question on minimal file permissions
Hi all,

I'm running BIND 9.7 on Ubuntu Server 10.04 LTS, and I was wondering if there is documentation on the minimal file permissions needed for BIND config files and zone files.

The reason I ask is because I'm setting up a DNSSEC server, and for easy key rollover and manageability I have created several new directories, on a USB stick for example. Key files and zone files now all have 774 permissions, owned by bind:bind, but I was wondering from a security point of view if this is correct? (I'm running AppArmor as well, but that's only an additional security layer.)

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: question on minimal file permissions
hostmas...@g-net.be <hostmas...@g-net.be> wrote:
> The reason I ask is because I'm setting up a DNSSEC server, and for easy key rollover and manageability I have created several new directories, on a USB stick for example. Key files and zone files now all have 774 permissions, owned by bind:bind, but I was wondering from a security point of view if this is correct?

Zone files that are managed by BIND need to be writable by BIND (mode 644 and owned by BIND). BIND does not (yet) create keys itself so the key files only need to be readable by BIND.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5 or 6 later. Rough or very rough. Occasional rain. Moderate or good, occasionally poor.
max-cache-size rule of thumb?
Hi all,

Is there a rule of thumb when setting max-cache-size? e.g. max physical memory * 0.4

Is there even a need to set max-cache-size on a server with plenty of memory (10GB) running only BIND?

Regards
Dennis
Re: question on minimal file permissions
On Mon, 2011-04-18 at 11:47 +0100, Tony Finch wrote:
> hostmas...@g-net.be <hostmas...@g-net.be> wrote:
>> The reason I ask is because I'm setting up a DNSSEC server, and for easy key rollover and manageability I have created several new directories, on a USB stick for example. Key files and zone files now all have 774 permissions, owned by bind:bind, but I was wondering from a security point of view if this is correct?
>
> Zone files that are managed by BIND need to be writable by BIND (mode 644 and owned by BIND). BIND does not (yet) create keys itself so the key files only need to be readable by BIND.
>
> Tony.

Hi,

When I set my key directory permissions like this:

    root@nssec:/dnskeys# ls -als
    4 dr--r--r--  2 bind bind 4096 2011-04-18 14:50 .
    4 drwxr-xr-x 26 root root 4096 2011-04-01 12:38 ..
    4 -r--r--r--  1 bind bind  462 2011-04-18 14:15 Kzone.be.+008+11754.key
    4 -r--r--r--  1 bind bind 1060 2011-04-18 14:15 Kzone.be.+008+11754.private
    4 -r--r--r--  1 bind bind  636 2011-04-18 14:16 Kzone.be.+008+25774.key
    4 -r--r--r--  1 bind bind 1824 2011-04-18 14:16 Kzone.be.+008+25774.private

and when I configure my zone like this in named.conf.local:

    zone "zone.be" {
        type master;
        file "/dnszones/db.zone.be.signed";
        auto-dnssec maintain;
        key-directory "/dnskeys/";
        sig-validity-interval 1;
    };

I get the following message in my logs:

    Apr 18 15:00:53 nssec named[3508]: /etc/bind/named.conf.local:25: 'auto-dnssec maintain;' requires dynamic DNS to be configured in the zone
    Apr 18 15:00:53 nssec named[3508]: loading configuration: failure
    Apr 18 15:00:53 nssec named[3508]: exiting (due to fatal error)

(By the way, I have disabled AppArmor globally on my Ubuntu server for now.)

Is this due to my mistake? Or permission related?

Thx
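The log line quoted above is a configuration error, not a permission error: in BIND 9.7, `auto-dnssec maintain` is only accepted in a zone that also allows dynamic updates, because named re-signs the zone through its own update path. This zone stanza is an added example, not from the thread; it assumes `update-policy local;` is the wanted way to allow updates (an `allow-update` with a TSIG key satisfies the same check). Since named will then create new versions of the zone file and a journal, the directory holding them must be writable by the bind user as well.

```conf
zone "zone.be" {
    type master;
    file "/dnszones/db.zone.be.signed";
    // auto-dnssec maintain re-signs through the dynamic-update path, so the
    // zone must accept updates; "local" permits them only through named's
    // local session key, not from the network.
    update-policy local;
    auto-dnssec maintain;
    key-directory "/dnskeys";
    sig-validity-interval 1;
};
```

Run `named-checkconf` after the change; the "requires dynamic DNS" message goes away once either `update-policy` or `allow-update` is present in the zone.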
Re: max-cache-size rule of thumb?
On Mon, 18 Apr 2011, Dennis Perisa wrote:
> Hi all,
>
> Is there a rule of thumb when setting max-cache-size? e.g. max physical memory * 0.4
>
> Is there even a need to set max-cache-size on a server with plenty of memory (10GB) running only BIND?
>
> Regards
> Dennis

Dennis, since getting the answers from cache is usually faster (and therefore more efficient) than recursing, I think the question is really what is the definition of "plenty of memory". If BIND's performance is hindered because of available memory then a limit on the cache size may be warranted, as also an increase of memory may be. In the example, a max-cache-size of .4*10GB leaves a residual pool that far exceeds BIND's requirements. The answer must be determined empirically; if performance is adversely affected then (and only then) limit the cache size.

Dave
--
David Forrest
Maple Park Development Corporation
St. Louis, Missouri
Re: max-cache-size rule of thumb?
Dennis Perisa wrote:
> Is there a rule of thumb when setting max-cache-size? e.g. max physical memory * 0.4
>
> Is there even a need to set max-cache-size on a server with plenty of memory (10GB) running only BIND?

I'd normally not recommend limiting the cache size - with normal use, it should stabilize on some amount by itself, based on your usage patterns. Memory is fairly cheap these days, too.

Regards
Eivind Olsen
Re: question on minimal file permissions
hostmas...@g-net.be <hostmas...@g-net.be> wrote:
> 4 dr--r--r--  2 bind bind 4096 2011-04-18 14:50 .

You should set execute permission on the directory so that bind can traverse it.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Re: SOA RNAME Value
I do not understand why I did not get similar test and log results as you indicate below, but I appreciate your feedback! Thank you!!

On Thu, 2011-04-14 at 17:39 +0100, Tony Finch wrote:
> Justin Krejci <jkre...@usinternet.com> wrote:
>> So I am wondering if this is normal/expected behavior for BIND and if so should debug logging or named-checkzone with debugging be able to identify this as the problem. Or am I missing something else altogether?
>
> With bind-9.7.3, I get the following log messages with the default logging level:
>
>     14-Apr-2011 17:29:39.697 general: error: dns_rdata_fromtext: /zd/29-120.144.168.192.in-addr.arpa:5: near 'root': bad name (check-names)
>     14-Apr-2011 17:29:39.697 general: error: zone 29/120.144.168.192.in-addr.arpa/IN: loading from master file /zd/29-120.144.168.192.in-addr.arpa failed: bad name (check-names)
>
> named-checkzone says:
>
>     /spool/bind/zd/29-120.144.168.192.in-addr.arpa:5: warning: root.29/120.144.168.192.in-addr.arpa: bad name (check-names)
>     zone 29/120.144.168.192.in-addr.arpa/IN: loaded serial 1
>     OK
>
> named-checkzone -k fail says:
>
>     dns_rdata_fromtext: /spool/bind/zd/29-120.144.168.192.in-addr.arpa:5: near 'root': bad name (check-names)
>     zone 29/120.144.168.192.in-addr.arpa/IN: loading from master file /spool/bind/zd/29-120.144.168.192.in-addr.arpa failed: bad name (check-names)
>     zone 29/120.144.168.192.in-addr.arpa/IN: not loaded due to errors.
>
> The zone file is:
>
>     $TTL 1h
>     ;
>     @       SOA     localhost. root (
>                     1       ; serial
>                     1h      ; refresh
>                     1000    ; retry
>                     1w      ; expiry
>                     1h )    ; minimum
>     ;
>             NS      localhost.
>     ;
>     ; eof
>
> Tony.
slave timers
Dear all,

I am testing the migration from BIND 8 to BIND 9 and the working of slave zones. To do this, I have put the following values for the timers in the master zone:

    $ORIGIN com.
    toto    3600 IN SOA ns1.toto.com. postmaster.toto.com. ( 2011041404 302 3600 604800 3600 )
    ....
    ....

It is really not working well!

- Are there some constraints on the timer values? For my test I have a 302 seconds expire time; can this work even if this timer is smaller than the other ones?
- When I do a "rndc reload" on the slave name server, there is no AXFR request to the master.
- When I do a bind9 stop/start on the slave name server, there is no AXFR request to the master.
- There is no AXFR request to the master every 302 seconds.

Can anyone help me to understand?

Thanks in advance,
Hugo
Re: slave timers
On Mon, 18 Apr 2011, hugo hugoo wrote:
> I am testing the migration from BIND 8 to BIND 9 and the working of slave zones. To do this, I have put the following values for the timers in the master zone:
>
>     $ORIGIN com.
>     toto    3600 IN SOA ns1.toto.com. postmaster.toto.com. ( 2011041404 302 3600 604800 3600 )
>
> It is really not working well!
> - Are there some constraints on the timer values? For my test I have a 302 seconds expire time; can this work even if this timer is smaller than the other ones?

The second parameter is the refresh timer, not the expire timer. 302 seconds is pretty short. Assuming your master-slave notifies are working correctly an hour or 2 (3600 or 7200 seconds) should be fine for a refresh timer value, but there are probably valid reasons to use shorter values.

> - When I do a 'rndc reload' on the slave name server, there is no AXFR request to the master.
> - When I do a bind9 stop/start on the slave name server, there is no AXFR request to the master.
> - There is no AXFR request to the master every 302 seconds.

The slave will check the SOA serial number it has against that of the master. If the master's is newer, it will transfer the zone. If not, the slave has current data so doesn't need to transfer it again. Are you incrementing the SOA serial number on the master?

"rndc retransfer zone" on the slave will force a transfer, ignoring the SOA serial number. See if that works.

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
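The two points in this reply (the field order of the SOA timers, and the serial comparison that decides whether a slave transfers at all) as an added shell example; this is not code from the thread or from BIND. The field order and the RFC 1982 serial comparison are standard; the "retry should not exceed refresh" and "expire should cover refresh plus retry" rules are this example's own rules of thumb, not something BIND enforces.

```shell
#!/bin/sh
# Added example, not from the thread: label the SOA timer fields from the zone
# above, warn about values that are unlikely to be intended, and decide, the
# way a slave does at refresh time or on NOTIFY, whether a transfer is due.

# Print the five numeric SOA fields with their names.  $1 is the text between
# the SOA parentheses, e.g. "2011041404 302 3600 604800 3600".
soa_fields() {
    set -- $1
    printf 'serial=%s refresh=%s retry=%s expire=%s minimum=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Rules of thumb (assumptions of this example, not BIND checks).  Arguments:
# refresh retry expire.  Prints one line per problem, returns the count.
soa_timers_check() {
    refresh=$1 retry=$2 expire=$3 problems=0
    if [ "$retry" -gt "$refresh" ]; then
        echo "WARN: retry ($retry) is larger than refresh ($refresh); the second field is refresh, not expire"
        problems=$((problems + 1))
    fi
    if [ "$expire" -lt $((refresh + retry)) ]; then
        echo "WARN: expire ($expire) is shorter than refresh + retry"
        problems=$((problems + 1))
    fi
    if [ "$refresh" -lt 300 ]; then
        echo "WARN: refresh ($refresh s) is very short; slaves will poll the master this often"
        problems=$((problems + 1))
    fi
    return $problems
}

# RFC 1982 serial arithmetic: succeeds if $1 is newer than $2 (modulo 2^32).
# Both arguments are assumed to be in 0..4294967295.
serial_newer() {
    d=$(( ($1 - $2 + 4294967296) % 4294967296 ))
    [ "$d" -ne 0 ] && [ "$d" -lt 2147483648 ]
}

# What a slave does: compare the master's SOA serial with its own copy and
# transfer only if the master's is newer.  Succeeds when a transfer is due.
slave_should_transfer() {
    master_serial=$1 slave_serial=$2
    if serial_newer "$master_serial" "$slave_serial"; then
        echo "master serial $master_serial is newer than $slave_serial: AXFR/IXFR will run"
        return 0
    fi
    echo "master serial $master_serial is not newer than $slave_serial: no transfer (rndc reload does not force one; rndc retransfer does)"
    return 1
}

# Demo with the values from the thread (constructed usage).
soa_fields "2011041404 302 3600 604800 3600"
soa_timers_check 302 3600 604800 || true
slave_should_transfer 2011041404 2011041404 || true
slave_should_transfer 2011041405 2011041404
```

With the thread's values the check reports that retry (3600) exceeds refresh (302), which is the mix-up the reply describes; the serial comparison shows why a reload or restart with an unchanged serial produces no AXFR.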
Re: question on minimal file permissions
On Apr 18 2011, Tony Finch wrote:
> Zone files that are managed by BIND need to be writable by BIND (mode 644 and owned by BIND).

BIND does not overwrite zone files in place! For those that it does manage (type slave/stub, or type master with DNS updates allowed) it is the directory containing the zone file that needs to be writable by BIND, so that it can create new versions and rename them. After which they will usually be as Tony suggests, of course, but they don't need to be after, say, an rndc freeze/thaw sequence - in that case readability by BIND is all that is required.

OTOH, journal files are updated in place, as well as new versions being created and renamed when they are shortened.

--
Chris Thompson
Email: c...@cam.ac.uk
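The advice across this thread (key directory must be traversable, private keys need only be readable by bind, and for managed zones it is the directory rather than the file that named writes to) as an added shell audit script; it is not code from the thread or from ISC. It assumes GNU coreutils `stat -c` as on the Ubuntu host in the original post, and the directory names and the key file names in the demo tree are taken from the listing above but are constructed here. The audit only reads modes; it never changes them.

```shell
#!/bin/sh
# Added example, not from the thread: audit the modes of a BIND key directory
# and zone directory against the advice in the replies above.
# Assumes GNU coreutils `stat -c`.  Paths are hypothetical.

# Last three octal digits of a path's mode, e.g. 2750 -> 750.
mode_of() {
    m=$(stat -c '%a' "$1")
    case $m in ????) m=${m#?} ;; esac
    printf '%s' "$m"
}

# Split the mode of $1 into owner (U), group (G) and other (O) digits.
split_mode() {
    m=$(mode_of "$1")
    U=${m%??}
    O=${m#??}
    t=${m%?}
    G=${t#?}
}

# bind can only open files in a directory it can traverse: the owner digit
# needs the x bit (the dr--r--r-- in the listing above fails this).
check_dir_traversable() {
    split_mode "$1"
    if [ $((U & 1)) -eq 0 ]; then
        echo "PROBLEM: $1 (mode $m): owner cannot traverse, add x (e.g. 750)"
        return 1
    fi
}

# Private key material only needs to be readable by bind; group and other
# should have no bits at all (e.g. 400).
check_private_key() {
    split_mode "$1"
    if [ "$G" -ne 0 ] || [ "$O" -ne 0 ]; then
        echo "PROBLEM: $1 (mode $m): private key readable by group/other"
        return 1
    fi
}

# Nothing under these trees should be world-writable.
check_not_world_writable() {
    split_mode "$1"
    if [ $((O & 2)) -ne 0 ]; then
        echo "PROBLEM: $1 (mode $m): world-writable"
        return 1
    fi
}

# For slave zones and masters with dynamic updates (auto-dnssec included),
# named writes a new zone file and renames it into place, so the directory,
# not the file, must be writable by the owner.
check_zone_dir_writable() {
    split_mode "$1"
    if [ $((U & 2)) -eq 0 ]; then
        echo "PROBLEM: $1 (mode $m): named cannot create new zone file versions here"
        return 1
    fi
}

# audit_bind_perms KEYDIR ZONEDIR: prints problems, returns their count.
audit_bind_perms() {
    keydir=$1 zonedir=$2 problems=0
    check_dir_traversable "$keydir" || problems=$((problems + 1))
    check_not_world_writable "$keydir" || problems=$((problems + 1))
    for f in "$keydir"/K*.private; do
        [ -e "$f" ] || continue
        check_private_key "$f" || problems=$((problems + 1))
    done
    check_dir_traversable "$zonedir" || problems=$((problems + 1))
    check_zone_dir_writable "$zonedir" || problems=$((problems + 1))
    check_not_world_writable "$zonedir" || problems=$((problems + 1))
    for f in "$zonedir"/*; do
        [ -e "$f" ] || continue
        check_not_world_writable "$f" || problems=$((problems + 1))
    done
    return $problems
}

# Constructed demo tree with the recommended modes (file names follow the
# listing in the thread); prints its path so the caller can audit and remove it.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/dnskeys" "$root/dnszones"
    touch "$root/dnskeys/Kzone.be.+008+11754.key" \
          "$root/dnskeys/Kzone.be.+008+11754.private" \
          "$root/dnszones/db.zone.be.signed"
    chmod 750 "$root/dnskeys" "$root/dnszones"
    chmod 644 "$root/dnskeys"/*.key "$root/dnszones"/*
    chmod 400 "$root/dnskeys"/*.private
    echo "$root"
}

# Usage on a real host: sh audit.sh /dnskeys /dnszones
if [ $# -eq 2 ]; then
    audit_bind_perms "$1" "$2"
fi
```

The modes are read with `stat` rather than tested with `[ -x ]` so the result is the same whether the script is run as root or as the bind user. On the original poster's tree it would flag the 444 key directory (no traverse bit) and the 774 `.private` files (readable by group and other); the journal files Chris mentions live in the zone directory and are covered by the directory-writable check.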
Re: multiple IP address in Address Record in BIND
On 4/17/2011 2:49 PM, Ben Croswell wrote:
> In the BIND 8 days people would put the same address multiple times and then other addresses as well to weight the responses.
>
> -Ben Croswell
>
> On Apr 17, 2011 2:45 PM, Eivind Olsen <eiv...@aminor.no> wrote:
>>> Hi, we have an internal domain called sva.com and the address record for sva.com is pointed to many IP addresses. When I do nslookup, I am getting the output below. I would like to enable the same configuration in BIND. Let us know how this can be achieved.
>>>
>>>     #nslookup sva.com
>>>     Name: sva.com
>>>     Addresses: 10.10.10.10, 10.10.10.10, 10.10.10.10, 10.10.10.10, 10.10.10.10
>>
>> You would like it to point to the same IP-address many times? Why?

No longer legal:

    "It is meaningless for two records to ever have label, class, type and data all equal - servers should suppress such duplicates if encountered" (RFC 2181, Section 5).

- Kevin
DNSSEC, whitehouse, isc, and troubleshooting...
From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad flag as expected. I don't see that flag when I query whitehouse.gov (w/ +dnssec) and I know that zone is signed.

Is anyone else seeing this behavior?

Also, is there a link that addresses troubleshooting or diagnosing DNSSEC based queries?

TIA
Re: DNSSEC, whitehouse, isc, and troubleshooting...
On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote:
> From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad flag as expected. I don't see that flag when I query whitehouse.gov (w/ +dnssec) and I know that zone is signed.
>
> Is anyone else seeing this behavior?
>
> Also, is there a link that addresses troubleshooting or diagnosing DNSSEC based queries?

My guess is you're looking at www.whitehouse.gov, which is a CNAME to www.whitehouse.gov.edgesuite.net, which isn't signed, so the ad flag is unset. Try "dig +dnssec ns whitehouse.gov" and you should see the ad flag. (Anyway, it's working for me at the moment.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: DNSSEC, whitehouse, isc, and troubleshooting...
John Williams wrote:
> Is anyone else seeing this behavior? Also, is there a link that addresses troubleshooting or diagnosing DNSSEC based queries?

One minor issue: if I query a.gov-servers.net for the nameservers of whitehouse.org, it returns a list of 6. If I query any of these, they give me a list of 8 (the additional two being usw5.akam.net and usw6.akam.net).

But, to the original question: I get the AD flag when I query through my validating resolver:

    [eivind@vimes ~]$ /usr/local/bin/dig +dnssec any whitehouse.gov @127.0.0.1

    ; <<>> DiG 9.8.0 <<>> +dnssec any whitehouse.gov @127.0.0.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18201
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 1
    ...etc...

If on the other hand I ask for www.whitehouse.gov, I get a CNAME outside of the zone, pointing to www.whitehouse.gov.edgesuite.net which is yet another CNAME pointing to a1128.h.akamai.net. Neither of these seem to be DNSSEC signed.

Regards
Eivind Olsen
eiv...@aminor.no
Re: DNSSEC, whitehouse, isc, and troubleshooting...
On Mon, Apr 18, 2011 at 11:07 AM, Evan Hunt <e...@isc.org> wrote:
> On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote:
>> From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad flag as expected. I don't see that flag when I query whitehouse.gov (w/ +dnssec) and I know that zone is signed.
>>
>> Is anyone else seeing this behavior?
>>
>> Also, is there a link that addresses troubleshooting or diagnosing DNSSEC based queries?
>
> My guess is you're looking at www.whitehouse.gov, which is a CNAME to www.whitehouse.gov.edgesuite.net, which isn't signed, so the ad flag is unset. Try "dig +dnssec ns whitehouse.gov" and you should see the ad flag. (Anyway, it's working for me at the moment.)

As far as DNSSEC troubleshooting tools, this alias relationship is illustrated using DNSViz, an online analysis tool: http://dnsviz.net/d/www.whitehouse.gov/dnssec/ . Note that the www.whitehouse.gov RRset is secure, but the name it aliases is insecure (no chain of trust). Thus, the resolver (as Evan mentioned) does not set the AD flag when queried for www.whitehouse.gov.

Casey
Re: DNSSEC, whitehouse, isc, and troubleshooting...
On Mon, 18 Apr 2011, John Williams wrote:
> Subject: DNSSEC, whitehouse, isc, and troubleshooting...
>
> From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad flag as expected. I don't see that flag when I query whitehouse.gov (w/ +dnssec) and I know that zone is signed.
>
> Is anyone else seeing this behavior?
>
> Also, is there a link that addresses troubleshooting or diagnosing DNSSEC based queries?

Works for me:

    [paul@bofh ~]$ dig +dnssec whitehouse.gov

    ; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec whitehouse.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14133
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;whitehouse.gov.                IN      A

    ;; ANSWER SECTION:
    whitehouse.gov.         20      IN      A       59.151.148.110
    whitehouse.gov.         20      IN      RRSIG   A 7 2 20 20110420224012 20110417214012 43676 whitehouse.gov. M3z/ZHkI07JM+CC25GFf3NZnO9nVddZ+qnGtqnx2pVUtV0AFRa+VX+TX G8qgWL49xNEQzce4vrf0CocEGoqgDf/x0R+qntMy2GmK7go06KrvNoLG pJW0grr9ZLx0k6uN8xRcSDlI/H9/SJyfCWPJq1pHJpDCsHTeiSXtEb0J gnU=

Note that www.whitehouse.gov is a CNAME into Akamai that's unsigned, so you don't get the AD bit when querying that, unless you specifically ask for the CNAME:

    ; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec -t cname www.whitehouse.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29148
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.whitehouse.gov.            IN      CNAME

    ;; ANSWER SECTION:
    www.whitehouse.gov.     3527    IN      CNAME   www.whitehouse.gov.edgesuite.net.
    www.whitehouse.gov.     3527    IN      RRSIG   CNAME 7 3 3600 20110420224012 20110417214012 43676 whitehouse.gov. n+pU7FVUMC3VvJ3yUQs7HrKCj6fQs4xTL9H35YvaSnKxc42GnoqfrbwM X1dRndkE9qBlD9PnEiu2mJDUgsz/8GDbZQ61/Bphdl/M+2533QwiAB9w dEj0AFRUTmkJFNZrUqM12YS84yvbArIv38OPvCxSGYSO21F4naxcla50 n5U=

Paul
Re: DNSSEC, whitehouse, isc, and troubleshooting...
On Apr 18 2011, Evan Hunt wrote:
> On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote:
>> From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad flag as expected. I don't see that flag when I query whitehouse.gov (w/ +dnssec) and I know that zone is signed.
>>
>> Is anyone else seeing this behavior?
>>
>> Also, is there a link that addresses troubleshooting or diagnosing DNSSEC based queries?
>
> My guess is you're looking at www.whitehouse.gov, which is a CNAME to www.whitehouse.gov.edgesuite.net, which isn't signed, so the ad flag is unset. Try "dig +dnssec ns whitehouse.gov" and you should see the ad flag. (Anyway, it's working for me at the moment.)

Or even "dig +dnssec cname www.whitehouse.gov". The CNAME is signed, its target isn't.

--
Chris Thompson
Email: c...@cam.ac.uk
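The diagnosis the replies in this thread converge on (ad is set for the signed name, and cleared as soon as the answer follows a CNAME into a zone with no chain of trust) as an added shell script that reads `dig +dnssec` output on stdin and says which case applies. It is not code from the thread or from ISC. The two samples at the bottom are constructed, abbreviated copies of the outputs quoted above (the RRSIG data and the final A record are placeholders); on a real host, pipe live output into it with `dig +dnssec www.example.org | dnssec_ad_explain`.

```shell
#!/bin/sh
# Added example, not from the thread: explain the ad flag in a dig answer.
# Reads one `dig +dnssec` output on stdin.

# Succeeds if the ";; flags:" line carries "ad" (the resolver validated the answer).
ad_flag_set() {
    grep -Eq '^;; flags:.* ad[ ;]'
}

# Targets of the CNAME records in the answer, one per line, in answer order.
cname_targets() {
    awk '$4 == "CNAME" { print $5 }'
}

# Read one dig answer, print a verdict, succeed only when ad was set.
dnssec_ad_explain() {
    out=$(cat)
    qname=$(printf '%s\n' "$out" | awk '/^;; QUESTION SECTION:/ { getline; sub(/^;/, "", $1); print $1; exit }')
    targets=$(printf '%s\n' "$out" | cname_targets)
    if printf '%s\n' "$out" | ad_flag_set; then
        echo "$qname: ad set, the resolver validated the whole answer"
        return 0
    fi
    if [ -n "$targets" ]; then
        last=$(printf '%s\n' "$targets" | tail -n 1)
        echo "$qname: ad NOT set; the answer follows a CNAME to $last, and every name in the chain must validate. Check the target's chain of trust (dig +dnssec $last) and the CNAME on its own (dig +dnssec cname $qname)."
        return 1
    fi
    echo "$qname: ad NOT set and no CNAME involved; check that the resolver validates (dnssec-validation) and that the zone's DS/RRSIG chain is intact"
    return 1
}

# Constructed sample 1: signed apex answer, ad set (shape follows the dig
# output quoted in the thread; RRSIG data abbreviated).
SAMPLE_SIGNED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;whitehouse.gov.                IN      A
;; ANSWER SECTION:
whitehouse.gov.         20      IN      A       59.151.148.110
whitehouse.gov.         20      IN      RRSIG   A 7 2 20 ...'

# Constructed sample 2: CNAME chain into an unsigned zone, ad not set
# (the final address is a documentation-range placeholder).
SAMPLE_CNAME=';; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.whitehouse.gov.            IN      A
;; ANSWER SECTION:
www.whitehouse.gov.     3527    IN      CNAME   www.whitehouse.gov.edgesuite.net.
www.whitehouse.gov.edgesuite.net. 300 IN CNAME a1128.h.akamai.net.
a1128.h.akamai.net.     20      IN      A       192.0.2.10'

printf '%s\n' "$SAMPLE_SIGNED" | dnssec_ad_explain
printf '%s\n' "$SAMPLE_CNAME" | dnssec_ad_explain || true
```

The script deliberately reports the last CNAME target rather than the first, because that is the name whose zone lacks the chain of trust; querying the CNAME type on the original name, as Chris and Paul show, is the quick way to confirm that the alias itself is validated.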