Re: DNSKEY NODATA responses not cached

[Alexander Gall]

On Tue, 11 Jan 2011 18:46:39 +0100, Kalman Feher 
kalman.fe...@melbourneit.com.au said:

 I'm curious whether the domain in question had a DS in the parent zone?

No, it didn't. The effect is there even if the parent zone does not
support DNSSEC.  I stumbled over this while I was checking whether my
tools could properly handle turning on DNSSEC for an existing zone,
which involves having to wait for cached DNSKEY NODATA to expire from
caches before adding the DS.

 On 11/01/11 4:52 PM, Chris Thompson c...@cam.ac.uk wrote:

 On Jan 11 2011, Alexander Gall wrote:
 
 It appears that NODATA responses for qtype=DNSKEY are not cached if
 DNSSEC validation is enabled (tested with 9.7.2-P3).  What is the
 rationale behind this?
 
 I confirm the effect (same release). Or rather, the NODATA does get cached,
 as shown by a !DNSKEY count in the statistics display, but a new request
 goes back to the authoritative servers again anyway, as shown by the outgoing
 queries count and by the SOA in the authority section of the NODATA response
 having its original value.

I'm tending towards calling this a bug :)

-- 
Alex
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DNSSEC Keys - and trying to not leaving them around

[Mark Elkins]

There are some parts of Key management with DNSSEC that I don't quite
get - so I'm hoping for some feedback. I'm using BIND 9.7.2-P3 and
running dnssec-signzone  -3 abcd -o example.com -p -t -A example.com

I believe that:-
1 - The KSK is used to sign the ZSK.
2 - The ZSK is used to sign the rest of the data in the zone.

(I'm a little unclear which parts of the KSK are needed to sign the ZSK
and which parts of the ZSK need to be around to sign the rest of the
zone)

On a virgin zone - you'd need the private parts of the ZSK and KSK's
available (either in the local directory or as the arg to a -d).
Technically - the public parts (*.key) could be in the zone to be signed
- so don't need to be available any more. (ie - there was a cat K*.key
 zone)

Doesn't seem to work like that - as I'm getting the error (for each key)
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file co.za/NSEC3RSASHA1/64250: file not found

(64250 is the ZSK)
If I also have the *.key parts in the same directory - all works OK.

So the error message is lying to me!!! ??? - Bug?

   ---

So now I want to resign the zone. Its already signed. How can I do that
without having to have the Private KSK still around. I'd have thought
that I'd just perhaps need the Private ZSK around to re-sign new zone
data.

(here I removed the KSK Private file - 9983)
I think this works - but I get the message:
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file example.com/NSEC3RSASHA1/9983: file not found

So why is dnssec-signzone worried about the private part of a KSK that
it (I believe) should not need? Bug?

   

My zone changes quite a bit - so what I was thinking to do is Sign a
very basic copy of the zone (SOA, NS records - not much else) - then
move the Private KSK's off the disk completely - then add in my
dynamic data and re-sign as often as I need (whenever my dynamic
data changes) with just my Private ZSK available.

After about 6 month (whatever) - I can then create a new KSK - bring
back my original 'off-disk' Private KSK - sign a new basic copy of my
zone - take the two Private KSK's offline and go through the whole KSK
roll-over process. ie - I only have the private part of the KSK on the
disk for a very short time - usually its off-site. I should be able to
generate my very basic zone on a completely different server - perhaps
not connected to the Internet at all - and just (via USB stick) copy
over the basic signed zone every six months?

I'm just worried about the earlier error messages

Can someone please explain? (What is needed when)
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496


smime.p7s
Description: S/MIME cryptographic signature
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

bind 9 multiple masters setup

[dev null]

Hello,

I have most of this worked out but I intend to setup bind in a
multiple master manner.

This makes me question a few things:

1. What can I use for the SOA MNAME? In the off chance a box may die,
I am thinking of using a VIP which contains the multiple masters
within it. However I am not sure how this would affect NOTIFY. So can
I use a VIP or do I just use one of the master DNS boxes in the SOA
MNAME field?
2. With that said, I intend to use rndc to push out DNS changes,
should I worry about using a VIP still? I may need to use both and
NOTIFY seems like it is more built-in so I want to keep rndc and
NOTIFY going.

Hope someone has gone through this trauma.

Thank you!,

Zahid Bukhari
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC's sorted zone

[Paul Wouters]

On Wed, 12 Jan 2011, Mark Elkins wrote:


dnssec-signzone  -3 abcd -o example.com -p -t -A -d keyset -g -a -N
increment -s 2011061553 -e 20110210161553 -f example.com.sign-1
example.com.signed

A minute later - I run the same command - but output to a different
file...   -f example.com.sign-2

A 'diff' of the two output files gives lots of differences - apart from
the zone creation time.

If I include the -n ncpus as -n 1 - then the files are the same
(except for the creation time).

I believe that the data is fundamentally the same - but it is partially
re-ordered if there are multiple threads. This is not what I would have
expected - having had it been drummed into me that dnssec-signzone will
first sort the zone then generate all the RRSIG records - etc...
I find this disturbing. It appears to only be doing this on CNAME
records.


I'd recommend preprocessing the zone with ldns-read-zone, which also sorts
and canonicalises the zone. Later on, you can then also use this command
to seperate unsigned data from dnssec, and merge in data (eg updates)
from multiple zone versions while re-using previous RRSIGs

Paul
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind 9 multiple masters setup

[Emil Natan]

On Wed, Jan 12, 2011 at 5:13 PM, dev null devn...@cimmerii.org wrote:

 Hello,

 I have most of this worked out but I intend to setup bind in a
 multiple master manner.

 This makes me question a few things:

 1. What can I use for the SOA MNAME? In the off chance a box may die,
 I am thinking of using a VIP which contains the multiple masters
 within it. However I am not sure how this would affect NOTIFY. So can
 I use a VIP or do I just use one of the master DNS boxes in the SOA
 MNAME field?


You can use any authoritative for the zone name server. One of the masters
is good enough.


 2. With that said, I intend to use rndc to push out DNS changes,
 should I worry about using a VIP still? I may need to use both and
 NOTIFY seems like it is more built-in so I want to keep rndc and
 NOTIFY going.

 How do you plan to replicate the zone data between the masters? At the
slaves you can just set few masters for each zone. For example:

zone example.com {
   type slave;
   file /var/named/example.com.zone;
   masters { master_ip_address; master_ip_address; ... };
}

When named receives NOTIFY for a zone it will check one by one the servers
from the masters list.

Hope someone has gone through this trauma.

 Thank you!,

 Zahid Bukhari
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users


ena
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind 9 multiple masters setup

[Torinthiel]

On 01/12/11 16:13, dev null wrote:
 Hello,
 
 I have most of this worked out but I intend to setup bind in a
 multiple master manner.
 
 This makes me question a few things:
 
 1. What can I use for the SOA MNAME? In the off chance a box may die,
 I am thinking of using a VIP which contains the multiple masters
 within it. However I am not sure how this would affect NOTIFY. So can
 I use a VIP or do I just use one of the master DNS boxes in the SOA
 MNAME field?

It's mostly ignored. All resolvers go for the NS records at the zone
apex, not for MNAME. Even if the server named in MNAME dies, it won't
affect resolving. You just rebuild that machine, or even build another
one and change slaves to get data from new master.


 2. With that said, I intend to use rndc to push out DNS changes,
 should I worry about using a VIP still? I may need to use both and
 NOTIFY seems like it is more built-in so I want to keep rndc and
 NOTIFY going.

Isn't it simplier to just let BIND do it's job? When master loads a
changed zone, it sends NOTIFY messages to slaves, and slaves seeing that
they have outdated zone files download the zone from master.
rndc can only tell BIND (either master or slave) to initiate that
connection, it can't change zones by itself.
You could of course copy zone files to slaves by some means (rsync?
scp?) and then rndc reload the slave, but
a) why?
b) it really isn't a slave anymore, at least not in DNS terms.
Torinthiel
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

how to proper include DS record on key dnssec

[fakessh @]

hello bind network 
hello dnssec network admin. 


I correctly configure my server centos dnssec on with as a
representative of encryptions dlv isc. my question is relevant and was
already asked but I have not found the complete answer on google. my
question is how to include the DS record in the Keys. my keys are in a
separate folder. the DS record is already generated in

I also wonder the utility of this good record given that my signatures
are marked as good on dlv

I read that a single include file in the keys was the right approach but
I would like to have more precision on the proper conduct of this
operation

what file in the include directive must be accomplished and realize how
well inclusion of the DS record (what should be the proper syntax on how
to declare dlv isc) how to re-sign after the keys

this is it the response on google for implement DS record with dnssec
http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.dns.bind/2010-08/msg00054.html


thanks for many returns who are welcome

this is a relevant on my config of keys
~]# cat  /var/named/dsset-fakessh.eu. 
fakessh.eu. IN DS 47103 3 1
CFEA04C5B91**7F2DF5225E357
fakessh.eu. IN DS 47103 3 2
68096942650C1DD89D5**09F4F1CD348 4D8ED07B


~]# ls -al /var/named/keys
total 8
drwxrwxr-x 2 root named 4096 jan  1 15:41 .
drwxrwx--- 7 root named 4096 jan  1 15:34 ..
lrwxrwxrwx 1 root named   28 jan  1 15:41 dsset-fakessh.eu.
- /var/named/dsset-fakessh.eu.
lrwxrwxrwx 1 root named   34 jan  1 15:41 dsset-nicolaspichot.fr.
- /var/named/dsset-nicolaspichot.fr.
lrwxrwxrwx 1 root named   33 jan  1 15:41 dsset-renelacroute.fr.
- /var/named/dsset-renelacroute.fr.
lrwxrwxrwx 1 root named   29 jan  1 15:41 keyset-fakessh.eu.
- /var/named/keyset-fakessh.eu.
lrwxrwxrwx 1 root named   35 jan  1 15:41 keyset-nicolaspichot.fr.
- /var/named/keyset-nicolaspichot.fr.
lrwxrwxrwx 1 root named   34 jan  1 15:41 keyset-renelacroute.fr.
- /var/named/keyset-renelacroute.fr.
lrwxrwxrwx 1 root named   37 jan  1 15:41 Kfakessh.eu.+003+47103.key
- /var/named/Kfakessh.eu.+003+47103.key
lrwxrwxrwx 1 root named   41 jan  1 15:41 Kfakessh.eu.+003+47103.private
- /var/named/Kfakessh.eu.+003+47103.private
lrwxrwxrwx 1 root named   37 jan  1 15:41 Kfakessh.eu.+003+59773.key
- /var/named/Kfakessh.eu.+003+59773.key
lrwxrwxrwx 1 root named   41 jan  1 15:41 Kfakessh.eu.+003+59773.private
- /var/named/Kfakessh.eu.+003+59773.private
lrwxrwxrwx 1 root named   43 jan  1 15:41 Knicolaspichot.fr.+003
+02473.key - /var/named/Knicolaspichot.fr.+003+02473.key
lrwxrwxrwx 1 root named   47 jan  1 15:41 Knicolaspichot.fr.+003
+02473.private - /var/named/Knicolaspichot.fr.+003+02473.private
lrwxrwxrwx 1 root named   43 jan  1 15:41 Knicolaspichot.fr.+003
+07246.key - /var/named/Knicolaspichot.fr.+003+07246.key
lrwxrwxrwx 1 root named   47 jan  1 15:41 Knicolaspichot.fr.+003
+07246.private - /var/named/Knicolaspichot.fr.+003+07246.private
lrwxrwxrwx 1 root named   42 jan  1 15:41 Krenelacroute.fr.+003
+01827.key - /var/named/Krenelacroute.fr.+003+01827.key
lrwxrwxrwx 1 root named   46 jan  1 15:41 Krenelacroute.fr.+003
+01827.private - /var/named/Krenelacroute.fr.+003+01827.private
lrwxrwxrwx 1 root named   42 jan  1 15:41 Krenelacroute.fr.+003
+57237.key - /var/named/Krenelacroute.fr.+003+57237.key
lrwxrwxrwx 1 root named   46 jan  1 15:41 Krenelacroute.fr.+003
+57237.private - /var/named/Krenelacroute.fr.+003+57237.private

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7


signature.asc
Description: Ceci est une partie de message	numériquement signée
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind 9 multiple masters setup

[Gordon A. Lang]

If a zone is not dynamic, then the MNAME does nothing except to possibly 
inhibit notifies to the declared master iff you specify the option notify 
yes or if you do not specify any notify option (as notify yes is the 
default).


If a zone is dynamic, then the MNAME plays a very critical role of telling 
all clients where to send dynamic DNS updates.


I hear that support for multi-master with dynamic zones is expected in 
version 10.  I have my own questions about how that will be done.


--
Gordon A. Lang  /  313-819-7978

- Original Message - 
From: dev null devn...@cimmerii.org

To: bind-users@lists.isc.org
Sent: Wednesday, January 12, 2011 10:13 AM
Subject: bind 9 multiple masters setup



Hello,

I have most of this worked out but I intend to setup bind in a
multiple master manner.

This makes me question a few things:

1. What can I use for the SOA MNAME? In the off chance a box may die,
I am thinking of using a VIP which contains the multiple masters
within it. However I am not sure how this would affect NOTIFY. So can
I use a VIP or do I just use one of the master DNS boxes in the SOA
MNAME field?
2. With that said, I intend to use rndc to push out DNS changes,
should I worry about using a VIP still? I may need to use both and
NOTIFY seems like it is more built-in so I want to keep rndc and
NOTIFY going.

Hope someone has gone through this trauma.

Thank you!,

Zahid Bukhari
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

MNAME and BIND 10 question

[Gordon A. Lang]

Does anybody happen to know.

With BIND 9, if the MNAME resolves to multiple A records and notify yes is 
specified, do notifies get withheld from all specified NS destinations that 
resolve to any of the addresses associated with the MNAME?  Or do notifies only 
get withheld from NS destinations whose fqdn's mnemonically match the MNAME 
field?

Has it been decided yet for BIND 10 how the multiple masters will be specified?

Will BIND 10 follow Microsoft's lead where the MNAME in each zone is set to 
match the server name on which the zone resides?  Or might the MNAME be allowed 
to have multiple A records to give dynamic DNS clients more than one choice?

Does anyone know how existing Microsoft DNS client code reacts to having the 
MNAME resolve to multiple A records?  What about non-Microsoft DNS client codes?

Does Microsoft DNS client code ever use any other DDNS target identifier other 
than the MNAME?  I know some old codes used the NS records and/or the client's 
resolver list, but it is my understanding that both of those techniques have 
been completely abandoned -- does anyone believe otherwise?  And are there any 
other techniques used by Microsoft that perhaps I've never heard of -- anyone 
know?

Does anyone have any other interesting information about BIND 10 with respect 
to multi-master dynamic zone functionality?

Thanks.

--
Gordon A. Lang  /  313-819-7978___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: MNAME and BIND 10 question

[Chris Buxton]

On Jan 12, 2011, at 11:09 PM, Gordon A. Lang wrote:
 Does Microsoft DNS client code ever use any other DDNS target identifier 
 other than the MNAME?  I know some old codes used the NS records and/or the 
 client's resolver list, but it is my understanding that both of those 
 techniques have been completely abandoned -- does anyone believe otherwise?  
 And are there any other techniques used by Microsoft that perhaps I've never 
 heard of -- anyone know?

I believe Microsoft clients tend to try all three behaviors you've mentioned.

The last standard I read for this said that the SOA MName is to be used if and 
only if it corresponds to an NS record of the same name. Otherwise, a random NS 
record is to be chosen. Of course, many actual DDNS updaters ignore this, 
trying the MName host regardless of whether it has an NS record; this includes 
the nsupdate command itself.

However, ISC's dhcpd, at least version 3.1, follows the standard set forth 
above unless configured to do otherwise.

Regards,
Chris Buxton
BlueCat Networks

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users