Re: Freeze/thaw and signed zone files

2019-02-21 Thread Grant Taylor via bind-users

On 2/21/19 6:28 PM, @lbutlr wrote:
> rndc reload did not recreate (or at least update the time stamp) on the 
> .signed file.

Hum.  Maybe it's something different about how you're doing DNSSEC than 
I am.

I have BIND managing DNSSEC for me via "auto-dnssec maintain;".  So I 
don't get .signed files.

I was just able to do the following:

rndc freeze $ZONE
rndc sync -clean $ZONE
$EDITOR $ZONEFILE
rndc thaw $ZONE
rndc sign $ZONE

I did have to manually do the "rndc sign" for DNSViz to be happy with 
the new test entry.  I don't know if that's expected or not.

> But at no point do I get the new subdomains I added to the zone added 
> to the zone.signed

The new record showed up exactly as expected.

Granted, I only added an A record and didn't create a new sub-domain.

> I’ll try sync clean and see if I get further.
> 
> Nope, now the .signed file isn’t touched at all after the zone file 
> is edited.
> 
> zone "example.com" { type master; file "master/example.com.signed"; 
> update-policy local; auto-dnssec maintain; };

I don't have .signed files.

> So I am still with a zone file that contains two subdomains that are 
> not represented in the .signed zone file, so do not load and nothing 
> that I do seems to be able to recreate the .signed file with the correct 
> information.

Does your actual zone file have the DNSSEC records in it?  That's where 
mine are.  I don't have a separate unsigned zone file.

> Is the original random key that was generated at the time of signing 
> kept somewhere? NSEC3 seems to contain a 16 character hex string that 
> recurs throughout the file.

I believe so.  Do you have a "managed-keys-directory" entry in your 
named.conf file?  (I do.  My .key and .private files are in the 
specified directory.)




--
Grant. . . .
unix || die



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr via bind-users
On 21 Feb 2019, at 18:28, @lbutlr wrote:
> Is the original random key that was generated at the time of signing kept 
> somewhere? NSEC3 seems to contain a 16 character hex string that recurs 
> throughout the file.

OK, I moved aside the signed file, resigned the domain using the 16 character 
string I found repeated in the original .signed file and the dsset file 
contained the same strings, and the signed file was created anew and it 
contains the new subdomains. So, that immediate problem is solved.

First instance is on the NSEC3PARAM param line, so awk '/NSEC3PARAM 1/{ print $NF}' 
zone.signed

-- 
people didn't seem to be able to remember what it was like with the
elves around. Life was certainly more interesting then, but usually
because it was shorter. And it was more colourful, if you liked the
colour of blood. --Lords and Ladies
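
The two operational pieces in this thread, Grant's freeze / sync -clean / edit / thaw / sign sequence and lbutlr's awk for the NSEC3PARAM salt, are both easy to get subtly wrong: a serial that does not increase produces exactly the "zone serial (...) unchanged" warning quoted earlier in the thread (and secondaries then never transfer), and the RRSIG covering the NSEC3PARAM record also contains the word NSEC3PARAM, so a pattern match on the type name can return a signature field instead of the salt. The script below is an added example, not code from the thread or from ISC: it wraps the rndc sequence in a function, bumps the SOA serial itself with an RFC 1982 check, and extracts the salt by field position. The function names, the RNDC and EDIT_CMD variables, the constructed sample zone and its salt value are all my own; only the rndc subcommands come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC. Assumes rndc is on
# PATH (override with RNDC=..., RNDC=: for a dry run), YYYYMMDDnn serials, and
# that the file handed to edit_frozen_zone is the one named in the zone statement.
set -eu
RNDC=${RNDC:-rndc}

# SOA serial: once comments and parentheses are stripped it is always the third
# token after "SOA" (MNAME, RNAME, serial), however the SOA is wrapped.
soa_serial() {
    awk '{ sub(/;.*/, ""); gsub(/[()]/, " ") }
         { for (i = 1; i <= NF; i++) {
               if (!after_soa) { if (toupper($i) == "SOA") after_soa = 1; continue }
               if (++n == 3) { found = 1; print $i; exit }
           } }
         END { if (!found) exit 1 }' "$1"
}

# NSEC3PARAM salt ("-" means no salt). The RRSIG covering the NSEC3PARAM record
# also contains the word NSEC3PARAM, so the token before it must not be RRSIG.
nsec3_salt() {
    awk '{ sub(/;.*/, "") }
         { for (i = 1; i + 4 <= NF; i++)
               if (toupper($i) == "NSEC3PARAM" && (i == 1 || toupper($(i-1)) != "RRSIG")) {
                   found = 1; print $(i + 4); exit }     # rdata: alg flags iterations salt
         }
         END { if (!found) exit 1 }' "$1"
}

# RFC 1982 comparison: NEW is newer than OLD when (NEW-OLD) mod 2^32 is in (0, 2^31).
serial_gt() {
    d=$(( ($1 - $2) & 4294967295 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# Next serial: today's date with nn=00 if the current one is from an earlier day,
# otherwise current+1 (nn simply runs past 99, which is still a valid increase).
next_serial() {
    today=${2:-$(date -u +%Y%m%d)}
    if [ "$1" -lt $((today * 100)) ]; then echo $((today * 100)); else echo $(($1 + 1)); fi
}

# Rewrite the serial in place. A serial that does not increase is what produces
# the "zone serial (...) unchanged" warning quoted in the thread, so refuse it.
bump_serial() {
    old=$(soa_serial "$1")
    new=$(next_serial "$old" "${2:-}")
    serial_gt "$new" "$old" || { echo "refusing: $new does not increase $old" >&2; return 1; }
    awk -v old="$old" -v new="$new" '
        !done && toupper($0) ~ /SOA/ { seen = 1 }
        !done && seen && match(" " $0 " ", "[^0-9]" old "[^0-9]") {
            $0 = substr($0, 1, RSTART - 1) new substr($0, RSTART + length(old)); done = 1 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# Grant's sequence with the serial bump done here. $1 zone, $2 zone file,
# $3 optional YYYYMMDD; EDIT_CMD (default $EDITOR, then vi) gets the file path.
edit_frozen_zone() {
    $RNDC freeze "$1"            # suspend updates; the journal is written into the file
    $RNDC sync -clean "$1"       # and the .jnl removed, so the file is now authoritative
    "${EDIT_CMD:-${EDITOR:-vi}}" "$2"
    bump_serial "$2" "${3:-}" >/dev/null
    $RNDC thaw "$1"              # reload the edited file and resume updates
    $RNDC sign "$1"              # re-sign now; Grant needed this before DNSViz was happy
}

# Constructed sample (shaped like a BIND signed-zone dump, values made up).
write_sample_zone() {
    cat > "$1/example.com.signed" <<'EOF'
$TTL 3600
example.com.  IN SOA ns1.example.com. hostmaster.example.com. (
                  2019020105 ; serial
                  7200 3600 1209600 3600 )
example.com.  IN NS ns1.example.com.
example.com.  0 IN RRSIG NSEC3PARAM 13 2 0 20190305000000 20190205000000 12345 example.com. (
                  ZmFrZXNpZ25hdHVyZQ== )
example.com.  0 IN NSEC3PARAM 1 0 10 8A6F1C2E3B4D5F60
gallery       IN CNAME www
www           IN A 192.0.2.10
EOF
}
demo_add_cam() { printf 'cam           IN CNAME www\n' >> "$1"; }   # stand-in for $EDITOR

if [ "${1:-}" = "--demo" ]; then                 # dry run, no rndc needed
    tmp=$(mktemp -d); write_sample_zone "$tmp"
    echo "salt: $(nsec3_salt "$tmp/example.com.signed")"
    (RNDC=:; EDIT_CMD=demo_add_cam; edit_frozen_zone example.com "$tmp/example.com.signed")
    echo "serial now: $(soa_serial "$tmp/example.com.signed")"
    rm -rf "$tmp"
fi
```

Run it with --demo to exercise the whole sequence against the constructed file without a running named (RNDC=: replaces the real command); set RNDC='rndc -k /path/to/key' if your rndc needs arguments. The file passed as the second argument has to be the one named in the zone statement, which in lbutlr's configuration above is master/example.com.signed, not a separate unsigned file.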



Re: Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr
>> OK, but rndc flush example.com results in:
>> rndc: 'flush' failed: not found
> 
> *FACEpalm*
> 
> I'm sorry.  I gave you the wrong command.  You want "sync", not "flush".  My 
> brain always thinks "flush the journal to disk" when it's really supposed to 
> be "sync the journal to disk".  You can pass the optional "-clean" command to 
> cause BIND to remove the synced journal file.
> 
> "flush" is flushing caches, and you can optionally specify a view.  I'm 
> guessing that you don't have a view named "example.com".
> 
>> Then service named stop, service named start.
> 
> When you use the proper commands, you don't need to restart the named 
> service.  You can also use rndc reload without needing to restart the named 
> service.

rndc reload did not recreate (or at least update the time stamp) on the .signed 
file.

But at no point do I get the new subdomains I added to the zone added to the 
zone.signed

I’ll try sync clean and see if I get further.

Nope, now the .signed file isn’t touched at all after the zone file is edited.

zone "example.com" { type master; file "master/example.com.signed"; 
update-policy local; auto-dnssec maintain; };

So I am still with a zone file that contains two subdomains that are not 
represented in the .signed zone file, so do not load and nothing that I do 
seems to be able to recreate the .signed file with the correct information.

Is the original random key that was generated at the time of signing kept 
somewhere? NSEC3 seems to contain a 16 character hex string that recurs 
throughout the file.

-- 
all your snowflakes are urine and you can't even find the cat



Re: Freeze/thaw and signed zone files

2019-02-21 Thread Grant Taylor via bind-users

On 02/21/2019 02:03 PM, @lbutlr via bind-users wrote:
> OK, but rndc flush example.com results in:
> 
> rndc: 'flush' failed: not found

*FACEpalm*

I'm sorry.  I gave you the wrong command.  You want "sync", not "flush". 
My brain always thinks "flush the journal to disk" when it's really 
supposed to be "sync the journal to disk".  You can pass the optional 
"-clean" command to cause BIND to remove the synced journal file.

"flush" is flushing caches, and you can optionally specify a view.  I'm 
guessing that you don't have a view named "example.com".

> Then service named stop, service named start.

When you use the proper commands, you don't need to restart the named 
service.  You can also use rndc reload without needing to restart the 
named service.




--
Grant. . . .
unix || die





Re: Freeze/thaw and signed zone files

2019-02-21 Thread Noel Butler
On 22/02/2019 07:03, @lbutlr via bind-users wrote:

>> I don't recall if reloading or thawing will automatically re-sign the zone 
>> or if you need to also explicitly "rndc sign $ZONE".
> 
> Sign recreates the .jnl file, but doesn't touch the .signed file.
> 
> Doing the following recreated the .signed file, but still didn't add the new 
> subdomains.
> 
> Freeze, flush, edit, thaw, 
> 
> Then service named stop, service named start.

freeze, edit, thaw, rndc reload is all that's needed 

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally 
privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents 

 

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument


Re: Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr via bind-users


> On 21 Feb 2019, at 13:41, Grant Taylor via bind-users wrote:
> 
> On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
>> I edited a zone file after issuing a rndc freeze command, added two new sub 
>> zones, changed the serial number, saved the file, and then did an rndc thaw.
> 
> I don't see an "rndc flush " in there.

OK, but rndc flush example.com results in:

rndc: 'flush' failed: not found

> rndc freeze $ZONE
> rndc flush $ZONE
> $EDITOR $ZONE
> rndc thaw $ZONE

Other than the flush, that is what I did.

> I don't recall if reloading or thawing will automatically re-sign the zone or 
> if you need to also explicitly "rndc sign $ZONE".

Sign recreates the .jnl file, but doesn’t touch the .signed file.

Doing the following recreated the .signed file, but still didn’t add the new 
subdomains.

Freeze, flush, edit, thaw, 

Then service named stop, service named start.

Had a previous subdomain gallery and it is listed in both the zone file and the 
signed file 

Zone:
gallery CNAME   www

zone.signed:
gallery CNAME   www

Added a new sub zone, cam

Zone:
cam CNAME   www

zone.signed:


This matches up with the results from dig. So, now I do have a .signed file 
that has the serial number updated to match the zone file, but still doesn’t 
contain the new sub zones.

So, I did the whole dance again. Freeze, flush, edit (change serial, add 
another subdomain, thaw, stop/start). Nothing. But the time stamp on the 
.signed file changes. 

And I misspoke earlier, the serial number in the signed file’s SOA didn’t 
change, but the serial numbers/dates in the RRSIG did update.

-- 
This wasn't a proper land. The sky was blue, not flaming with all the
colours of the aurora. And time was passing. To a creature not born
subject to time, it was a sensation not unakin to falling. --Lords and
Ladies



Re: Freeze/thaw and signed zone files

2019-02-21 Thread Grant Taylor via bind-users

On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
> I edited a zone file after issuing a rndc freeze command, added two new 
> sub zones, changed the serial number, saved the file, and then did an 
> rndc thaw.

I don't see an "rndc flush " in there.

Which means that BIND likely still has the journal of the zone.  And 
BIND prefers the journal over the actual textual representation of the zone.

> zone serial (2019020105) unchanged. zone may fail to transfer to slaves.
> 
> which is the previous serial number.

I would expect this if you edited the zone file and the journal file 
wasn't flushed.

> So, I tried to move the .signed file aside, thinking maybe thaw might 
> recreate it, But no, it complains the file doesn’t exist, so I put 
> it back.

I don't think this is related to DNSSEC.

> Is it possible for me to edit the zone file (as in with vim) and have 
> bind update, or do I have to do everything through nsupdate and never 
> access the zone files directly?

Yes, it is certainly possible to edit zone files outside of BIND's control.

rndc freeze $ZONE
rndc flush $ZONE
$EDITOR $ZONE
rndc thaw $ZONE

I don't recall if reloading or thawing will automatically re-sign the 
zone or if you need to also explicitly "rndc sign $ZONE".

> At this point, how do I get the zone updated?

Use the method above, or some sort of dynamic update.

> If I try to dig for the new subdomains that are in the zone, they do 
> not resolve, and all the information in DNS is the information that was 
> there on 21090201.

That sounds like the old contents of the zone which are still in the 
journal file.

> I am currently updating to bind912-9.12.3P1_3 to see if anything changes.

I don't think changing the BIND version will change anything.



--
Grant. . . .
unix || die





Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr via bind-users
I edited a zone file after issuing a rndc freeze command, added two new sub 
zones, changed the serial number, saved the file, and then did an rndc thaw.

In var/log.messages I get

zone serial (2019020105) unchanged. zone may fail to transfer to slaves.

which is the previous serial number.

So, I tried to move the .signed file aside, thinking maybe thaw might recreate 
it, But no, it complains the file doesn’t exist, so I put it back. 

Is it possible for me to edit the zone file (as in with vim) and have bind 
update, or do I have to do everything through nsupdate and never access the 
zone files directly?

At this point, how do I get the zone updated?

If I try to dig for the new subdomains that are in the zone, they do not 
resolve, and all the information in DNS is the information that was there on 
21090201.

I am currently updating to bind912-9.12.3P1_3 to see if anything changes.

-- 
If you think that Mick Jagger will still be doing the whole rock star
thing at age fifty, well, then, you are sorely, sorely mistaken.



Re:

2019-02-21 Thread Roberto Carna
Thanks a lot.

Greetings !!!

On Wed, 20 Feb 2019 at 16:55, Matus UHLAR - fantomas (<uh...@fantomas.sk>) wrote:

> On 20.02.19 10:48, Roberto Carna wrote:
> >You tell me to do this:
> >
> >zone "." {
> >type master;
> >file "empty.db";
> >};
> >
> >The root zone Is "type master"  or "type hint" ???
> >
> >The empty.db is really an empty file with no data at all ???
>
> debian ships db.empty which contains everything an empty zone file needs.
>
> >And where do I have to put my current file:
>
> >recursion yes;
>
> useless as it's the default
>
> >zone "teamviewer.com" {
> >type forward;
> >forwarders { 8.8.8.8; };
> >};
>
> anywhere, but your files look like a debian installation, it should go to
> db.local.
>
> I think you can specify empty forwarders list and BIND should do the
> resolution itself.
>
> >> On Tue, Feb 19, 2019 at 10:29 AM Roberto Carna <
> robertocarn...@gmail.com>
> >> wrote:
> >> >
> >> > Dear Matus and Kevin, please tell me if it's OK if I do this:
> >> >
> >> > named.conf:
> >> > include "/etc/bind/named.conf.default-zones";
> >> >
> >> > named.conf.default-zones:
> >> > recursion yes;
> >> > zone "teamviewer.com" {
> >> > type forward;
> >> > forwarders { 8.8.8.8; };
> >> > };
> >> >
> >> > named.conf.local:
> >> > 
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...


Re: Server can not resolve Domain

2019-02-21 Thread Niall O'Reilly
On 21 Feb 2019, at 9:28, Wolfgang Pähler wrote:

> The domain is: paehler.coud

Zonemaster reports problems with the (currently) delegated name servers.
I've put a little more detail in a private message.

Best regards,
Niall O'Reilly


Re: Server can not resolve Domain

2019-02-21 Thread Wolfgang Pähler
The domain is: paehler.coud

On 21 February 2019 10:12:50 CET, Matus UHLAR - fantomas wrote:
>On 20.02.19 14:48, haidao wrote:
>>we use our own nameserver on our system. I have installed bind9 now, and
>>configured the zone files. At our provider I have changed the nameserver
>>to our system. But the server can not resolve the name. I have
>>searched a lot of time, but I can not see the problem.
>
>would be good if you gave us the real domain name.
>
>>I have the following Setup:
>>Forward Zone:
>>;; db.domainname
>>;; Forward lookup zone for domainname
>>;;
>>$TTL 2D
>>@ IN SOA my.domain. mail.my.domain. (
>>200603 ; Serial
>>8H ; Refresh
>>2H ; Retry
>>4W ; Expire
>>3H ) ; NX (negative cache TTL)
>>
>>@ IN NS my.domain.
>>@ IN NS sns.serverkompetenz.de.
>>IN MX 10 mail.my.domain.
>
>>@ IN A 81.169.255.130
>>my.domain. IN A 81.169.255.130
>
>aren't these two exactly the same records?
>
>>www IN A 81.169.255.130
>>mail IN A 81.169.255.130
>>localhost IN A 127.0.0.1
>
>don't put localhost into any domain.
>
>>smtp IN CNAME www
>>imap IN CNAME www
>>
>>
>>@ IN TXT "v=spf1 mx -all"
>
>
>... is the sns.serverkompetenz.de. fetching the domain from your
>server?
>
>>Feb 20 21:40:16 mail named[4833]: automatic empty zone:
>>8.B.D.0.1.0.0.2.IP6.ARPA
>>Feb 20 21:40:16 mail named[4833]: automatic empty zone:
>>EMPTY.AS112.ARPA
>>Feb 20 21:40:16 mail named[4833]: configuring command channel from
>>'/etc/bind/rndc.key'
>>Feb 20 21:40:16 mail named[4833]: configuring command channel from
>>'/etc/bind/rndc.key'
>>Feb 20 21:40:16 mail named[4833]: reloading configuration succeeded
>>Feb 20 21:40:16 mail named[4833]: reloading zones succeeded
>>Feb 20 21:40:16 mail named[4833]: all zones loaded
>>Feb 20 21:40:16 mail named[4833]: running
>
>do you actually have the "my.domain" in your nameserver configuration?
>
>-- 
>Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>Enter any 12-digit prime number to continue.

-- 
This message was sent from my Android device with K-9 Mail.


Re: Server can not resolve Domain

2019-02-21 Thread Matus UHLAR - fantomas

On 20.02.19 14:48, haidao wrote:
> we use our own nameserver on our system. I have installed bind9 now, and
> configured the zone files. At our provider I have changed the nameserver
> to our system. But the server can not resolve the name. I have
> searched a lot of time, but I can not see the problem.

would be good if you gave us the real domain name.

> I have the following Setup:
> Forward Zone:
> ;; db.domainname
> ;; Forward lookup zone for domainname
> ;;
> $TTL 2D
> @ IN SOA my.domain. mail.my.domain. (
> 200603 ; Serial
> 8H ; Refresh
> 2H ; Retry
> 4W ; Expire
> 3H ) ; NX (negative cache TTL)
>
> @ IN NS my.domain.
> @ IN NS sns.serverkompetenz.de.
> IN MX 10 mail.my.domain.

> @ IN A 81.169.255.130
> my.domain. IN A 81.169.255.130

aren't these two exactly the same records?

> www IN A 81.169.255.130
> mail IN A 81.169.255.130
> localhost IN A 127.0.0.1

don't put localhost into any domain.

> smtp IN CNAME www
> imap IN CNAME www
>
> @ IN TXT "v=spf1 mx -all"

... is the sns.serverkompetenz.de. fetching the domain from your server?

> Feb 20 21:40:16 mail named[4833]: automatic empty zone:
> 8.B.D.0.1.0.0.2.IP6.ARPA
> Feb 20 21:40:16 mail named[4833]: automatic empty zone: EMPTY.AS112.ARPA
> Feb 20 21:40:16 mail named[4833]: configuring command channel from
> '/etc/bind/rndc.key'
> Feb 20 21:40:16 mail named[4833]: configuring command channel from
> '/etc/bind/rndc.key'
> Feb 20 21:40:16 mail named[4833]: reloading configuration succeeded
> Feb 20 21:40:16 mail named[4833]: reloading zones succeeded
> Feb 20 21:40:16 mail named[4833]: all zones loaded
> Feb 20 21:40:16 mail named[4833]: running

do you actually have the "my.domain" in your nameserver configuration?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.


Re: Combining forward with master zone.

2019-02-21 Thread Matus UHLAR - fantomas

> On Wed, Feb 20, 2019 at 3:40 PM King, Harold Clyde (Hal) wrote:
>> Could I just define needs.example.com as a zone in a separate file so:
>>
>> zone "example.com" { type master; notify no; file "static/antiphish.db";
>> };
>>
>> zone "needs.example.com" { type forward; forwarders { 8.8.8.8; }; };

On 20.02.19 16:08, Kevin Darcy wrote:
> Delegate needs.example.com from example.com and you should be set.

if this is not clear enough, it means that the "example.com" zone stored in
"static/antiphish.db" file must contain NS record for "needs":

needs   NS  your.name.server.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".