Re: Entired NS crashed

2011-01-02 Thread Michelle Konzack
Hello Torinthiel,

thanks for your explanation.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL
Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz
67100 Strasbourg/France
Tel: +33-6-61925193 mobil
Tel: +33-9-52705884 fix

itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack
Kinzigstraße 17
77694 Kehl/Germany
Tel: +49-177-9351947 mobil

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Entired NS crashed

2011-01-02 Thread Torinthiel
Michelle Konzack writes:
> As far as I can see, 'dig +dnssec www.tamay-dogan.net' give a nice output
> but how can I know, the expiration date?
>
> Is this the timestamp here:
>
> tamay-dogan.net. 3600 IN RRSIG SOA 5 2 3600 20110131191903
>   
Nope

> [ command 'dig +dnssec tamay-dogan.net' ]---
> tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net.
> hostmaster.tamay-dogan.net. 1292829280 10800 3600 604800 86400
> tamay-dogan.net. 3600 IN RRSIG SOA 5 2 3600 20110131191903
> 20110101191903 12795 tamay-dogan.net.
> lti7l2JlLeIATApQfWp3BdPTH4MiP75crl4921bC1qdOXfWJH4La+L58 
> t0hVMmzNaNbLDH36cQwrYdQvaBJHPkQEwi2Mr8WP0jCSp+bpc2lEP6sz 
> f+kRGWYITjuxAwFsSdhVR+EQd4pIupa16ylJ65OWcBGlIHbC5eA5KSN4 lTk=
>   
The RRSIG here has two numbers: 20110131191903 20110101191903. Look at it
carefully: 2011-01-31 19:19:03
Looks like a date? The first one is when this signature stops being
valid, the second when it starts, both in UTC time. So in this case your
signature on the SOA record is valid almost all of January.
There's nothing stopping you from having different validity periods on
different signatures, it's all per-signature.
> tamay-dogan.net. 86400 IN NSEC admin.tamay-dogan.net. NS SOA
> MX TXT RRSIG NSEC DNSKEY
> tamay-dogan.net. 86400 IN RRSIG NSEC 5 2 86400 20110131191903
> 20110101191903 12795 tamay-dogan.net.
> YS5Y44ywYrsjbSJmtFgF9hk8K80VWLuyLRuDxLeO84kXA/hN9i8mzzDy 
> XYIoiUwWbyeKxEIhqAdA6gekLU2Z+ZuNsSGnPUcCdfZD+GiWEneeWGg/ 
> LcIi9FWTf7J++yGnVMA5Ng6vZ3SgTtiC7r74ZZytm7FkijxCwd8tRyKy a9c=
> 
>
> which I could grep?  And what is NSEC entry?
> Why is the VHost  there?
>   
And the NSEC is used in authenticated denial of existence. It tells that
there are NS, SOA etc. records with name tamay-dogan.net, and that the next
name with any content is admin.tamay-dogan.net.
So, if e.g. you've asked for abyss.tamay-dogan.net the NS could present
you with this RR and its signature and prove that abyss.tamay-dogan.net
(which falls between tamay-dogan.net and admin.tamay-dogan.net) does not
exist.
As a side effect, it's now possible to enumerate every record in your zone.
If you're concerned about this, consider switching to NSEC3, which makes
it much harder.

Regards,
Torinthiel
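The two points above, reading the RRSIG validity window out of `dig +dnssec` output (the "which I could grep?" question) and checking which names an NSEC record covers, as an added Python example that is not from the thread. The input is a constructed copy of the records quoted above with the signature data shortened; the function names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the SOA/NSEC records quoted in the thread, whitespace
# normalised and the base64 signature data shortened.
DIG_OUTPUT = """\
tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1292829280 10800 3600 604800 86400
tamay-dogan.net. 3600 IN RRSIG SOA 5 2 3600 20110131191903 20110101191903 12795 tamay-dogan.net. lti7l2Jl...lTk=
tamay-dogan.net. 86400 IN NSEC admin.tamay-dogan.net. NS SOA MX TXT RRSIG NSEC DNSKEY
tamay-dogan.net. 86400 IN RRSIG NSEC 5 2 86400 20110131191903 20110101191903 12795 tamay-dogan.net. YS5Y44yw...a9c=
"""

# owner TTL IN RRSIG type-covered alg labels orig-TTL expiration inception ...
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+")

def parse_rrsig_time(ts):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_validity(output):
    """Map (owner, type covered) -> (inception, expiration) for every RRSIG line."""
    windows = {}
    for line in output.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            owner, covered, expiration, inception = m.groups()
            windows[(owner, covered)] = (parse_rrsig_time(inception), parse_rrsig_time(expiration))
    return windows

def signatures_needing_attention(output, now, warn_days=7):
    """Keys of RRSIGs that are not yet valid, already expired, or expire within warn_days."""
    alerts = []
    for key, (inception, expiration) in rrsig_validity(output).items():
        days_left = (expiration - now).total_seconds() / 86400
        if now < inception or days_left < warn_days:
            alerts.append(key)
    return alerts

def canonical_key(name):
    """Canonical DNS ordering (RFC 4034, section 6.1): labels compared right to left, case-insensitively."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between the NSEC owner and its next name, i.e. the NSEC proves it absent."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n   # the last NSEC in a zone wraps around to the apex
```

Running `signatures_needing_attention` against a fresh `dig +dnssec` dump from cron is a simple way to catch a signer that has stopped re-signing before the signatures expire.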