RE: DNSSEC Signing & Key Questions

2011-10-04 Thread Marc Lampo
Hello,



For 3) automate zone signing and zsk roll-over



I know of no tools that are readily available

- there are appliances (look in the IPAM world of products), that handle
DNSSEC for you.

However, I have in our “DNSSEC workshop” course environment a setup that
looks at time stamps of Linux files :

- zone data is stored in files

- when the (unsigned) data has newer time stamp then signed data, script
regenerates RRSIG’s

   → to resign a zone, simply “touch” the file with unsigned data (e.g. once
a week)

- the script that generates RRSIG’s does so with “all available” keys

   → to perform ZSK rollover, simply add new ZSK/delete old ZSK (at
appropriate time)
and “touch” the file with unsigned data

(!!! Do respect key timing for deleting the old ZSK !!!)

- same principle works for KSK rollover as well,
   but the challenge there is to inform the parent of new KSK …
   (!!! + key timing matters !!!)



Using time stamps of files kind of uses the Linux file system as
“database”;

Should work if the number of files is not too big – one would have to
consider using a real DB for larger number of zones.



Success with your move towards DNSSEC.

Kind regards,



Marc Lampo

Security Officer

EURid



From: McConville, Kevin [mailto:kmcconvi...@albany.edu]
Sent: 04 October 2011 09:10 PM
To: bind-users@lists.isc.org
Subject: DNSSEC Signing & Key Questions



I’m new to this list, so please bear with me if these are/seem like
“newbie” questions.



We are currently evaluating a DNSSEC implementation. We have several
static zones that we would like to implement first.   We are currently
using ISC Bind 9.7.4 – In the test environment (1) Authoritative dns
server and (1) Resolver dns server, both running RHEL 5.7.  We do have an
on-hold Opendnssec server w/softhsm (we are trying to look at the built-in
utilities of isc bind first).



We are trying to make the DNSSEC piece as automatic as possible, so here
are where we are having issues.



1)  Is there any way to have the zsk be auto-generated based upon the
inactive date listed in the zsk meta-data? I know we can pre-publish and
then use dnssec-settime to change the meta-data, but still very hands-on.

2)  With a static zone, are the update-policy local and auto-dnssec
maintain options invalid/don’t work? From the docs, they look like they
are only for automation of dynamic zones?

3)  Are there any ways to automate zone signing and zsk
generation/roll-over with a totally static zone environment?

4)  What key-management, zone-signing management utilities or programs
have you found useful/helpful?





Any suggestions, comments, or questions are greatly appreciated. Thank you
in advance.



Thanks,



-Kevin



Kevin McConville

University at Albany





___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
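The timestamp-driven scheme Marc describes (unsigned file newer than signed file means "re-sign with every key present"), written out as a small cron job. This is an added example, not the script from Marc's course environment; the directory layout, the file naming (ZONE.zone / ZONE.zone.signed / K<zone>.+<alg>+<tag>.key) and the environment variables are assumptions, while the dnssec-signzone options used (-K, -o, -f) and `rndc reload` are real.

```python
import os
import subprocess
from pathlib import Path

# Assumed layout: ZONE_DIR/<zone>.zone is the unsigned source,
# ZONE_DIR/<zone>.zone.signed the output named serves, KEY_DIR holds the keys.
ZONE_DIR = Path(os.environ.get("ZONE_DIR", "/var/named/zones"))
KEY_DIR = Path(os.environ.get("KEY_DIR", "/var/named/keys"))


def needs_resign(unsigned, signed):
    """True when the signed file is missing or older than the unsigned source,
    i.e. the file system timestamp says the data (or the key set) changed."""
    unsigned, signed = Path(unsigned), Path(signed)
    if not signed.exists():
        return True
    return unsigned.stat().st_mtime > signed.stat().st_mtime


def zone_keys(zone, key_dir=KEY_DIR):
    """Every key file for the zone (K<zone>.+<alg>+<tag>.key): 'all available keys'.
    To roll a ZSK, drop the new key file here and touch the unsigned zone; remove
    the old key file only once RRSIGs made with it have expired from caches."""
    return sorted(str(p) for p in Path(key_dir).glob(f"K{zone}.+*.key"))


def signzone_cmd(zone, unsigned, signed, keys):
    """dnssec-signzone invocation signing with exactly the listed keys; the
    KSK/ZSK role comes from the flags in each key file (-k exists to override)."""
    return ["dnssec-signzone", "-K", str(KEY_DIR), "-o", zone,
            "-f", str(signed), str(unsigned), *keys]


def resign_if_needed(zone, run=subprocess.run):
    """Cron entry point for one zone; returns True if it re-signed."""
    unsigned = ZONE_DIR / f"{zone}.zone"
    signed = ZONE_DIR / f"{zone}.zone.signed"
    if not needs_resign(unsigned, signed):
        return False
    keys = zone_keys(zone)
    if not keys:
        raise RuntimeError(f"no key files for {zone} in {KEY_DIR}")
    run(signzone_cmd(zone, unsigned, signed, keys), check=True)
    run(["rndc", "reload", zone], check=True)
    return True


if __name__ == "__main__":
    import sys
    for z in sys.argv[1:]:
        print(z, "re-signed" if resign_if_needed(z) else "up to date")
```

Run it from cron with the zone names as arguments; a weekly `touch` of the unsigned file forces fresh RRSIGs exactly as Marc describes. Because every key file present is used, deleting the old ZSK file too early is what breaks validation, hence his warning about key timing.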

Re: dnssec config sanity check

2011-10-04 Thread Paul B. Henson

On 10/3/2011 11:45 PM, Stephane Bortzmeyer wrote:


Experience of DNSSEC deployment (see my paper at SATIN
)
shows that custom programs have many timing bugs. Many things can go
wrong. Why not use an existing program such as OpenDNSSEC?


From a quick read of your paper, I see you discovered many rollover 
timing issues in the wild, but it doesn't look like those are correlated 
with any particular tool. Other than knowing a given domain had an 
issue, you have no idea what caused it, or what tool they may have been 
using, and it is only an assumption that the issue arose from a custom 
program... They could well have been using some existing programs such 
as OpenDNSSEC which presumably aren't guaranteed bug free :).


We initially implemented this over a year ago, but were delayed in 
deployment when it turned out our ISP (who provides secondary services) 
was running an ancient version of bind that didn't do dnssec 8-/. I 
didn't find any good solutions available at the time.


Taking a look at OpenDNSSEC, I don't think I'd use it even if we were 
starting today; it is way over engineered for our requirements. I'm not 
a big fan of XML configuration files, and I don't particularly want a 
signing daemon running 24x7. The current capability of bind to 
automatically select which keys to use based on their timing data, with 
a minimal wrapper around it, provides more than enough functionality to 
manage our relatively simple zones.


dnssec is fairly complicated, and the issue of timing can be complex, 
but once the variables are determined then the actual procedures of 
implementation are pretty simple. Generate keys with appropriate 
publication, activation, inactivation, and deletion timings, and then 
use them ;). My hope from my initial posting was to get a little peer 
review of the appropriateness of the timings I've selected...



--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768


Re: Bind takes a long time to resolve requests

2011-10-04 Thread Mark Andrews

In message 
, Pablo Maurelli writes:
> 
> hello, pick up a dns server with bind9, is resolving claims, but it takes
> time to resolve a lot, sometimes throw timeout error and the second time
> resolved, any ideas?
> I pass below my named.conf, host.conf and nsswitch.conf
> 
> from already thank you very much.
> 
> Regards!
> 
This sounds like an upstream problem where a firewall is blocking DNS UDP
messages bigger than 512 bytes or dropping fragmented packets.

Can you resolve "dig edns-v4-ok.isc.org txt" and "dig edns-v4-ok.isc.org txt"?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: dnssec config sanity check

2011-10-04 Thread Paul B. Henson

On 10/3/2011 6:31 PM, Mark Andrews wrote:


Don't ASSUME that the DS will be published in time. Build checks into
your proceedures from the beginning.  e.g.

Publish and activate July 1. Change DS records July 8. Check
that DS is published July 15 and set inactivate and deletion
dates if and only if new DS is published to August 1 and
September 1 respectively.  If the DS is not publish chase
up with parent and recheck the next day slipping inactivate
and deletion dates for a day for each day the DS publication
date is past July 15.


Other than the (regrettably still manual) update of the DS in the parent 
zone via the registrar, everything else is automated. I don't think 
we'll assume the registrar will do the right thing, but rather than 
waiting until verifying they have and then doing manual things, I think 
I'd rather have the automated process take care of things without 
intervention, and then only have to manually step in and tweak if the 
registrar doesn't update in a timely fashion. Call me optimistic :).


Why would I delay a week between publishing the new KSK and updating the 
DS records? With a TTL of only 12 hours, it seems a delay of no longer 
than that would be required (assuming the new zone was successfully 
transferred to all secondaries).


I initially assumed it wouldn't matter if there was a DS entry in the 
parent zone for a KSK that was no longer in use and not published, but 
it seems in that scenario a resolver might consider the zone bogus and 
fail it. From what I've read, it sounds like it shouldn't, but better 
safe than sorry. The update is removing a key no longer in use, and 
adding a key that won't be used for another year. The new DS entry for 
the new key won't really be needed until that year has passed unless a 
key compromise requires an early rollover. The old DS entry shouldn't 
need to be around for any more than the 12 hour TTL that clients might 
still have signatures from the old key in their caches. Operationally, 
I'll probably update the DS entries the day after the new key is 
generated, and with the current 1 day+ latency the registrars seem to be 
displaying, the DS cut over will happen probably 2-3 days after the key 
cutover. If the registrar hasn't updated within 14 days, I'll need to 
tweak the deletion date for the old key to prevent any broken resolvers 
from failing. The key actually being used has already existed in the 
parent zone for the last year, so verifying the current signatures 
shouldn't be an issue even if the registrar flakes out.


Thanks...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
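Two helpers for the procedure Mark Andrews outlines above and Paul plans to automate: check that the parent actually publishes a DS derived from the new KSK before touching the old key's dates, and, if the DS turned up late, slip the inactivation and deletion dates one day per day of delay. This is an added example, not code from either poster. The DS digest is computed from the DNSKEY per RFC 4034 (owner name in canonical wire form followed by the DNSKEY RDATA) and the key tag per RFC 4034 Appendix B; the sample key, dates and key file name are constructed, and the emitted command uses the real dnssec-settime -I/-D options.

```python
import base64
import hashlib
import struct
from datetime import date, timedelta


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, as hashed into a DS."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_published(owner, flags, protocol, algorithm, pubkey_b64, parent_ds):
    """parent_ds: (key_tag, algorithm, digest_type, digest) tuples as served by
    the parent. True if at least one of them was derived from this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    for ptag, palg, dtype, digest in parent_ds:
        if ptag != tag or palg != algorithm or dtype not in (1, 2):
            continue
        if digest.upper().replace(" ", "") == ds_digest(owner, rdata, dtype):
            return True
    return False


def slipped_dates(check_date, ds_seen, inactivate, delete):
    """Per the procedure: check on check_date; for each day the DS appeared
    after it, push the old key's inactivation and deletion back by one day."""
    slip = max(0, (ds_seen - check_date).days)
    return inactivate + timedelta(days=slip), delete + timedelta(days=slip)


def settime_command(keyfile, inactivate, delete):
    """The dnssec-settime call that records the (possibly slipped) dates."""
    stamp = lambda d: d.strftime("%Y%m%d%H%M%S")
    return f"dnssec-settime -I {stamp(inactivate)} -D {stamp(delete)} {keyfile}"


if __name__ == "__main__":
    # Constructed key material; in practice the DNSKEY comes from the zone and
    # parent_ds from `dig DS` against the parent's servers.
    owner, flags, proto, alg, pub = "example.com", 257, 3, 8, "AQI="
    rdata = dnskey_rdata(flags, proto, alg, pub)
    parent = [(key_tag(rdata), alg, 2, ds_digest(owner, rdata, 2))]
    if ds_published(owner, flags, proto, alg, pub, parent):
        inact, dele = slipped_dates(date(2011, 7, 15), date(2011, 7, 18),
                                    date(2011, 8, 1), date(2011, 9, 1))
        print(settime_command("Kexample.com.+008+01291.key", inact, dele))
```

Only when ds_published() is true do the dates get written; otherwise the job chases the parent and re-checks the next day, which is the "if and only if" in Mark's procedure.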


Re: Bind takes a long time to resolve requests

2011-10-04 Thread Kevin Darcy

On 10/4/2011 12:40 PM, Pablo Maurelli wrote:


hello, pick up a dns server with bind9, is resolving claims, but
it takes time to resolve a lot, sometimes throw timeout error and
the second time resolved, any ideas?
I pass below my named.conf, host.conf and nsswitch.conf



*_DIG:_*

; <<>> DiG 9.7.3 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 90
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.  IN  NS

;; ANSWER SECTION:
.   517816  IN  NS  g.root-servers.net.
.   517816  IN  NS  a.root-servers.net.
.   517816  IN  NS  m.root-servers.net.
.   517816  IN  NS  f.root-servers.net.
.   517816  IN  NS  b.root-servers.net.
.   517816  IN  NS  e.root-servers.net.
.   517816  IN  NS  j.root-servers.net.
.   517816  IN  NS  k.root-servers.net.
.   517816  IN  NS  i.root-servers.net.
.   517816  IN  NS  h.root-servers.net.
.   517816  IN  NS  d.root-servers.net.
.   517816  IN  NS  c.root-servers.net.
.   517816  IN  NS  l.root-servers.net.


;; ADDITIONAL SECTION:
a.root-servers.net. 604216  IN  A   198.41.0.4
a.root-servers.net. 604216  IN  2001:503:ba3e::2:30
b.root-servers.net. 604216  IN  A   192.228.79.201
c.root-servers.net. 604216  IN  A   192.33.4.12
d.root-servers.net. 604216  IN  A   128.8.10.90
d.root-servers.net. 604216  IN  2001:500:2d::d
e.root-servers.net. 604216  IN  A   192.203.230.10
f.root-servers.net. 604216  IN  A   192.5.5.241
f.root-servers.net. 604216  IN  2001:500:2f::f
g.root-servers.net. 604216  IN  A   192.112.36.4
h.root-servers.net. 604216  IN  A   128.63.2.53
i.root-servers.net. 604216  IN  A   192.36.148.17
j.root-servers.net. 604216  IN  A   192.58.128.30
j.root-servers.net. 604217  IN  2001:503:c27::2:30


;; Query time: 0 msec
;; SERVER: 172.31.26.85#53(172.31.26.85)
;; WHEN: Tue Oct  4 13:34:03 2011
;; MSG SIZE  rcvd: 500

I would check connectivity to all of those root nameservers using the
"+norec" and "+buf=4096" options so as to mimic how named itself would 
query them.


If by some chance you have IPv6 enabled on your nameserver, with an 
assigned (non-link-local) IPv6 address, but no actual IPv6 connectivity 
to the Internet, you should probably start named with the "-4" option, 
to prevent it wasting time trying to talk to root nameservers (and 
others) over the IPv6 transport.




- Kevin



*_DIG ns1.resolver01.net _*

root@resolver01:/var/named# dig ns1.resolver01.net 



; <<>> DiG 9.7.3 <<>> ns1.resolver01.net 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61061
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.resolver01.net .IN  A

;; ANSWER SECTION:
ns1.resolver01.net . 43200   IN  A 
  172.31.26.85


;; AUTHORITY SECTION:
resolver01.net . 43200   IN  NS 
ns1.resolver01.net .


;; Query time: 0 msec
;; SERVER: 172.31.26.85#53(172.31.26.85)
;; WHEN: Tue Oct  4 13:34:42 2011
;; MSG SIZE  rcvd: 66

Both queries returned in 0 milliseconds. Are you looking for something
faster than that? :-)



*_NAMED.CONF_*

// My allowed networks

acl "redes_sky" {
172.31.26.0/24 ;
172.31.25.0/24 ;
172.31.24.0/24 ;
};


Re: Bind DLZ and Postgres 8.4.8

2011-10-04 Thread Job
Hello,

Everything is fine, I patched the source tree!

Thank you, regards!

Francesco


From: bind-users-bounces+job=colliniconsulting...@lists.isc.org 
[mailto:bind-users-bounces+job=colliniconsulting...@lists.isc.org] On behalf of 
Job
Sent: Monday, 3 October 2011 16:47
To: bind-users@lists.isc.org
Subject: Bind DLZ and Postgres 8.4.8

Hello,

Following the excellent guide by Jan-Piet Mens, I have integrated Bind 9.8.1 
DLZ with a MySQL 5.x DB; everything is fine and fantastic.

I cannot use the PostgreSQL 8.4.8 backend: named starts correctly but, when the 
first nslookup query takes place, named crashes with this dump:


*** glibc detected *** named: corrupted double-linked list: 0x0a0e89c0 ***
=== Backtrace: =
/lib/libc.so.6[0x7d67ca]
/lib/libc.so.6(cfree+0x59)[0x7d6b09]
/usr/lib/libpq.so.5(PQclear+0xf0)[0x4adf50]
named[0x8096ec2]
named[0x81657da]
named[0x80c1bd8]
named[0x805c53a]
named[0x806219c]
named[0x8067e1c]
named[0x80519a0]
named[0x81e9263]
named[0x81ec853]
named[0x81ecab8]
named[0x81ecb62]
named[0x805ae06]
/lib/libc.so.6(__libc_start_main+0xdc)[0x782e9c]
named[0x804b4e1]
=== Memory map: 
00101000-00222000 r-xp  08:02 684452 
/usr/lib/mysql/libmysqlclient.so.15.0.0
00222000-00264000 rwxp 0012 08:02 684452 
/usr/lib/mysql/libmysqlclient.so.15.0.0
00264000-00265000 rwxp 00264000 00:00 0
00265000-002f8000 r-xp  08:02 280557 /usr/lib/libkrb5.so.3.3
002f8000-002fb000 rwxp 00092000 08:02 280557 /usr/lib/libkrb5.so.3.3
002fb000-0030b000 r-xp  08:02 1361521/lib/libresolv-2.5.so
0030b000-0030c000 r-xp f000 08:02 1361521/lib/libresolv-2.5.so
0030c000-0030d000 rwxp 0001 08:02 1361521/lib/libresolv-2.5.so
0030d000-0030f000 rwxp 0030d000 00:00 0
0030f000-00324000 r-xp  08:02 1361519/lib/libpthread-2.5.so
00324000-00325000 r-xp 00015000 08:02 1361519/lib/libpthread-2.5.so
00325000-00326000 rwxp 00016000 08:02 1361519/lib/libpthread-2.5.so
00326000-00328000 rwxp 00326000 00:00 0
00328000-0033d000 r-xp  08:02 1361505/lib/libnsl-2.5.so
0033d000-0033e000 r-xp 00014000 08:02 1361505/lib/libnsl-2.5.so
0033e000-0033f000 rwxp 00015000 08:02 1361505/lib/libnsl-2.5.so
0033f000-00341000 rwxp 0033f000 00:00 0
0034a000-0034d000 r-xp  08:02 1361501/lib/libdl-2.5.so
0034d000-0034e000 r-xp 2000 08:02 1361501/lib/libdl-2.5.so
0034e000-0034f000 rwxp 3000 08:02 1361501/lib/libdl-2.5.so
0034f000-0047b000 r-xp  08:02 284429 /usr/lib/libxml2.so.2.6.26
0047b000-0048 rwxp 0012c000 08:02 284429 /usr/lib/libxml2.so.2.6.26
0048-00481000 rwxp 0048 00:00 0
00481000-0048b000 r-xp  08:02 1361511/lib/libnss_files-2.5.so
0048b000-0048c000 r-xp 9000 08:02 1361511/lib/libnss_files-2.5.so
0048c000-0048d000 rwxp a000 08:02 1361511/lib/libnss_files-2.5.so
0048d000-00498000 r-xp  08:02 1363298
/lib/libgcc_s-4.1.2-20080825.so.1
00498000-00499000 rwxp a000 08:02 1363298
/lib/libgcc_s-4.1.2-20080825.so.1
004a3000-004c6000 r-xp  08:02 272273 /usr/lib/libpq.so.5.2
004c6000-004c8000 rwxp 00022000 08:02 272273 /usr/lib/libpq.so.5.2
004c8000-0050c000 r-xp  08:02 1364068/lib/libssl.so.0.9.8e
0050c000-0051 rwxp 00043000 08:02 1364068/lib/libssl.so.0.9.8e
00561000-00562000 r-xp 00561000 00:00 0  [vdso]
00661000-0066a000 r-xp  08:02 1361499/lib/libcrypt-2.5.so
0066a000-0066b000 r-xp 8000 08:02 1361499/lib/libcrypt-2.5.so
0066b000-0066c000 rwxp 9000 08:02 1361499/lib/libcrypt-2.5.so
0066c000-00693000 rwxp 0066c000 00:00 0
00744000-0076b000 r-xp  08:02 1361503/lib/libm-2.5.so
0076b000-0076c000 r-xp 00026000 08:02 1361503/lib/libm-2.5.so
0076c000-0076d000 rwxp 00027000 08:02 1361503/lib/libm-2.5.so
0076d000-008c r-xp  08:02 1361495/lib/libc-2.5.so
008c-008c2000 r-xp 00153000 08:02 1361495/lib/libc-2.5.so
008c2000-008c3000 rwxp 00155000 08:02 1361495/lib/libc-2.5.so
008c3000-008c6000 rwxp 008c3000 00:00 0
00902000-0090a000 r-xp  08:02 280549 /usr/lib/libkrb5support.so.0.1
0090a000-0090b000 rwxp 7000 08:02 280549 /usr/lib/libkrb5support.so.0.1
00962000-00987000 r-xp  08:02 280551 /usr/lib/libk5crypto.so.3.1
00987000-00988000 rwxp 00025000 08:02 280551 /usr/lib/libk5crypto.so.3.1
0099c000-009c9000 r-xp  08:02 280746 /usr/lib/libgssapi_krb5.so.2.2
009c9000-009ca000 rwxp 0002d000 08:02 280746 /usr/lib/libgssapi_krb5.so.2.2
00c33000-00c45000 r-xp  08:02 267645 /usr/lib/libz.so.1.2.3
00c45000-00c46000 rwxp 00011000 08:02 Abortito (core dumped)
[root@none etc]# *** glibc detected *** named: corrupted double-linked list: 
0x0a0e89c0 ***
/usr/lib/libpq.so.5(PQclear+0xf0)[0x4adf50]

Perhaps a bug?

Only with the PostgreSQL DB...

Thank you, cheers!

Francesco

Re: DNSSEC Signing & Key Questions

2011-10-04 Thread Mark Elkins
Played with OpenDNSSEC - and was a bit disappointed. Actually flew to
Sweden and attended the course. It works - but acts like a black box -
you don't have any finger-poking ability when things go wrong (for fun -
we deleted a key out of the HSM - bad idea!)

I don't like having to run everything Dynamic - which seems to be how
ISC and Bind is currently heading.

I eventually sat down and wrote a Bash Script. It's periodically called
from Cron. It understands Static zones with None (no DNSSEC), NSEC and
NSEC3 forms of DNSSEC. It kinda knows what a dynamic zone is - and does
mainly hands off. It manages Serial Number detection and Updating via
keeping a CheckSum of the zone and comparing/detecting changes - so you
can use the script on non-signed zones - just change the Data - it'll
update the SOA Serial and do an RNDC RELOAD for you.

You can look at it on "www.posixafrica.com" - there is a presentation
there as well that I did at an AfriNIC conference.

I personally use the script for my primary domain (posix.co.za) and
several others. No problems so far

ZSK's are totally automated, KSK's which generate the DS records are
automated if you run Children of parents under your control (Reverse IP
addresses!). There is a method of running a command for Parent zones -
which could be for example to run an EPP client to update the DS records
at the Registry. OpenDNSSEC comes with such a client.

You asked about ZSK's - I run a cron driven rollover so no ZSK is more
than 34 days old (age of the file holding the key - could be modified to
read Meta-Data?). New ZSK's are created every 17 days (old ones
deleted). KSK's are never older than about a year - with a new KSK
generated every 6 months. I guess this could be modified/customised per
zone - but these are very close to the default values. This means you
end up with two ZSK's and two KSK's per zone. This could be further
modified to remove older Keys after appropriate time delays - but...

You should use the Directory structure I suggest - rather - this keeps
files more manageable (Directory per zone). I don't put keys into any
HSM - kinda waiting on Bind to include a patch to work with Rickard
Bellgrim's SoftHSM (now that would be something!) That should one day be
workable.

On Tue, 2011-10-04 at 19:09 +, McConville, Kevin wrote:
> I’m new to this list, so please bear with me if these are/seem like
> “newbie” questions.
> 
>  
> 
> We are currently evaluating a DNSSEC implementation. We have several
> static zones that we would like to implement first.   We are currently
> using ISC Bind 9.7.4 – In the test environment (1) Authoritative dns
> server and (1) Resolver dns server, both running RHEL 5.7.  We do have
> an on-hold Opendnssec server w/softhsm (we are trying to look at the
> built-in utilities of isc bind first).
> 
>  
> 
> We are trying to make the DNSSEC piece as automatic as possible, so
> here are where we are having issues.
> 
>  
> 
> 1) Is there any way to have the zsk be auto-generated based upon
> the inactive date listed in the zsk meta-data? I know we can
> pre-publish and then use dnssec-settime to change the meta-data, but
> still very hands-on.
> 
> 2) With a static zone, are the update-policy local and auto-dnssec
> maintain options invalid/don’t work? From the docs, they look like
> they are only for automation of dynamic zones?
> 
> 3) Are there any ways to automate zone signing and zsk
> generation/roll-over with a totally static zone environment?
> 
> 4) What key-management, zone-signing management utilities or
> programs have you found useful/helpful? 
> 
>  
> 
>  
> 
> Any suggestions, comments, or questions are greatly appreciated. Thank
> you in advance.
> 
>  
> 
> Thanks,
> 
>  
> 
> -Kevin
> 
>  
> 
> Kevin McConville
> 
> University at Albany
> 
>  
> 
>  
> 
> 

-- 
Mark Elkins 
Posix Systems

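The change-detection part of what Mark describes (keep a checksum of each zone, and when the data changes bump the SOA serial and `rndc reload` the zone), as an added example in Python. It is not Mark's Bash script from www.posixafrica.com. It assumes the serial is the first number after the SOA MNAME/RNAME pair in the usual single-SOA layout, that serials follow the YYYYMMDDnn convention, a directory-per-zone layout under /var/named, and a JSON state file location; the sample zone is constructed.

```python
import hashlib
import json
import re
import subprocess
from datetime import date
from pathlib import Path

STATE_FILE = Path("/var/named/.zone-checksums.json")  # assumed location

# Constructed sample zone; the serial uses the YYYYMMDDnn convention.
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2011100401  ; serial
        7200 900 1209600 3600 )
    IN  NS  ns1.example.com.
ns1 IN  A   192.0.2.1
"""

# Assumes SOA, MNAME, RNAME, an optional "(" and comment lines, then the serial.
# Group 1 is everything up to the serial, group 2 the serial itself.
SOA_SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*)(\d+)")


def current_serial(text):
    m = SOA_SERIAL_RE.search(text)
    if not m:
        raise ValueError("no SOA serial found")
    return int(m.group(2))


def content_hash(text):
    """Checksum of the zone data with the serial masked, so that our own serial
    bump is not mistaken for another edit on the next run."""
    masked = SOA_SERIAL_RE.sub(lambda m: m.group(1) + "SERIAL", text, count=1)
    return hashlib.sha256(masked.encode()).hexdigest()


def next_serial(current, today=None):
    """YYYYMMDD00 on the first change of a day, otherwise current + 1."""
    today = today or date.today()
    base = int(today.strftime("%Y%m%d") + "00")
    return base if current < base else current + 1


def bump_serial(text, today=None):
    new = next_serial(current_serial(text), today)
    return SOA_SERIAL_RE.sub(lambda m: m.group(1) + str(new), text, count=1), new


def load_state(path=STATE_FILE):
    try:
        return json.loads(Path(path).read_text())
    except FileNotFoundError:
        return {}


def save_state(state, path=STATE_FILE):
    Path(path).write_text(json.dumps(state))


def check_zone(zone, zone_file, state, today=None, run=subprocess.run):
    """Bump the serial and reload when the file changed since the last run.
    The first run only records the checksum. Returns the new serial or None."""
    text = Path(zone_file).read_text()
    digest = content_hash(text)
    if state.get(zone) == digest:
        return None
    if zone not in state:
        state[zone] = digest
        return None
    new_text, serial = bump_serial(text, today)
    Path(zone_file).write_text(new_text)
    state[zone] = digest  # equals content_hash(new_text): the serial is masked
    run(["rndc", "reload", zone], check=True)
    return serial


if __name__ == "__main__":
    import sys
    st = load_state()
    for z in sys.argv[1:]:  # directory per zone, as Mark suggests
        print(z, check_zone(z, Path("/var/named") / z / f"{z}.zone", st))
    save_state(st)
```

Masking the serial in the checksum is the detail that matters: otherwise the script's own edit looks like a new change on the next cron run and the serial climbs every time.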

Re: DNSSEC Signing & Key Questions

2011-10-04 Thread Tony Finch
McConville, Kevin  wrote:
>
> 1)  Is there any way to have the zsk be auto-generated based upon the
> inactive date listed in the zsk meta-data?

Not yet, though I believe this feature is on the wish list.

> 2)  With a static zone, are the update-policy local and auto-dnssec
> maintain options invalid/don't work? From the docs, they look like they
> are only for automation of dynamic zones?

Correct.

> 3)  Are there any ways to automate zone signing and zsk
> generation/roll-over with a totally static zone environment?

You can wait for BIND 9.9 and its inline-signing feature. Alternatively,
create a separate live dynamic zone and use something like my nsdiff
script to feed changes from your static zone file into it.

http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Fair Isle, Faeroes: Southwest 6 to gale 8, decreasing 5 or 6 later. High,
becoming very rough. Rain or squally showers. Moderate or good, occasionally
poor.


Re: DNSSEC not populating parent zone files with DS records

2011-10-04 Thread Tony Finch
Raymond Drew Walker  wrote:

> In testing, this pipe sets up the following for nsupdate which fails:

Sorry, I forgot the TTL command. Adjust its value as you require...

  dig +noall +answer dnskey $child |
  dnssec-dsfromkey -f /dev/stdin $child |
  (echo "zone $parent"; echo "ttl 3600"; sed 's/^/update add /'; echo "send") |
  nsupdate -l

> Am I also missing somewhere in the RFC where NS records of children zones
> need be populated in the parent? Is this something that has changed with
> the addition of DNSSEC?

No, it has always been an error. See RFC 2181 section 6. DNSSEC just makes
the breakage more obvious.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Fisher: Southwesterly 5 to 7, occasionally gale 8. Rough or very rough.
Showers then rain. Moderate or good.


Re: DNSSEC not populating parent zone files with DS records

2011-10-04 Thread Bill Owens
On Tue, Oct 04, 2011 at 06:31:03PM +, Raymond Drew Walker wrote:
> I have been unable to determine the correct method to add a DS record by
> hand. The ultimate goal would be the automation of this process.

Generate the DS record with dnssec-dsfromkey, cut and paste it into the zone 
file, then re-sign the zone (or add it with nsupdate, or however you put 
records into the nau.edu zone).
 
> Am I also missing somewhere in the RFC where NS records of children zones
> need be populated in the parent? Is this something that has changed with
> the addition of DNSSEC?

AFAIK that's always been the case; RFC1034 references it:
"As the last installation step, the delegation NS RRs and glue RRs necessary to 
make the delegation effective should be added to the parent zone."

Bill.


DNSSEC Signing & Key Questions

2011-10-04 Thread McConville, Kevin
I'm new to this list, so please bear with me if these are/seem like "newbie" 
questions.

We are currently evaluating a DNSSEC implementation. We have several static 
zones that we would like to implement first.   We are currently using ISC Bind 
9.7.4 - In the test environment (1) Authoritative dns server and (1) Resolver 
dns server, both running RHEL 5.7.  We do have an on-hold Opendnssec server 
w/softhsm (we are trying to look at the built-in utilities of isc bind first).

We are trying to make the DNSSEC piece as automatic as possible, so here are 
where we are having issues.


1)  Is there any way to have the zsk be auto-generated based upon the 
inactive date listed in the zsk meta-data? I know we can pre-publish and then 
use dnssec-settime to change the meta-data, but still very hands-on.

2)  With a static zone, are the update-policy local and auto-dnssec 
maintain options invalid/don't work? From the docs, they look like they are 
only for automation of dynamic zones?

3)  Are there any ways to automate zone signing and zsk 
generation/roll-over with a totally static zone environment?

4)  What key-management, zone-signing management utilities or programs have 
you found useful/helpful?



Any suggestions, comments, or questions are greatly appreciated. Thank you in 
advance.

Thanks,

-Kevin


Kevin McConville

University at Albany



some questions about BIND 9's xfrin.c code...

2011-10-04 Thread JINMEI Tatuya / 神明達哉
I've been looking at BIND 9's IXFR(-in) implementation and encountered
a few questions.  I was not sure if these should be considered a bug,
so I'm asking these here before actually filing a bug report.

The source file in question is lib/dns/xfrin.c.

1. In xfrin_recv_done(), if an RR is found in the state of
   XFRST_IXFR_END, it will be treated as an error of DNS_R_EXTRADATA
   and xfrin will fail.  But all diffs have been committed to the DB
   by then (and will be visible to clients if the server is multi
   threaded, even if the intermediate changes may become invisible
   once the error is detected).  Is that intentional and okay?

2. Likewise, if an IXFR response consists of multiple difference
   sequences (i.e. multiple SOA changes), each change sequence is
   committed to the DB at the end of the sequence (and will be visible
   to clients).  If an error is detected in a later difference
   sequence, the xfrin process is aborted at that point, but some part
   of the changes have already been visible to clients.  Is that
   intentional and okay?

I guess both these questions are related to this part of RFC1995:

   An IXFR client, should only replace an older version with a newer
   version after all the differences have been successfully processed.
   (section 4)

It's not clear to me whether "all the differences" mean all the
differences of all the sequences or all differences of each sequence.
If it's the former, the BIND 9's behavior seems to break this
specification; if it's the latter, it performs exactly what's
specified.

3. When adding an RR in IXFR, an NS record with a wildcard owner name
   is rejected:

case XFRST_IXFR_ADD:
...
if (rdata->type == dns_rdatatype_ns &&
dns_name_iswildcard(name))
FAIL(DNS_R_INVALIDNS);

  This is probably a good practice, but when does it specifically
  check this case, and this case only?  For example,
  rbtdb.c:loading_addrdataset() also rejects wildcard NSEC3 or
  non-origin SOA.  Why shouldn't xfrin also reject them?  I guess we
  could either be very strict or generally accept what the primary
  gives, but the current behavior seems to be incomplete.

---
JINMEI, Tatuya
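A small model of IXFR-in that makes the commit question concrete. It is an added example, not BIND code: each difference sequence is (old serial, deletions, new serial, additions), added RRs are screened the way the quoted XFRST_IXFR_ADD check screens NS records at a wildcard owner, and the caller chooses whether each sequence becomes visible as soon as it is applied (the behaviour Jinmei describes for question 2) or only once every sequence succeeded (the stricter reading of RFC 1995 section 4). The zone contents and sequences are constructed.

```python
import copy


class IxfrError(Exception):
    pass


def valid_rr(name, rtype):
    """The check quoted from xfrin.c: no NS record may be owned by a wildcard."""
    return not (rtype == "NS" and name.startswith("*."))


def apply_ixfr(zone, serial, sequences, commit_each_sequence):
    """zone: {(owner, type): set(rdata)}. Each sequence is
    (old_serial, deletions, new_serial, additions), RRs as (owner, type, rdata).
    Returns (zone, serial, ok): what clients see once the transfer stopped,
    whether it completed or aborted."""
    visible, visible_serial = zone, serial               # answered from now
    work, work_serial = copy.deepcopy(zone), serial      # transfer in progress
    try:
        for old, deletions, new, additions in sequences:
            if old != work_serial:
                raise IxfrError(f"sequence starts at {old}, zone is at {work_serial}")
            for owner, rtype, rdata in deletions:
                rrset = work.get((owner, rtype), set())
                if rdata not in rrset:
                    raise IxfrError(f"cannot delete missing {owner} {rtype} {rdata}")
                rrset.discard(rdata)
                if not rrset:
                    del work[(owner, rtype)]
            for owner, rtype, rdata in additions:
                if not valid_rr(owner, rtype):
                    raise IxfrError(f"rejected {owner} {rtype}")
                work.setdefault((owner, rtype), set()).add(rdata)
            work_serial = new
            if commit_each_sequence:
                # Per-sequence commit: this change is visible even if a later
                # sequence in the same response fails.
                visible, visible_serial = copy.deepcopy(work), work_serial
    except IxfrError:
        return visible, visible_serial, False
    return work, work_serial, True


# Constructed data: a clean change 100 -> 101, then a sequence 101 -> 102 that
# adds an NS record at a wildcard owner and is therefore rejected.
BASE_ZONE = {("www.example.com.", "A"): {"192.0.2.1"}}
SEQ_OK = (100, [("www.example.com.", "A", "192.0.2.1")],
          101, [("www.example.com.", "A", "192.0.2.2")])
SEQ_BAD = (101, [], 102, [("*.example.com.", "NS", "ns.example.com.")])


if __name__ == "__main__":
    for policy in (True, False):
        z, s, ok = apply_ixfr(BASE_ZONE, 100, [SEQ_OK, SEQ_BAD], policy)
        print(f"commit each sequence={policy}: ok={ok} serial={s} zone={z}")
```

With per-sequence commit the aborted transfer leaves the zone at serial 101 with the first change visible; with a single commit at the end the zone stays at serial 100 and a later retry starts from a consistent state.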


Re: DNSSEC not populating parent zone files with DS records

2011-10-04 Thread Raymond Drew Walker
-Original Message-

From: Tony Finch 
Date: Mon, 3 Oct 2011 14:59:38 +0100
To: Michael Sinatra 
Cc: , , Raymond Walker

Subject: Re: DNSSEC not populating parent zone files with DS records

>Michael Sinatra  wrote:
>>
>> There are ways of getting the DS records into the zone(s).  Here are
>>some
>> steps that I took on some test zones:
>
>Alternatively, set "update-policy local;" on your parent zone and use this
>little pipeline on the master server. Substitute $parent and $child as
>necessary:
>
>  dig +noall +answer dnskey $child |
>  dnssec-dsfromkey -f /dev/stdin $child |
>  (echo "zone $parent"; sed 's/^/update add /'; echo "send") |
>  nsupdate -l

In testing, this pipe sets up the following for nsupdate which fails:

zone nautest.edu
update add test3.nautest.edu. IN DS 35113 5 1
4D27C35B0F638218659F740252604980CE445F16
update add test3.nautest.edu. IN DS 35113 5 2
843544D4F01EE147257FBDB92D9AC3C51129DEF0FC7D972D57EB6E20 550E4161
Send



The error is:
ttl 'IN': not a valid number
syntax error


I have been unable to determine the correct method to add a DS record by
hand. The ultimate goal would be the automation of this process.

Am I also missing somewhere in the RFC where NS records of children zones
need be populated in the parent? Is this something that has changed with
the addition of DNSSEC?

Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University





Re: Bind takes a long time to resolve requests

2011-10-04 Thread Pablo Maurelli
>
> hello, pick up a dns server with bind9, is resolving claims, but it takes
> time to resolve a lot, sometimes throw timeout error and the second time
> resolved, any ideas?
> I pass below my named.conf, host.conf and nsswitch.conf



*DIG:*

; <<>> DiG 9.7.3 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 90
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.  IN  NS

;; ANSWER SECTION:
.   517816  IN  NS  g.root-servers.net.
.   517816  IN  NS  a.root-servers.net.
.   517816  IN  NS  m.root-servers.net.
.   517816  IN  NS  f.root-servers.net.
.   517816  IN  NS  b.root-servers.net.
.   517816  IN  NS  e.root-servers.net.
.   517816  IN  NS  j.root-servers.net.
.   517816  IN  NS  k.root-servers.net.
.   517816  IN  NS  i.root-servers.net.
.   517816  IN  NS  h.root-servers.net.
.   517816  IN  NS  d.root-servers.net.
.   517816  IN  NS  c.root-servers.net.
.   517816  IN  NS  l.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 604216  IN  A   198.41.0.4
a.root-servers.net. 604216  IN  AAAA    2001:503:ba3e::2:30
b.root-servers.net. 604216  IN  A   192.228.79.201
c.root-servers.net. 604216  IN  A   192.33.4.12
d.root-servers.net. 604216  IN  A   128.8.10.90
d.root-servers.net. 604216  IN  AAAA    2001:500:2d::d
e.root-servers.net. 604216  IN  A   192.203.230.10
f.root-servers.net. 604216  IN  A   192.5.5.241
f.root-servers.net. 604216  IN  AAAA    2001:500:2f::f
g.root-servers.net. 604216  IN  A   192.112.36.4
h.root-servers.net. 604216  IN  A   128.63.2.53
i.root-servers.net. 604216  IN  A   192.36.148.17
j.root-servers.net. 604216  IN  A   192.58.128.30
j.root-servers.net. 604217  IN  AAAA    2001:503:c27::2:30

;; Query time: 0 msec
;; SERVER: 172.31.26.85#53(172.31.26.85)
;; WHEN: Tue Oct  4 13:34:03 2011
;; MSG SIZE  rcvd: 500


*DIG ns1.resolver01.net*

root@resolver01:/var/named# dig ns1.resolver01.net

; <<>> DiG 9.7.3 <<>> ns1.resolver01.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61061
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.resolver01.net.    IN  A

;; ANSWER SECTION:
ns1.resolver01.net. 43200   IN  A   172.31.26.85

;; AUTHORITY SECTION:
resolver01.net. 43200   IN  NS  ns1.resolver01.net.

;; Query time: 0 msec
;; SERVER: 172.31.26.85#53(172.31.26.85)
;; WHEN: Tue Oct  4 13:34:42 2011
;; MSG SIZE  rcvd: 66


*NAMED.CONF*

// My allowed networks

acl "redes_sky" {
    172.31.26.0/24;
    172.31.25.0/24;
    172.31.24.0/24;
};

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    version "TXT, ";
    listen-on { 127.0.0.1; 172.31.26.85; };
    query-source port *;
    //recursive-clients 2500;
    allow-transfer { /* !192.168.100.0/24; */
        redes_sky;
    };
    allow-recursion { /* !192.168.100.0/24; */
        redes_sky;
    };
    allow-query { redes_sky; localhost; };

    //recursion no;
};

include "/etc/bind/rndc.key";

logging {
    channel default_log {
        file "/var/log/named.log" versions 3 size 25m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default { default_log; };
    category lame-servers { null; };
};

zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "named.local";
};
zone "26.31.172.in-addr.arpa" in {
    type master;
    file "zones/26.31.172.in-addr.arpa";
};
zone "resolver01.net" in {
    type master;
    file "zones/resolver01.net";
};


*Zones:*

*NAMED.LOCAL*

$TTL 43200      ; 12 hours
@       IN      SOA     localhost. root.localhost. (
                        2008122911      ; serial
                        3600            ; refresh (1 hour)
                        900             ; retry (15 minutes)
                        1209600         ; expire (2 weeks)
                        43200           ; minimum (12 hours)
                        )
        IN      NS      localhost.
1       IN      PTR     localhost.
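Whatever the cause of the latency, the options block posted above is also the place where a recursive server becomes an open resolver or an easy cache-poisoning target (fixed outbound port, unrestricted allow-recursion/allow-query/allow-transfer, no version string). The following is an added example, not the poster's code or part of BIND: a small checker that strips named.conf comments, extracts the top-level options block and reports those settings; the embedded configuration is a constructed excerpt modelled on the posted one, and the absent-statement defaults are BIND 9.4+ behaviour.

```python
import re

# Constructed options block modelled on the one posted above (sample input,
# not the poster's file verbatim).
SAMPLE_NAMED_CONF = """
options {
    version "TXT, ";
    query-source port *;
    allow-transfer { /* !192.168.100.0/24; */ redes_sky; };
    allow-recursion { redes_sky; };
    allow-query { redes_sky; localhost; };
    //recursion no;
};
"""

# What BIND 9.4+ applies when a statement is absent: allow-recursion defaults
# to localnets/localhost (closed); allow-query and allow-transfer default to any.
DEFAULT_OPEN = {"allow-recursion": False, "allow-query": True, "allow-transfer": True}


def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    return re.sub(r"(//|#).*", "", text)                 # line comments


def options_block(text):
    """Body of the top-level options { ... } block, '' if there is none."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ""


def acl_value(body, name):
    """Elements of '<name> { a; b; };' or None when the statement is absent."""
    m = re.search(name + r"\s*\{([^}]*)\}", body)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None


def check_resolver_options(conf):
    """Return {finding: True if risky} for the open-resolver relevant settings."""
    body = options_block(strip_comments(conf))
    findings = {}
    port = re.search(r"query-source[^;]*\bport\s+(\S+?)\s*;", body)
    findings["fixed_query_port"] = bool(port and port.group(1) != "*")
    for acl, open_by_default in DEFAULT_OPEN.items():
        val = acl_value(body, acl)
        findings[acl + "_open"] = open_by_default if val is None else "any" in val
    findings["version_disclosed"] = not re.search(r'\bversion\s+"', body)
    return findings
```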

Bind takes a long time to resolve requests

2011-10-04 Thread Pablo Maurelli
Hello, I set up a DNS server with bind9. It resolves requests, but it takes
a long time to resolve; sometimes it throws a timeout error and resolves
on the second try. Any ideas?
I paste my named.conf, host.conf and nsswitch.conf below.

Thank you very much in advance.

Regards!

Re: CNAME or A record?

2011-10-04 Thread feralert
Thank you so much, people. You rock!

I have finally gone for two A records, but thanks to all of you I now
understand the pros and cons.

I apologise if I misled you with the 'redirect' word, I really meant
to say that I wanted both the domain and the www host to point to
the same IP.


Cheers!
Fred.



On Fri, Sep 30, 2011 at 3:50 PM, Joseph S D Yao  wrote:
> On Wed, Sep 28, 2011 at 04:19:41PM +0200, feralert wrote:
> ...
>> The thing is that i want users redirected to 'www.domain.com' even
>> when they just type the domain name 'domain.com'.
>> In order to do so I am not sure if its best to have one A RR for each
>> or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
>> for 'www.domain.com'.
>>
>>
>> domain.com           A            1.1.1.1
>> www.domain.com   A            1.1.1.1
>>
>> OR
>>
>> domain.com           A            1.1.1.1
>> www.domain.com   CNAME  domain.com
> ...
>
>
> It's clear you need an entry for both.  Which is a matter of future
> maintenance.  If you only want to change it in one place, and you'll
> never need any other records for "www" different from those for the
> domain itself, go ahead and use the CNAME.  (Multiply this by 1000 times
> in 1000 different domains, or maybe all within the one domain, and it
> may matter.  OTOH, if you are using one file for 1000 different domains,
> you CAN't use the CNAME.  I don't think.)
>
> The only downside, besides not being able to have other records for the
> "www" name, is that the resolver now has to make TWO queries.  If your
> name server is a PDP-11/05 running Unix V6 and BIND 4.1.2, this might
> make a difference.  [And if so - may I see it?  ;~)]  However, most name
> servers these days are made of sterner stuff.  And if you're truly doing
> a "redirect" instead of just serving the same Web site at both names,
> it'll have to make two queries anyway.
>
> As someone tried to say but didn't [too many pronouns, not enough clear
> antecedents], a "redirect" would be done by your Web server, not by DNS.
> The Web server at "domain.com" would say, go away, nothing to see here,
> it's all going down at "www.domain.com".  And the Web server at
> "www.domain.com" would have all the goodies.  But if you're serving the
> same Web content at both names, that's NOT a "redirect".  Whichever you
> do, as I started out saying, you need both DNS entries.  Whatever they
> may be.
>
>
> --
> /*\
> **
> ** Joe Yao                              j...@tux.org - Joseph S. D. Yao
> **
> \*/
>
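The two points in the quoted reply, that a CNAME costs the resolver a second lookup and that a CNAME owner may carry no other records (RFC 1034 section 3.6.2), as an added example that is not part of the original thread: a tiny in-memory zone holding the two layouts from the question, a resolver that follows CNAME chains while counting lookups, and a check that flags CNAME-plus-other-data owners the way `named-checkzone` would. `1.1.1.1` and `domain.com.` are the thread's own placeholders; the MX record in the conflicting case is constructed.

```python
from collections import defaultdict

# The two layouts from the question (constructed records, placeholder IP).
TWO_A_RECORDS = [
    ("domain.com.", "A", "1.1.1.1"),
    ("www.domain.com.", "A", "1.1.1.1"),
]
CNAME_LAYOUT = [
    ("domain.com.", "A", "1.1.1.1"),
    ("www.domain.com.", "CNAME", "domain.com."),
]


def build_zone(records):
    """owner -> type -> [rdata], with owner names compared case-insensitively."""
    zone = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        zone[owner.lower()][rtype].append(rdata)
    return zone


def cname_conflicts(zone):
    """Owners that hold a CNAME together with any other data (RFC 1034 3.6.2)."""
    return sorted(o for o, rrs in zone.items() if "CNAME" in rrs and len(rrs) > 1)


def resolve(zone, name, rtype, max_chain=8):
    """Answer <name>/<rtype>, following CNAMEs as a resolver must.
    Returns (list of rdata, number of lookups performed)."""
    lookups, name = 0, name.lower()
    for _ in range(max_chain):
        lookups += 1
        rrs = zone.get(name, {})
        if rtype in rrs:
            return list(rrs[rtype]), lookups
        if "CNAME" in rrs:               # restart the query at the target
            name = rrs["CNAME"][0].lower()
            continue
        return [], lookups
    raise ValueError("CNAME chain too long")


if __name__ == "__main__":
    for label, recs in (("two A records", TWO_A_RECORDS), ("CNAME", CNAME_LAYOUT)):
        answers, n = resolve(build_zone(recs), "www.domain.com.", "A")
        print(f"{label}: {answers} after {n} lookup(s)")
```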