Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and
the AEP keyper HSM), with DNSSEC enabled, dynamically signing
records. Most of the time, the typical NSEC3 looks like ('dig +dnssec
@a.nic.fr A www.toto.fr' if you want to see it):

meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A 
O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM

The list of NS records is sound. But from time to time, we see BIND
producing strange NSEC3 records like:

meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A 
O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM  
TYPE65534

Note the TYPE65534, which I cannot explain. Grepping the bind-users
archives, or googling, reveals that other persons saw them, but I did
not find a final explanation.

When this happens, the signature:

meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN RRSIG NSEC3 8 2 5400 
20110408081500 20110207081500 2331 fr. 
OFDRwZAgzDT1y8fTJ1XCfHlajEAHzqk2dsJaCR1TSednnBSEkctIUP6AsZuD+EOZtEPCM2Oe3cI/fG2GfA1nAUDaS1INN3I6YRpB3n2/oCfKBvs68fvCexBOIgz+oc74VrPvjDtPkVyGbJ5ImSlwu8Uc8rTXKh47CdS0AdJLmso=

is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr
NSEC3: no valid signature found') or an Unbound resolver ('debug:
verify: signature mismatch'). I fancy that the spurious TYPE65534 may have
been added after the signing.

The problem occurred twice
http://operations.afnic.fr/en/2011/02/12/dnssec-validating-resolving-issue.html
and, at least in the second case, it was when updating a DNSKEY record
(an old ZSK was retired).


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
On Sun, Feb 13, 2011 at 11:07:31AM +0100,
 Stephane Bortzmeyer bortzme...@nic.fr wrote 
 a message of 35 lines which said:

> Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and
> the AEP keyper HSM), with DNSSEC enabled, dynamically signing
> records.
...
> at least in the second case, it was when updating a DNSKEY record
> (an old ZSK was retired).

I was not very clear, sorry: all provisioning is done (DNSKEY
included) with dynamic updates. BIND is therefore responsible for
keeping the NSEC3 chain (we use opt-out, by the way), and for signing,
although the actual crypto is done by an AEP Keyper HSM.


Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers

On 02/13/2011 10:07 AM, Stephane Bortzmeyer wrote:


> Note the TYPE65534, which I cannot explain. Grepping bind-users
> archives, or googling, reveals that other persons saw them but I did
> not find a final explanation.


This is documented in the Bind ARM (at least, the one that comes with 
the 9.8 beta). See Chapter 4, Private-type records. Basically they 
store signing process state.


i.e. the *presence* of the record is normal.



> When this happens, the signature:
>
> meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN RRSIG NSEC3 8 2 5400
> 20110408081500 20110207081500 2331 fr.
> OFDRwZAgzDT1y8fTJ1XCfHlajEAHzqk2dsJaCR1TSednnBSEkctIUP6AsZuD+EOZtEPCM2Oe3cI/fG2GfA1nAUDaS1INN3I6YRpB3n2/oCfKBvs68fvCexBOIgz+oc74VrPvjDtPkVyGbJ5ImSlwu8Uc8rTXKh47CdS0AdJLmso=
>
> is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr
> NSEC3: no valid signature found') or an Unbound resolver ('debug:
> verify: signature mismatch'). I fancy that the spurious TYPE65534 may have
> been added after the signing.


That is, presumably, not normal.

I'm not very familiar with NSEC3 so can't say why it's happening. 
Suffice to say we have these records in our NSEC zone and they don't 
cause a problem.



Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers

On 02/13/2011 10:40 AM, Stephane Bortzmeyer wrote:

> On Sun, Feb 13, 2011 at 11:07:31AM +0100,
>  Stephane Bortzmeyer bortzme...@nic.fr wrote
>  a message of 35 lines which said:
>
>> Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and
>> the AEP keyper HSM), with DNSSEC enabled, dynamically signing
>> records.
>>
>> ...
>>
>> at least in the second case, it was when updating a DNSKEY record
>> (an old ZSK was retired).
>
> I was not very clear, sorry: all provisioning is done (DNSKEY
> included) with dynamic updates. BIND is therefore responsible for
> keeping the NSEC3 chain (we use opt-out, by the way), and for signing,
> although the actual crypto is done by an AEP Keyper HSM.


The zone at the moment seems to be signed with NSEC; are you trying to 
perform an online transition from NSEC to NSEC3 via dynamic update?



Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers

On 02/13/2011 11:30 AM, Stephane Bortzmeyer wrote:

> On Sun, Feb 13, 2011 at 11:01:48AM +,
>  Phil Mayers p.may...@imperial.ac.uk wrote
>  a message of 23 lines which said:
>
>> The zone at the moment seems to be signed with NSEC;
>
> Hmmm, no, .FR has been signed by NSEC3 from the beginning. Could you
> post this strange dig output?


Ignore me; I'm being an idiot and mis-reading the dig output. It is, of 
course, NSEC3.



Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
On Sun, Feb 13, 2011 at 11:01:48AM +,
 Phil Mayers p.may...@imperial.ac.uk wrote 
 a message of 23 lines which said:

> The zone at the moment seems to be signed with NSEC;

Hmmm, no, .FR has been signed by NSEC3 from the beginning. Could you
post this strange dig output?

> are you trying to perform an online transition from NSEC to NSEC3
> via dynamic update?

I wouldn't dare :-)



Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
On Sun, Feb 13, 2011 at 10:51:30AM +,
 Phil Mayers p.may...@imperial.ac.uk wrote 
 a message of 31 lines which said:

> This is documented in the Bind ARM

OK, thanks, I missed this section.

> i.e. the *presence* of the record is normal.

I'm not convinced (and the ARM is far from clear about it).

Most of the time, we have *no* such record ('dig @a.nic.fr ANY fr.' if
you want to check). When they appear, it seems to be always connected
with the problem.


bind on vps

2011-02-13 Thread Walter Alejandro Iglesias
Hello,

I read bind howto, several tutorials, mailing lists.  After
two months trying to get this working without success I must
bother you.

I am running a Slackware in a vps server, it provides me two
IPs (I can ask for more if needed).

I have the domains registered at go daddy.

It will be a web hosting server.  I wrote my own web client
panel and my own bash scripts to automate the upload of new
client's virtual domains.  That's why I want to run my own dns
server; I want to be able to update the registers in my own
machine.

I am running my name server in the same machine I run my
domains.  I've read a post in this mailing list where a newbie
like me explains the same problem.  But the last answer
mentions only glue records, and I think I've included
them correctly(?).  nslookup returns me the expected when I
run from inside the vps but not when I run it from the
outside.  

I've defined two zones.  The first is for my main domain; I need
to run an SSL site and I prefer to dedicate the first IP to it.
And a template zone for the rest of the virtual domains.

I've opened port 53 in my firewall.


Stuff
-

mydomain.com
virtualdomain.com   (later I want to be able to add
virtualdomain2.com, virtualdomain3.com, etc.
pointing to the template zone).

11.22.33.44 (first ip provided for vps)
11.22.33.45 (second ip provided for vps)


/etc/hosts.com
---
127.0.0.1   localhost.localdomain   localhost
11.22.33.44 server1.mydomain.com


/etc/resolv.conf
---
search  mydomain.com
nameserver  127.0.0.1
nameserver  208.67.222.222
nameserver  208.67.220.220


/etc/named.conf
---
options {
    directory "/var/named";
    query-source address * port 53;
    forward first;
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
};

// I keep the localhost zone configuration untouched.  This points to the
// Slackware default config files.
zone "." IN {
    type hint;
    file "caching-example/named.root";
};

zone "localhost" IN {
    type master;
    file "caching-example/localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "caching-example/named.local";
    allow-update { none; };
};

// Zones I added
zone "mydomain.com" {
    type master;
    file "mydomain.com.zone";
};
zone "virtualdomain.com" {
    type master;
    file "template.zone";
};
zone "33.22.11.in-addr.arpa" {
    type master;
    file "11.22.33";
};


Main zone

; mydomain.com.zone
$TTL 86400
@       IN  SOA ns1.mydomain.com. root.mydomain.com. (
            2011011902  ; Serial
            8H          ; Refresh
            2H          ; Retry
            4W          ; Expire
            1D )        ; Minimum TTL
@       IN  NS  ns1.mydomain.com.
@       IN  NS  ns2.mydomain.com.
@       IN  A   11.22.33.44
www     IN  A   11.22.33.44
ns1     IN  A   11.22.33.44
ns2     IN  A   11.22.33.45


Template zone
-
; template.zone (second ip)
$TTL 86400
@       IN  SOA ns1.mydomain.com. root.mydomain.com. (
            2011011902  ; Serial
            8H          ; Refresh
            2H          ; Retry
            4W          ; Expire
            1D )        ; Minimum TTL
@       IN  NS  ns1.mydomain.com.
@       IN  NS  ns2.mydomain.com.
@       IN  A   11.22.33.45
www     IN  A   11.22.33.45


Reverse zone

; 11.22.33
$TTL 86400
@       IN  SOA ns1.mydomain.com. root.mydomain.com. (
            2011011901  ; Serial
            8H          ; Refresh
            2H          ; Retry
            4W          ; Expire
            1D )        ; Minimum TTL
@       IN  NS  ns1.mydomain.com.
@       IN  NS  ns2.mydomain.com.
44      IN  PTR mydomain.com.
44      IN  PTR www.mydomain.com.
45      IN  PTR virtualdomain.com.
45      IN  PTR www.virtualdomain.com.
44      IN  PTR ns1.mydomain.com.
45      IN  PTR ns2.mydomain.com.

--- end config files -

In case my configuration is OK,
what must I ask to my vps provider?
what must 

Re: bind on vps

2011-02-13 Thread Torinthiel
On 02/13/11 12:52, Walter Alejandro Iglesias wrote:
> Hello,
>
> I read bind howto, several tutorials, mailing lists.  After
> two months trying to get this working without success I must
> bother you.
>
> I am running a Slackware in a vps server, it provides me two
> IPs (I can ask for more if needed).
>
> I have the domains registered at go daddy.
>
> It will be a web hosting server.  I wrote my own web client
> panel and my own bash scripts to automate the upload of new
> client's virtual domains.  That's why I want to run my own dns
> server; I want to be able to update the registers in my own
> machine.

You do know that you should have two SERVERS for your DNS?
Giving two different IPs for your box will work, but is a very bad idea.
Even if everything else is on that machine, for some uses (e.g. mail)
having no DNS data is worse than having a failed server.

 
> I am running my name server in the same machine I run my
> domains.  I've read a post in this mailing list where a newbie
> like me explains the same problem.  But the last answer
> mention only about glue records and I think I've included
> them correctly(?).  nslookup returns me the expected when I
> run from inside the vps but not when I run it from the
> outside.

That's probably because you haven't updated NS records at registrar. So
your server is configured correctly. But nobody asks it for information.
How to change it - most probably you have to login to the web panel for
the service, where you've ordered and paid for domain (that would be
godaddy I presume), and find your way there. Somewhere there should be
space for providing names of your nameservers, and IP addresses of them.
You'll need to do this for all your domains, but for rest of them names
will be enough.

> I've defined two zones.  The first to my main domain, I need
> to run a ssl site and I prefer dedicate the first ip to it.
> And a template zone to the rest of virtual domains.

Well, if only this site is SSL-enabled and all others are only HTTP, then
all can coexist on a single IP.

> I've opened port 53 in my firewall.

For TCP, UDP or both?

 
 
> Stuff
> -----
>
> mydomain.com
> virtualdomain.com (more late I want to be able to add
>   virtualdomain2.com, virtualdomain3.com, etc.
>   pointing to the template zone).
>
> 11.22.33.44 (first ip provided for vps)
> 11.22.33.45 (second ip provided for vps)

> /etc/named.conf
> ---------------

[cut]

> // Zones I added
> zone mydomain.com {
>   type master;
>   file mydomain.com.zone;
> };
> zone virtualdomain.com {
>   type master;
>   file template.zone;
> };
> zone 33.22.11.in-addr.arpa {
>   type master;
>   file 11.22.33;
> };

This will work only if you are designated nameserver for all 11.22.33/24
block, which I think is false. Otherwise you'll have to tell the one
that is (maybe your ISP, maybe even higher) to make changes.

 
 
> Main zone
> ---------
> ; mydomain.com.zone
> $TTL  86400
> @     IN  SOA ns1.mydomain.com.   root.mydomain.com. (
>       2011011902  ; Serial
>       8H  ; Refresh
>       2H  ; Retry
>       4W  ; Expire
>       1D) ; Minimum TTL
> @     IN  NS  ns1.mydomain.com.
> @     IN  NS  ns2.mydomain.com.
> @     IN  A   11.22.33.44
> www   IN  A   11.22.33.44
> ns1   IN  A   11.22.33.44
> ns2   IN  A   11.22.33.45

looks OK

 
 
> Template zone
> -------------
> ; template.zone (second ip)
> $TTL  86400
> @     IN  SOA ns1.mydomain.com.   root.mydomain.com. (
>       2011011902  ; Serial
>       8H  ; Refresh
>       2H  ; Retry
>       4W  ; Expire
>       1D) ; Minimum TTL
> @     IN  NS  ns1.mydomain.com.
> @     IN  NS  ns2.mydomain.com.
> @     IN  A   11.22.33.45
> www   IN  A   11.22.33.45


also looks OK.


 
 
> Reverse zone
> ------------
> ; 11.22.33
> $TTL  86400
> @     IN  SOA ns1.mydomain.com.   root.mydomain.com. (
>       2011011901  ; Serial
>       8H  ; Refresh
>       2H  ; Retry
>       4W  ; Expire
>       1D) ; Minimum TTL
> @     IN  NS  ns1.mydomain.com.
> @     IN  NS  ns2.mydomain.com.
> 44    IN  PTR mydomain.com.
> 44    IN  PTR www.mydomain.com.
> 45    IN  PTR virtualdomain.com.
> 45    IN  PTR 

Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Stephane Bortzmeyer
On Sun, Feb 13, 2011 at 11:07:31AM +0100,
 Stephane Bortzmeyer bortzme...@nic.fr wrote 
 a message of 35 lines which said:

> is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr
> NSEC3: no valid signature found') or an Unbound resolver ('debug:
> verify: signature mismatch'). I fancy that the spurious TYPE65534 may have
> been added after the signing.

I managed, by a lot of copy-and-paste from kept dig answers, to
reproduce the problem. Tests have been done with
http://www.verisignlabs.com/dnssec-tools/. When I use the NSEC3 with
TYPE65534, I get:

WARNING: Signature failed to verify RRset:
  rr:  meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400IN  NSEC3
  1 1 1 BADFE11A O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR
  RRSIG DNSKEY NSEC3PARAM TYPE65534

  sig: meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400IN  RRSIG
  NSEC3 8 2 5400 20110408081500 20110207081500 2331
  fr. 
OFDRwZAgzDT1y8fTJ1XCfHlajEAHzqk2dsJaCR1TSednnBSEkctIUP6AsZuD+EOZtEPCM2Oe3cI/fG2GfA1nAUDaS1INN3I6YRpB3n2/oCfKBvs68fvCexBOIgz+oc74VrPvjDtPkVyGbJ5ImSlwu8Uc8rTXKh47CdS0AdJLmso=
Reason: Signature failed to verify cryptographically

If I remove the TYPE65534 by hand, leaving the signature intact, the
problem disappears.

% diff fr-with-type65534 fr-with-type65534-removed
4d3
< fr. 0   IN  TYPE65534   \# 0
25c24
< meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A
O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY
NSEC3PARAM TYPE65534
---
> meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A
> O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY
> NSEC3PARAM

I also checked again that TYPE65534 is *not* served by BIND in the
normal situation, even when I dynamically update the zone and BIND
modifies the NSEC3 chain and the signatures.

So, it really seems there is a BIND bug here. I guess that the
TYPE65534 was wrongly added to the NSEC3 after it had been signed.

Many thanks to Gilles Massen for his help and ideas and solutions.
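As an added illustration of the reproduction above (this code is not from the thread or from BIND), the following Python builds the wire-format NSEC3 RDATA quoted in the thread with and without the TYPE65534 bit. The RRSIG is computed over the canonical RDATA, so a type bit added after signing changes the signed bytes and the kept signature can no longer verify. Type numbers, the window-block bitmap, base32hex and the NSEC3 owner-name hash follow RFC 4034 and RFC 5155; the parameter, salt, next-hash and type-list values are the ones quoted in the thread.

```python
# Added example, not part of the original thread: show how adding TYPE65534
# to the NSEC3 type bitmap alters the RDATA that the RRSIG covers.
import base64
import hashlib
import struct

# IANA type codes for the mnemonics that appear in the thread's NSEC3.
TYPE_NUMBERS = {"NS": 2, "SOA": 6, "TXT": 16, "NAPTR": 35,
                "RRSIG": 46, "DNSKEY": 48, "NSEC3PARAM": 51}

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # RFC 4648 s6 alphabet
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 s7 alphabet (NSEC3 uses this)

# Values quoted in the thread: "NSEC3 1 1 1 BADFE11A O5SM...TVC7 <types>".
HASH_ALG, FLAGS_OPT_OUT, ITERATIONS, SALT_HEX = 1, 1, 1, "BADFE11A"
NEXT_HASHED = "O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7"
NORMAL_TYPES = ["NS", "SOA", "TXT", "NAPTR", "RRSIG", "DNSKEY", "NSEC3PARAM"]
STRANGE_TYPES = NORMAL_TYPES + ["TYPE65534"]   # the record BIND sometimes served


def type_number(mnemonic):
    """Map a type mnemonic, or an RFC 3597 'TYPEnnnn' name, to its 16-bit code."""
    m = mnemonic.upper()
    return int(m[4:]) if m.startswith("TYPE") else TYPE_NUMBERS[m]


def encode_type_bitmap(mnemonics):
    """Window-block encoding of a type list (RFC 4034 s4.1.2, reused by RFC 5155 s3.2.1)."""
    windows = {}
    for code in sorted(type_number(m) for m in mnemonics):
        window, low = code >> 8, code & 0xFF
        bits = windows.setdefault(window, bytearray(32))
        bits[low >> 3] |= 0x80 >> (low & 7)
    out = bytearray()
    for window in sorted(windows):
        bits = windows[window]
        length = max(i + 1 for i, b in enumerate(bits) if b)   # trailing zero bytes dropped
        out += bytes([window, length]) + bits[:length]
    return bytes(out)


def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap: the sorted list of type codes present."""
    codes, pos = [], 0
    while pos < len(data):
        window, length = data[pos], data[pos + 1]
        pos += 2
        for i in range(length):
            for bit in range(8):
                if data[pos + i] & (0x80 >> bit):
                    codes.append((window << 8) | (i << 3) | bit)
        pos += length
    return codes


def b32hex_decode(text):
    std = text.upper().translate(str.maketrans(B32_HEX, B32_STD))
    return base64.b32decode(std + "=" * (-len(std) % 8))


def b32hex_encode(raw):
    std = base64.b32encode(raw).decode().rstrip("=")
    return std.translate(str.maketrans(B32_STD, B32_HEX)).lower()


def nsec3_rdata(type_list):
    """Wire-format NSEC3 RDATA (RFC 5155 s3.2): exactly the bytes an RRSIG hashes."""
    salt, nxt = bytes.fromhex(SALT_HEX), b32hex_decode(NEXT_HASHED)
    return (struct.pack("!BBH", HASH_ALG, FLAGS_OPT_OUT, ITERATIONS)
            + bytes([len(salt)]) + salt
            + bytes([len(nxt)]) + nxt
            + encode_type_bitmap(type_list))


def nsec3_hash(name):
    """Hashed owner name per RFC 5155 s5 (SHA-1, iterations + 1 applications), base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    salt = bytes.fromhex(SALT_HEX)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(ITERATIONS):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex_encode(digest)


def extra_signed_bytes():
    """How many bytes TYPE65534 appends to the signed RDATA (a whole window-255 block)."""
    normal, strange = nsec3_rdata(NORMAL_TYPES), nsec3_rdata(STRANGE_TYPES)
    assert strange.startswith(normal)        # the original bytes are unchanged, only extended
    return len(strange) - len(normal)


if __name__ == "__main__":
    print("type bitmap, normal :", encode_type_bitmap(NORMAL_TYPES).hex())
    print("type bitmap, strange:", encode_type_bitmap(STRANGE_TYPES).hex())
    print("extra bytes under the old RRSIG:", extra_signed_bytes())
    # Hash of the zone apex with the thread's parameters; compare it with the
    # owner names in the dig output if you want to confirm which name is covered.
    print("NSEC3 hash of 'fr.' with salt BADFE11A, 1 iteration:", nsec3_hash("fr."))
```

Any verifier that canonicalises the RRset before checking the RRSIG will hash the 34 extra bytes, which is why both BIND and Unbound reject the signature while the record with the bit removed verifies.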


Re: additional empty zones

2011-02-13 Thread Matus UHLAR - fantomas
On 13.02.11 09:25, Mark Andrews wrote:
> In message 20110212220459.ga23...@fantomas.sk, Matus UHLAR - fantomas
> writes:
>>> 2011/2/12 Matus UHLAR - fantomas uh...@fantomas.sk:
>>>> Is it possible to add additional zones as empty?
>>
>> On 12.02.11 11:15, Terry. wrote:
>>> depends on what is empty.
>>
>> exactly the same what is used by disable-empty-zones option.
>> I'd like to have opposite option.
>
> zone xxx {
>     type master;
>     database "_builtin empty nameserver contact";
> };
>
> should do it.

Nice, but is that documented enough so the behaviour won't change or get
removed in later releases?
... and it would be nice without the nameserver and contact parts, since
they are usually defined by empty-server and empty-contact options
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse


Re: additional empty zones

2011-02-13 Thread Matus UHLAR - fantomas
> On 02/12/2011 02:04 PM, Matus UHLAR - fantomas wrote:
>> 2011/2/12 Matus UHLAR - fantomas uh...@fantomas.sk:
>>> Is it possible to add additional zones as empty?

On 12.02.11 14:25, Doug Barton wrote:
> What it sounds like you're trying to do is to define additional zones in
> a manner similar to what the current internally defined empty zones do.
> There is no simple named.conf option for that, but there is no reason
> that you can't define your own zones to accomplish the same thing.

Well, I can and I do, but I am searching for a solution that requires least
possible files and configuration. I was thinking that option like
enable-empty-zone zone would be best possible solution.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: multi-master with mysql backend

2011-02-13 Thread fddi

I do not know why you really don't like this mysql solution.
OK, I am talking of a DNS for HA purposes, for grid computing services for
example, so DNS resolution must always be working at any cost.
The David solution can be OK, but I want to be sure not to have issues
with serial numbers on the two servers, and the mysql solution looks safer
to me. You do not have to rsync anything, just have mysql properly
configured.



Riccardo

On 2/12/11 11:33 PM, Doug Barton wrote:

> On 02/11/2011 01:51 PM, fddi wrote:
>
>> I understand you, but the advantage of having mysql backend is that
>> if one of the two servers dies, the other keeps running with up to
>> date information, and can also be updated with new information. When
>> the other server comes up again it will automatically sync itself
>> using mysql replica mechanism. if I use file backend I have to
>> manually sync it, and how to keep track of modifications ?
>>
>> for this I choose mysql backend
>
> Two questions, how often do you anticipate one of the masters failing,
> and how much data are you talking about? Generally the number of times
> a server fails is going to be pretty small, if it's not, you've got
> bigger problems.
>
> If you're not talking about a huge amount of data here (and from what
> you've described in previous posts, you're not) then you are fairly
> dramatically over-architecting your solution here. Personally I think
> David had a great idea in regards to using nsupdate to update both
> masters at the same time. If you really think that one of them is
> going to fail often enough to justify an automated solution then
> scripting something that utilizes rsync shouldn't be too hard.
>
> hth,
>
> Doug





Re: bind on vps

2011-02-13 Thread Walter Alejandro Iglesias
On Sun, Feb 13, 2011 at 02:13:48PM +0100, Torinthiel wrote:

> On 02/13/11 12:52, Walter Alejandro Iglesias wrote:
>> It will be a web hosting server.  I wrote my own web client
>> panel and my own bash scripts to automate the upload of new
>> client's virtual domains.  That's why I want to run my own dns
>> server; I want to be able to update the registers in my own
>> machine.
>
> you do know that you should have two SERVERS for your dns?
> Giving two different IPs for your box will work. but is a very bad idea.
> Even if everything else is on that machine, for some uses (eg. mail)
> having no DNS data is worse than having a failed server.

I read in forums about people that could run their own DNS
server at the same server they had their sites, that's why I
tried.  But I know (and I understand why) that the good
practice is to have two external DNS servers in different
locations.  

>> Reverse zone
>> ------------
>> ; 11.22.33
>> $TTL 86400
>> @   IN  SOA ns1.mydomain.com.   root.mydomain.com. (
>>     2011011901  ; Serial
>>     8H  ; Refresh
>>     2H  ; Retry
>>     4W  ; Expire
>>     1D) ; Minimum TTL
>> @   IN  NS  ns1.mydomain.com.
>> @   IN  NS  ns2.mydomain.com.
>> 44  IN  PTR mydomain.com.
>> 44  IN  PTR www.mydomain.com.
>> 45  IN  PTR virtualdomain.com.
>> 45  IN  PTR www.virtualdomain.com.
>> 44  IN  PTR ns1.mydomain.com.
>> 45  IN  PTR ns2.mydomain.com.
>
>
> First, as stated before, I doubt if anyone will ask your server for that
> info.

Stop here, this is my obscure point: how do you get that your
dns be asked?  What do you need?  What must I ask to my isp
(my vps provider in this case) for?  What do you mean by to be
designated nameserver for the IPs?

> Second - what is the name of 11.22.33.44? Is it mydomain.com?
> www.mydomain.com? ns1.mydomain.com? AFAIK there can be only one PTR record.
 

Yes, I realise my mistake.  Just one domain per IP.

>> In case my configuration is OK,
>> what must I ask to my vps provider?
>
> Probably nothing. If you can dig/nslookup on your host from external
> hosts, then it looks they don't need to do anything.
 

This is exactly what I cannot do: dig/nslookup from
external hosts.

Well, my goal (tell me if it is a fantasy:)) is to be able to
update automatically my registers.  I ignore the features and
flexibility of bind, perhaps I should change the strategy.
Could you give me some clue?  Can I use bind just as slave of
the external name server (being it godaddy's dns or my vps
provider's one)?


> Regards,
>  Torinthiel

Thanks for answering me!




Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Phil Mayers

On 02/13/2011 11:35 AM, Stephane Bortzmeyer wrote:

> On Sun, Feb 13, 2011 at 10:51:30AM +,
>  Phil Mayers p.may...@imperial.ac.uk wrote
>  a message of 31 lines which said:
>
>> This is documented in the Bind ARM
>
> OK, thanks, I missed this section.
>
>> i.e. the *presence* of the record is normal.
>
> I'm not convinced (and the ARM is far from clear about it).


Well, you're correct that they are absent most of the time.

OTOH I have a zone (NSEC not NSEC3) which is managed by dynamic updates and
currently has a TYPE65534 at the apex; the NSEC record names the
TYPE65534 and its RRSIG is valid - try:


dig +dnssec bar.ic.ac.uk

(assuming the TYPE65534 doesn't vanish... in the meantime)

IOW, it sounds like a bug in the code for NSEC3, because I think it 
works for NSEC.



Re: bind on vps

2011-02-13 Thread Sten Carlsen
You may consider using your own bind as a hidden master that will then
update a number of external DNS servers via notify. That way you fill in
what is to be in DNS and you have all needed diversity. This does not
remove the need to register all those nameservers for EACH name with the
registrar that has sold the name.

Probably your ISP is not involved with the forward DNS, for .com, maybe
Godaddy, for .dk it would be dk-hostmaster.dk, for .sk it would be
somebody else. All depending on who registered the domain in question.

Reverse mapping will be your ISP, if they are willing. Most really don't
accept to do it, that usually depends on the price you pay.

On 13/02/11 17:16, Walter Alejandro Iglesias wrote:
> On Sun, Feb 13, 2011 at 02:13:48PM +0100, Torinthiel wrote:
>
>> On 02/13/11 12:52, Walter Alejandro Iglesias wrote:
>>> It will be a web hosting server.  I wrote my own web client
>>> panel and my own bash scripts to automate the upload of new
>>> client's virtual domains.  That's why I want to run my own dns
>>> server; I want to be able to update the registers in my own
>>> machine.
>> you do know that you should have two SERVERS for your dns?
>> Giving two different IPs for your box will work. but is a very bad idea.
>> Even if everything else is on that machine, for some uses (eg. mail)
>> having no DNS data is worse than having a failed server.
> I read in forums about people that could run their own DNS
> server at the same server they had their sites, that's why I
> tried.  But I know (and I understand why) that the good
> practice is to have two external DNS servers in different
> locations.
>
>>> Reverse zone
>>> ------------
>>> ; 11.22.33
>>> $TTL 86400
>>> @   IN  SOA ns1.mydomain.com.   root.mydomain.com. (
>>>     2011011901  ; Serial
>>>     8H  ; Refresh
>>>     2H  ; Retry
>>>     4W  ; Expire
>>>     1D) ; Minimum TTL
>>> @   IN  NS  ns1.mydomain.com.
>>> @   IN  NS  ns2.mydomain.com.
>>> 44  IN  PTR mydomain.com.
>>> 44  IN  PTR www.mydomain.com.
>>> 45  IN  PTR virtualdomain.com.
>>> 45  IN  PTR www.virtualdomain.com.
>>> 44  IN  PTR ns1.mydomain.com.
>>> 45  IN  PTR ns2.mydomain.com.
>
>> First, as stated before, I doubt if anyone will ask your server for that
>> info.
> Stop here, this is my obscure point: how do you get that your
> dns be asked?  What do you need?  What must I ask to my isp
> (my vps provider in this case) for?  What do you mean by to be
> designated nameserver for the IPs?
>
>> Second - what is the name of 11.22.33.44? Is it mydomain.com?
>> www.mydomain.com? ns1.mydomain.com? AFAIK there can be only one PTR record.
>
> Yes, I realise my mistake.  Just one domain per IP.
>
>>> In case my configuration is OK,
>>> what must I ask to my vps provider?
>> Probably nothing. If you can dig/nslookup on your host from external
>> hosts, then it looks they don't need to do anything.
>
> This is exactly what I cannot do: to dig/nslookup from
> external hosts.
>
> Well, my goal (tell me if it is a fantasy:)) is to be able to
> update automatically my registers.  I ignore the features and
> flexibility of bind, perhaps I should change the strategy.
> Could you give me some clue?  Can I use bind just as slave of
> the external name server (being it godaddy's dns or my vps
> provider's one)?
>
>
>> Regards,
>>  Torinthiel
> Thanks for answering me!



-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!! 


Re: bind on vps

2011-02-13 Thread Torinthiel
On 02/13/11 17:16, Walter Alejandro Iglesias wrote:
> On Sun, Feb 13, 2011 at 02:13:48PM +0100, Torinthiel wrote:
>
>> On 02/13/11 12:52, Walter Alejandro Iglesias wrote:
>>> It will be a web hosting server.  I wrote my own web client
>>> panel and my own bash scripts to automate the upload of new
>>> client's virtual domains.  That's why I want to run my own dns
>>> server; I want to be able to update the registers in my own
>>> machine.
>>
>> you do know that you should have two SERVERS for your dns?
>> Giving two different IPs for your box will work. but is a very bad idea.
>> Even if everything else is on that machine, for some uses (eg. mail)
>> having no DNS data is worse than having a failed server.
>
> I read in forums about people that could run their own DNS
> server at the same server they had their sites, that's why I
> tried.  But I know (and I understand why) that the good
> practice is to have two external DNS servers in different
> locations.

It's not only good practice, it's a requirement per RFC103[45]. You'll
get by with two IPs for one machine, and if it's only HTTP there won't be
enough difference if this machine fails. However, you could also consider
looking for some other DNS services. Some ISPs provide secondary for
free, and there might also be a free DNS service somewhere. Or you could
find someone in a similar situation to yours and be secondary for each other.


 
>>> Reverse zone
>>> ------------
>>> ; 11.22.33
>>> $TTL 86400
>>> @   IN  SOA ns1.mydomain.com.   root.mydomain.com. (
>>>     2011011901  ; Serial
>>>     8H  ; Refresh
>>>     2H  ; Retry
>>>     4W  ; Expire
>>>     1D) ; Minimum TTL
>>> @   IN  NS  ns1.mydomain.com.
>>> @   IN  NS  ns2.mydomain.com.
>>> 44  IN  PTR mydomain.com.
>>> 44  IN  PTR www.mydomain.com.
>>> 45  IN  PTR virtualdomain.com.
>>> 45  IN  PTR www.virtualdomain.com.
>>> 44  IN  PTR ns1.mydomain.com.
>>> 45  IN  PTR ns2.mydomain.com.
>>
>>
>> First, as stated before, I doubt if anyone will ask your server for that
>> info.
>
> Stop here, this is my obscure point: how do you get that your
> dns be asked?  What do you need?  What must I ask to my isp
> (my vps provider in this case) for?  What do you mean by to be
> designated nameserver for the IPs?

Generally (not only for reverse DNS) you need one thing: delegation.
That is, the parent zone (this being .com for mydomain.com and
22.11.in-addr.arpa here) needs to answer 'I don't know about
mydomain.com, ask ns.mydomain.com'. And that's the part your server has
nothing to say yet, as it happens before query reaches your server.
Usually (that being the three places I know personally ;) the place
where you register your domain has some kind of web panel where you can
either setup the zone (if you use their nameservers) and/or enter the
nameservers you want to handle queries. And that's the part you want to do.

Now, specific about this part: first, disclaimer: I've never
administrated any reverse zones.
But still, probably your ISP/VPS provider would be the place to ask. Try
doing dig -x 11.22.33.44, and if it returns anything, then you have
reverse set up. Maybe some web panel from your ISP allows you to change
that to anything else, and maybe you even need it. But if you are doing
only HTTP and DNS then anything would be fine, as long as it resolves to
anything, and resolves back to you (so if you do dig -x 11.22.33.44 and
then dig what-you-got-from-previous you end with 11.22.33.44).
IMHO you don't need to handle any in-addr.arpa zone at all, your ISP
does it for you. You could change what it resolves to, via a web
interface and/or email directly to them, but chances are you don't need it.

>> Second - what is the name of 11.22.33.44? Is it mydomain.com?
>> www.mydomain.com? ns1.mydomain.com? AFAIK there can be only one PTR record.
>
> Yes, I realise my mistake.  Just one domain per IP.
>
>>> In case my configuration is OK,
>>> what must I ask to my vps provider?
>>
>> Probably nothing. If you can dig/nslookup on your host from external
>> hosts, then it looks they don't need to do anything.
>
> This is exactly what I cannot do: to dig/nslookup from
> external hosts.

Not exactly. You've stated that you CAN ask your server from external
hosts, but only if you specify to ask it. What you want to achieve is
having valid resolution without asking your specific server. And that's
the delegation step.


 Well, my goal (tell me if it is a fantasy:)) is to be able to
 update my records automatically.  I don't know the features and
 flexibility of bind, perhaps I should change the strategy.
 Could you give me some clue?  Can I use bind just as slave of
 the external name server (be it godaddy's dns or my vps
 provider's one)?

Being a slave server won't do you any good, slave (as the name suggests)
has nothing 

Re: additional empty zones

2011-02-13 Thread Mark Andrews

In message 20110213155712.ga1...@fantomas.sk, Matus UHLAR - fantomas writes:
 On 13.02.11 09:25, Mark Andrews wrote:
  In message 20110212220459.ga23...@fantomas.sk, Matus UHLAR - fantomas writes:
2011/2/12 Matus UHLAR - fantomas uh...@fantomas.sk:
 Is it possible to add additional zones as empty?
   
   On 12.02.11 11:15, Terry. wrote:
depends on what is empty.
   
   exactly the same what is used by disable-empty-zones option.
   I'd like to have opposite option.
  
  zone "xxx" {
  type master;
  database "_builtin empty nameserver contact";
  };
  
  should do it.
 
 Nice, but is that documented enough so the behaviour won't change or get
 removed in later releases?

It's unlikely to change.

 ... and it would be nice without the nameserver and contact parts, since
 they are usually defined by empty-server and empty-contact options

For the zones named creates.  Named isn't creating these zones.  You are.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: multi-master with mysql backend

2011-02-13 Thread Doug Barton

On 2/13/2011 8:06 AM, fddi wrote:

I do not know why you really don't like this mysql solution.


It isn't a matter of not liking it. Given that you have steadfastly 
refused to answer any of the questions from people who are trying to 
help you, my feeling is that you have decided that you want to use mysql 
no matter what, and you're not really interested in discussing A) What 
you're actually trying to accomplish, and B) What might be the best tool 
for doing that job.



OK, I am talking of a DNS for HA purposes for grid computing services, for
example, so DNS resolution must be always working at any cost.


I'm very familiar with providing mission critical DNS.


The David solution can be OK, but I want to be sure not to have issues
with serial numbers on the two servers


If you nsupdate both servers at the same time, you won't.


and the mysql solution looks safer to me. You do not have to rsync
anything, just have mysql properly configured.


You're talking about rsync as if it's a huge problem, so my guess is 
that you're familiar with mysql, but not familiar with rsync. This 
reinforces my belief that you've settled on mysql as the solution no 
matter what.


But let's take an actual look at your scenario for a second. Which do 
you _think_ would be faster, rsyncing your data (very little of which is 
likely to have changed during the outage) or the db synchronizing, which 
requires it to connect to the other master, play all the transaction 
logs that it missed, and verify that it's once again in a consistent 
state? Having thought about it, what results do you get after you 
actually test it?



Good luck,

Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: bind on vps

2011-02-13 Thread Walter Alejandro Iglesias
On Sun, Feb 13, 2011 at 10:12:34PM +0100, Torinthiel wrote:
 On 02/13/11 17:16, Walter Alejandro Iglesias wrote:
  On Sun, Feb 13, 2011 at 02:13:48PM +0100, Torinthiel wrote:
 It's not only good practice, it's a requirement per RFC103[45]. You'll
 go by with two IPs for one machine, and if it's only HTTP there won't be
 enough difference if this machine fails. However you could also consider
 looking for some other DNS services. Some ISPs provide secondary for
 free, there might also be a free DNS service somewhere. Or you could
 find someone in similar situation as you and be secondary for each other.
 

I did it with zoneedit.  Now I have it running.

  Stop here, this is my obscure point: how do you get that your
  dns be asked?  What do you need?  What must I ask my isp
  (my vps provider in this case) for?  What do you mean by to be
  designated nameserver for the IPs?
 
 Generally (not only for reverse DNS) you need one thing: delegation.
 That is, the parent zone (this being .com for mydomain.com and
 22.11.in-addr.arpa here) needs to answer 'I don't know about
 mydomain.com, ask ns.mydomain.com'. And that's the part your server has
 nothing to say yet, as it happens before query reaches your server.
 Usually (that being the three places I know personally ;) the place
 where you register your domain has some kind of web panel where you can
 either setup the zone (if you use their nameservers) and/or enter the
 nameservers you want to handle queries. And that's the part you want to do.

This is what I've explained I did at godaddy.  At godaddy you have
two forms for each domain, one to set the ns servers for the
domain and another called Host Summary where you associate an ns to
the ip.  If this is what I think it is for :), then it should
publish your ns1 and ns2 (at least this is what I've read in some
forum):

 Now, specific about this part: first, disclaimer: I've never
 administered any reverse zones.  But still, probably your
 ISP/VPS provider would be the place to ask. Try doing dig -x
 11.22.33.44, and if it returns anything, then you have
 reverse set up. Maybe some web panel from your ISP allows
 you to change that to anything else, and maybe you even need
 it. But if you are doing only HTTP and DNS then anything
 would be fine, as long as it resolves to anything, and
 resolves back to you (so if you do dig -x 11.22.33.44 and
 then dig what-you-got-from-previous you end up with
 11.22.33.44).  IMHO you don't need to handle any
 in-addr.arpa zone at all, your ISP does it for you. You
 could change what it resolves to, via a web interface and/or
 email directly to them, but chances are you don't need it.
 

I've told you in my first message, dig [-x], nslookup just
works from inside the vps (because I set localhost at
resolv.conf).

  Second - what is the name of 11.22.33.44? Is it mydomain.com?
  www.mydomain.com? ns1.mydomain.com? AFAIK there can be only one PTR record.
 
  
  Yes, I realise my mistake.  Just one domain per IP.
  
  In case my configuration is OK,
  what must I ask my VPS provider?
 
  Probably nothing. If you can dig/nslookup on your host from external
  hosts, then it looks they don't need to do anything.
 
  
  This is exactly what I cannot do: to dig/nslookup from
  external hosts.
 
 Not exactly. You've stated that you CAN ask your server from external
 hosts,

In which way?  Where did I state this?

 but only if you specify to ask it. What you want to achieve is
 having valid resolution without asking your specific server. And that's
 the delegation step.

The only way I could access my server is using the ip
address.  Sorry if I did not explain myself correctly.
 
  Well, my goal (tell me if it is a fantasy:)) is to be able to
  update my records automatically.  I don't know the features and
  flexibility of bind, perhaps I should change the strategy.
  Could you give me some clue?  Can I use bind just as slave of
  the external name server (be it godaddy's dns or my vps
  provider's one)?
 
 Being a slave server won't do you any good, a slave (as the name suggests)
 has nothing to say about the contents of the zone.
 The main problem here is that you want to update delegations, which
 don't depend on your server. I don't think a fully automated setup is
 possible, at least if your registry doesn't provide some non-webpage
 interface to alter delegations. There would be at least one
 non-automated step: buying the domain and telling (it should be possible
 in the process) that it should be handled by your servers.
 It's a once-per-zone operation, but it has to be done.
 The rest (adding the zone to your bind, changing the IP it resolves to) could
 be automated.

I will not resell domain names.  I will set up a KISS web
server :).  But anyway, I will go with zoneedit since that is the
good practice.  The question pending is how to set up a dns
server from scratch.  If further on I have more clients I will
rent a small vps and I will see how to get it working.


Well, Torinthiel, I am grateful 

Re: bind on vps

2011-02-13 Thread Terry.
2011/2/13 Walter Alejandro Iglesias e...@roquesor.com:
 Hello,

 I read bind howto, several tutorials, mailing lists.  After
 two months trying to get this working without success I must
 bother you.

 I am running a Slackware in a vps server, it provides me two
 IPs (I can ask for more if needed).

 I have the domains registered at go daddy.

 It will be a web hosting server.  I wrote my own web client
 panel and my own bash scripts to automate the upload of new
 clients' virtual domains.  That's why I want to run my own dns
 server; I want to be able to update the records in my own
 machine.

 I am running my name server in the same machine I run my
 domains.  I've read a post in this mailing list where a newbie
 like me explains the same problem.  But the last answer
 mentions only glue records and I think I've included
 them correctly(?).  nslookup returns the expected result when I
 run it from inside the vps but not when I run it from the
 outside.


I have also been running named on my VPS, with two IPs too.
The site is under development; once done it will also provide
SmartDNS hosting to my customers :)

-- 
Free SmartDNS Hosting:
http://DNSbed.com/


Re: Spurious TYPE65534 at the end of a NSEC3, why?

2011-02-13 Thread Mark Andrews

In message 4d5806ef.7000...@imperial.ac.uk, Phil Mayers writes:
 On 02/13/2011 11:35 AM, Stephane Bortzmeyer wrote:
  On Sun, Feb 13, 2011 at 10:51:30AM +,
Phil Mayersp.may...@imperial.ac.uk  wrote
a message of 31 lines which said:
 
  This is documented in the Bind ARM
 
  OK, thanks, I missed this section.
 
  i.e. the *presence* of the record is normal.
 
  I'm not convinced (and the ARM is far from clear about it).
 
 Well, you're correct that they are absent most of the time.
 
 OTOH I have a zone (NSEC not NSEC3) which is managed by dynamic updates and
 currently has a TYPE65534 at the apex, and the NSEC record names the
 TYPE65534 and its RRSIG is valid - try:
 
 dig +dnssec bar.ic.ac.uk
 
 (assuming the TYPE65534 doesn't vanish... in the meantime)
 
 IOW, it sounds like a bug in the code for NSEC3, because I think it 
 works for NSEC.

I could reproduce it in 9.7.1-P1 by just adding a DNSKEY record at
the apex but not in 9.7.2.  There were a number of NSEC3 fixes
between 9.7.1 and 9.7.2.  Upgrade.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
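As an added illustration (not code from this thread, from BIND or from ISC), here is a small Python encoder for the NSEC3 RDATA wire form, including the RFC 4034 type bitmap, applied to the two records Stephane posted. It shows concretely why the existing RRSIG cannot cover the record once TYPE65534 appears: the type bitmap gains an entire window block 255, so the RDATA the signature was computed over is 34 octets longer and no longer matches, which is exactly the "signature mismatch" the validators reported. The salt and next-hashed-owner values are copied from the thread; the type numbers are the IANA assignments. Nothing here assumes which name the hashed owner stands for.

```python
import base64
import struct

# Type mnemonics appearing in the NSEC3 records quoted in this thread (IANA values).
TYPES = {"NS": 2, "SOA": 6, "TXT": 16, "NAPTR": 35, "RRSIG": 46,
         "DNSKEY": 48, "NSEC3PARAM": 51}


def type_value(mnemonic: str) -> int:
    """Map a presentation-format type to its number; TYPEnnnn is the RFC 3597 form."""
    if mnemonic.upper().startswith("TYPE"):
        return int(mnemonic[4:])
    return TYPES[mnemonic.upper()]


def encode_type_bitmap(types) -> bytes:
    """RFC 4034 section 4.1.2 window-block encoding, shared by NSEC and NSEC3."""
    windows = {}
    for t in sorted(set(types)):
        if not 0 <= t <= 65535:
            raise ValueError("bad type %r" % t)
        win, low = t >> 8, t & 0xFF
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low >> 3] |= 0x80 >> (low & 7)
    out = bytearray()
    for win in sorted(windows):
        bitmap = bytes(windows[win]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([win, len(bitmap)]) + bitmap      # window number, length, bitmap
    return bytes(out)


def decode_type_bitmap(data: bytes) -> list:
    """Inverse of encode_type_bitmap; rejects malformed window blocks."""
    types, pos = [], 0
    while pos < len(data):
        win, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32 or pos + 2 + length > len(data):
            raise ValueError("malformed window block")
        bitmap = data[pos + 2:pos + 2 + length]
        for i, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append((win << 8) | (i << 3) | bit)
        pos += 2 + length
    return types


def base32hex_decode(text: str) -> bytes:
    """Base32 with the extended-hex alphabet (RFC 4648 section 7), used for NSEC3 hashes."""
    std = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    hexa = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    translated = text.upper().translate(str.maketrans(hexa, std))
    padded = translated + "=" * (-len(translated) % 8)
    return base64.b32decode(padded)


def nsec3_rdata(presentation: str) -> bytes:
    """Wire RDATA of an NSEC3 record from its presentation-format RDATA (RFC 5155 s3.2)."""
    fields = presentation.split()
    alg, flags, iterations, salt, next_hash = fields[:5]
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    next_bytes = base32hex_decode(next_hash)
    rdata = struct.pack("!BBH", int(alg), int(flags), int(iterations))
    rdata += bytes([len(salt_bytes)]) + salt_bytes
    rdata += bytes([len(next_bytes)]) + next_bytes
    rdata += encode_type_bitmap(type_value(t) for t in fields[5:])
    return rdata


# RDATA of the two records quoted in the thread (owner name and TTL left out).
GOOD = "1 1 1 BADFE11A O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM"
BAD = GOOD + " TYPE65534"

if __name__ == "__main__":
    good, bad = nsec3_rdata(GOOD), nsec3_rdata(BAD)
    print("good RDATA:", good.hex())
    print("bad  RDATA:", bad.hex())
    print("extra octets under the signature:", len(bad) - len(good))
    print("types in bad record:", decode_type_bitmap(bad[4 + 1 + 4 + 1 + 20:]))
```

The RRSIG is computed over the canonical RR, which embeds this RDATA (RFC 4034 section 3.1.8.1), so a signer that emitted the first form and a zone that later serves the second form can never validate, whatever the key. If you are chasing a similar report, compare the decoded type list from the wire against what the signer logged at signing time before suspecting the key or the HSM.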


Re: multi-master with mysql backend

2011-02-13 Thread Fajar A. Nugraha
On Mon, Feb 14, 2011 at 6:24 AM, Doug Barton do...@dougbarton.us wrote:
 On 2/13/2011 8:06 AM, fddi wrote:

 I do not know why you really don't liket this mysql solution.

 It isn't a matter of not liking it. Given that you have steadfastly
 refused to answer any of the questions from people who are trying to help
 you, my feeling is that you have decided that you want to use mysql no
 matter what, and you're not really interested in discussing A) What you're
 actually trying to accomplish, and B) What might be the best tool for doing
 that job.

All things considered, it might be that the best tool for that specific
need is not bind at all, but something like mydns.

-- 
Fajar


help with views design

2011-02-13 Thread Terry.
Hello gurus,

Thanks first of all, since I have got much help from the list before.
Now I'm designing an open DNS service; say I have three views as below:

view uni {
  match-clients {
  key unikey;
  UNI;
  };
  allow-update {key unikey;};
  zone test.nsbeta.info {
   type master;
   file test.nsbeta.info.uni.db;
  };
};

view edu {
  match-clients {
  key edukey;
  EDU;
  };
  allow-update {key edukey;};
  zone test.nsbeta.info {
   type master;
   file test.nsbeta.info.edu.db;
  };
};

view any {
  match-clients {
  key defaultkey;
  any;
  };
  allow-update {key defaultkey;};
  zone test.nsbeta.info {
   type master;
   file test.nsbeta.info.any.db;
  };
};


Some customers' domain names have all three views, so I define the
zones in each view, and they work fine.

But some customers have only two views, say view uni and view any.
Thus I set up zones in view uni and view any, but view edu will be lost.
If clients from the edu network query for the zones, they will get
an NXDOMAIN result.

For my DNS service, the customers submit their records from web
interface, the records are inserted into database.
Then a daemon will load the new updated records from database and call
nsupdate to update them to BIND.

I know I can use complicated SQL to resolve it, for example, if the
customer doesn't have the edu view, I could copy all the records from the any
view to the edu view in the database with an SQL statement. If the customer later
adds a record to the edu view, before inserting it into the database, I have to drop
all the records previously copied from the any view, etc.

But rather than using SQL to do it, is there a good BIND way of handling this case?

Thanks in advance.

Regards.


-- 
Free SmartDNS Hosting:
http://DNSbed.com/
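Added example, not from this thread and not BIND's own code: a small Python model of how named picks a view for a query, built on the documented rules (views are tried in configuration order, the first view whose match-clients accepts the query wins, and an address_match_list is satisfied by the first element that matches, whether that element is a key name or a network). Fed the three views above, it reproduces the failure mode described: a client on the EDU network asking for a customer zone that exists only in the uni and any views is captured by view edu and finds no zone there at all, and no later view is consulted. It also shows a consequence worth knowing for the nsupdate daemon: a query from a UNI address signed with edukey still lands in view uni, because the address matches that view first. The UNI/EDU network ranges are made up here, since the post does not show the ACL definitions, and the fallback at the end only records which file answers in the missing view; in a real named.conf the edu copy needs its own file (named refuses to open the same writable master file from two zones) kept in sync by some other means.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class View:
    name: str
    match_clients: list                      # ordered address_match_list entries
    zones: dict = field(default_factory=dict)  # zone name -> zone file


def element_matches(element, src_ip, key):
    """One address_match_list element: 'key NAME', 'any', or a CIDR prefix."""
    if element.startswith("key "):
        return key == element[4:]
    if element == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(element, strict=False)


def matching_view(views, src_ip, key=None):
    """First view, in configuration order, whose match-clients accepts the query."""
    for view in views:
        if any(element_matches(e, src_ip, key) for e in view.match_clients):
            return view
    return None


def answer(views, src_ip, qname, key=None):
    """(view name, zone file) serving qname for this client; None file = no zone in view."""
    view = matching_view(views, src_ip, key)
    if view is None:
        return ("REFUSED", None)
    return (view.name, view.zones.get(qname))


# Assumed ACL contents; the post defines UNI and EDU elsewhere.
UNI = ["10.1.0.0/16"]
EDU = ["10.2.0.0/16"]


def build_views(customer_views):
    """Mirror the posted named.conf; customer_views lists the views the customer filled."""
    views = [
        View("uni", ["key unikey"] + UNI),
        View("edu", ["key edukey"] + EDU),
        View("any", ["key defaultkey", "any"]),
    ]
    for v in views:
        if v.name in customer_views:
            v.zones["test.nsbeta.info"] = "test.nsbeta.info.%s.db" % v.name
    return views


def fill_missing_from_any(views):
    """Fallback: every view lacking a zone gets the 'any' view's data for it."""
    default = next(v for v in views if v.name == "any")
    for v in views:
        for zone, path in default.zones.items():
            v.zones.setdefault(zone, path)
    return views


if __name__ == "__main__":
    views = build_views({"uni", "any"})          # customer supplied no edu view
    for src, key in [("10.2.0.7", None), ("10.1.0.7", None),
                     ("198.51.100.9", None), ("10.1.0.7", "edukey")]:
        print(src, key, "->", answer(views, src, "test.nsbeta.info", key))
    fill_missing_from_any(views)
    print("after fallback:", answer(views, "10.2.0.7", "test.nsbeta.info"))
```

The model is deliberately strict about the "first view wins" rule: that is what makes a missing zone in an early view an outage for every client that matches it, rather than a fall-through to the any view. The ordering of views in named.conf is therefore part of the access-control design, not just cosmetics.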