Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-19 Thread Phil Mayers

On 08/18/2010 06:55 PM, Dave Sparro wrote:

On 8/18/2010 1:12 PM, Casey Deccio wrote:

On Wed, Aug 18, 2010 at 9:48 AM, Dave Sparro <dspa...@gmail.com> wrote:

On 8/18/2010 8:30 AM, Phil Mayers wrote:


...since the ncbi zone is an unsigned child zone, there needs to be an
NSEC/NSEC3 record to prove the absence of the DS record, and have a
secure delegation to an unsigned child zone.



It sounds to me like DNSSEC validation is working as designed.  If your DNS
server's users are complaining about not being able to resolve something
that fails validation, the question you need to ask is do your end-users
really want you to do DNSSEC validation for them?

If you're asking for a workaround for when validation fails, there's not
much point to doing the validation.



Insecure delegations are not a work-around, but are rather a provision
for delegated child zones that have not implemented DNSSEC.  The
parent zone (and its authoritative servers) must be properly
configured to handle authenticated denial of existence using NSEC or
NSEC3.  Specifically, they must use these RRs to prove the
non-existence of a DS RR for an unsigned child zone, whose existence
would otherwise indicate a secure delegation.  If the proper
NSEC/NSEC3 RRs are not returned, or are not thought to be authentic,
then there is a broken chain because the resolver cannot prove that
the delegation is insecure.  In the following diagram, note the
diamond-shaped NSEC3 node, whose presence (when properly
authenticated) proves the insecure delegation to ncbi.nlm.nih.gov:
http://dnsviz.net/d/www.ncbi.nlm.nih.gov/dnssec/



It seems to me that the OP wanted a work-around to the fact that his end
users couldn't use the website due to a validation failure.
It still seems to me that working around that situation misses the point
of using DNSSEC.



I did, and I disagree that it misses the point.

I wanted a *short term* workaround for that zone, while the site fixed 
their DNSSEC. I had satisfied myself that it was a DNSSEC signing 
mistake, and faced an unpalatable choice - disable validation globally 
for the duration of a single site repair period (sacrificing the 
benefits of DNSSEC) or lose connectivity to that site. Had the site been 
more important to us, it would have been no choice at all - I would 
have been instructed to disable validation.


I think DNSSEC is very important, but I also think mistakes will happen, 
and that sites will want the ability to be forgiving for a grace period.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
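Casey's explanation of how NSEC3 proves an insecure delegation, worked through in code. This is an added example, not from the thread or from BIND: it hashes names per RFC 5155, builds a constructed parent zone's NSEC3 chain, and shows what a validator concludes for a signed child, an unsigned child with a matching NSEC3, an unsigned child under Opt-Out, and the broken case where no NSEC3 proves the DS absent (the RRSIGs are assumed to have been validated already).

```python
import base64
import hashlib
from dataclasses import dataclass

# base32 -> base32hex (RFC 4648 section 7): NSEC3 owner names use the hex alphabet
# because its lexical order equals numeric order, which the chain walk relies on.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5 hash: SHA-1(x || salt), re-hashed `iterations` more times."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


@dataclass(frozen=True)
class NSEC3:
    owner_hash: str        # hashed owner name (first label of the NSEC3 RR)
    next_hash: str         # "next hashed owner name" field
    types: frozenset       # type bitmap of the original (unhashed) owner name
    opt_out: bool = False  # Flags field, bit 0

    def covers(self, h: str) -> bool:
        """True when h sorts strictly between owner and next; the last RR of the
        chain wraps around to the first, so there next_hash < owner_hash."""
        if self.owner_hash < self.next_hash:
            return self.owner_hash < h < self.next_hash
        return h > self.owner_hash or h < self.next_hash


def build_chain(rrsets: dict, salt: bytes, iterations: int, opt_out: bool = False) -> list:
    """What a signer does: hash each name that gets an NSEC3, sort, link to the next."""
    hashed = sorted((nsec3_hash(n, salt, iterations), frozenset(t)) for n, t in rrsets.items())
    return [NSEC3(h, hashed[(i + 1) % len(hashed)][0], t, opt_out)
            for i, (h, t) in enumerate(hashed)]


def delegation_status(child: str, salt: bytes, iterations: int, chain: list) -> str:
    """Classify what a parent's (already RRSIG-validated) NSEC3 chain proves about
    the DS RRset at `child`:
      'secure'   - DS present, the resolver must go on to validate the child zone
      'insecure' - DS proven absent: a matching NSEC3 has NS but no DS, or the
                   child falls inside an Opt-Out span
      'bogus'    - nothing proves either, so a validating resolver SERVFAILs
    """
    h = nsec3_hash(child, salt, iterations)
    for rr in chain:
        if rr.owner_hash == h:                       # exact-match NSEC3 (the "diamond")
            if "DS" in rr.types:
                return "secure"
            return "insecure" if "NS" in rr.types else "bogus"
        if rr.covers(h):                             # no NSEC3 for the child itself
            # With Opt-Out (RFC 5155 section 6) unsigned delegations may be missing
            # from the chain.  Without it, a covering RR would prove the name does
            # not exist at all, which contradicts the referral: bogus.
            return "insecure" if rr.opt_out else "bogus"
    return "bogus"


# Constructed parent zone; salt and iteration count follow RFC 5155 Appendix A.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
PARENT = {
    "example.":   {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "a.example.": {"NS", "DS", "RRSIG"},   # signed child: secure delegation
    "c.example.": {"NS"},                  # unsigned child: insecure delegation
}


def demo() -> dict:
    """Status a validator derives for the children under three signer behaviours."""
    full = build_chain(PARENT, SALT, ITERATIONS)
    without_c = {n: t for n, t in PARENT.items() if n != "c.example."}
    # Opt-Out signer: legitimately omits the NSEC3 for the unsigned delegation.
    optout = build_chain(without_c, SALT, ITERATIONS, opt_out=True)
    # The failure mode from the thread: no Opt-Out, yet no authentic NSEC3 for the
    # unsigned child is available, so the resolver cannot prove the DS is absent.
    broken = build_chain(without_c, SALT, ITERATIONS)
    return {
        "a/full":   delegation_status("a.example.", SALT, ITERATIONS, full),
        "c/full":   delegation_status("c.example.", SALT, ITERATIONS, full),
        "c/optout": delegation_status("c.example.", SALT, ITERATIONS, optout),
        "c/broken": delegation_status("c.example.", SALT, ITERATIONS, broken),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:10s} {status}")
```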


Re: Bind as cache DNS and firewall

2010-08-19 Thread Ulrich David
Hi Jason and Robert,

Sorry for my lack of details.

My firewall has stateful inspection enabled for all ports:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I permit all outgoing packets. The open incoming ports are 22 tcp (for all
IPs), 53 tcp and udp (filtered for my clients' IPs - they have public IPs... so...
-).
I enable LOG for iptables but protect it against DoS. Doing this permits me to
do some inspection :) .

I have BIND 9.4.3-P5 (running on Linux). It's the last stable release on my
distribution. query-source is not enabled. My configuration is very simple:
options {
    directory "/var/bind";
    listen-on-v6 { none; };
    listen-on { any; };

    allow-query {
        local;
        my-clients;
        my-servers;
        my-private-network;
    };

    statistics-file "/var/bind/stats/named.stats";
    version "None of your business";
    blackhole { blacklist; };
    max-cache-size 0;
    recursive-clients 1;
    pid-file "/var/run/named/named.pid";
};
I have some zones (in-addr.arpa, ., localhost). I have logging and controls
blocks too.
I can go up to 4000 queries/second (a lot of mail servers on my network).

named is running well. But I have some problems with some perhaps bogus
authoritative DNS servers (ns51.domaincontrol.com and ns52.domaincontrol.com for
example)... so I decided to see if it's not my configuration which has a
problem.

Regards,

David




On 19 Aug 2010, at 04:23, Jason Roysdon wrote:

 
 On 08/18/2010 02:42 PM, Ulrich David wrote:
 Hi,
 
 I'm using Bind as a cache (absolutely not authoritative) DNS for a public 
 network. I have put a firewall in order to refuse incoming packets from 
 people not on my network.
 
 Today, inspecting logs, I see this:
 
 Aug 18 17:31:44 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 
 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP 
 SPT=56592 DPT=53 LEN=49 
 Aug 18 17:31:48 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 
 DST=MY.CACHE.DNS LEN=59 TOS=00 PREC=0x00 TTL=120 ID=23374 PROTO=UDP 
 SPT=57527 DPT=53 LEN=39 
 Aug 18 17:31:51 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=207.38.104.93 
 DST=MY.CACHE.DNS LEN=47 TOS=00 PREC=0x00 TTL=48 ID=48457 CE PROTO=UDP 
 SPT=32779 DPT=53 LEN=27 
 Aug 18 17:31:56 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 
 DST=MY.CACHE.DNS LEN=72 TOS=00 PREC=0x00 TTL=120 ID=38433 CE PROTO=UDP 
 SPT=53494 DPT=53 LEN=52 
 Aug 18 17:32:00 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=109.164.132.64 
 DST=MY.CACHE.DNS LEN=60 TOS=00 PREC=0x00 TTL=112 ID=24658 PROTO=UDP 
 SPT=51908 DPT=53 LEN=40 
 Aug 18 17:32:04 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 
 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=40178 CE PROTO=UDP 
 SPT=48147 DPT=53 LEN=49 
 Aug 18 17:32:08 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=213.3.5.3 
 DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP SPT=18967 
 DPT=53 LEN=48 
 
 This traffic came from other DNS servers in the world. As it's UDP I think of
 UDP queries going from my cache server to other DNS servers, and I catch
 their UDP responses in the firewall. Is it possible?
 
 So I should open my firewall for UDP on port 53 for all the world?
 
 Regards,
 
 David
 
 
 David,
 
 First, double-check that you're on a current BIND release.  Second,
 check that your named.conf doesn't have query-source bound to port 53.
 It's bad to always source your queries from port 53, as it allows your
 cache to get bogus spoofed replies from systems you aren't asking
 queries of.
 
 Provided that you are running a recent version of BIND, and that you are
 configuring your named.conf to query from port 53, your DNS server
 should be sending out UDP queries from random, high-numbered ephemeral
 ports.  See the Wikipedia article on this, which discusses Linux port
 defaults vs. IANA recommended port range, etc. (as I'm typing this while
 offline).  Your server should be sourcing from those random,
 high-numbered ephemeral ports to remote DNS servers' udp/53.  Their
 queries should come back from their same udp/53 source to your same
 original high-numbered ephemeral port.
 
 As you should be sending UDP queries from high-numbered ports, and your
 queries are never going to originate from udp/53, so you should never
 get replies destined for your udp/53.
 
 You should absolutely not open your firewall to queries from UDP/53 as
 it is not authoritative and is not an open dns resolving server for the
 Internet (or if it was, you shouldn't be asking questions on here how to
 secure it).
 
 I would configure your firewall to -j DROP and not first -j LOG these
 packets.  No need filling up your syslog with bogus queries.
 
 My guess is that there are some poorly configured remote firewalls.
 
 Jason Roysdon
 http://jason.roysdon.net/
 ___
 bind-users mailing list
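An added example, not from the thread: a small triage of the iptables LOG lines David posted, applying Jason's reasoning. Because the RELATED,ESTABLISHED rule precedes the DROP and the cache sends from random high ports when query-source is unset, a dropped packet with DPT=53 cannot be a reply to one of our own queries; it is an inbound query. The 198.51.100.7 line is constructed to show the other pattern, an unsolicited reply, which is the one worth watching.

```python
import re
from collections import Counter

# Log lines copied from the thread (DST anonymised by the poster); the last line
# (source 198.51.100.7, a documentation address) is constructed to show the
# other pattern that can reach a stateful DROP rule.
SAMPLE_LOG = """\
Aug 18 17:31:44 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP SPT=56592 DPT=53 LEN=49
Aug 18 17:31:48 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=59 TOS=00 PREC=0x00 TTL=120 ID=23374 PROTO=UDP SPT=57527 DPT=53 LEN=39
Aug 18 17:31:51 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=207.38.104.93 DST=MY.CACHE.DNS LEN=47 TOS=00 PREC=0x00 TTL=48 ID=48457 CE PROTO=UDP SPT=32779 DPT=53 LEN=27
Aug 18 17:31:56 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=72 TOS=00 PREC=0x00 TTL=120 ID=38433 CE PROTO=UDP SPT=53494 DPT=53 LEN=52
Aug 18 17:32:00 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=109.164.132.64 DST=MY.CACHE.DNS LEN=60 TOS=00 PREC=0x00 TTL=112 ID=24658 PROTO=UDP SPT=51908 DPT=53 LEN=40
Aug 18 17:32:04 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=40178 CE PROTO=UDP SPT=48147 DPT=53 LEN=49
Aug 18 17:32:08 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=213.3.5.3 DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP SPT=18967 DPT=53 LEN=48
Aug 18 17:32:11 cns1 [IPT DROP] :  IN=eth0 OUT= MAC=00  SRC=198.51.100.7 DST=MY.CACHE.DNS LEN=512 TOS=00 PREC=0x00 TTL=52 ID=777 PROTO=UDP SPT=53 DPT=41234 LEN=492
"""

_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_drop(line: str):
    """Return the KEY=value fields of one '[IPT DROP]' line, or None for other lines."""
    if "[IPT DROP]" not in line:
        return None
    fields = {}
    for key, value in _FIELD.findall(line):
        fields.setdefault(key, value)    # LEN appears twice; keep the IP-header one
    return fields


def classify(fields: dict) -> str:
    """Explain a dropped UDP packet in terms of who was querying whom.

    With the RELATED,ESTABLISHED rule in front of the DROP, a genuine reply to one
    of our own queries has a conntrack entry and never gets here.  BIND without a
    query-source port pin sends from a random high port, so nothing we do ever
    makes a remote host send to *our* udp/53.
    """
    if fields.get("PROTO") != "UDP" or "SPT" not in fields or "DPT" not in fields:
        return "other"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if dpt == 53:
        return "inbound-query"        # someone is asking our cache a question
    if spt == 53 and dpt >= 1024:
        # Reply to a high port with no matching state: a late answer after the
        # conntrack entry expired, or an unsolicited reply aimed at the cache.
        # This is the pattern worth watching per source, not the one above.
        return "unsolicited-reply"
    return "other"


def summarize(log_text: str) -> Counter:
    """Count dropped packets per (source address, classification)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_drop(line)
        if fields and "SRC" in fields:
            counts[(fields["SRC"], classify(fields))] += 1
    return counts


def noisy_sources(counts: Counter, threshold: int) -> list:
    """Sources sending at least `threshold` inbound queries: candidates for a plain
    -j DROP without -j LOG, as Jason suggests, rather than for opening udp/53."""
    return sorted(src for (src, kind), n in counts.items()
                  if kind == "inbound-query" and n >= threshold)


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for (src, kind), n in sorted(totals.items()):
        print(f"{src:16s} {kind:18s} {n}")
    print("noisy:", noisy_sources(totals, 2))
```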
 

Re: Bind as cache DNS and firewall

2010-08-19 Thread Ulrich David
Hi,

I have some more information. I did a tcpdump of the incoming packets from the
sources of the requests on udp 53 from external IPs:

08:29:32.482475 IP 195.176.219.26.62511 > MY.CACHE.DNS.domain: 12614+ PTR? 167.72.97.76.IN-ADDR.ARPA. (43)
08:29:34.333751 IP 195.176.219.26.25840 > MY.CACHE.DNS.domain: 1116+ PTR? 37.146.254.169.IN-ADDR.ARPA. (45)
08:29:42.699256 IP 195.176.219.26.31381 > MY.CACHE.DNS.domain: 21474+ PTR? 125.110.0.10.IN-ADDR.ARPA. (43)
08:29:53.516726 IP 195.176.219.26.57195 > MY.CACHE.DNS.domain: 24503+ PTR? 110.147.178.193.IN-ADDR.ARPA. (46)
08:29:53.915886 IP 195.176.219.26.45779 > MY.CACHE.DNS.domain: 2807+ PTR? 207.45.20.201.IN-ADDR.ARPA. (44)
08:29:54.232617 IP 195.176.219.26.38890 > MY.CACHE.DNS.domain: 6981+ PTR? 1.180.209.163.IN-ADDR.ARPA. (44)

Regards,

David Ulrich
---
e-mail: david.ulr...@siesa.ch
Phone:  +41274511962

Sierre-Énergie SA
Rte de l'Industrie 29
CH-3960 Sierre





Re: Forward map update unsuccessful from windows - IPv6

2010-08-19 Thread Cathy Almond
The named log shows two attempts to add AAAA records.  The first
succeeds the second fails due to the prerequisite check.  Looking at the
reverse address request that succeeds we have an address of:
fd80:1010::de74
While the dhcpd log message has an address of:
fd80:1010::f274

Are you perhaps looking at slightly different instances of tests in the
same log?

But on the face of it, the log looks like you are giving the same name
out multiple times and the id (txt record) check is doing what it is
supposed to do - avoiding overwriting one record with a conflicting one.

It's coded like this because it was part of the spec at the time for
handling IPv6 DDNS updates.  (Future versions of ISC DHCP may handle this
differently as the protocol evolves.)

If you're sure that the second entry is the correct one then you can try
adding this to your dhcpd.conf:
update-conflict-detection false;

This will disable the id check and dhcpd will just ask to delete the
records.

Hope this helps

Christopher D Haakinson wrote:
 
 Hello, I am having an issue with DDNS, IPv6 and Windows clients. I am
 trying to set up DHCPv6 and DDNS for IPv6, and so far I have DHCPv6 working
 properly and handing out addresses from the range6. I have reverse IPv6
 working. I can get a SuSE Linux client to update their forward record using
 NSUPDATE with no issues. But I can't get a Windows 2008 client to work.
 I am using Bind 9.7.1-P2 and DHCP 4.2.0
 
 Here's a list of the errors I am getting:
   From dhcp:
   Forward map from chrisipv6.serv6.com to fd80:1010::f274 FAILED: Has
 an address record but no DHCID, not mine.
 
   From named
   10-Aug-2010 09:37:56.111 update: info: client 127.0.0.1#19475:
 updating zone 'serv6.com/IN': adding an RR at 'chrisipv6.serv6.com' AAAA
   10-Aug-2010 09:37:56.111 update: info: client 127.0.0.1#19475:
 updating zone 'serv6.com/IN': adding an RR at 'chrisipv6.serv6.com' TXT
   10-Aug-2010 09:37:56.113 update-security: info: client
 127.0.0.1#19475: signer rndc-key approved
   10-Aug-2010 09:37:56.113 update: info: client 127.0.0.1#19475:
 updating zone '0.0.0.0.0.0.0.0.0.1.0.1.0.8.d.f.ip6.arpa/IN': deleting rrset
 at
 '4.7.e.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.1.0.8.d.f.ip6.arpa'
 PTR
   10-Aug-2010 09:37:56.113 update: info: client 127.0.0.1#19475:
 updating zone '0.0.0.0.0.0.0.0.0.1.0.1.0.8.d.f.ip6.arpa/IN': adding an RR
 at
 '4.7.e.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.1.0.8.d.f.ip6.arpa'
 PTR
   10-Aug-2010 09:37:56.116 notify: info: zone
 0.0.0.0.0.0.0.0.0.1.0.1.0.8.d.f.ip6.arpa/IN: sending notifies (serial
 201009897)
   10-Aug-2010 09:38:11.555 update: info: client 127.0.0.1#19475:
 updating zone 'serv6.com/IN': update unsuccessful: chrisipv6.serv6.com:
 'name not in use' prerequisite not satisfied (YXDOMAIN)
   10-Aug-2010 09:38:11.556 update: info: client 127.0.0.1#19475:
 updating zone 'serv6.com/IN': update unsuccessful: chrisipv6.serv6.com/TXT:
 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
 
 
 -dhcpd.conf:
 dynamic-bootp-lease-length 600;
 use-host-decl-names on;
 allow client-updates;
 ddns-updates on;
 ddns-update-style interim;
 ddns-domainname "serv6.com";
 filename "pxelinux.0";
 option dhcp-lease-time 3600;
 option domain-name "serv6.com";
 option dhcp6.domain-search "serv6.com", "serv.com";
 option dhcp6.name-servers fd80:1010::2;
 default-lease-time 3600;
 max-lease-time 3900;
 
 key rndc-key {
   algorithm hmac-md5;
   secret "123456789";
 };
 
 zone 0.0.0.0.0.0.0.0.0.1.0.1.0.8.d.f.ip6.arpa. {
   primary 127.0.0.1;
   key rndc-key;
 }
 
 zone serv6.com. {
   primary 127.0.0.1;
   key rndc-key;
 }
 
 
 subnet6 fd80:1010::/64 {
   range6 fd80:1010:: fd80:1010::;
   one-lease-per-client true;
   update-static-leases on;
 }
 
 
  named.conf:
 acl rndc-users {
   127.0.0.1;
   fd80:1010::/64;
   10.10/16;
 };
 
 
 logging {
   channel simple_log {
     file "/var/log/bind.log" versions 3 size 5m;
     print-time yes;
     print-severity yes;
     print-category yes;
   };
   category default {
     simple_log;
   };
 };
 
 options {
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   listen-on-v6 { any; };
 };
 
 controls {
   inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
 };
 
 include "/etc/rndc.key";
 
 zone "." IN {
   type hint;
   file "named.ca";
 };
 
 zone "localdomain" IN {
   type master;
   file "localdomain.zone";
   allow-update { key rndc-key; };
   notify yes;
 };
 
 zone "localhost" IN {
   type master;
   file "localhost.zone";
   allow-update { key rndc-key; };
   notify yes;
 };
 
 zone "0.0.0.0.0.0.0.0.0.1.0.1.0.8.d.f.ip6.arpa" {
   type master;
   file "reverse-fd80-1010_64.IP6.ARPA";
   allow-update { key 

Re: www.ncbi.nlm.nih.gov / pubmed

2010-08-19 Thread Lyle Giese
I agree with this idea. Sorta like when a browser is presented with an
invalid SSL cert by a website. It could be that you put in example.com
when the cert is for www.example.com or, in the case of a self-signed
cert, as long as I am not giving them sensitive data, I, the user, can
accept or deny the invalid cert. And we have the choice (at least in
Firefox) to accept that invalid cert forever or just for the current
session with that site.

I agree that this would be a useful feature. Maybe an add-on 'zone' file
where we enumerate the broken domains we want to accept with an
expiration date, not to exceed x number of days. That way we don't add
a domain and mistype the expiration date or forget we created an
exception for it.

Lyle Giese
LCR Computer Services, Inc.

 I did, and I disagree that it misses the point.

 I wanted a *short term* workaround for that zone, while the site fixed
 their DNSSEC. I had satisfied myself that it was a DNSSEC signing
 mistake, and faced an unpalatable choice - disable validation globally
 for the duration of a single site repair period (sacrificing the
 benefits of DNSSEC) or lose connectivity to that site. Had the site
 been more important to us, it would have been no choice at all - I
 would have been instructed to disable validation.

 I think DNSSEC is very important, but I also think mistakes will
 happen, and that sites will want the ability to be forgiving for a
 grace period.



How do I stress test my newly setup DNS BIND server?

2010-08-19 Thread Samad Agha
I'm new to setting up DNS servers. I used Webmin to set it up, and now need
to test all the different functionalities of it before registering it (basically
a stress test). Can someone show me some cool commands to do this? Thanks in
advance.

Samad Agha


RE: How do I stress test my newly setup DNS BIND server?

2010-08-19 Thread Baird, Josh
Check out the queryperf tool.


Thanks,

 

Josh

 

From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Samad Agha
Sent: Thursday, August 19, 2010 10:13 AM
To: bind-users@lists.isc.org
Subject: How do I stress test my newly setup DNS BIND server?

 

I'm new to setting up DNS servers. I used Webmin to set it up, and now
need to test all the different functionalities of it before registering it
(basically a stress test). Can someone show me some cool commands to do
this? Thanks in advance.

Samad Agha 


Multiple CNAME alternative?

2010-08-19 Thread Steve Arntzen
I would like to resolve dns.ourdomain.com to a list of our DNS server
names and possibly their IPs.

As we use many DNS servers (and/or views) for our different development
environments, it would be very helpful for the developers to easily find
the name and IP of the proper name server to use.

EXAMPLE:

A lookup for dns.ourdomain.com would result in:

nsdev1.ourdomain.com    192.168.100.10
nsdev2.ourdomain.com    192.168.100.11
nstest1.ourdomain.com   192.168.100.12
nstest2.ourdomain.com   192.168.100.13
nsprod1.ourdomain.com   192.168.100.14
nsprod2.ourdomain.com   192.168.100.15
etc.

I want to avoid using configuration exceptions and multiple CNAMEs.
Does anyone have a clean alternative?

Thanks,

Steve.



Re: Multiple CNAME alternative?

2010-08-19 Thread Phil Mayers

On 19/08/10 15:52, Steve Arntzen wrote:

I would like to resolve dns.ourdomain.com to a list of our DNS server
names and possibly their IPs.


CNAMEs are singleton; this:

dns.ourdomain.com. IN CNAME nsdev1.ourdomain.com.
dns.ourdomain.com. IN CNAME nsdev2.ourdomain.com.

...is illegal.


Re: Multiple CNAME alternative?

2010-08-19 Thread Kevin Darcy

On 8/19/2010 10:52 AM, Steve Arntzen wrote:

I would like to resolve dns.ourdomain.com to a list of our DNS server
names and possibly their IPs.

As we use many DNS servers (and/or views) for our different development
environments, it would be very helpful for the developers to easily find
the name and IP of the proper name server to use.

EXAMPLE:

A lookup for dns.ourdomain.com would result in:

nsdev1.ourdomain.com    192.168.100.10
nsdev2.ourdomain.com    192.168.100.11
nstest1.ourdomain.com   192.168.100.12
nstest2.ourdomain.com   192.168.100.13
nsprod1.ourdomain.com   192.168.100.14
nsprod2.ourdomain.com   192.168.100.15
etc.

I want to avoid using configuration exceptions and multiple CNAMEs.
Does anyone have a clean alternative?

   
If you really want a list of *names*, then you have a number of record 
types you could use, which have names in the RDATA part of the record, 
e.g. PTR, MX, SRV. PTR is probably the purest way to catalog a list of 
names, since it doesn't have any extraneous RDATA fields that you'd need 
to fill with dummy info, and also it benefits from label compression 
in responses.


I am *not* a fan of representing hostnames in TXT records, since those 
don't benefit from label compression, and also, they don't prevent the 
accidental inclusion of extraneous characters (although those 
validations can be performed by whatever tool(s) maintain the data in 
those records).


Resolver configs use IP addresses, not names. If you just want a list of 
*addresses*, then these can be enumerated in a round-robin A record. You 
can even apply sortlisting to that, if you want.




- Kevin






Re: Multiple CNAME alternative?

2010-08-19 Thread Phil Mayers

On 19/08/10 16:18, Phil Mayers wrote:

On 19/08/10 15:52, Steve Arntzen wrote:

I would like to resolve dns.ourdomain.com to a list of our DNS server
names and possibly their IPs.


CNAMEs are singleton; this:

dns.ourdomain.com. IN CNAME nsdev1.ourdomain.com.
dns.ourdomain.com. IN CNAME nsdev2.ourdomain.com.

...is illegal.


(I did try to reply to Steve's off-list post, but got:

st...@arntzen.us
  SMTP error from remote mail server after MAIL FROM:<p.may...@imperial.ac.uk>:
  host hawkeye.arntzen.us [209.102.169.188]: 550 5.0.0 Sorry,no junk mail

Huh...)

Obviously I mis-read what you were asking; you want something *not* a
CNAME to do this. Sorry - I mis-read what you wanted.


As Kevin mentions, perhaps PTR or SRV?

The other alternative is maybe a fake sub-zone and permit AXFR.

dig dns.ourdomain.com axfr



Re: Multiple CNAME alternative?

2010-08-19 Thread Dave Sparro

On 8/19/2010 10:52 AM, Steve Arntzen wrote:

I would like to resolve dns.ourdomain.com to a list of our DNS server
names and possibly their IPs.

As we use many DNS servers (and/or views) for our different development
environments, it would be very helpful for the developers to easily find
the name and IP of the proper name server to use.

EXAMPLE:

A lookup for dns.ourdomain.com would result in:

nsdev1.ourdomain.com    192.168.100.10
nsdev2.ourdomain.com    192.168.100.11
nstest1.ourdomain.com   192.168.100.12
nstest2.ourdomain.com   192.168.100.13
nsprod1.ourdomain.com   192.168.100.14
nsprod2.ourdomain.com   192.168.100.15
etc.




I don't think I'd do that in DNS.
I'd point an A record for that name to a server that was running a 
simple web server that would spit out the list for any HTTP request, and 
maybe even a modified telnet daemon that would spit out the list upon a 
connection as well.  That way your users would have a simple, relatively 
universal command line entry like telnet dns.example.com to use.


--
Dave


Re: How do I stress test my newly setup DNS BIND server?

2010-08-19 Thread Samad Agha
Thanks guys; how about something to check for any possible errors that it might
be generating?

Samad

On Thu, Aug 19, 2010 at 9:17 AM, Tom Daly <t...@dyn.com> wrote:

 Samad,

 It depends on how you want to test. Are you looking to test DNS query
 performance? If so, try dnsperf from Nominum. And if you just want to test
 the box itself for malformed query handling / TCP/UDP stack performance, try
 using tcpreplay + PCAPs captured from the world.

 Tom


  I'm new to setting up DNS servers. I used Webmin to set it up, and now
  need to test all the different functionalities of it before registering it
  (basically a stress test). Can someone show me some cool commands to
  do this? Thanks in advance.
 
  Samad Agha

 --
 Tom Daly
 CTO, Dynamic Network Services, Inc.
 http://dyn.com/



Error Building 9.7.1-P2 on Sparc/Solaris 8

2010-08-19 Thread wiskbroom

Hello;

I am trying to build 9.7.1-P2 on Solaris Sparc in the same way I've done so 
countless other ways in the past, but now getting the following error:

[...]
making all in /tmp/bind-9.7.1-P2/bin/named/unix
gcc  -I/tmp/bind-9.7.1-P2 -I./include -I./unix/include -I.  
-I/tmp/bind-9.7.1-P2/lib/lwres/include  -I../../lib/lwres/unix/include  
-I../../lib/lwres/include -I/tmp/bind-9.7.1-P2/lib/dns/include  
-I../../lib/dns/include -I/tmp/bind-9.7.1-P2/lib/bind9/include  
-I../../lib/bind9/include  -I/tmp/bind-9.7.1-P2/lib/isccfg/include  
-I../../lib/isccfg/include -I/tmp/bind-9.7.1-P2/lib/isccc/include  
-I../../lib/isccc/include -I/tmp/bind-9.7.1-P2/lib/isc/include  
-I../../lib/isc  -I../../lib/isc/include  -I../../lib/isc/unix/include  
-I../../lib/isc/pthreads/include  -I../../lib/isc/noatomic/include  
-D_REENTRANT  -D_XPG4_2 -D__EXTENSIONS__ -g -O2   -W -Wall -Wmissing-prototypes 
-Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing  \
    -DVERSION=\"9.7.1-P2\" \
    -DNS_LOCALSTATEDIR=\"/opt/bind/var\" \
    -DNS_SYSCONFDIR=\"/opt/bind/etc\" \
    -c ./config.c
./config.c:249: error: expected ',' or ';' before 'MANAGED_KEYS'
*** Error code 1
make: Fatal error: Command failed for target `config.o'
Current working directory /tmp/bind-9.7.1-P2/bin/named
*** Error code 1
make: Fatal error: Command failed for target `subdirs'
Current working directory /tmp/bind-9.7.1-P2/bin
*** Error code 1
make: Fatal error: Command failed for target `subdirs'

Am I missing a system setting or variable set somewhere?

Any help would be greatly appreciated.


.vp

  


Re: Multiple CNAME alternative?

2010-08-19 Thread Kevin Darcy

On 8/19/2010 1:27 PM, Dave Sparro wrote:

On 8/19/2010 10:52 AM, Steve Arntzen wrote:

I would like to resolve dns.ourdomain.com to a list of our DNS server
names and possibly their IPs.

As we use many DNS servers (and/or views) for our different development
environments, it would be very helpful for the developers to easily find
the name and IP of the proper name server to use.

EXAMPLE:

A lookup for dns.ourdomain.com would result in:

nsdev1.ourdomain.com    192.168.100.10
nsdev2.ourdomain.com    192.168.100.11
nstest1.ourdomain.com   192.168.100.12
nstest2.ourdomain.com   192.168.100.13
nsprod1.ourdomain.com   192.168.100.14
nsprod2.ourdomain.com   192.168.100.15
etc.




I don't think I'd do that in DNS.
I'd point an A record for that name to a server that was running a 
simple web server that would spit out the list for any HTTP request, 
and maybe even a modified telnet daemon that would spit out the list 
upon a connection as well.  That way your users would have a simple, 
relatively universal command line entry like telnet dns.example.com 
to use.


It's a matter of personal preference, of course, but I'll point out that 
DNS is more lightweight than HTTP or telnet, easier to script (using the 
Net::DNS Perl module or gethostbyname()), and the sortlist mechanism 
allows for sorting a round-robin list of addresses optimally according 
to the source IP of the client.


It's not clear to me, however, whether the OP really has a requirement 
to retrieve the *names* of the nameservers, or whether he just wants to 
fetch an optimized list of addresses to use for building a resolver 
config dynamically.





- Kevin





RE: How do I stress test my newly setup DNS BIND server?

2010-08-19 Thread Gary Gladney
Infoblox has a nice test that you can run against your primary nameserver.
You run the test from their site so you can check to see if your cache is
viewable from external DNS queries and things like that.  The test is free to
run and it does not check the performance of the configuration.

 

Gary

 

From: bind-users-bounces+gladney=stsci@lists.isc.org
[mailto:bind-users-bounces+gladney=stsci@lists.isc.org] On Behalf Of
Samad Agha
Sent: Thursday, August 19, 2010 1:35 PM
To: Tom Daly
Cc: bind-users@lists.isc.org
Subject: Re: How do I stress test my newly setup DNS BIND server?

 

Thanks guys; how about something to check for any possible errors that might
be generating?

Samad

On Thu, Aug 19, 2010 at 9:17 AM, Tom Daly <t...@dyn.com> wrote:

Samad,

It depends on how you want to test. Are you looking to test DNS query
performance? If so, try dnsperf from Nominum. And if you just want to test
the box itself for malformed query handling / TCP/UDP stack performance, try
using tcpreplay + PCAPs captured from the world.

Tom



 I'm new to setting up DNS servers. I used Webmin to set it up, and now
 need to test all the different functionalities of it before registering it
 (basically a stress test). Can someone show me some cool commands to
 do this? Thanks in advance.

 Samad Agha

--
Tom Daly
CTO, Dynamic Network Services, Inc.
http://dyn.com/

 


Handling of RSASHA256 and RSASHA512 in 9.6.1-P1 ?

2010-08-19 Thread Sue True


Does 9.6.1-P1 as authoritative nameserver support RSASHA256 and RSASHA512 ?

We are running 9.7.1-P2 and would like to use RSASHA256 or RSASHA512 to 
create the keys, but our secondary is still on 9.6.1-P1. Can they handle 
our signed zone with RSASHA256 or RSASHA512, or do they have to upgrade?


I tried 9.6.1-P3 and got these errors:

# rndc status
version: 9.6.1-P3 (unknown)

#dnssec-keygen -a RSASHA256 -b 1024 test.iu.edu
dnssec-keygen: unknown algorithm RSASHA256

#dnssec-keygen -a RSASHA512 -b 1024 test.iu.edu
dnssec-keygen: unknown algorithm RSASHA512

Also, this is item 2726 of the 9.7.0b2 release:
2726.   [func]  Added support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512. [RT #20023]


Thanks,
Sue


I get No mail exchanger (MX) records available for rimm.com error just for a couple of domains

2010-08-19 Thread Samad Agha
#nslookup
 set query=mx
 rimm.com

*** No mail exchanger (MX) records available for rimm.com


Obviously Rimm's DNS cannot be down! What gives? Any ideas?

RE: I get No mail exchanger (MX) records available for rimm.com error just for a couple of domains

2010-08-19 Thread Todd Snyder
If you are trying to reach RIM.com (makers of BlackBerry), we are at rim.com

;; QUESTION SECTION:
;rim.com.  IN  MX

;; ANSWER SECTION:
rim.com.   600 IN  MX  10 mx05.rim.net.
rim.com.   600 IN  MX  10 mx03.rim.net.
rim.com.   600 IN  MX  10 mx04.rim.net.

;; AUTHORITY SECTION:
rim.com.   600 IN  NS  xns01lhr.rim.net.
rim.com.   600 IN  NS  xns01ykf.rim.net.

;; ADDITIONAL SECTION:
xns01lhr.rim.net.  213 IN  A   193.109.81.21
xns01ykf.rim.net.  213 IN  A   206.51.26.10


If you are really looking for rimm.com, I don't see MX records for them either:

dig rimm.com MX

; <<>> DiG 9.7.0-P1 <<>> rimm.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7908
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;rimm.com.  IN  MX

;; AUTHORITY SECTION:
rimm.com.   3600    IN  SOA ns1.netincomehost.com. admin.netincomehost.com. 2010012200 3600 600 1209600 3600



From: bind-users-bounces+tsnyder=rim@lists.isc.org 
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Samad 
Agha
Sent: Thursday, August 19, 2010 2:18 PM
To: bind-users@lists.isc.org
Subject: I get No mail exchanger (MX) records available for rimm.com error 
just for a couple of domains

#nslookup
 set query=mx
 rimm.com

*** No mail exchanger (MX) records available for rimm.com


Obviously Rimm's DNS cannot be down! What gives? Any ideas?

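The dig output above is a NODATA response: status NOERROR, an empty ANSWER section and the zone's SOA in AUTHORITY, meaning rimm.com exists but has no MX records, which is a different thing from the name not existing (NXDOMAIN) or the server failing. The following Python is an added example, not code from the list posts; the dig snippets inside it are constructed to mirror the thread's output and classify a response by that distinction.

```python
import re

# Constructed samples shaped like the dig output quoted in the thread:
# a NODATA answer (name exists, no MX), an NXDOMAIN, and a SERVFAIL.
SAMPLE_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7908
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;rimm.com.  IN  MX

;; AUTHORITY SECTION:
rimm.com.  3600  IN  SOA  ns1.netincomehost.com. admin.netincomehost.com. 2010012200 3600 600 1209600 3600
"""
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

def parse_dig(text):
    """Return (status, section counts, {section: [RR tokens]}) from dig text."""
    status = re.search(r"status: (\w+)", text).group(1)
    counts = {k: int(v) for k, v in
              re.findall(r"(ANSWER|AUTHORITY|ADDITIONAL): (\d+)", text)}
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            sections[current].append(line.split())  # owner ttl class type rdata...
    return status, counts, sections

def classify(text):
    """Map a dig response to what it means for the queried name and type."""
    status, counts, sections = parse_dig(text)
    if status == "NXDOMAIN":
        return "NXDOMAIN"         # the name itself does not exist
    if status != "NOERROR":
        return "ERROR:" + status  # server or resolver failure, not an answer
    if counts.get("ANSWER", 0) > 0:
        return "ANSWER"
    if any(len(rr) > 3 and rr[3] == "SOA" for rr in sections.get("AUTHORITY", [])):
        return "NODATA"           # name exists; no RRs of the requested type
    return "EMPTY"
```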

Re: I get No mail exchanger (MX) records available for rimm.com error just for a couple of domains

2010-08-19 Thread Warren Kumari


On Aug 19, 2010, at 2:17 PM, Samad Agha wrote:


#nslookup
 set query=mx
 rimm.com

*** No mail exchanger (MX) records available for rimm.com


Obviously Rimm's DNS cannot be down! What gives? Any ideas?


A: Why obviously?
B: Who is rimm.com?

Methinks that you mean rim.com, the blackberry folk?

W




--
American Non-Sequitur Society;
we don't make sense, but we do like pizza!



RE: I get No mail exchanger (MX) records available for rimm.com errorjust for a couple of domains

2010-08-19 Thread Lightner, Jeff
What is so obvious about it not being down?   If folks like AT&T and
other major corporations could have outages I don't see any reason why
this one couldn't.

Note that you typed rimm.com (two m's) not rim.com.   The former has
a red WOT rating so I suspect it is used to spoof the latter but I'll
never know since I don't intend to go there.

Nslookup is deprecated in favor of dig.   dig -t MX rimm.com shows
that in fact rimm.com is NOT returning an MX record.


From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Samad Agha
Sent: Thursday, August 19, 2010 2:18 PM
To: bind-users@lists.isc.org
Subject: I get No mail exchanger (MX) records available for rimm.com
errorjust for a couple of domains

 

#nslookup
 set query=mx
 rimm.com

*** No mail exchanger (MX) records available for rimm.com


Obviously Rimm's DNS cannot be down! What gives? Any ideas?

Re: I get No mail exchanger (MX) records available for rimm.com error just for a couple of domains

2010-08-19 Thread Dave Sparro

On 8/19/2010 2:33 PM, Samad Agha wrote:

2- When I perform this query from our ns1 server I do get the correct
result, but the same query from ns2 server fails

can't find rim.com: Non-existent host/domain

Any help would be highly appreciated; many thanks in advance.


The configuration of your ns2 server is likely incorrect.


(maybe you could provide some more information about your ns2 server to 
give the list something to go on.  What does the log say, config files, 
do other queries work?, etc.)


--
Dave


Re: Handling of RSASHA256 and RSASHA512 in 9.6.1-P1 ?

2010-08-19 Thread Mark Andrews

In message alpine.lrh.2.00.1008191403330.7...@gaga.uits.indiana.edu, Sue True
 writes:
 
 Does 9.6.1-P1 as authoritative nameserver support RSASHA256 and RSASHA512 ?
 
 We are running 9.7.1-P2 and would like to use RSASHA256 or RSASHA512 to 
 create the keys, but our secondary is still on 9.6.1-P1. Can they handle 
 our signed zone with RSASHA256 or RSASHA512, or do they have to upgrade?

BIND 9.[67].x should be able to serve any zone that is using NSEC
or NSEC3 regardless of the DNSSEC algorithm.

BIND 9.[345].x should be able to serve any zone that is using NSEC
regardless of the DNSSEC algorithm.  9.[345].x cannot correctly
serve a zone that is using NSEC3.

You need BIND 9.6.2 or BIND 9.7.0 onwards to generate zones which
use RSASHA256 or RSASHA512 and to validate such zones.

Mark
-- 
Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org