rndc-key has expired

2011-03-22 Thread fakessh @
hi bind guru


It appears from the log that my signature rndc-key has expired. How do I
update it?
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7


signature.asc
Description: This is a digitally signed message part
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

dnssec-signzone: fatal: cannot sign zone with non-private dnskey

2011-03-22 Thread Ivo
Hello,

I am trying to sign a zone (domain.nx) using BIND 9.7.3 with
PKCS11/OpenSC. I am able to generate a key on the smartcard using
pkcs11-keygen and export the meta-description info with
dnssec-keyfromlabel; however, dnssec-signzone seems to have a problem
finding the private key.

# ./dnssec-signzone -E pkcs11 -N unixtime -r /dev/urandom -v 5 -o domain.nx -a -A -H 2 -3 12345678 -t -k Kdomain.nx.+008+61097 domain.nx Kdomain.nx.+008+61096

dnssec-signzone: fatal: cannot sign zone with non-private dnskey Kdomain.nx.+008+61096

---

This is how I exported the key information from the smartcard (slot 1 : keyID):

# ./dnssec-keyfromlabel -l 1:2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c -a RSASHA256 -f KSK domain.nx
Kdomain.nx.+008+61097
# ./dnssec-keyfromlabel -l 1:2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c -a RSASHA256 domain.nx
Kdomain.nx.+008+61096

# pkcs15-tool -D

Private RSA Key [test]
Object Flags   : [0x3], private, modifiable
Usage  : [0xC], sign, signRecover
Access Flags   : [0x0]
ModLength  : 1024
Key ref: 1
Native : yes
Path   : 3f005015
Auth ID: 01
ID : 2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c

Public RSA Key [test]
Object Flags   : [0x2], modifiable
Usage  : [0xC0], verify, verifyRecover
Access Flags   : [0x0]
ModLength  : 1024
Key ref: 0
Native : no
Path   : 3f0050153000
ID : 2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c


The base64-encoded Label seems to match the slot:keyID of the key on the smartcard:

# more Kdomain.nx.+008+61096.private
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: rQTT+TTT+UZ5bHDgSXD9NYC7uuVm1VY8S1ssDgWnoM72xD1SHaKDcaF3YtDZ7FyvNGPwUC4nxIzCwJvhNEKbTqFvhTl1bovzMPdSZ/BfcQjYDJpDe8aF94woIIoq5ryDPGx9ymo6qQ9hhOzN0IWMbUp9q0JgTC8QnJ9Vc+Rlsf0=
PublicExponent: AQAB
Engine: cGtjczExAA==
Label: MToyZmJlM2M1MGYwYjdmZDc2Zjg2YjllZmU2YTZiYjkzMzU0N2NlNThjAA==
Created: 20110322140421
Publish: 20110322140421
Activate: 20110322140421

# more Kdomain.nx.+008+61096.key
; This is a zone-signing key, keyid 61096, for domain.nx.
; Created: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Publish: 20110322140421 (Tue Mar 22 16:04:21 2011)
; Activate: 20110322140421 (Tue Mar 22 16:04:21 2011)
domain.nx. IN DNSKEY 256 3 8 AwEAAa0E0/k00/lGeWxw4Elw/TWAu7rlZtVWPEtbLA4Fp6DO9sQ9Uh2ig3Ghd2LQ2excrzRj8FAuJ8SMwsCb4TRCm06hb4U5dW6L8zD3UmfwX3EI2AyaQ3vGhfeMKCCKKua8gzxsfcpqOqkPYYTszdCFjG1KfatCYEwvEJyfVXPkZbH9

Has anyone else had a similar problem with the signing tool?

Thanks,

Ivo

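Before pointing dnssec-signzone at a PKCS#11-backed key it is worth confirming that the three artefacts involved describe the same key: the .private file (which for an engine key holds only the public half plus an Engine and a Label), the .key file, and the object on the token. The script below is an added example for this thread, not code from the post or from ISC; it decodes the Engine/Label fields (base64 of NUL-terminated strings), rebuilds the RFC 3110 public-key wire form from Modulus/PublicExponent, compares it with the DNSKEY RDATA, and recomputes the RFC 4034 key tag. The sample input is the Kdomain.nx.+008+61096 pair and the pkcs15-tool ID quoted above, with the wrapped base64 re-joined; the helper names are mine. It checks only what the files say about each other and about the token object they name; whether the engine can actually open that private object on the card is a different question the script cannot answer.

```python
"""Cross-check a BIND PKCS#11-backed key pair (.private / .key) against the token ID.

Added example for the dnssec-signzone thread; not code from the post or from ISC.
"""
import base64
import struct

# Sample input: the Kdomain.nx.+008+61096 files as quoted in the post, with the
# line-wrapped base64 re-joined onto one line. Nothing else was changed.
PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: rQTT+TTT+UZ5bHDgSXD9NYC7uuVm1VY8S1ssDgWnoM72xD1SHaKDcaF3YtDZ7FyvNGPwUC4nxIzCwJvhNEKbTqFvhTl1bovzMPdSZ/BfcQjYDJpDe8aF94woIIoq5ryDPGx9ymo6qQ9hhOzN0IWMbUp9q0JgTC8QnJ9Vc+Rlsf0=
PublicExponent: AQAB
Engine: cGtjczExAA==
Label: MToyZmJlM2M1MGYwYjdmZDc2Zjg2YjllZmU2YTZiYjkzMzU0N2NlNThjAA==
Created: 20110322140421
Publish: 20110322140421
Activate: 20110322140421
"""

KEY_FILE = """\
; This is a zone-signing key, keyid 61096, for domain.nx.
domain.nx. IN DNSKEY 256 3 8 AwEAAa0E0/k00/lGeWxw4Elw/TWAu7rlZtVWPEtbLA4Fp6DO9sQ9Uh2ig3Ghd2LQ2excrzRj8FAuJ8SMwsCb4TRCm06hb4U5dW6L8zD3UmfwX3EI2AyaQ3vGhfeMKCCKKua8gzxsfcpqOqkPYYTszdCFjG1KfatCYEwvEJyfVXPkZbH9
"""

# ID of the private object as printed by `pkcs15-tool -D` in the post.
TOKEN_KEY_ID = "2fbe3c50f0b7fd76f86b9efe6a6bb933547ce58c"


def parse_private(text):
    """Parse the 'Field: value' lines of a BIND .private file into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def decode_cstring(b64):
    """Engine and Label are stored as base64 of a NUL-terminated C string."""
    return base64.b64decode(b64).split(b"\x00", 1)[0].decode("ascii")


def parse_dnskey(text):
    """Return (flags, protocol, algorithm, public key bytes) from a .key file."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[2] == "DNSKEY":
            flags, proto, alg = (int(p) for p in parts[3:6])
            return flags, proto, alg, base64.b64decode("".join(parts[6:]))
    raise ValueError("no DNSKEY record in .key file")


def rsa_public_key_rdata(fields):
    """RFC 3110 wire form of an RSA public key: exponent length, exponent, modulus."""
    exponent = base64.b64decode(fields["PublicExponent"])
    modulus = base64.b64decode(fields["Modulus"])
    if len(exponent) < 256:
        length = bytes([len(exponent)])
    else:
        length = b"\x00" + struct.pack(">H", len(exponent))
    return length + exponent + modulus


def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA (algorithms != 1)."""
    rdata = struct.pack(">HBB", flags, proto, alg) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_key_pair(private_text, key_text, token_key_id):
    """Compare what .private, .key and the token say about one key."""
    fields = parse_private(private_text)
    label = decode_cstring(fields["Label"])
    slot, _, key_id = label.partition(":")      # BIND label form is slot:keyID
    flags, proto, alg, pubkey = parse_dnskey(key_text)
    return {
        "engine": decode_cstring(fields["Engine"]),
        "slot": slot,
        "key_id": key_id,
        "label_matches_token": key_id.lower() == token_key_id.lower(),
        "algorithm_matches": int(fields["Algorithm"].split()[0]) == alg,
        "public_matches_private": rsa_public_key_rdata(fields) == pubkey,
        "key_tag": key_tag(flags, proto, alg, pubkey),
        "is_ksk": bool(flags & 0x0001),         # SEP bit: 257 = KSK, 256 = ZSK
    }


if __name__ == "__main__":
    for name, value in check_key_pair(PRIVATE_FILE, KEY_FILE, TOKEN_KEY_ID).items():
        print(f"{name}: {value}")
```

Run it against the real files by reading them in place of the embedded strings. If `public_matches_private` is false the two files were not produced by the same dnssec-keyfromlabel run; if `label_matches_token` is false the Label points at a different object than the one pkcs15-tool lists; a key tag that differs from the number in the file name means the .key file was edited after generation.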


Re: rndc-key has expired

2011-03-22 Thread fakessh @
I changed options

update-policy {
grant fakessh.eu. name fakessh.eu. A TXT;
};

since
update-policy {
grant * self * A TXT;
};


On Tuesday 22 March 2011 at 14:59 +0100, fakessh @ wrote:
 hi bind guru
 
 It appears from the log that my signature rndc-key has expired. How do I
 update it?

Re: Master ns on internal lan

2011-03-22 Thread Joseph S D Yao
What the heck is this???  To: x_bind-user...@nospam.pz.podzone.net

On Sun, Mar 20, 2011 at 10:13:29AM +, x_bind-user...@nospam.pz.podzone.net wrote:
 Hi,
 
 I'm trying to figure out how to configure my nameservers so that the
 master can reside on an internal LAN *only* address.
 
 I already have it configured such that the master is (almost) hidden
 while residing on a public IP.  So I should present that first:
 
 ns0.mydomain.net - Gateway/firewall, public IP (ADSL) + internal LAN.
 
 ns1.mydomain.net - Public nameserver.
 
 ns2.mydomain.net - Public nameserver.
 
 Host ns0 serves DNS for the internal LAN, as well as acting master for
 ns1/ns2.
 
 I have glue records at the registry for ns1 & ns2.  The zone file
 configured on ns0 looks something like this:
 
 @ IN SOA ns0 hostmaster (
     ...
 )
 @   IN NS   ns1
 @   IN NS   ns2
 ns0 IN A    aaa.aaa.aaa.aaa ;; ns0 (hidden)
 ns1 IN A    bbb.bbb.bbb.bbb ;; ns1
 ns2 IN A    ccc.ccc.ccc.ccc ;; ns2
 ...
 
 On the master (ns0) named.conf is as follows:
 
 options {
     listen-on       { any; };
     allow-recursion { 127.0.0.1; lan; };
     allow-query     { 127.0.0.1; lan; };
     allow-transfer  { 127.0.0.1; ns1; ns2; };
     ...
 };
 zone "mydomain.net" {
     type master;
     file "/etc/bind/db.mydomain.net";
     allow-query { any; };
 };
 
 On the slaves (ns1/ns2) named.conf is as follows:
 
 zone "mydomain.net" {
     type slave;
     file "/var/cache/bind/db.mydomain.net";
     masters { aaa.aaa.aaa.aaa; };
     allow-query { any; };
 };
 
 As you can see, ns0 isn't quite totally hidden - it shows up in the
 SOA record.  I tried using ns1 in the SOA but then ns1/ns2 failed to
 update correctly when the zone file was updated on ns0.  I never
 figured that out and don't see it as a big deal from a privacy POV but
 I accept that probably it's not optimally configured.
 
 Now on to my question. ;-)
 
 Ideally I would like to manage the zones on a main internal server,
 which would serve the internal LAN (including an internal-only zone)
 as well as somehow keeping the public slaves up to date.  Part reason
 for this is a policy to shift all internal services onto the LAN and
 away from the DMZ.
 
 This is the plan:
 
 main.mydomain.net - Internal LAN only.
 
 ns0.mydomain.net - Gateway/firewall, public IP (ADSL) + internal LAN.
 
 ns1.mydomain.net - Public nameserver.
 
 ns2.mydomain.net - Public nameserver.
 
 main acts as master for ns0 slave. (and serves dns for the lan)
 
 ns0 acts as master for ns1/ns2 slaves. (and serves dns for the dmz)
 
 This is the problem, I cannot see how to configure the SOA and conf
 files such that zone updates will be notified main -> ns0 -> ns1/ns2.
 
 Any advice or pointers on how to achieve that would be greatly
 appreciated.  Thanks in advance. - Charlie.


Have a separate internal subdomain.  Put ns0 and main in that internal
subdomain, where they're not visible to the outside.  In each domain,
list only the name servers that you want to be used by the widest
network - e.g., the public Internet, or your company, or your group.  I
mention below what to do for the smaller groups.

Take ns0 and main out of the SOA record.  I know that it's not strictly
per RFC, but where I don't have dynamic DNS (e.g. ALL external domains)
I use a non-existent "no-ddns.my.domain." in the SOA record, to say
"none of your business".

If the name servers to be NOTIFY'd are not explicitly named in the
domain - and even if they are - put them in an also-notify {}; clause in
the domain or view.  Remember that if it's in the domain then any
servers listed in the view are not seen; and if it's in the view, then
any servers listed in options {}; are not seen.

If you're in an internal group, say, the internal LAN where ns0 is
visible and ns1 and ns2 are not directly reachable, then you must make
them findable by your recursively resolving name servers.  Ideally, you
will have two or more name servers whose entire job is resolving, that
are not authoritative name servers for any domain.  On those name
servers, you forward queries for the domain under discussion to the
unlisted internal name server that nonetheless IS authoritative for the
domain.  In less ideal circumstances, the internal recursively resolving
name server is in fact the internal authoritative name server, and no
forwarding needs to be done.  I believe that is what you have described.

Apologies if my brain at this late hour has not hit everything I had
intended to.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/
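The notification chain Charlie asks for (main -> ns0 -> ns1/ns2), written out as an added named.conf example; this is not configuration from the thread or from ISC, and it follows the also-notify rule Joe describes (a zone-level list replaces the view-level one, which replaces the options-level one, so each hop lists its own downstream and nothing else). The public addresses are the post's aaa/bbb/ccc placeholders; the LAN addresses 10.0.0.5 (main) and 10.0.0.1 (ns0's LAN side), `notify explicit` and `notify-source` are assumptions added here.

```conf
// main.mydomain.net: hidden master, LAN only. Assumed LAN addresses:
// 10.0.0.5 for main, 10.0.0.1 for the LAN side of ns0.
options {
    listen-on { 10.0.0.5; };
    allow-transfer { none; };      // nothing is transferable unless a zone allows it
    notify explicit;               // NOTIFY only the also-notify list, not the NS RRset
    also-notify { 10.0.0.1; };     // options-level list; a view/zone list would replace it
};
zone "mydomain.net" {
    type master;
    file "/etc/bind/db.mydomain.net";
    allow-transfer { 10.0.0.1; };  // only ns0 may pull the zone from main
    // deliberately no also-notify here: it would replace, not extend, the options list
};

// ns0.mydomain.net: slave of main, master for ns1/ns2. The zone-level
// also-notify replaces any list in options or the enclosing view.
zone "mydomain.net" {
    type slave;
    file "/var/cache/bind/db.mydomain.net";
    masters { 10.0.0.5; };         // NOTIFY from main is accepted because it is a master
    notify explicit;
    notify-source aaa.aaa.aaa.aaa; // send from the address ns1/ns2 know as their master
    also-notify { bbb.bbb.bbb.bbb; ccc.ccc.ccc.ccc; };
    allow-transfer { bbb.bbb.bbb.bbb; ccc.ccc.ccc.ccc; };
    allow-query { any; };
};

// ns1.mydomain.net and ns2.mydomain.net: as in the post. NOTIFY from
// aaa.aaa.aaa.aaa is accepted because that address is in masters.
zone "mydomain.net" {
    type slave;
    file "/var/cache/bind/db.mydomain.net";
    masters { aaa.aaa.aaa.aaa; };
    allow-query { any; };
};
```

A slave accepts NOTIFY from the hosts in its masters list, so the only address that has to be right at each hop is the one the upstream sends from; on a multi-homed ns0 that is what `notify-source` pins down. With main and ns0 absent from the NS RRset and the SOA MNAME, `notify explicit` also stops each server from trying to reach the hidden hosts through the public zone data.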