Re: Possible to condition a view based on the interface the query comes in on?
Thanks for the suggestions, folks.

Using views with RPZs just gets problematic. Sharing vs forwarding: forwarding seems cleaner and although there are two copies of /BIND/ I don't know that that visibility really hurts anything. Plus that potentially allows the "rear view" resolver to live on a different machine.

https://github.com/m3047/rear_view_rpz/blob/main/install/Optional_DNS_Service.md

--
Fred Morris

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC implementation on IPv6 PTR Zones
Not able to sign the zone for 2409::/28

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.4.2.ip6.arpa. -t Zone

Pls help..

With Regards

From: "Divya"
To: m...@posix.co.za
Cc: bind-users@lists.isc.org
Sent: Monday, November 22, 2021 3:49:30 PM
Subject: Re: DNSSEC implementation on IPv6 PTR Zones

How to create DS for 2409::/28

With Regards
Divya Parashar

From: m...@posix.co.za
To: bind-users@lists.isc.org
Cc: "Divya"
Sent: Thursday, November 18, 2021 3:44:56 PM
Subject: Re: DNSSEC implementation on IPv6 PTR Zones

And I can testify that this works. I have 2001:42a0::/32 signed via AFRINIC.

One suggestion though. When one signs an IPv4 reverse - use NSEC - as everyone can guess what is there anyway. With IPv6 - you might want to use NSEC3 - as there can be huge holes in the reverse zone. Make the bad guy work at guessing what is in the zone.

Also - if signing a brand new zone - try using Algo 13 (Elliptical curve) as it will generate shorter keys - so less chance of your zone being used in a DNS DDOS amplification attack - it doesn't amplify as much.

On 11/18/21 12:07 PM, Mark Andrews wrote:

> You do it exactly the same as any other zone. You create DNSKEYs. You sign the zone. You add DS records to the parent zone.
> --
> Mark Andrews
>
> On 18 Nov 2021, at 20:28, Divya <divy...@nic.in> wrote:
>
>> Dear Admin,
>> Has anybody implemented DNSSEC on IPv6 reverse zones? Kindly help us to configure DNSSEC on reverse zones of IPV6 segment with BIND 9.17.16+CentOS 7.9.
>> With Thanks & Regards
>> Divya
>> https://amritmahotsav.nic.in/

--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

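An added example, not part of the thread or written by any of its posters: it derives the ip6.arpa zone origin for an IPv6 prefix in nibble format (RFC 3596) and checks a `dnssec-signzone -o` value against it. The function names are hypothetical; `PAGE_ORIGIN` is the `-o` value from the command in the message above, which has 32 nibble labels and so names the single address 2409::/128, while the origin for 2409::/28 is 0.0.0.9.0.4.2.ip6.arpa.

```python
import ipaddress

HEX = "0123456789abcdef"

def reverse_zone_origins(prefix):
    """ip6.arpa zone origin(s) covering an IPv6 prefix (RFC 3596 nibble format).

    A prefix length divisible by 4 maps to one zone; any other length is
    split into the nibble-aligned subnets that make it up.
    """
    net = ipaddress.IPv6Network(prefix)        # raises if host bits are set
    aligned = -(-net.prefixlen // 4) * 4        # round up to a nibble boundary
    origins = []
    for sub in net.subnets(new_prefix=aligned):
        nibbles = sub.network_address.exploded.replace(":", "")[: aligned // 4]
        labels = list(reversed(nibbles)) + ["ip6", "arpa"]
        origins.append(".".join(labels) + ".")
    return origins

def origin_prefix(origin):
    """Inverse: the prefix that an ip6.arpa owner name actually denotes."""
    labels = origin.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not under ip6.arpa")
    nibbles = labels[:-2][::-1]
    if len(nibbles) > 32 or any(len(n) != 1 or n not in HEX for n in nibbles):
        raise ValueError("expected at most 32 single-hex-digit labels")
    digits = "".join(nibbles).ljust(32, "0")
    groups = ":".join(digits[i:i + 4] for i in range(0, 32, 4))
    return ipaddress.IPv6Network(f"{groups}/{len(nibbles) * 4}")

def origin_matches(prefix, origin):
    """True if origin (e.g. a dnssec-signzone -o value) is a zone for prefix."""
    return origin.lower().rstrip(".") + "." in reverse_zone_origins(prefix)

# The -o value from the command in the message above: 28 zero labels + 9.0.4.2
PAGE_ORIGIN = "0." * 28 + "9.0.4.2.ip6.arpa."

if __name__ == "__main__":
    print(reverse_zone_origins("2409::/28"))
    print(origin_prefix(PAGE_ORIGIN), origin_matches("2409::/28", PAGE_ORIGIN))
```
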
Re: DNSSEC implementation on IPv6 PTR Zones
Divya wrote:
> How to create DS for 2409::/28

The fun / maddening part of managing reverse DNS is getting to know how your RIR handles it, and the weird differences from common-or-garden forward domain registrations.

In your case, 2409::/28 is allocated by APNIC. They have a bit of documentation at the link below, tho I can't find anything about DS records or DNSSEC. Perhaps it's more obvious once you have logged into their resource management web pages.

https://www.apnic.net/manage-ip/manage-resources/reverse-dns/

Tony.
--
f.anthony.n.finch https://dotat.at/
Sole, Lundy, Fastnet: Northeast 4 to 6. Slight or moderate in Lundy, otherwise moderate or rough, becoming slight or moderate in Fastnet. Showers. Good.

Re: DNSSEC implementation on IPv6 PTR Zones
How to create DS for 2409::/28

With Regards
Divya Parashar