ;; Query time: 111 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 1461 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 441 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
> ;; Query time: 0 msec
>
> This is just a snapshot, most other entries are all 0. This doesn't happen on any of our other dns servers. Load is pretty low on this machine around .3 4gb ram. Named consumes about 15% of memory and 4% of cpu. Not sure where to look next.
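The loop in the message prints one "Query time" line per query, which is fine for a snapshot but hard to compare between runs (with and without the sleep, or between the two servers). The shell script below is an added example, not code from the thread: it parses the ";; Query time: N msec" lines that dig prints and reports how many answers were at or above a threshold, plus the maximum and the integer mean. A constructed sample modelled on the quoted snapshot is embedded so the script runs offline; the function names, the 100 ms threshold and the probe_localhost wrapper (which needs dig and is defined but not called) are this example's own choices.

```shell
#!/bin/sh
# Added example for the "Random slow queries" thread (not code from the list):
# turn a run of dig "Query time" lines into a count of slow answers instead of
# eyeballing 250 lines. Names (summarize_query_times, probe_localhost) and the
# 100 ms threshold are this example's own choices.

# summarize_query_times [THRESHOLD_MS]
# Reads dig output on stdin and prints one line:
#   total=<queries> slow=<at or above threshold> max=<ms> mean=<integer ms>
# Lines are matched on "Query time:" after one or more ';' so both the ";;"
# form and the ";" variant that survived in the quoted snapshot are counted.
summarize_query_times() {
    threshold="${1:-100}"
    awk -v thr="$threshold" '
        /^;+ Query time:/ {
            ms = $4 + 0          # 4th field of ";; Query time: 501 msec"
            n++
            sum += ms
            if (ms > max) max = ms
            if (ms >= thr) slow++
        }
        END {
            if (n == 0) { print "total=0 slow=0 max=0 mean=0"; exit }
            printf "total=%d slow=%d max=%d mean=%d\n", n, slow, max, int(sum / n)
        }'
}

# probe_localhost [COUNT] [NAME] [DELAY_SECONDS]
# The loop from the thread, with the sleep the reply suggests, piped into the
# summary. Run it with DELAY 0 and again with DELAY 0.5 and compare the slow=
# counts. Requires dig; it is defined here but not called, so the file runs
# offline.
probe_localhost() {
    count="${1:-250}"; name="${2:-example.com}"; delay="${3:-0.5}"
    i=0
    while [ "$i" -lt "$count" ]; do
        dig "$name" @localhost
        sleep "$delay"
        i=$((i + 1))
    done | summarize_query_times 100
}

# Constructed sample modelled on the snapshot in the message; not real output.
SAMPLE_DIG_OUTPUT=';; Query time: 501 msec
;; Query time: 111 msec
;; Query time: 0 msec
;; Query time: 0 msec
; Query time: 1461 msec
;; Query time: 0 msec
;; Query time: 441 msec
;; Query time: 0 msec'

# Summarise the constructed sample: total=8 slow=4 max=1461 mean=314
printf '%s\n' "$SAMPLE_DIG_OUTPUT" | summarize_query_times 100
```

Running the probe twice, once with no delay and once with the 0.5 s sleep, gives two one-line summaries whose slow= counts can be compared directly, which is the experiment the reply proposes.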
Re: BIND 9.6.2rc1 make test question
On 02/24/10 20:56, John Center wrote:
> Hi Stace,
>
> Sorry, I didn't think this was necessarily a Solaris problem. I'm running this on Solaris 10 (SPARC 64bit), built with Sun Studio 12.1. Why did it occur on OpenSolaris?

Hi John,

Interesting, I didn't see the issue on Solaris 10 but then I'm not certain if I tested on 64bit - we only compile it 32bit. We have not discovered the cause on OpenSolaris as yet, it's logged here as CR 6909705.

Regards,
Stace

> Thanks.
>
> -John
>
> From: stacey.marsh...@sun.com [stacey.marsh...@sun.com]
> Sent: Wednesday, February 24, 2010 9:01 AM
> To: John Center
> Cc: bind-users@lists.isc.org
> Subject: Re: BIND 9.6.2rc1 make test question
>
> On 02/15/10 20:25, John Center wrote:
>> Hi,
>>
>> I just built BIND 9.6.2rc1. make test passes except for the following:
>>
>> A:the dst module provides the capability to verify data signed with the RSA and DSA algorithms
>> I:testing t2_data_1, t2_dsasig, test., 23616, DST_ALG_DSA, ISC_R_SUCCESS
>> I:testing t2_data_1, t2_rsasig, test., 54622, DST_ALG_RSAMD5, ISC_R_SUCCESS
>> I:testing t2_data_1, t2_dsasig, test., 54622, DST_ALG_RSAMD5, !ISC_R_SUCCESS
>> I:testing t2_data_2, t2_dsasig, test., 23616, DST_ALG_DSA, !ISC_R_SUCCESS
>> mem.c:322: INSIST(dl != 0L) failed.
>> I:the test case caused exception 6
>> R:UNRESOLVED
>>
>> What does this mean? Where do I look to resolve this issue?
>>
>> Thanks.
>>
>> -John
>
> John,
>
> You don't state what you're building on? I too have come across the same error on OpenSolaris circa snv_117.
>
> Stace
Re: Cannot use dnssec-settime with old keys
On Thu, Feb 25, 2010 at 10:47:58AM +0100, Hauke Lampe list+bindus...@hauke-lampe.de wrote a message of 55 lines which said:

> For example, try:
>
> dnssec-settime -P+0 -A+0 -f -v 3 Ktoto.fr.+008+42555

OK, it works, thanks.
check-names vs. acl
On 25.02.10 12:01, Matus UHLAR - fantomas wrote:
> I see that hosts that are not allowed to recurse are often generating check-named errors.

check-names it is. I apparently too often use named so I do this kind of mistype.

> I wonder if it wouldn't be better to check ACL's first and check-names just after it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.
Question about dig command
Hi,

I have a question about the “dig” command in IPv6. I have bind-9.6.1-P3 compiled with ipv6 enabled. So far it’s running great. But when I use the “dig” command from 9.6.1-P3, I get the following error when I query a record:

client ::1#33086: query (cache) 'dnssec12.datamtn.com//IN' denied

Then I switched to using the “dig” command from 9.4.1-P1 to query the same record, and I got the result nicely. Why does the dig command from 9.6.1-P3 get denied when querying records???

Linh Khuu
Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
On Wed, Feb 24, 2010 at 10:23 PM, Alan Clegg acl...@isc.org wrote:
> Joe Baptista wrote:
>>> dnssec-enable yes; and dnssec-validation yes; are the defaults since BIND 9.5
>>
>> How do I turn it off.
>
> Since you edited out the most important part of my post, I'll repeat it here before I answer your question:

Sorry - not my intention. It's just that part of the post did not apply to me. My question was not related to an authoritative server but a recursive only server.

> Serving signed zones requires signed zone data to serve. Validation requires configuration of trust anchors. To turn it off, Don't sign your zones and don't configure trust anchors.

Like I said the server is recursive only - no zones served.

> Or, if you think you might accidentally sign your zones or configure trust anchors, you can:
>
> dnssec-enable no;
> dnssec-validation no;

OK - so if I do the above - will that prevent my recursive server from doing DNSSEC if it gets information from a DNSSEC signed zone?

Thanks for your help here

joe
Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
On Thu, 25 Feb 2010, Eugene Crosser wrote:

> Right now, as far as I am concerned, the main obstacle to more widespread adoption on DNSSEC is the lack of procedure to establish trust between your zone and the TLD. Even if my zone is signed, and it's in .org which is signed too, I have no (googlable) way to get my DS included into the TLD zone.

Registrars are working on this. It requires them to update EPP etc. I am not sure if .org already accepts DS records via EPP, but I know others (eg opensrs) have started taking steps to implement this in their interface to the users. There are some corner cases that need to be solved, such as what to do when a domain moves from one DNS zone operator to another. Usually private keys cannot be handed over, so this might require multiple DS record support, etc. See further http://dnsseccoalition.org/website/

> Of course dlv.isc.org exists, but I think it's publicly perceived as a testbed rather than a production anchor.

It is production, not a testbed. And useful for anyone who wants to put their DS into it. The only thing missing there is easy access to a bulk submission interface.

Paul
Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
>> Or, if you think you might accidentally sign your zones or configure trust anchors, you can:
>>
>> dnssec-enable no;
>> dnssec-validation no;
>
> OK - so if I do the above - will that prevent my recursive server from doing DNSSEC if it gets information from a DNSSEC signed zone?

Yes, but "don't configure any trust anchors" gets the job done too. If your configuration doesn't say "trusted-keys", "managed-keys", or "dnssec-lookaside auto;" anywhere, then DNSSEC is not in use.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
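The rule in the reply above (no trusted-keys, no managed-keys, no "dnssec-lookaside auto;" means no validation) can be checked mechanically against a named.conf before assuming a recursive server is or is not validating. The shell script below is an added example, not code from the thread or from ISC: it strips comments from a configuration file and reports which of those three directives remain. Two constructed sample configurations are written to a temporary directory so it runs offline; the managed-keys entry in the first uses a placeholder string, not a real root key. It assumes a self-contained file: "include" statements are not followed, and only whole-line, trailing and single-line /* */ comments are removed.

```shell
#!/bin/sh
# Added example (not from the bind-users thread or from ISC): decide whether a
# named.conf has DNSSEC validation in use by the rule in Evan Hunt's reply,
# i.e. whether trusted-keys, managed-keys or "dnssec-lookaside auto" appears
# outside comments. Assumptions: the file is self-contained (include
# statements are not followed) and block comments fit on one line.

# strip_comments: remove //, # and single-line /* */ comment text from stdin.
strip_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' -e 's:/\*.*\*/::g'
}

# dnssec_anchor_directives FILE: print each trust-anchor directive found in
# FILE (after comment stripping), one per line, sorted and de-duplicated.
dnssec_anchor_directives() {
    strip_comments < "$1" \
        | grep -E -o 'trusted-keys|managed-keys|dnssec-lookaside[[:space:]]+auto' \
        | sort -u
}

# dnssec_in_use FILE: print "yes" if any directive was found, else "no".
dnssec_in_use() {
    if [ -n "$(dnssec_anchor_directives "$1")" ]; then echo yes; else echo no; fi
}

# write_sample_configs DIR: two constructed configurations for demonstration.
write_sample_configs() {
    dir="$1"
    # (1) Validating resolver with a managed-keys trust anchor for the root.
    #     The key material is a placeholder, not a real root key.
    cat > "$dir/validating.conf" <<'EOF'
options {
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
};
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KEY-NOT-REAL";
};
EOF
    # (2) Recursive-only resolver with DNSSEC switched off as in the thread;
    #     the commented-out anchors must not count.
    cat > "$dir/plain.conf" <<'EOF'
options {
    recursion yes;
    dnssec-enable no;       // as suggested in the thread
    dnssec-validation no;
};
// trusted-keys { "." 257 3 8 "disabled"; };
# dnssec-lookaside auto;
EOF
}

# Demonstration on the constructed samples.
DEMO_DIR=$(mktemp -d)
write_sample_configs "$DEMO_DIR"
for f in "$DEMO_DIR"/*.conf; do
    printf '%s: DNSSEC in use = %s\n' "$(basename "$f")" "$(dnssec_in_use "$f")"
done
rm -rf "$DEMO_DIR"
```

Point the same functions at a real file with `dnssec_in_use /etc/named.conf`; if the answer is "yes", `dnssec_anchor_directives` names the directive responsible so it can be located in the file.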
Re: check-names vs. acl
In message 20100225123134.gb2...@fantomas.sk, Matus UHLAR - fantomas writes:
> On 25.02.10 12:01, Matus UHLAR - fantomas wrote:
>> I see that hosts that are not allowed to recurse are often generating check-named errors.
>
> check-names it is. I apparently too often use named so I do this kind of mistype.
>
>> I wonder if it wouldn't be better to check ACL's first and check-names just after it?

It really depends what's more important for you to see. Whether you got a recursive query that didn't match an acl or a query that failed check-names. Both get REFUSED so the client can't tell the difference.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org