Re: DNSSEC Generating Zone Key hanging
On Sat, 2012-04-21 at 20:28 -0400, Bill Owens wrote:
> On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
> > Hello, I was setting up BIND DNSSEC and when I issue the following command the process never finishes.
> >
> >     dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
> >
> > I straced the process and noticed the following messages:
> >
> >     write(2, "Generating key pair.", 20Generating key pair.) = 20
> >     gettimeofday({1335044641, 756413}, NULL) = 0
> >     read(3, "s\2161\363\364\1s1\343\311\212\1", 64) = 13
> >     read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
> >     select(4, [3], [], NULL, NULL) = 1 (in [3])
> >     read(3, "p\32\254\352$\264:\22", 51) = 8
> >     read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
> >     select(4, [3], [], NULL, NULL) = 1 (in [3])
> >     read(3, "\370\270\363IE\342X\343", 43) = 8
> >     read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
> >     select(4, [3], [], NULL, NULL) = 1 (in [3])
> >
> > My machine is a virtual host. Does anyone have any ideas what resource is temporarily unavailable?
>
> /dev/random - VMs, with no keyboard or mouse, don't accumulate enough entropy to keep /dev/random full. Installing haveged would probably help; or consider generating keys on a machine with a decent amount of entropy and securely moving them to your VM.
>
> Bill.
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Yes - lack of entropy. Try...

    dd if=/dev/random of=/dev/null bs=128 count=1

... a few times. Check your entropy levels:

    cat /proc/sys/kernel/random/entropy_avail

The package haveged does a very reasonable job - I found a description of it at www.irisa.fr/caps/projects/hipsor - or you can buy a hardware entropy source (USB dongle-like device).

-- 
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
RE: DNSSEC Generating Zone Key hanging
> I was setting up BIND DNSSEC and when I issue the following command the process never finishes.
>
>     dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com

Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a discussion (http://jpmens.net/2012/01/24/entropy-random-data-for-dnssec/) by a frequent poster to this forum.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Re: Slave zone configuration -- purpose of forward/forwarders?
On 4/20/2012 10:55 AM, John Wingenbach wrote:
> I've noticed the support in ARM for specifying both the forward and forwarders configuration in a zone stanza for slave zones. What is the purpose and value of specifying such? It seems contradictory and confusing.

Yes, it is confusing IMO, but forwarders { }; is how you turn off forwarding for subzones of a slave or stub zone, if you have forwarding defined at a higher level of the hierarchy, or globally (i.e. in the options statement). That's why it's allowed in a slave or stub definition.

I've always thought this should be made more explicit, e.g. forward-subzones yes|no, or inherit-forwarding yes|no, but hey, I didn't get a vote on that...

- Kevin
Re: DNSSEC Generating Zone Key hanging
Thanks a lot, I have now resolved this issue. However, I was following the "DNSSEC in 6 minutes" guide [1] for learning purposes and I have followed all the steps up to "you are now serving DNSSEC signed zones". However, I seem to be getting the following errors:

    Apr 22 15:22:43 darkstar named[29917]: zone theunsupported.co.uk.signed/IN/trusted: sending notifies (serial 2012031202)
    Apr 22 15:22:43 darkstar named[29917]: zone theunsupported.co.uk.signed/IN/global: sending notifies (serial 2012031202)
    Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
    Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk/A/IN': 50.56.249.94#53
    Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
    Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk/A/IN': 50.56.249.94#53
    Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk//IN': 50.56.249.94#53
    Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
    Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
    Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk//IN': 50.56.249.94#53

When I use the signed zone my views also seem to break... Any idea on this?

[1] http://www.isc.org/files/DNSSEC_in_6_minutes.pdf

On 22 April 2012 12:40, Spain, Dr. Jeffry A. spa...@countryday.net wrote:
> > I was setting up BIND DNSSEC and when I issue the following command the process never finishes.
> >
> >     dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
>
> Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a discussion (http://jpmens.net/2012/01/24/entropy-random-data-for-dnssec/) by a frequent poster to this forum.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

-- 
Regards,
Damian Myerscough
Re: DNSSEC Generating Zone Key hanging
On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
> Thanks a lot, I have now resolved this issue. However, I was following the "DNSSEC in 6 minutes" guide [1] for learning purposes and I have followed all the steps up to "you are now serving DNSSEC signed zones".

Reading the presentation - which dates itself...

Slide 16: rather use

    dnssec-keygen -a RSASHA256 -b 1024 -n ZONE zonename

(for the ZSK).

Slide 18: Also use RSASHA256 for the KSK. I personally use just 2048 bits for the KSK.

This avoids you having to do an algorithm rollover - which is a royal pain in the proverbial. It's also what the 'root' uses ('dig @i.root-servers.net. . dnskey' gives 'DNSKEY 257 3 8' and 'DNSKEY 256 3 8'). The '8' part is algo RSASHA256; you probably have a '5' there.

-- 
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
Re: DNSSEC Generating Zone Key hanging
Thanks for your help. I noticed a small regex which modified my configuration file, thus causing errors.

On 22 April 2012 17:03, Mark Elkins m...@posix.co.za wrote:
> On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
> > Thanks a lot, I have now resolved this issue. However, I was following the "DNSSEC in 6 minutes" guide [1] for learning purposes and I have followed all the steps up to "you are now serving DNSSEC signed zones".
>
> Reading the presentation - which dates itself...
>
> Slide 16: rather use dnssec-keygen -a RSASHA256 -b 1024 -n ZONE zonename (for the ZSK).
>
> Slide 18: Also use RSASHA256 for the KSK. I personally use just 2048 bits for the KSK.
>
> This avoids you having to do an algorithm rollover - which is a royal pain in the proverbial. It's also what the 'root' uses ('dig @i.root-servers.net. . dnskey' gives 'DNSKEY 257 3 8' and 'DNSKEY 256 3 8'). The '8' part is algo RSASHA256; you probably have a '5' there.
>
> -- 
> Mark J Elkins, Cisco CCIE
> Posix Systems - (South) Africa
> m...@posix.co.za
> Tel: +27 12 807 0590  Cell: +27 82 601 0496

-- 
Regards,
Damian Myerscough
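Mark's tip above is to read the algorithm number out of the DNSKEY records. The Python below is an added example, not code from the thread: it parses dig answer lines in presentation format (the sample is constructed, with placeholder key material), derives each key's role from the flags field (257 KSK, 256 ZSK) and names its algorithm, flagging the RSASHA1 (5) keys that would need the algorithm rollover he mentions.

```python
import re

# IANA DNS Security Algorithm Numbers (subset); 5 is the RSASHA1 the
# old guide used, 8 is the RSASHA256 the root zone uses.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
              15: "ED25519"}
LEGACY = {5, 7}  # SHA-1 based; new keys should not be generated with these

# Presentation format: owner TTL IN DNSKEY flags protocol algorithm key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+\S")


def classify(line):
    """Return (owner, role, algorithm, is_legacy) for a DNSKEY line, else None."""
    m = DNSKEY_RE.match(line.strip())
    if not m:
        return None
    flags, alg = int(m.group("flags")), int(m.group("alg"))
    if not flags & 0x0100:  # bit 7 (Zone Key) must be set for a zone key
        return None
    role = "KSK" if flags & 0x0001 else "ZSK"  # bit 15 is the SEP flag: 257 vs 256
    return (m.group("owner"), role, ALGORITHMS.get(alg, f"alg{alg}"), alg in LEGACY)


def audit(dig_output):
    """Classify every DNSKEY line in a dig answer section, in order."""
    return [r for r in map(classify, dig_output.splitlines()) if r]


# Constructed sample: a KSK/ZSK pair made with the guide's RSASHA1 (5)
# and a root-style RSASHA256 (8) pair. Key material is a placeholder.
SAMPLE = """\
example.com.  3600 IN DNSKEY 257 3 5 AwEAAbPLACEHOLDERKSK==
example.com.  3600 IN DNSKEY 256 3 5 AwEAAcPLACEHOLDERZSK==
.             3600 IN DNSKEY 257 3 8 AwEAAdPLACEHOLDERKSK==
.             3600 IN DNSKEY 256 3 8 AwEAAePLACEHOLDERZSK==
"""

if __name__ == "__main__":
    for owner, role, alg, legacy in audit(SAMPLE):
        note = "  <- legacy algorithm, plan a rollover" if legacy else ""
        print(f"{owner:14} {role} {alg}{note}")
```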
new here
I am a WISP admin and I have just configured a couple of new Bind9 servers. They will resolve using dig google.com @9x.1xx.104.14. I am having some trouble getting them to answer themselves on 127.0.0.1, for example:

    [root@ns4 named]# dig google.com @127.0.0.1 +trace

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> google.com @127.0.0.1 +trace
    ;; global options:  printcmd
    ;; connection timed out; no servers could be reached
    [root@ns4 named]#

Here is my config:

    //
    // named.conf for Red Hat caching-nameserver
    //
    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; rndc-key; };
    };

    options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
        version "Surely you must be joking";
        notify yes;
        allow-recursion { 127.0.0.1; 9x.1xx.104.0/22; 9x.1xx.108.0/23; };
        allow-transfer { 9x.1xx.104.22; };
        listen-on { 9x.1xx.104.14; };
    };

    //
    logging {
        channel my_syslog {
            syslog kern;
            severity debug;
        };
        channel my_file {
            file "/var/named/chroot/var/named/log.msgs";
            severity dynamic;
            print-category yes;
        };
        category unmatched { null; };
        category queries { my_file; };
        category lame-servers { null; };
        category general { default_syslog; };
    };

    //
    // a caching only nameserver config
    //
    zone "." IN {
        type hint;
        file "root.servers";
    };

    zone "104.1xx.9x.in-addr.arpa" {
        type master;
        file "/var/named/9x.1xx.104.rev";
        allow-transfer { 9x.1xx.104.22; };
    };

    zone "0.0.127.in-addr.arpa" {
        type master;
        file "/var/named/127.0.0.rev";
    };

    zone "localdomain" {
        type master;
        file "/var/named/localdomain.hosts";
    };

    zone "localhost" {
        type master;
        file "/var/named/localhost.hosts";
    };

    key "rndc-key" {
        algorithm hmac-md5;
        secret "wh6DFiuNGJHzHwvNTy8JEA==";
    };

Here is my resolv.conf:

    nameserver 127.0.0.1
    nameserver 9x.1xx.104.14

Not sure what I broke, but it seems to work on some of my older servers. Thanks for any help.

-- 
David Milholen
Project Engineer
P: 501-318-1300
Re: new here
On 04/22/2012 10:05 PM, David Milholen wrote:
> listen-on { 9x.1xx.104.14; };

Perhaps add 127.0.0.1; into the listen-on clause.

-- 
Larry Brower, CCENT
Fedora Ambassador - North America
Fedora Quality Assurance
lbro...@fedoraproject.org
http://www.fedoraproject.org/
Re: new here
You set a listen-on that does not include 127.0.0.1.

On Apr 22, 2012 11:08 PM, David Milholen dmilho...@wletc.com wrote:
> I am a WISP admin and I have just configured a couple of new Bind9 servers. They will resolve using dig google.com @9x.1xx.104.14. I am having some trouble getting them to answer themselves on 127.0.0.1, for example:
>
>     [root@ns4 named]# dig google.com @127.0.0.1 +trace
>
>     ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> google.com @127.0.0.1 +trace
>     ;; global options:  printcmd
>     ;; connection timed out; no servers could be reached
>     [root@ns4 named]#
>
> Here is my config:
> [...]
>         allow-recursion { 127.0.0.1; 9x.1xx.104.0/22; 9x.1xx.108.0/23; };
>         allow-transfer { 9x.1xx.104.22; };
>         listen-on { 9x.1xx.104.14; };
>     };
> [...]
> Here is my resolv.conf:
>
>     nameserver 127.0.0.1
>     nameserver 9x.1xx.104.14
>
> Not sure what I broke, but it seems to work on some of my older servers. Thanks for any help.
>
> -- 
> David Milholen
> Project Engineer
> P: 501-318-1300
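The mismatch Kevin and Larry point to can be checked mechanically. The Python below is an added example, not code from the thread or from BIND: it pulls the IPv4 listen-on clause out of a named.conf and lists every resolv.conf nameserver that named is not listening on. The named.conf and resolv.conf samples are constructed, modelled on David's but with documentation addresses (192.0.2.0/24) in place of his.

```python
import re

# Matches an IPv4 listen-on clause, with or without "port N", and not the
# separate listen-on-v6 statement. Address-match-list elements are ';'-separated.
LISTEN_RE = re.compile(r"\blisten-on\s*(?:port\s+\d+\s*)?\{([^}]*)\}")


def listen_on_addresses(named_conf):
    """Set of listen-on elements, or None when the clause is absent
    (BIND then listens on every IPv4 interface)."""
    m = LISTEN_RE.search(named_conf)
    if not m:
        return None
    return {e.strip() for e in m.group(1).split(";") if e.strip()}


def resolv_nameservers(resolv_conf):
    """Addresses from the nameserver lines of a resolv.conf."""
    return [parts[1] for parts in (l.split() for l in resolv_conf.splitlines())
            if len(parts) > 1 and parts[0] == "nameserver"]


def unreachable_resolvers(named_conf, resolv_conf):
    """resolv.conf nameservers this named will not answer on."""
    listening = listen_on_addresses(named_conf)
    if listening is None or "any" in listening:
        return []  # all interfaces: every local address is served
    return [ns for ns in resolv_nameservers(resolv_conf) if ns not in listening]


# Constructed sample modelled on the thread's named.conf, with the
# operator's addresses replaced by documentation addresses.
NAMED_CONF = """\
options {
    directory "/var/named";
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
    listen-on { 192.0.2.14; };
};
"""
NAMED_CONF_FIXED = NAMED_CONF.replace("listen-on { 192.0.2.14; };",
                                      "listen-on { 127.0.0.1; 192.0.2.14; };")
RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 192.0.2.14\n"

if __name__ == "__main__":
    print("before:", unreachable_resolvers(NAMED_CONF, RESOLV_CONF))        # ['127.0.0.1']
    print("after: ", unreachable_resolvers(NAMED_CONF_FIXED, RESOLV_CONF))  # []
```

The clause matcher is deliberately simple: it ignores comments and assumes one listen-on statement in the file.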