Re: named service suddenly fails to start

2021-11-04 Thread Mark Andrews


> On 5 Nov 2021, at 07:11, Grant Taylor via bind-users wrote:
> 
> On 11/4/21 1:27 PM, Bruce Johnson via bind-users wrote:
>> named-checkconf -z revealed a name had been entered with underscores. The 
>> person responsible has been sacked. (not really, merely reminded no 
>> underscores are allowed in A records :-)
> 
> You might want to apologize to them.
> 
> Underscores are legitimate in DNS record owner names, despite the 
> disagreement of their use in hostnames.
> 
> Underscores are used in _acme-challenge., TLSA records 
> _25._tcp._smtp., and DMARC _dmarc. to name a few 
> legitimate uses.  (from a quick `fgrep dig $HISTFILE | fgrep _`)
> 
> Remember, DNS is (a lot more) than /just/ hostnames.

If the policy is no underscores in A records then there is nothing to apologise 
for.  Additionally, publishing A records with non-LDH owners and expecting them 
to work in the context of address lookups is asking for trouble.

Sane software checks responses from the DNS.  There are lots of security issues 
if you don’t.

https://storage.googleapis.com/site-media-prod/meetings/NANOG83/2399/20211101_Jeitner_Injection_Attacks_Reloaded__v1.pdf

> -- 
> Grant. . . .
> unix || die
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: named service suddenly fails to start

2021-11-04 Thread Fred Morris
Grant Taylor's reply is good, but you might also look at the check-names 
option. As he says, underscores are frowned on in hostnames but that's 
about it in theory if not in practice.


You could also contemplate changing the logging destination and level... 
or not.


--

Fred Morris

On Thu, 4 Nov 2021, Bruce  Johnson via bind-users wrote:


This morning our server started failing to reload or start.

checking the status reveals not a lot of info:

systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
  Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor 
preset: disabled)
  Active: failed (Result: exit-code) since Thu 2021-11-04 11:55:17 MST; 27s ago
 Process: 2020 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then 
/usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is 
disabled"; fi (code=exit>


Re: named service suddenly fails to start

2021-11-04 Thread Reindl Harald




On 04.11.21 at 21:11, Grant Taylor via bind-users wrote:

On 11/4/21 1:27 PM, Bruce Johnson via bind-users wrote:
named-checkconf -z revealed a name had been entered with underscores. 
The person responsible has been sacked. (not really, merely reminded 
no underscores are allowed in A records :-)


You might want to apologize to them.

Underscores are legitimate in DNS record owner names, despite the 
disagreement of their use in hostnames.


how does that matter in context of "no underscores are allowed in A 
records"?



Re: named service suddenly fails to start

2021-11-04 Thread Grant Taylor via bind-users

On 11/4/21 1:27 PM, Bruce Johnson via bind-users wrote:
named-checkconf -z revealed a name had been entered with underscores. 
The person responsible has been sacked. (not really, merely reminded no 
underscores are allowed in A records :-)


You might want to apologize to them.

Underscores are legitimate in DNS record owner names, despite the 
disagreement of their use in hostnames.


Underscores are used in _acme-challenge., TLSA records 
_25._tcp._smtp., and DMARC _dmarc. to name a 
few legitimate uses.  (from a quick `fgrep dig $HISTFILE | fgrep _`)


Remember, DNS is (a lot more) than /just/ hostnames.



--
Grant. . . .
unix || die





Re: named service suddenly fails to start

2021-11-04 Thread John Thurston



On 11/4/2021 11:27 AM, Bruce Johnson via bind-users wrote:
named-checkconf -z revealed a name had been entered with underscores. 
The person responsible has been sacked. (not really, merely reminded no 
underscores are allowed in A records :-)


Sounds to me like you might want to incorporate some validity checks 
into your edit/deploy process.


--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
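
A pre-deploy check of the kind Fred Morris (check-names) and John Thurston (validity checks in the edit/deploy process) suggest, added here as an example and not code from the thread or from BIND: a simplified Python model of check-names that flags non-LDH owner names on A, AAAA and MX records and non-LDH targets in NS, MX and SRV RDATA, while leaving TXT and TLSA owners such as _acme-challenge and _25._tcp alone. The zone and every name in it are constructed, and the subset of check-names rules modelled is an assumption of this example.

```python
import re
# Hostname label per RFC 952/1123: letters, digits, hyphen; no edge hyphen.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Simplified model of BIND's check-names (an assumption of this example):
# hostname syntax is enforced on A/AAAA/MX owners and on NS/MX/SRV targets;
# other owners (_acme-challenge, _25._tcp, _dmarc) may carry underscores.
OWNER_CHECKED = {"A", "AAAA", "MX"}
TARGET_CHECKED = {"NS", "MX", "SRV"}

def is_hostname(name: str) -> bool:
    """True when every label of name is LDH (relative or absolute name)."""
    return all(LDH_LABEL.match(label) for label in name.rstrip(".").split("."))

def find_bad_names(zone_text: str) -> list:
    """Return (line_no, rrtype, name) for each record check-names would
    reject. Assumes ';' comments outside quotes and integer TTLs."""
    problems, last_owner = [], "@"
    for n, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith("$"):   # blank, comment, directive
            continue
        fields = line.split()
        if raw[0] in " \t":                    # blank owner: inherit
            owner = last_owner
        else:
            owner = last_owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                      # optional TTL and class
        if not fields:
            continue
        rtype = fields[0].upper()
        if rtype in OWNER_CHECKED and owner != "@" and not is_hostname(owner):
            problems.append((n, rtype, owner))
        if rtype in TARGET_CHECKED and not is_hostname(fields[-1]):
            problems.append((n, rtype, fields[-1]))
    return problems

# Constructed sample zone for this example; all names are made up.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@               IN SOA  ns1 hostmaster 2021110401 7200 900 1209600 300
                IN NS   ns1
ns1             IN A    192.0.2.1
web_server      IN A    192.0.2.2        ; underscore in an A owner: flagged
_acme-challenge IN TXT  "token"          ; underscore in a TXT owner: fine
_25._tcp.mail   IN TLSA 3 1 1 abcd       ; TLSA owner: fine
@               IN MX   10 mail_relay    ; underscore in an MX target: flagged
"""
```

Run over each zone file before it is committed, this catches the underscore that here only surfaced when named-checkconf -z blocked the service start, without rejecting the legitimate underscore owners Grant Taylor lists.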


Re: named service suddenly fails to start

2021-11-04 Thread Reindl Harald



On 04.11.21 at 20:27, Bruce Johnson via bind-users wrote:
On Nov 4, 2021, at 12:01 PM, Bruce Johnson wrote:


This morning our server started failing to reload or start.

checking the status reveals not a lot of info:

systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
  Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; 
enabled; vendor preset: disabled)
  Active: failed (Result: exit-code) since Thu 2021-11-04 11:55:17 
MST; 27s ago
 Process: 2020 ExecStartPre=/bin/bash -c if [ ! 
"$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t 
/var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files 
is disabled"; fi (code=exit>


named-checkconf -z revealed a name had been entered with underscores. 
The person responsible has been sacked. (not really, merely reminded no 
underscores are allowed in A records :-)


Does named-checkzone not check for this?


but what should it do at the point of a service restart?

the better question is why don't your admin backends prevent such mistakes


Re: named service suddenly fails to start

2021-11-04 Thread Bruce Johnson via bind-users


On Nov 4, 2021, at 12:05 PM, Reindl Harald <h.rei...@thelounge.net> wrote:


ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then 
/usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo 
"Checking of zone files is disabled"; fi (code=exi

this nonsense of bash in systemd units typically comes from distributions and 
so you should at least name which one you are using

In this case it is CentOS8.


--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs



Re: named service suddenly fails to start

2021-11-04 Thread Bruce Johnson via bind-users
On Nov 4, 2021, at 12:01 PM, Bruce Johnson <john...@pharmacy.arizona.edu> wrote:

This morning our server started failing to reload or start.

checking the status reveals not a lot of info:

systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
  Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor 
preset: disabled)
  Active: failed (Result: exit-code) since Thu 2021-11-04 11:55:17 MST; 27s ago
 Process: 2020 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == 
"yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; 
else echo "Checking of zone files is disabled"; fi (code=exit>

named-checkconf -z revealed a name had been entered with underscores. The 
person responsible has been sacked. (not really, merely reminded no underscores 
are allowed in A records :-)

Does named-checkzone not check for this?


--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs



Re: named service suddenly fails to start

2021-11-04 Thread Reindl Harald



On 04.11.21 at 20:01, Bruce Johnson via bind-users wrote:

This morning our server started failing to reload or start.

checking the status reveals not a lot of info:

systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; 
vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2021-11-04 11:55:17 MST; 27s 
ago
   Process: 2020 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then 
/usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is 
disabled"; fi (code=exit>

Nov 04 11:55:17 elixir bash[2020]: zone 126.140.10.IN-ADDR.ARPA/IN: loaded 
serial 4
Nov 04 11:55:17 elixir bash[2020]: zone 233.196.128.IN-ADDR.ARPA/IN: loaded 
serial 350
Nov 04 11:55:17 elixir bash[2020]: zone 
pharm-classless.124.135.150.IN-ADDR.ARPA/IN: loaded serial 4830
Nov 04 11:55:17 elixir bash[2020]: zone 
bio5-classless.123.135.150.in-addr.arpa/IN: loaded serial 402
Nov 04 11:55:17 elixir bash[2020]: zone 18.129.10.IN-ADDR.ARPA/IN: loaded 
serial 4755
Nov 04 11:55:17 elixir bash[2020]: zone 19.129.10.IN-ADDR.ARPA/IN: loaded 
serial 4756
Nov 04 11:55:17 elixir bash[2020]: zone 118.193.10.IN-ADDR.ARPA/IN: loaded 
serial 9
Nov 04 11:55:17 elixir systemd[1]: named-chroot.service: Control process 
exited, code=exited status=1
Nov 04 11:55:17 elixir systemd[1]: named-chroot.service: Failed with result 
'exit-code'.
Nov 04 11:55:17 elixir systemd[1]: Failed to start Berkeley Internet Name 
Domain (DNS).

We have one dynamically updated zone and only three other zone files that have 
been updated today and named-checkzone says they’re ok.

I'm guessing it’s the zone file after the last successfully loaded one, but we 
have a LOT of zone files; is there a particular order in which they’re loaded 
at startup? I’ve made no changes to named.conf or anything else on this server.


ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; 
then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; 
else echo "Checking of zone files is disabled"; fi (code=exi


this nonsense of bash in systemd units typically comes from 
distributions and so you should at least name which one you are using



named service suddenly fails to start

2021-11-04 Thread Bruce Johnson via bind-users
This morning our server started failing to reload or start. 

checking the status reveals not a lot of info:

systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; 
vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2021-11-04 11:55:17 MST; 27s ago
  Process: 2020 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == 
"yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; 
else echo "Checking of zone files is disabled"; fi (code=exit>

Nov 04 11:55:17 elixir bash[2020]: zone 126.140.10.IN-ADDR.ARPA/IN: loaded 
serial 4
Nov 04 11:55:17 elixir bash[2020]: zone 233.196.128.IN-ADDR.ARPA/IN: loaded 
serial 350
Nov 04 11:55:17 elixir bash[2020]: zone 
pharm-classless.124.135.150.IN-ADDR.ARPA/IN: loaded serial 4830
Nov 04 11:55:17 elixir bash[2020]: zone 
bio5-classless.123.135.150.in-addr.arpa/IN: loaded serial 402
Nov 04 11:55:17 elixir bash[2020]: zone 18.129.10.IN-ADDR.ARPA/IN: loaded 
serial 4755
Nov 04 11:55:17 elixir bash[2020]: zone 19.129.10.IN-ADDR.ARPA/IN: loaded 
serial 4756
Nov 04 11:55:17 elixir bash[2020]: zone 118.193.10.IN-ADDR.ARPA/IN: loaded 
serial 9
Nov 04 11:55:17 elixir systemd[1]: named-chroot.service: Control process 
exited, code=exited status=1
Nov 04 11:55:17 elixir systemd[1]: named-chroot.service: Failed with result 
'exit-code'.
Nov 04 11:55:17 elixir systemd[1]: Failed to start Berkeley Internet Name 
Domain (DNS).

We have one dynamically updated zone and only three other zone files that have 
been updated today and named-checkzone says they’re ok.

I'm guessing it’s the zone file after the last successfully loaded one, but we 
have a LOT of zone files; is there a particular order in which they’re loaded 
at startup? I’ve made no changes to named.conf or anything else on this server.

-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs
