Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

2021-08-11 Thread raf via bind-users
On Wed, Aug 11, 2021 at 12:14:38PM -0500, Tim Daneliuk via bind-users wrote:

> On 8/10/21 11:27 PM, raf via bind-users wrote:
> > Does that help at all?
> 
> Very much thank you.  I have now discovered my DNS key and corresponding DS
> record.   I believe the DS record is what I have to provide my registrar
> as I understand it.
> -- 
> 
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/

That's great. Although it should be a CDS record that you are seeing,
not a DS record (yet), and its content is what you need to convey to
your registrar so they can create the DS record in the parent zone.

cheers,
raf

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Failure from rate-limit

2021-08-11 Thread Peter
Hi,

my servers fail to query the upstream servers with these errors:

rate-limit: debug 99: rrl=0x0, HAVECOOKIE=0, result=DNS_R_SERVFAIL,
fname=0x8027a5450(0), is_zone=0, RECURSIONOK=1, query.rpz_st=0x0(0),
RRL_CHECKED=0

The operator of the upstream servers says it is due to a configuration
mistake. How can this be fixed? I do not have any rate-limit option
configured...

rgds,
PMc


Re: Debug Approach Help?

2021-08-11 Thread Tim Daneliuk via bind-users
On 8/11/21 12:49 PM, Richard T.A. Neal wrote:
> There's a very good article on the ISC website which discusses BIND logging:
> https://kb.isc.org/docs/aa-01526
> 
> I recommend reading and implementing the logging as per their suggestion 
> (backup or make a note of your current logging configuration options in case 
> you want to revert in future) and then start looking through those logs the 
> next time your on-prem slave stops resolving.
> 
> Once you spot any errors in the log you can post them here on the list and 
> others will try and help explain what may be happening.
> 
> Richard.

Perfect, will do, and thanks...
-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/


RE: Debug Approach Help?

2021-08-11 Thread Richard T.A. Neal
There's a very good article on the ISC website which discusses BIND logging:
https://kb.isc.org/docs/aa-01526

I recommend reading and implementing the logging as per their suggestion 
(backup or make a note of your current logging configuration options in case 
you want to revert in future) and then start looking through those logs the 
next time your on-prem slave stops resolving.

Once you spot any errors in the log you can post them here on the list and 
others will try and help explain what may be happening.

Richard.

-Original Message-
From: bind-users  On Behalf Of Tim Daneliuk 
via bind-users
Sent: 11 August 2021 3:56 pm
To: bind-users@lists.isc.org
Subject: Debug Approach Help?

I am running bind 9.16.19 on two FreeBSD 13-STABLE instances.  The master is on 
a Digital Ocean droplet and works fine.  The slave is hosted on a physical 
machine here in our offices.

This has always worked flawlessly until recently.   Periodically, the slave
refuses to resolve names like 'git.freebsd.org' and we have to restart bind on 
the slave to get it working correctly again.

Rather than using cron to restart bind every hour (!), we'd like to get to the 
root of the problem.  The slave machine is at the end of a Comcast Business 
pipe and their execrable security edge garbage may be implicated.

We could use some help on an approach to debugging this.  Having never had 
significant bind problems over 20 years of use, we literally have no named 
debugging experience...

TIA,
--

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/


Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

2021-08-11 Thread Tim Daneliuk via bind-users
On 8/10/21 11:27 PM, raf via bind-users wrote:
> Does that help at all?

Very much thank you.  I have now discovered my DNS key and corresponding DS
record.   I believe the DS record is what I have to provide my registrar
as I understand it.


-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/


Re: DKIM setup

2021-08-11 Thread Vinícius Ferrão via bind-users
LOL what a joke, country blocking:

Original Message Details
Created Date: 8/11/2021 4:56:17 PM
Sender Address: fer...@versatushpc.com.br
Recipient Address: john...@pharmacy.arizona.edu
Subject: Re: DKIM setup

Error Details
Reported error: 550 5.0.350 Remote server returned an error -> 550 Sender email address rejected
DSN generated by: DM8PR14MB5239.namprd14.prod.outlook.com

There are other countries in the world besides the USA. Now I understand the .ve 
question.

> On 11 Aug 2021, at 13:56, Vinícius Ferrão via bind-users <bind-users@lists.isc.org> wrote:
> 
> Hello.
> 
> Ve is Venezuela. It’s a country.
> 
> Alice is the selector name, you can have whatever you want.
> 
> https://dmarcly.com/blog/what-is-dkim-selector-and-how-does-it-work-dkim-selector-explained
> 
> For Office365 you should follow Office365 names which are selector1 and 
> selector2.
> 
> > On 11 Aug 2021, at 13:47, Bruce Johnson via bind-users <bind-users@lists.isc.org> wrote:
> > 
> > I’m trying to set up DNS records for DKIM in our system; we have a hybrid 
> > O365/On-Prem Exchange server and separate Mailman list server, all of which 
> > send email from our domain (and are in the spf list in DNS.)
> > 
> > I’m a little unclear on the syntax described here: 
> > (https://kb.isc.org/docs/aa-00725 )
> > 
> > alice._domainkey.itverx.com.ve. 86400 IN TXT "v=…ZZZ"
> > 
> > Is alice, in this case, the server with the MTA and private keys and 
> > itverx.com the base domain of the zone? I.e., alice.itverx.com is the 
> > server that is signing the emails?
> > 
> > What is the .ve. part?
> > 
> > --
> > Bruce Johnson
> > University of Arizona
> > College of Pharmacy
> > Information Technology Group
> > 
> > Institutions do not have opinions, merely customs



Re: DKIM setup

2021-08-11 Thread Vinícius Ferrão via bind-users
Hello.

Ve is Venezuela. It’s a country.

Alice is the selector name, you can have whatever you want.

https://dmarcly.com/blog/what-is-dkim-selector-and-how-does-it-work-dkim-selector-explained

For Office365 you should follow Office365 names which are selector1 and 
selector2.

> On 11 Aug 2021, at 13:47, Bruce Johnson via bind-users wrote:
> 
> I’m trying to set up DNS records for DKIM in our system; we have a hybrid 
> O365/On-Prem Exchange server and separate Mailman list server, all of which 
> send email from our domain (and are in the spf list in DNS.)
> 
> I’m a little unclear on the syntax described here: 
> (https://kb.isc.org/docs/aa-00725 )
> 
> alice._domainkey.itverx.com.ve. 86400 IN TXT "v=…ZZZ"
> 
> Is alice, in this case, the server with the MTA and private keys and itverx.com 
> the base domain of the zone? I.e., alice.itverx.com is the server that is signing 
> the emails?
> 
> What is the .ve. part?
> 
> --
> Bruce Johnson
> University of Arizona
> College of Pharmacy
> Information Technology Group
> 
> Institutions do not have opinions, merely customs
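To make the name layout in the reply above concrete, here is an added Python example (not code from the thread or from the linked ISC KB article). The owner name of a DKIM key record is `<selector>._domainkey.<signing domain>`, so in `alice._domainkey.itverx.com.ve` the selector is `alice` and the signing domain is `itverx.com.ve`; `.ve` is just the ccTLD of that domain, and the selector has nothing to do with which host runs the MTA. The block also concatenates the quoted strings that `dig` prints for a long TXT record, parses the tag=value list per RFC 6376, and flags the usual mistakes in a published key record. The domain `example.com`, the sample TXT rdata and the placeholder key material are constructed; `selector1`/`selector2` are the Office 365 selector names mentioned in the thread.

```python
import re

DKIM_LABEL = "_domainkey"

# Constructed sample of what `dig TXT selector1._domainkey.example.com` prints
# for a long record: several quoted strings that must be concatenated. The
# key material after p= is a placeholder, not a real key.
SAMPLE_TXT_RDATA = '"v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC_PLACEHOLDER"'


def dkim_record_name(selector: str, domain: str) -> str:
    """Owner name of the DKIM public key record: <selector>._domainkey.<domain>.
    The selector is a free-form label chosen by the signer; the domain is the
    signing domain including its TLD (so .ve is simply part of itverx.com.ve)."""
    return f"{selector}.{DKIM_LABEL}.{domain.rstrip('.')}."


def split_dkim_name(owner: str):
    """Inverse of dkim_record_name: (selector, domain), or None if not a DKIM name."""
    labels = owner.rstrip(".").split(".")
    if len(labels) < 3 or labels[1] != DKIM_LABEL:
        return None
    return labels[0], ".".join(labels[2:])


def office365_record_names(domain: str):
    """Office 365 signs with the fixed selectors selector1 and selector2."""
    return [dkim_record_name(s, domain) for s in ("selector1", "selector2")]


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted strings of a TXT record as shown by dig."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def parse_dkim_tags(txt: str) -> dict:
    """Parse the tag=value list of a DKIM key record (RFC 6376 3.2 and 3.6.1)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def check_dkim_key_record(owner: str, rdata: str):
    """Return a list of problems with a published DKIM key record (empty = ok)."""
    problems = []
    if split_dkim_name(owner) is None:
        problems.append("owner name is not <selector>._domainkey.<domain>")
    tags = parse_dkim_tags(join_txt_strings(rdata))
    # v= is optional, but if present it must be DKIM1.
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag present but not DKIM1")
    if "p" not in tags:
        problems.append("p tag (public key) missing")
    elif tags["p"] == "":
        problems.append("p tag empty: key is revoked, signatures will fail")
    # k= defaults to rsa; ed25519 is the other registered key type.
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {tags['k']!r}")
    return problems


if __name__ == "__main__":
    print(dkim_record_name("alice", "itverx.com.ve"))
    print(split_dkim_name("alice._domainkey.itverx.com.ve."))
    print(office365_record_names("example.com"))
    print(check_dkim_key_record("selector1._domainkey.example.com.", SAMPLE_TXT_RDATA))
```

Publishing the record is only half of it: the selector named in the `s=` tag of each outgoing DKIM-Signature header has to resolve to exactly this owner name, so each signing system (O365, the on-prem Exchange, the Mailman host) needs its own selector and key record under the same `_domainkey` subtree.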



DKIM setup

2021-08-11 Thread Bruce Johnson via bind-users
I’m trying to set up DNS records for DKIM in our system; we have a hybrid 
O365/On-Prem Exchange server and separate Mailman list server, all of which 
send email from our domain (and are in the spf list in DNS.)

I’m a little unclear on the syntax described here: 
(https://kb.isc.org/docs/aa-00725 )

alice._domainkey.itverx.com.ve. 86400 IN TXT "v=…ZZZ"

Is alice, in this case, the server with the MTA and private keys and itverx.com 
the base domain of the zone? I.e., alice.itverx.com is the server that is signing 
the emails?

What is the .ve. part?

-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs



Debug Approach Help?

2021-08-11 Thread Tim Daneliuk via bind-users
I am running bind 9.16.19 on two FreeBSD 13-STABLE instances.  The master
is on a Digital Ocean droplet and works fine.  The slave is hosted on a
physical machine here in our offices.

This has always worked flawlessly until recently.   Periodically, the slave
refuses to resolve names like 'git.freebsd.org' and we have to restart bind
on the slave to get it working correctly again.

Rather than using cron to restart bind every hour (!), we'd like to get to
the root of the problem.  The slave machine is at the end of a Comcast
Business pipe and their execrable security edge garbage may be implicated.

We could use some help on an approach to debugging this.  Having never had
significant bind problems over 20 years of use, we literally have no named
debugging experience...

TIA,
-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/


Re: Add DNS records automatically for static IP's

2021-08-11 Thread Roberto Carna
Thank you so much !

On Mon, 9 Aug 2021 at 13:40, tale () wrote:
>
> On Mon, Aug 9, 2021 at 8:46 AM Roberto Carna  wrote:
> > Thanks to all of you, is it possible to use nslookup in order to
> > update DNS records from Linux hosts to a Windows DNS server (not BIND)
>
> Not nslookup, but nsupdate as Brian Cuttler said.  nslookup is purely
> a query tool;
> nsupdate implements the DNS Update protocol, which is one of the mechanisms
> that Windows DNS server supports.
>
> So, yes, you can go Linux -> Windows using nsupdate.
>
> > On Thu, 5 Aug 2021 at 14:14, Cuttler, Brian R (HEALTH)
> > () wrote:
> > > I've been using nsupdate for that.
>
> --
> tale
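The distinction tale draws above (nslookup only queries; nsupdate speaks the DNS UPDATE protocol of RFC 2136, which Windows DNS also implements) can be made concrete by building the message nsupdate would send. The following is an added Python example, not nsupdate's code and not anything from BIND or Windows: it assembles the UPDATE message equivalent to a small nsupdate script (`prereq nxdomain` followed by `update add ... A`) in wire format with only the standard library, and parses it back. The zone `example.org`, the host `host1.example.org` and the address `10.0.0.5` are constructed. The message carries no TSIG or GSS-TSIG signature; a production server should accept only signed or otherwise access-controlled updates, so this shows the protocol's structure, not a client to point at a live server.

```python
import socket
import struct

OPCODE_UPDATE = 5                        # RFC 2136 section 2: opcode in the header
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name at offset off; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not used in messages we build")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes = b"") -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_add_a_update(zone: str, host: str, ipv4: str, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """UPDATE message equivalent to this nsupdate script (constructed example):
        zone <zone>
        prereq nxdomain <host>
        update add <host> <ttl> A <ipv4>
        send
    The header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT in an UPDATE."""
    header = struct.pack("!HHHHHH", txid, OPCODE_UPDATE << 11, 1, 1, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # Prerequisite "name is not in use" (RFC 2136 2.4.5): TYPE=ANY, CLASS=NONE,
    # TTL=0, empty RDATA. The server rejects the update with NXDOMAIN-style
    # semantics reversed: YXDOMAIN if the name already exists.
    prereq = rr(host, TYPE_ANY, CLASS_NONE, 0)
    # Update "add to an RRset" (RFC 2136 2.5.1): an ordinary class IN record.
    update = rr(host, TYPE_A, CLASS_IN, ttl, socket.inet_aton(ipv4))
    return header + zone_section + prereq + update


def parse_update(msg: bytes) -> dict:
    """Walk the header, zone, prerequisite and update sections of an UPDATE."""
    txid, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    out = {"id": txid, "opcode": (flags >> 11) & 0xF, "counts": (zo, pr, up, ad),
           "prereq": [], "update": []}
    zname, off = decode_name(msg, off)
    ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    out["zone"] = (zname, ztype, zclass)
    for section, count in (("prereq", pr), ("update", up)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            out[section].append((name, rtype, rclass, ttl, rdata))
    return out


if __name__ == "__main__":
    packet = build_add_a_update("example.org", "host1.example.org", "10.0.0.5")
    print(len(packet), "bytes:", packet.hex())
    print(parse_update(packet))
```

The prerequisite is what makes the script safe to run repeatedly from many Linux hosts: a host that already has a record will get a YXDOMAIN response instead of silently adding a second address. On the server side, the equivalent of `allow-update` or `update-policy` in BIND (or secure-only dynamic updates on Windows) decides who may send such a message at all, and that is where the real access control lives.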


Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

2021-08-11 Thread raf via bind-users
On Wed, Aug 11, 2021 at 09:40:00AM +0200, Matthijs Mekking wrote:

> > Syntax question:
> > In https://bind9.readthedocs.io/en/latest/dnssec-guide.html
> > the double quotes are never used in the zone stanza
> > where the dnssec-policy is referred to. The double
> > quotes sometimes (but not always) appear in the
> > dnssec-policy definition stanza.
> > 
> > Are the double quotes optional in both cases?
> 
> Yes, the dnssec-policy defines or refers to a name that is a string, which
> may be a quoted or unquoted string.
> 
> Some additional information on the subject: When it comes to strings, the
> named.conf parser expects some options to be quoted strings (usually file
> paths), some options to be unquoted strings (things like algorithm and class
> names), and some options to be just strings (usually names).

Thanks.



RE: advance features of BIND DoT and DoH

2021-08-11 Thread Richard T.A. Neal
Swapneel wrote:

> For DoH, please have a look at the following page[1] and BIND9 
> documentation[2] and for DoT[3]

> [1]: https://www.isc.org/blogs/bind-implements-doh-2021/
> [2]: 
> https://bind9.readthedocs.io/en/latest/reference.html?highlight=DoH#http-statement-definition-and-usage
> [3]: https://kb.isc.org/docs/aa-01386

There’s also the following guide if you’re starting from scratch:
https://www.isc.org/blogs/doh-talkdns/

Richard.



Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

2021-08-11 Thread Matthijs Mekking

> Syntax question:
> In https://bind9.readthedocs.io/en/latest/dnssec-guide.html
> the double quotes are never used in the zone stanza
> where the dnssec-policy is referred to. The double
> quotes sometimes (but not always) appear in the
> dnssec-policy definition stanza.
> 
> Are the double quotes optional in both cases?

Yes, the dnssec-policy defines or refers to a name that is a string, 
which may be a quoted or unquoted string.

Some additional information on the subject: When it comes to strings, 
the named.conf parser expects some options to be quoted strings (usually 
file paths), some options to be unquoted strings (things like algorithm 
and class names), and some options to be just strings (usually names).



Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

2021-08-11 Thread Matthijs Mekking

Hi Tim,

On 11-08-2021 04:19, Tim Daneliuk via bind-users wrote:
> On 8/10/21 7:32 PM, raf via bind-users wrote:
> > To get the DS record information to convey to the
> > registrar, after starting to use the default policy,
> > look for the CDS record (the child version of the DS
> > record) with dig:
> > 
> >    dig CDS EXAMPLE.ORG
> > 
> > For the default policy, you'll only have to do this
> > once (or until your server gets compromised and you
> > start again). But until you've done this, it's not
> > done. The trust chain has to go all the way to the
> > root, so you need the involvement of your registrar
> > (to get your DS published and signed).
> 
> That's quite helpful, thanks, but still unclear about one
> thing.  When I run the dig command above I do get a result
> back with a "COOKIE" value in the response.  This value
> changes each time I run the dig.   Is any one of these the
> "DS record" I want to convey to my registrar?
> 
> Other than this I see nothing that resembles a relevant response AND
> the COOKIE field does not show up if I do the dig from outside the zone.

Cookies are a different thing, unrelated to DNSSEC:

https://datatracker.ietf.org/doc/html/rfc7873
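The two points made in this thread (raf: what you hand to the registrar is the content of the CDS record, from which the parent creates the DS; Matthijs: the COOKIE in the OPT pseudosection is RFC 7873 and has nothing to do with DNSSEC) can be checked mechanically. The following is an added Python example, not code from the thread, from BIND or from ISC. It derives the DS RDATA from a DNSKEY exactly as RFC 4034 section 5.1.4 specifies (key tag per Appendix B; SHA-256 digest over the canonical owner name followed by the DNSKEY RDATA), parses `dig`-style answer lines while skipping every `;` line (which is where the COOKIE lives), and reports whether each CDS matches a DS derived from the DNSKEY published for the same name. The zone `example.org`, the 4-byte "public key" `AQIDBA==` (chosen so the sample stays short; no real key is that small) and the cookie value are constructed sample data. Only digest type 2 (SHA-256) is implemented.

```python
import base64
import hashlib
import struct

# Constructed sample of `dig` output (not real records): a DNSKEY with a fake
# 4-byte key, a CDS line filled in by demo(), and the OPT pseudosection whose
# COOKIE is easy to mistake for DNSSEC data. Note that dig prints everything
# that is not an RR as a ';' comment line.
SAMPLE_DIG_TEMPLATE = """\
;; ANSWER SECTION:
example.org.\t\t3600\tIN\tDNSKEY\t257 3 13 AQIDBA==
example.org.\t\t3600\tIN\tCDS\t{cds}

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0123456789abcdef0123456789abcdef (good)
"""


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase labels."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS/CDS RDATA (key tag, algorithm, digest type, digest) for a DNSKEY.
    RFC 4034 5.1.4: digest = hash(owner name in wire form | DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_dig_records(text: str):
    """(owner, type, rdata fields) for each answer line; ';' lines are skipped,
    which drops the OPT pseudosection and its COOKIE."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()          # owner TTL class type rdata...
        if len(fields) < 5:
            continue
        records.append((fields[0], fields[3], fields[4:]))
    return records


def verify_cds(text: str):
    """For every CDS in the output, report whether it equals a DS derived from a
    DNSKEY with the same owner name in the same output."""
    records = parse_dig_records(text)
    derived = set()
    for owner, rtype, rdata in records:
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            pubkey = "".join(rdata[3:])          # dig may break base64 with spaces
            tag, alg, dtype, digest = ds_from_dnskey(owner, flags, proto, alg, pubkey)
            derived.add((owner.lower(), tag, alg, dtype, digest.lower()))
    results = []
    for owner, rtype, rdata in records:
        if rtype == "CDS":
            tag, alg, dtype = int(rdata[0]), int(rdata[1]), int(rdata[2])
            digest = "".join(rdata[3:]).lower()
            matched = (owner.lower(), tag, alg, dtype, digest) in derived
            results.append(((tag, alg, dtype, digest.upper()), matched))
    return results


def demo():
    """Fill the constructed sample with a CDS derived from its fake DNSKEY."""
    tag, alg, dtype, digest = ds_from_dnskey("example.org.", 257, 3, 13, "AQIDBA==")
    text = SAMPLE_DIG_TEMPLATE.format(cds=f"{tag} {alg} {dtype} {digest}")
    return verify_cds(text)


if __name__ == "__main__":
    for cds, ok in demo():
        print("CDS", *cds, "matches published DNSKEY" if ok else "matches NO published DNSKEY")
```

The four fields printed for a matching CDS (key tag, algorithm, digest type, digest) are exactly what the registrar's DS form asks for. A CDS that matches no DNSKEY in the same zone is worth investigating before anything is sent to the registrar: a DS for a key the zone no longer serves makes the whole zone fail validation once it is published in the parent.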


Re: advance features of BIND DoT and DoH

2021-08-11 Thread Swapneel Patnekar
On Wed, Aug 11, 2021 at 10:04 AM Divya  wrote:

>
> Dear Admin,
>
> Has anybody implemented  advance features of BIND DoT and DoH, Kindly help
> me to configure DoT and DoH in DNS with BIND 9.17.16+CentOS  7.9.
>

Hello Divya,

For DoH, please have a look at the following page[1] and BIND9
documentation[2] and for DoT[3]

[1]: https://www.isc.org/blogs/bind-implements-doh-2021/
[2]:
https://bind9.readthedocs.io/en/latest/reference.html?highlight=DoH#http-statement-definition-and-usage
[3]: https://kb.isc.org/docs/aa-01386




>
> With Regards
> Divya
>
> - Original Message -
> From: "Ondřej Surý" 
> To: "klaus darilion" 
> Cc: bind-users@lists.isc.org
> Sent: Monday, August 9, 2021 10:48:54 PM
> Subject: Re: Does BIND supports ANAME RR
>
> No, and there’s no strong use case for that. The ANAME was wrong on every
> level from the protocol perspective and I am glad it is gone.
>
> Ondřej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> > On 9. 8. 2021, at 17:23, Klaus Darilion via bind-users <bind-users@lists.isc.org> wrote:
> >
> > Does every application that uses gethostbyname have a benefit of
> > HTTPS/SVCB? That is what I meant.
> > regards
> > Klaus
> >
> >> -Original Message-
> >> From: Mark Andrews 
> >> Sent: Monday, 9 August 2021 15:55
> >> To: Klaus Darilion 
> >> Cc: Evan Hunt ; Gaurav Kansal ; bind-us...@lists.isc.org
> >> Subject: Re: Does BIND supports ANAME RR
> >>
> >> Every resolver on the planet already supports HTTPS and SVCB.  Every
> >> authoritative server on the planet already supports HTTPS and SVCB via
> >> unknown record format. iOS is already making HTTPS queries for every
> >> webpage. I believe other browsers also make HTTPS queries today. Go look
> >> at your DNS traffic.
> >>
> >> The MR mentioned earlier allows named and the other tools to load and
> >> display the records in presentation format and to do the additional
> >> section processing.  None of that is required to be able to return these
> >> records.   It just makes it easier.
> >>
> >> Just about all the other DNS vendors also have code that can read and
> >> display presentation format.
> >>
> >> ANAME is dead.
> >> --
> >> Mark Andrews
> >>
> >>> On 9 Aug 2021, at 21:53, Klaus Darilion via bind-users <bind-us...@lists.isc.org> wrote:
> >>>
> >>>
> >>>> -Original Message-
> >>>> From: bind-users  On Behalf Of Evan Hunt
> >>>> Sent: Saturday, 7 August 2021 20:21
> >>>> To: Gaurav Kansal 
> >>>> Cc: bind-users@lists.isc.org
> >>>> Subject: Re: Does BIND supports ANAME RR
> >>>>
> >>>>> On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> >>>>> I need the help in figuring out whether BIND supports ANAME ? If yes,
> >>>>> then from which version onwards ?
> >>>>
> >>>> No, it doesn't. The effort to standardize ANAME stalled, and I doubt
> >>>> it'll be coming back.
> >>>>
> >>>> The new HTTPS and SVCB records look like a better approach anyway.
> >>>> BIND will have support for those pretty soon.
> >>>
> >>> But honestly SVCB will not solve the ANAME problem. It will take years
> >>> until all resolvers/clients would support SVCB whereas ANAME would be
> >>> implemented in the authoritative name server and hence would work for
> >>> every client/resolver as client/resolver never sees the ANAME but only
> >>> the A/ record.
> >>>
> >>> regards
> >>> Klaus