Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sat, 2012-04-21 at 20:28 -0400, Bill Owens wrote:
 On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
 Hello,
 I was setting up BIND DNSSEC and when I issue the following command the
 process never finishes.
 dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
 I straced the process and noticed the following messages
 write(2, "Generating key pair.", 20Generating key pair.) = 20
 gettimeofday({1335044641, 756413}, NULL) = 0
 read(3, "s\2161\363\364\1s1\343\311\212\1", 64) = 13
 read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily unavailable)
 select(4, [3], [], NULL, NULL) = 1 (in [3])
 read(3, "p\32\254\352$\264:\22", 51) = 8
 read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily unavailable)
 select(4, [3], [], NULL, NULL) = 1 (in [3])
 read(3, "\370\270\363IE\342X\343", 43) = 8
 read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily unavailable)
 select(4, [3], [], NULL, NULL) = 1 (in [3])
 My machine is a virtual host; does anyone have any idea what resource is
 temporarily unavailable?
 
 /dev/random - VMs, with no keyboard or mouse, don't accumulate enough
 entropy to keep /dev/random full. Installing haveged would probably
 help; or consider generating keys on a machine with a decent amount of
 entropy and securely moving them to your VM.

 Bill.
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
 from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users


Yes - lack of entropy, try...
dd if=/dev/random of=/dev/null bs=128 count=1
... a few times.

Check your entropy levels
cat /proc/sys/kernel/random/entropy_avail

The package haveged does a very reasonable job - I found a description
of it at: www.irisa.fr/caps/projects/hipsor

or you can buy a hardware entropy source (USB dongle like device)

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



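A pre-flight check to run on the VM before dnssec-keygen, added here as an example; it is not code from any message in this thread. It reads the entropy_avail counter Mark mentions, grades it with thresholds that are this example's own heuristics (not kernel constants), and says whether a userland entropy daemon such as haveged or rngd is already running. One caveat that postdates the thread: from Linux 5.6 on, /dev/random stops blocking once the pool has been seeded at boot, so the stall described here is a property of older kernels like the 2012-era ones involved.

```sh
#!/bin/sh
# Added example, not from the bind-users thread: pre-flight check before
# running dnssec-keygen on a VM whose /dev/random may block.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail   # Linux only
POOLSIZE_FILE=/proc/sys/kernel/random/poolsize

# classify_entropy BITS [POOLSIZE]
# Prints ok / low / critical / unknown.  The thresholds are this
# example's own heuristics, not kernel constants: a blocking read on
# /dev/random stalls as soon as the pool is nearly empty, and a 1024-bit
# RSA keygen drains several hundred bits, so anything under a quarter of
# the pool is treated as likely to stall mid-generation.
classify_entropy() {
    bits=$1
    pool=${2:-4096}
    case "$bits" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$bits" -lt 256 ]; then
        echo critical
    elif [ "$bits" -lt $((pool / 4)) ]; then
        echo low
    else
        echo ok
    fi
}

# entropy_feeder: name of a running userland entropy daemon, or "none".
entropy_feeder() {
    for d in haveged rngd jitterentropy-rngd; do
        if pgrep -x "$d" >/dev/null 2>&1; then
            echo "$d"
            return 0
        fi
    done
    echo none
}

# advice STATE FEEDER: what to do before running dnssec-keygen.
advice() {
    case "$1" in
        ok)      echo "pool healthy: dnssec-keygen should not block" ;;
        unknown) echo "cannot read the pool: check /proc or run on a Linux host" ;;
        *)       if [ "$2" = none ]; then
                     echo "pool $1 and no entropy daemon: install haveged or rngd, or generate the keys on a host with real entropy and copy them over"
                 else
                     echo "pool $1 but $2 is running: wait a few seconds and re-check"
                 fi ;;
    esac
}

# report_entropy: read the kernel counters (if present) and print a verdict.
report_entropy() {
    if [ -r "$ENTROPY_FILE" ]; then
        avail=$(cat "$ENTROPY_FILE")
        pool=$(cat "$POOLSIZE_FILE" 2>/dev/null || echo 4096)
    else
        avail=""      # not Linux, or /proc hidden: classified as unknown
        pool=4096
    fi
    state=$(classify_entropy "$avail" "$pool")
    feeder=$(entropy_feeder)
    echo "entropy_avail=${avail:-n/a} poolsize=$pool state=$state feeder=$feeder"
    advice "$state" "$feeder"
}

report_entropy
```

On a host where the counter sits in the low hundreds and no daemon is running, the advice matches Bill's: install haveged, or generate the keys elsewhere and copy them over.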

RE: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Spain, Dr. Jeffry A.
 I was setting up BIND DNSSEC and when I issue the following command the 
 process never finishes.
 dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com

Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a 
discussion (http://jpmens.net/2012/01/24/entropy-random-data-for-dnssec/) by a 
frequent poster to this forum.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School



Re: Slave zone configuration -- purpose of forward/forwarders?

2012-04-22 Thread Kevin Darcy

On 4/20/2012 10:55 AM, John Wingenbach wrote:
I've noticed the support in ARM for specifying both the forward and 
forwarders configuration in a zone stanza for slave zones.  What 
is the purpose and value of specifying such?  It seems contradictory 
and confusing.


Yes, it is confusing IMO, but forwarders { }; is how you turn off 
forwarding for subzones of a slave or stub zone, if you have forwarding 
defined at a higher level of the hierarchy, or globally (i.e. in the 
options statement). That's why it's allowed in a slave or stub definition.


I've always thought this should be made more explicit, e.g. 
forward-subzones yes|no, or inherit-forwarding yes|no, but hey, I 
didn't get a vote on that...



- Kevin



Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Damian Myerscough
Thanks a lot, I have now resolved this issue. However, I was following
the "DNSSEC in 6 minutes" guide [1] for learning purposes and I have
followed all the steps up to "you are now serving DNSSEC signed zones".

However, I seem to be getting the following errors

Apr 22 15:22:43 darkstar named[29917]: zone theunsupported.co.uk.signed/IN/trusted: sending notifies (serial 2012031202)
Apr 22 15:22:43 darkstar named[29917]: zone theunsupported.co.uk.signed/IN/global: sending notifies (serial 2012031202)
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk/A/IN': 50.56.249.94#53
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk/A/IN': 50.56.249.94#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk//IN': 50.56.249.94#53
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: lame server resolving 'ns2.theunsupported.co.uk' (in 'theunsupported.co.uk'?): 174.143.56.179#53
Apr 22 15:22:43 darkstar named[29917]: error (unexpected RCODE REFUSED) resolving 'ns2.theunsupported.co.uk//IN': 50.56.249.94#53


When I use the signed zone my views also seem to break... Any idea on this?

[1] http://www.isc.org/files/DNSSEC_in_6_minutes.pdf

On 22 April 2012 12:40, Spain, Dr. Jeffry A. spa...@countryday.net wrote:

-- 
Regards,
Damian Myerscough

Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
 Thanks a lot, I have now resolved this issue. However, I was following
 the DNSSEC in 6 minutes guide [1]
 for learning purposes and I have followed all the steps up to you are
 now serving DNSSEC signed zones.

Reading the presentation - which dates itself

Slide 16, rather use
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE zonename   (for ZSK)

Slide - 18: Also use RSASHA256 for the KSK. I personally use just 2048
bits for the KSK.

This avoids you having to do an algorithm rollover - which is a royal
pain in the proverbial. It's also what the 'root' uses.
('dig @i.root-servers.net. . dnskey' gives:
'DNSKEY 257 3 8' - and - 'DNSKEY 256 3 8')
The '8' part is algo RSASHA256, you probably have a '5' there.




 
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



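Mark's 'dig @i.root-servers.net. . dnskey' check, turned into a small audit; this is an added example, not code from the thread. The function parses DNSKEY records in the layout dig prints with +noall +answer, labels flags 257 as KSK and 256 as ZSK, maps the algorithm number through the IANA registry (5 = RSASHA1, 8 = RSASHA256, and so on), tags the SHA-1 algorithms that RFC 8624 no longer recommends for signing, and warns when a zone's RRset carries more than one algorithm, which is what an unfinished algorithm rollover looks like. The sample records are constructed with placeholder key material; the audit_zone wrapper that queries a live zone is defined but not run.

```sh
#!/bin/sh
# Added example, not from the thread: audit a DNSKEY RRset for key role
# (KSK/ZSK) and signing algorithm, the "257 3 8" / "256 3 8" check.

# dnskey_audit: reads DNSKEY records in "dig +noall +answer" layout on
# stdin (owner TTL IN DNSKEY flags protocol algorithm key...) and prints
# one line per key plus a warning when a zone mixes algorithms.
# (The +short form, which drops the owner and TTL, is not handled.)
dnskey_audit() {
    awk '
    BEGIN {
        # IANA DNSSEC algorithm numbers; RFC 8624 lists 5 and 7 as
        # not recommended for signing new zones.
        name[5]  = "RSASHA1";          name[7]  = "RSASHA1-NSEC3-SHA1"
        name[8]  = "RSASHA256";        name[10] = "RSASHA512"
        name[13] = "ECDSAP256SHA256";  name[14] = "ECDSAP384SHA384"
        name[15] = "ED25519";          name[16] = "ED448"
    }
    $4 == "DNSKEY" {
        zone = $1; flags = $5 + 0; alg = $7 + 0
        role = (flags == 257) ? "KSK" : (flags == 256) ? "ZSK" : ("flags" flags)
        algname = (alg in name) ? name[alg] : ("alg" alg)
        note = (alg == 5 || alg == 7) ? " legacy-sha1" : ""
        printf "%s %s %d %s%s\n", zone, role, alg, algname, note
        if (!((zone, alg) in seen)) { seen[zone, alg] = 1; nalg[zone]++ }
    }
    END {
        for (z in nalg)
            if (nalg[z] > 1)
                printf "%s WARNING: %d algorithms in DNSKEY RRset (rollover in progress, or a mismatched KSK/ZSK pair)\n", z, nalg[z]
    }'
}

# audit_zone ZONE: run the audit against a live zone (needs network;
# not called here).
audit_zone() {
    dig +noall +answer DNSKEY "$1" | dnskey_audit
}

# Constructed sample in dig +noall +answer layout; the key material is
# placeholder text, not real keys.  example.com mixes algorithm 5 (KSK)
# with algorithm 8 (ZSK), the situation Mark warns about.
SAMPLE_DNSKEY='.            172800 IN DNSKEY 257 3 8 AwEAAplaceholderRootKSK==
.            172800 IN DNSKEY 256 3 8 AwEAAplaceholderRootZSK==
example.com.   3600 IN DNSKEY 257 3 5 AQPSplaceholderExampleKSK==
example.com.   3600 IN DNSKEY 256 3 8 AwEAAplaceholderExampleZSK=='

printf '%s\n' "$SAMPLE_DNSKEY" | dnskey_audit
```

A zone whose lines all read "8 RSASHA256" with no WARNING is in the same state as the root; a "5 RSASHA1 legacy-sha1" line is the '5' Mark expects to see after following the old slides.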

Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Damian Myerscough
Thanks for your help, I noticed a small regex which modified my
configuration file thus causing errors.

On 22 April 2012 17:03, Mark Elkins m...@posix.co.za wrote:


-- 
Regards,
Damian Myerscough

new here

2012-04-22 Thread David Milholen

I am a WISP admin and I have just configured a couple of new BIND 9 servers.
They will resolve using dig google.com @9x.1xx.104.14
I am having some trouble getting them to answer themselves on 127.0.0.1,
for example:


[root@ns4 named]# dig google.com @127.0.0.1 +trace

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> google.com @127.0.0.1 +trace
;; global options:  printcmd
;; connection timed out; no servers could be reached
[root@ns4 named]#

Here is my config:
//
// named.conf for Red Hat caching-nameserver
//
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; rndc-key; };
};

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below.  Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    version "Surely you must be joking";
    notify yes;
    allow-recursion {
        127.0.0.1;
        9x.1xx.104.0/22;
        9x.1xx.108.0/23;
    };
    allow-transfer {
        9x.1xx.104.22;
    };
    listen-on {
        9x.1xx.104.14;
    };
};
//
logging {
    channel my_syslog {
        syslog kern;
        severity debug;
    };
    channel my_file {
        file "/var/named/chroot/var/named/log.msgs";
        severity dynamic;
        print-category yes;
    };
    category unmatched {
        null;
    };
    category queries {
        my_file;
    };
    category lame-servers {
        null;
    };
    category general {
        default_syslog;
    };
};


// a caching only nameserver config
//

zone "." IN {
    type hint;
    file "root.servers";
};

zone "104.1xx.9x.in-addr.arpa" {
    type master;
    file "/var/named/9x.1xx.104.rev";
    allow-transfer {
        9x.1xx.104.22;
    };
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "/var/named/127.0.0.rev";
};
zone "localdomain" {
    type master;
    file "/var/named/localdomain.hosts";
};
zone "localhost" {
    type master;
    file "/var/named/localhost.hosts";
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "wh6DFiuNGJHzHwvNTy8JEA==";
};

Here is my resolv.conf :
nameserver 127.0.0.1
nameserver 9x.1xx.104.14

Not sure what I broke but it seems to work on some of my older servers.
Thanks for any help.

--

David Milholen
Project Engineer
P:501-318-1300

Re: new here

2012-04-22 Thread Larry Brower
On 04/22/2012 10:05 PM, David Milholen wrote:
 listen-on {
 9x.1xx.104.14;
 };

Perhaps add 127.0.0.1; into the listen-on clause.



-- 


Larry Brower, CCENT

Fedora Ambassador - North America
Fedora Quality Assurance
lbro...@fedoraproject.org
http://www.fedoraproject.org/
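The listen-on check Larry and Ben point at, as a script you can run against named.conf before restarting named; this is an added example, not code from the thread. listen_on_addresses pulls the entries out of the listen-on block with awk (listen-on-v6 is ignored, a port clause before the brace is dropped, and comments are not stripped, so a commented-out block would be picked up too); check_loopback_listener then reports whether 127.0.0.1 is covered, either explicitly, through the builtin any/localhost ACLs, or by the absence of a listen-on statement, which in BIND means listening on every IPv4 address. The sample configuration is constructed from the posted one with the public address replaced by a documentation address (192.0.2.14).

```sh
#!/bin/sh
# Added example, not from the thread: check whether a named.conf will let
# named answer on 127.0.0.1, the condition behind "dig @127.0.0.1" timing
# out while resolv.conf points at the loopback address.

# listen_on_addresses: print each entry of the listen-on { ... }; block
# read on stdin, one per line.  listen-on-v6 does not match (the name is
# followed by "-", not a space or brace); a "port N" clause before the
# brace is discarded; comments are not stripped.
listen_on_addresses() {
    awk '
    function emit(s,   n, i, toks) {
        n = split(s, toks, ";")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", toks[i])
            if (toks[i] != "") print toks[i]
        }
    }
    !inblk && /listen-on([ \t]|\{)/ { inblk = 1; first = 1 }
    inblk {
        body = $0
        # on the opening line keep only what follows the brace
        if (first) { sub(/^.*listen-on[^{]*\{/, "", body); first = 0 }
        # the closing brace ends the block; drop it and anything after
        if (body ~ /\}/) { sub(/\}.*/, "", body); inblk = 0 }
        emit(body)
    }'
}

# check_loopback_listener: named.conf on stdin; returns 0 when 127.0.0.1
# is covered, 1 when the listen-on list leaves it out.
check_loopback_listener() {
    addrs=$(listen_on_addresses)
    if [ -z "$addrs" ]; then
        # BIND default is listen-on { any; }, so loopback is covered
        echo "no listen-on statement: named listens on every IPv4 address, 127.0.0.1 included"
        return 0
    fi
    for a in $addrs; do
        case "$a" in
            127.0.0.1|any|localhost)
                echo "127.0.0.1 is covered by listen-on entry '$a'"
                return 0 ;;
        esac
    done
    echo "listen-on lists only:$(printf ' %s' $addrs)"
    echo "127.0.0.1 is missing, so 'dig @127.0.0.1' and 'nameserver 127.0.0.1' in resolv.conf will time out; add 127.0.0.1; to the block"
    return 1
}

# Constructed named.conf fragment modelled on the posted one, with the
# public address replaced by a documentation address.
SAMPLE_CONF='options {
    directory "/var/named";
    listen-on {
        192.0.2.14;
    };
};'

echo "--- as posted:"
printf '%s\n' "$SAMPLE_CONF" | check_loopback_listener || :
echo "--- after adding 127.0.0.1:"
printf '%s\n' "$SAMPLE_CONF" | sed 's/listen-on {/listen-on { 127.0.0.1;/' | check_loopback_listener
```

Feed it the real file with 'check_loopback_listener < /etc/named.conf' (or the chroot copy); a non-zero exit means the fix Larry describes is still needed.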


Re: new here

2012-04-22 Thread Ben Croswell
You set a listen-on that does not include 127.0.0.1.
On Apr 22, 2012 11:08 PM, David Milholen dmilho...@wletc.com wrote:
