Re: "an error occurred while creating registry keys" - BIND 9 installer

2023-06-08 Thread Petr Špaček

Hello,

let me remind everyone on this list that Windows support is going to end 
at the end of 2023:

https://kb.isc.org/docs/supported-platforms

Better to start looking for alternatives now.

Petr Špaček

On 07. 06. 23 21:07, Danny Mayer wrote:
> You need to be an administrator to do this as it's a privileged operation.
>
> Danny
>
> On 6/7/23 5:53 AM, Bozhidar Petrov wrote:
>> Hi,
>> Please pardon the amateur question but I'm getting "an error occurred
>> while creating registry keys" from the BIND 9 installer.
>>
>> How can I resolve this?
>> Thank you.
>> Boz


--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Question regarding delv and custom local trust anchor

2023-06-08 Thread Evan Hunt
On Thu, Jun 08, 2023 at 07:57:12PM +, Evan Hunt wrote:
> So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option.
> This needs to be reported as a bug to the systemd maintainers. And, maybe
> delv should have a +nocookie option.

Hmm, on further inspection, I was wrong about this - the COOKIE isn't the
problem.  It seems to be sending back NOTIMP if you specify the CD and DO
bits (i.e., +cd and +dnssec) in the same query.

I had added the +cd flag to the query because I was seeing SERVFAIL on a
query for the .org DS record. I guessed that this was caused by an upstream
validation problem, and I may have been right about that, but we can't
bypass it with +cd because of this NOTIMP bug.

So... I'm not sure what the specific problem is now, but the general
problem does appear to be systemd-resolved.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
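
The +cd and +dnssec switches mentioned above set two different bits: CD in the DNS header flags and DO in the EDNS OPT record. The following Python code is an added example, not part of the original message or of BIND; it builds such a query and decodes a reply header. The NOTIMP reply is a constructed sample mirroring the trace quoted in this thread, and the COOKIE option is left out.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035); DO is an EDNS flag in the OPT TTL (RFC 3225).
QR, RD, RA, CD = 0x8000, 0x0100, 0x0080, 0x0010
DO = 0x8000
OPT = 41
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=7870, cd=False, do=False, udp_size=1232):
    """cd sets the header CD bit (+cd); do appends an OPT record with DO (+dnssec)."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO, 0) if do else b""
    return header + question + opt

def describe(packet):
    """Decode RCODE, header flags and the DO bit (handles question + OPT only)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    names = [n for n, bit in (("qr", QR), ("rd", RD), ("ra", RA), ("cd", CD)) if flags & bit]
    pos = 12
    for _ in range(qd):              # skip each question entry
        while packet[pos]:
            pos += 1 + packet[pos]
        pos += 1 + 4                 # zero byte, then QTYPE and QCLASS
    edns_do = False
    if an == 0 and ns == 0 and ar >= 1 and len(packet) >= pos + 11 and packet[pos] == 0:
        rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        edns_do = rtype == OPT and bool(ttl & DO)
    rcode = flags & 0x000F
    return {"id": qid, "rcode": RCODES.get(rcode, str(rcode)), "flags": names, "do": edns_do}

def constructed_notimp_reply(query):
    """Constructed sample: same id and question, flags qr rd ra, RCODE NOTIMP."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, QR | RD | RA | 4, 1, 0, 0, 1)
    qend = query.index(b"\x00", 12) + 5   # end of the single question
    return header + query[12:qend] + b"\x00" + struct.pack("!HHIH", OPT, 65494, DO, 0)

if __name__ == "__main__":
    q = build_query("www.isc.org", cd=True, do=True)
    print(describe(q))
    print(describe(constructed_notimp_reply(q)))
```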


Re: Question regarding delv and custom local trust anchor

2023-06-08 Thread Evan Hunt
On Thu, Jun 08, 2023 at 09:54:15AM -0400, Josh Kuo wrote:
> $ delv -a right.key www.example.com . A
> ;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
> ;; resolution failed: broken trust chain

The address 127.0.0.53 was the clue I needed to figure this out: I suspect
you're on Linux, and it's using systemd-resolved as the local resolver.

When I tried delv on a system configured that way, it got a NOTIMP response
to its first query:

$ delv +cd +mtrace @127.0.0.53 www.isc.org
;; fetch: www.isc.org/A
;; sending packet to 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   7870
;; flags: rd cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 8e31ae172137a02f
;; QUESTION SECTION:
;www.isc.org.   IN  A


;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id:   7870
;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
; OPT=5: 05 07 08 0a 0d 0e 0f ("...")
; OPT=6: 01 02 04 ("...")
; OPT=7: 01 (".")
;; QUESTION SECTION:
;www.isc.org.   IN  A


;; NOTIMP unexpected RCODE resolving 'www.isc.org/A/IN': 127.0.0.53#53
;; resolution failed: SERVFAIL

So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option.
This needs to be reported as a bug to the systemd maintainers. And, maybe
delv should have a +nocookie option.

In the meantime, the workaround is the one you found: point delv to a
resolver that implements EDNS correctly. It will validate the data it
receives, but it has to receive some.

The newest version of delv, in the BIND 9.19 development release, has
a 'delv +ns' option to do its own resolution internally, without needing
an external server to look up the data; that would also work.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Question regarding delv and custom local trust anchor

2023-06-08 Thread Josh Kuo
Hello,
I am trying to use delv (version 19.8.2 on Ubuntu 0.22.04) to troubleshoot
using a custom trust anchor. However, I am getting very strange results
from delv. The short of it is, I must point delv at another validating
resolver (such as @8.8.8.8) for the custom trust anchors (-a) to work.

First, I use the correct trust anchor (right.key), I query twice, with and
without @8.8.8.8:

$ cat right.key
trust-anchors {
. initial-key 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
};


$ delv -a right.key www.example.com . A
;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain


$ delv -a right.key www.example.com . A @8.8.8.8
; fully validated
www.example.com. 10545 IN A 93.184.216.34
www.example.com. 10545 IN RRSIG A 13 3 86400 20230626193619 20230605194008
44029 example.com. grjd2rY82fZuYxz3laDCQKu2ZbcOmy4/eApedHRVFsMGOGwmLJ3FU08D
2dr4BWtpVm12HAgyt0euyGCcQLDErg==

Then, I tested it with a purposely misconfigured key. Again, two queries,
with and without @8.8.8.8:

$ cat wrong.key
trust-anchors {
. initial-key 257 3 8
"AwEAAcxpNx7yHa+8KpYjdi8wPJw8cXusWGo2deQsPANOJFDhF4Dx2NTrEjvIDMGymLpXLSj7PpAzbhBwcKMQ/WEUprTl7Dfn26HYXFl3K0U4AahZO99seYkQao82n21VkfjguSv1SXmzerrwsGXP91CncXJ7Apz8wieJDLe3u4gA/DkqvjeCtE+sf+DcSqalnKgY6TWmKFX0VPPL2W3TXwLHyfVh5AWV2mGpugJ4YUoqtmDgXwOjUvkZDxQFsliE/iYc1S9tYVD40fbfL3l8vRXoVfListNNQBKh7oDXpPKEXgOn5kl8V05hcG1LAbB0jtOtPdgs+BJ+3WN0o2q+PSo9QVE=";
};


$ delv -a wrong.key www.example.com . A
;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain


$ delv -a wrong.key www.example.com . A @8.8.8.8
;; validating ./DNSKEY: no valid signature found (DS)
;; no valid RRSIG resolving './DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'com/DS/IN': 8.8.8.8#53
;; broken trust chain resolving 'com/DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'example.com/DS/IN': 8.8.8.8#53
;; broken trust chain resolving 'example.com/DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'www.example.com/A/IN': 8.8.8.8#53
;; resolution failed: broken trust chain

This has me scratching my head... I know delv is capable of acting as a
validating resolver. And I want it to. What am I doing wrong? What other
information can I provide? +vtrace?

A note about why I am doing this seemingly pointless exercise: Back in
2018/2019 during the first root key rollover, several others experienced
the issue where the trust anchor on their validating resolver(s) did not
change, resulting in SERVFAIL. Not everyone has access to the validating
resolver's configuration, in fact, some of them had to prove to their ISP
or whoever is running the validating resolver that it's the trust anchor
that needs to be updated. This is an exercise that I am planning to teach
others, so when/if this happens again the next time the root key rolls,
they know how to use delv to produce evidence to show their DNS
administrators to update the trust anchor.

Thanks in advance.

-Josh
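
The right-key/wrong-key comparison above can be turned into a repeatable check. The following Python code is an added example, not part of the original post or of BIND; it classifies delv output using only the message strings that appear in this thread, and the verdict names and the IPv4/port 53 pattern are assumptions of the example.

```python
import re

# Sample outputs copied from the delv runs quoted in this thread.
STUB = """;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain"""
GOOD = """; fully validated
www.example.com. 10545 IN A 93.184.216.34"""
BAD = """;; validating ./DNSKEY: no valid signature found (DS)
;; no valid RRSIG resolving './DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'www.example.com/A/IN': 8.8.8.8#53
;; resolution failed: broken trust chain"""
NOTIMP = ";; NOTIMP unexpected RCODE resolving 'www.isc.org/A/IN': 127.0.0.53#53"

SERVER_RE = re.compile(r": (\d+\.\d+\.\d+\.\d+)#53$")  # assumes IPv4 and port 53

def classify(output):
    """Return (verdict, servers named in the messages) for one delv run."""
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    servers = sorted({m.group(1) for l in lines if (m := SERVER_RE.search(l))})
    if "; fully validated" in lines:
        return "validated", servers
    if any("unexpected RCODE" in l for l in lines):
        return "resolver-error", servers         # upstream answered with an error RCODE
    if any(l.startswith(";; validating ./DNSKEY: no valid signature") for l in lines):
        return "root-anchor-mismatch", servers   # root DNSKEY fails against our anchor
    if any("broken trust chain" in l for l in lines):
        return "inconclusive", servers           # failed, but no cause is shown
    return "unknown", servers

def anchor_test(right_out, wrong_out):
    """Compare a run with the correct anchor to one with a deliberately wrong anchor."""
    right, wrong = classify(right_out)[0], classify(wrong_out)[0]
    if right == "validated" and wrong == "root-anchor-mismatch":
        return "anchor-sensitive"    # outcome tracks the anchor: usable as evidence
    if right == wrong:
        return "anchor-independent"  # same result either way: check the resolver path
    return "mixed"

if __name__ == "__main__":
    print("via 127.0.0.53:", anchor_test(STUB, STUB), classify(STUB))
    print("via 8.8.8.8:   ", anchor_test(GOOD, BAD), classify(BAD))
    print("mtrace line:   ", classify(NOTIMP))
```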