forwarding zone setup from a BIND slave (without recursion?)

2021-04-06 Thread RK K
All,

We have a set of BIND primary servers (MASTERs) and a set of secondary
servers (slaves to the MASTERs).
The secondary BIND DNS servers have recursion disabled (with "recursion no;")
in the global options.
All the applications/systems do use secondary DNS servers for name
resolution.

Now there is a need to configure a forwarding zone in the "secondary DNS
servers" to an external DNS server.

In this scenario, in order for the secondary server to forward the DNS
query to an external DNS server, is it required to enable recursion in
the global options on the secondary servers?
Based on the reference material, I did not see such a requirement. But my
observation is that the query is not getting forwarded (I tried to check using
a packet trace).
When recursion is enabled, the query is getting forwarded.

The BIND version I am using is 9.11.2.x.

Appreciate your ideas and help.

Thank you
Kind Regards,
Ravi Kota
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Still seeing some ALG-7 DNSSE

2021-04-06 Thread Matthijs Mekking

Most likely you have to delete those files manually.

In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By 
default the keys are retained for 90 days after their latest usage. So 
in that case keys will be cleaned up automatically.


If you run a lower version, or if you set "purge-keys 0;" (disabled), 
you have to purge key files manually.


Best regards,

Matthijs



On 05-04-2021 18:27, @lbutlr wrote:

If I do:

cd /etc/named/working/main/
for i in *; do dig $i +dnssec | grep "A 13 2" | awk '{print $1}';done

I see a list of all the domains on the system, so that's good, everything has a 
ALG-13 signature.

If I do

for i in *; do dig $i +dnssec | grep "A 7 2" | awk '{print $1}';done

I see a list of a handful of domains that still have ALG-7 signatures. This is 
confirmed by a warning in dnsviz.

I don't see any differences in the configurations, and none of the main records 
on the registrar list ALG-7 anymore, only ALG-13.

All of the domains are set up with dnssec-policy default.

There are still 007 key files on the system for ALL domains (unexpected), updated
every hour (expected).

  8 -rw-r--r--  1 bind  bind   1.0K Apr  5 06:21 Kkreme.com.+007+01083.key
  8 -rw-r--r--  1 bind  bind   587B Apr  5 06:21 Kkreme.com.+007+01083.state
  8 -rw-------  1 bind  bind   3.3K Apr  5 06:21 Kkreme.com.+007+01083.private
  8 -rw-r--r--  1 bind  bind   708B Apr  5 06:21 Kkreme.com.+007+30512.key
  8 -rw-r--r--  1 bind  bind   520B Apr  5 06:21 Kkreme.com.+007+30512.state
  8 -rw-------  1 bind  bind   1.8K Apr  5 06:21 Kkreme.com.+007+30512.private
  8 -rw-r--r--  1 bind  bind   399B Apr  5 06:21 Kkreme.com.+013+29597.key
  8 -rw-r--r--  1 bind  bind   651B Apr  5 06:21 Kkreme.com.+013+29597.state
  8 -rw-------  1 bind  bind   215B Apr  5 06:21 Kkreme.com.+013+29597.private

This domain does not show any ALG-7 keys in dig:

# dig kreme.com +dnssec +short
65.121.55.45
A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Sea2LPlKGeH/aP1kwONwtuH0Jkp2TVHNb/v9PEOUiVQVzCwKMkg79+K9bE8yhNQ2vLV4Fxvzk4jknP8Cbq98lQ==

Is there anything I need to do here or not? Will those alg-7 key files continue 
to hang around forever? Do I need to do something to get dnsviz and dig +dnssec 
to stop reporting the old keys or is that like propagation and it will sort 
itself out? I don't see a pattern in the domains that are still showing alg-7 
but it is possible they had the DS/registrar info updated later than the other 
domains.


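An added example, not code from the thread or from ISC, that generalizes the grep loop above: it reads RRSIG records by their algorithm field instead of matching "A 7 2" (so RRSIGs over NS, SOA, MX and so on are counted too), and maps BIND's K<zone>.+<alg>+<keyid>.* file names to algorithm numbers so the leftover algorithm-7 files can be listed. The dig output below is constructed from the record quoted in the thread; in real use, pipe `dig "$zone" +dnssec` into rrsig_algs.

```shell
#!/bin/sh
# Constructed sample of 'dig kreme.com +dnssec' answer lines (not real DNS data):
# a zone still carrying one algorithm-7 RRSIG next to its algorithm-13 ones.
SAMPLE_DIG='kreme.com. 3600 IN A 65.121.55.45
kreme.com. 3600 IN RRSIG A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. c2ln
kreme.com. 3600 IN RRSIG A 7 2 3600 20210415161448 20210401155316 01083 kreme.com. b2xk
kreme.com. 3600 IN NS ns1.kreme.com.
kreme.com. 3600 IN RRSIG NS 13 2 3600 20210415161448 20210401155316 29597 kreme.com. c2ln'

# Distinct DNSSEC algorithm numbers in the RRSIG records read from stdin, whatever
# RR type they cover. Field 6 of a presentation-format RRSIG is the algorithm.
rrsig_algs() {
    awk '$4 == "RRSIG" { print $6 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 if any RRSIG on stdin still uses algorithm 7 (RSASHA1-NSEC3-SHA1), else 1.
has_alg7() {
    awk '$4 == "RRSIG" && $6 == 7 { found = 1 } END { exit !found }'
}

# Algorithm number from a key file name K<zone>.+<alg>+<keyid>.{key,private,state},
# zero padding removed (007 -> 7, 013 -> 13). A leading directory is ignored.
keyfile_alg() {
    f=${1##*/}        # strip directory
    f=${f%.*}         # strip .key / .private / .state
    alg=${f%+*}       # K<zone>.+<alg>
    alg=${alg##*+}    # <alg>, zero padded
    printf '%s\n' "$alg" | sed 's/^0*//'
}

# Print those key files (given as arguments) whose algorithm number equals $1.
keys_with_alg() {
    want=$1; shift
    for k in "$@"; do
        if [ "$(keyfile_alg "$k")" = "$want" ]; then printf '%s\n' "$k"; fi
    done
}

# Constructed key directory listing, using the file names quoted in the thread.
KEYFILES='Kkreme.com.+007+01083.key Kkreme.com.+007+30512.key Kkreme.com.+013+29597.key'

echo "RRSIG algorithms seen: $(printf '%s\n' "$SAMPLE_DIG" | rrsig_algs)"
if printf '%s\n' "$SAMPLE_DIG" | has_alg7; then
    echo "algorithm-7 RRSIGs still published; alg-7 key files on disk:"
    keys_with_alg 7 $KEYFILES
fi
```

Once a zone no longer publishes any algorithm-7 RRSIG, the files keys_with_alg lists are the ones purge-keys would eventually remove on 9.16.13, or that have to be deleted by hand on older versions.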