DNSSec mess with SHA1

2023-12-13 Thread Wolfgang Riedel via bind-users
Hi Folks,

I just wonder what your take is on the current DNSSec mess with SHA1?

There are still a lot of top level domains being signed with SHA1 and it looks 
like nobody really cares?
Current OS releases like RHEL9 and others simply removed SHA1 from the code, so 
if you're running BIND with "dnssec-validation auto" all those domains fail to 
resolve and the only way is "dnssec-validation no", which eliminates the 
whole idea of DNSSec!

The worst is that even nist.gov fails, WTF!
https://dnsviz.net/d/nist.gov/dnssec/

Any advice or ideas?

Thank you,
Wolfgang


Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559

Am Leitenbruennlein 22 | D-91056 Erlangen | Bayern | Germany
phone: +49-9131-610-310
fax: +49-9131-610-333
email: wolfgang.rie...@f1-consult.com
web: www.f1-consult.com
OpenPGP key: CAF005CEC96C30CF4DBA5AFA3DBAFBAF63364
Zoom: https://zoom.us/j/5776157658
WebEx: https://f1-consult.webex.com/meet/wolfgang.riedel
__
This email may contain confidential and privileged material for the sole use of 
the intended recipient.
Any review, use, distribution or disclosure by others is strictly prohibited.
If you are not the intended recipient (or authorized to receive for the 
recipient),
please contact the sender by reply email and delete all copies of this message.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Instructions to use delv to test DNS configured domain before DS uploaded to parent

2023-12-13 Thread Brett Delmage via bind-users
and to answer my own question as I finally found the section in the manual 
here:


https://bind9.readthedocs.io/en/latest/dnssec-guide.html#verification


On Wed, 13 Dec 2023, Brett Delmage via bind-users wrote:


Sorry, I pasted the wrong version (too many remote shells open today)

Should be:
ii  bind9        1:9.18.19-1~deb12u1  amd64  Internet Domain Name Server
ii  bind9-utils  1:9.18.19-1~deb12u1  amd64  Utilities for BIND 9


On Wed, 13 Dec 2023, Brett Delmage wrote:

I previously used delv with a manually made trust/key file to test that a 
DNSSEC-enabled zone was generated correctly.


Despite searching for all kinds of terms I cannot find those instructions 
(in readthedocs I believe).


Could someone please point me there?

bind9, bind9-dnsutils: 9.18.15

Thanks.

Brett






Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread G.W. Haywood

Hi there,

On Wed, 13 Dec 2023, Greg Choules wrote:


If your server can reach the Internet it can recurse all on its own.


And for extra information, I recommend you give the '+trace' option to dig.


I hope that helps.


Ditto. :)

--

73,
Ged.


Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Greg Choules via bind-users
Hi Michel.
You will get an authoritative answer (AA bit = 1) if the server is either
primary (master) or secondary (slave) for the QNAME (query name); in this
case "reseau1.lan". From the config snip you provided this is because you
have the config:

zone "reseau1.lan" {
   type master;
...
};

If you make a query for "xxx.reseau1.lan" to this server, the response you
get back will depend on whether you have anything in the zone file
("db.reseau1.lan")
that would match that QNAME. If you do not have "xxx" or "*" (wildcard)
then there will be no match and the response will be (authoritative)
NXDOMAIN - this name does not exist at all.
Personally I would not use a wildcard because it gives the impression that
any name exists when really it doesn't.

NOTE that the existence of "reseau1.lan" means that ALL names beneath this
point will be swallowed by the server, e.g. "a.b.c.d.e.f.reseau1.lan" will
all return NXDOMAIN +AA=1

What behaviour do you think you would like to see?

Looking at another part of your config, you should not need this at all:

options {
   forwarders {8.8.8.8;};
...
};

If your server can reach the Internet it can recurse all on its own.

I hope that helps.
Greg

On Wed, 13 Dec 2023 at 16:29, Michel Diemer via bind-users <
bind-users@lists.isc.org> wrote:

>
> Dear Bind user,
>
> I am a teacher and trying to understand how dns works. I am spending hours
> reading various sources without finding satisfying information. For
> teaching purposes I have created a virtual machine with isc dhcp server and
> bind9 and another virtual machine that uses the first one as isc dhcp and
> dns server.
>
> I have disabled IPv6 by setting link-local: [] in netplan's setting.
>
> The name of the network (dns zone) is "reseau1.lan". When I "dig -4
> reseau1.lan" the AUTHORITY bit is set to 1.
>
> Why or when should the AUTHORITY bit set to 1 ? What does it take for
> nslookup to give me an authoritative answer ?
>
> If I "ping xxx.reseau1.lan" I get an NXDOMAIN answer. Why NXDOMAIN and not
> NOERROR (NODATA) ? The domain "reseau1.lan" exists and my dns server is
> authoritative for this zone (SOA record) but the computer "xxx" on this
> domain does not. Should I use a wildcard dns record ?
>
> I have tried to empty the list of forwarders and disable the dns cache ...
> should I configure a dns-resolver only for the domain reseau1.lan and then
> a dns forwarder for external dns queries ? Or maybe configure the resolver
> for the lan network interface and the forwarder on the internet network
> interface on the dns server ?
>
> I managed to get "AUTHORITY: 1" when typing "dig -4 soa reseau1.lan" by
> disabling the forwarders and the cache so I guess I should configure bind
> per network interface. But when typing "dig -4 pc1.reseau1.lan" the
> AUTHORITY bit is always set to 0.
>
>
> Kind Regards,
>
> Michel Diemer
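The response logic Greg describes above, as an added example that is not part of the original post and is not BIND code: a toy authoritative lookup over constructed zone data for reseau1.lan (the names, addresses and the "lab" empty non-terminal are assumptions made for the illustration). It covers the wildcard case Greg mentions and one distinction the thread asks about but does not spell out: a name that exists but has no record of the requested type, including an empty non-terminal such as lab.reseau1.lan, gets NOERROR with an empty answer section (NODATA), while a name that does not exist anywhere under the apex gets NXDOMAIN; both carry AA=1 because the server is authoritative for everything below reseau1.lan.

```python
"""Toy authoritative lookup for one zone, showing when an answer is
authoritative (AA=1) and why a missing name gives NXDOMAIN while an existing
name with no RRset of the requested type gives NOERROR with an empty answer
(NODATA). Added example for the reseau1.lan thread; not BIND code."""

ZONE_ORIGIN = "reseau1.lan."

# Constructed zone data standing in for db.reseau1.lan: owner -> type -> RRs.
ZONE = {
    "reseau1.lan.": {
        "SOA": ["ns1.reseau1.lan. admin.reseau1.lan. 1 3600 900 604800 300"],
        "NS": ["ns1.reseau1.lan."],
    },
    "ns1.reseau1.lan.": {"A": ["192.0.2.53"]},
    "pc1.reseau1.lan.": {"A": ["192.0.2.10"]},
    # "lab.reseau1.lan." owns nothing itself; it exists only as an empty
    # non-terminal because a name below it has data.
    "host.lab.reseau1.lan.": {"A": ["192.0.2.20"]},
}


def _fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _exists(zone, name):
    """A name exists if it owns an RRset or is an ancestor of one that does."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def lookup(qname, qtype, zone=ZONE, origin=ZONE_ORIGIN):
    """Return (rcode, aa, answer_rrs) as an authoritative-only server would."""
    qname, qtype = _fqdn(qname), qtype.upper()
    if qname != origin and not qname.endswith("." + origin):
        # Outside the zone: no authority here, and no recursion offered.
        return ("REFUSED", False, [])
    if _exists(zone, qname):
        # Name exists (possibly as an empty non-terminal). A missing type is
        # NODATA: NOERROR, AA=1, empty answer section.
        return ("NOERROR", True, zone.get(qname, {}).get(qtype, []))
    # Name does not exist. RFC 4592: find the closest encloser (nearest
    # existing ancestor) and use a wildcard directly below it, if any.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):
            wildcard = "*." + ancestor
            if wildcard in zone:
                # Synthesised answer; still NODATA if the wildcard lacks the type.
                return ("NOERROR", True, zone[wildcard].get(qtype, []))
            break
    # Everything below the apex is ours, so the denial is authoritative too.
    return ("NXDOMAIN", True, [])
```

To compare with a real server, run `dig @<server> xxx.reseau1.lan` and read the header: the authoritative-answer flag is `aa` on the `flags:` line, whereas `AUTHORITY: n` counts records in the authority section (an NXDOMAIN from an authoritative server typically carries the SOA there). A resolver answering from cache or through a forwarder does not set `aa`, which is why a cached answer for pc1.reseau1.lan comes back without it while the authoritative server sets it.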


Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Stephane Bortzmeyer
On Wed, Dec 13, 2023 at 05:29:02PM +0100,
 Michel Diemer via bind-users  wrote 
 a message of 1723 lines which said:

> another virtual machine that uses the first one as ics dhcp and dns
> server.

An important thing about DNS: there are two types of DNS servers, very
different. Resolvers and authoritative. They use the same protocol,
and BIND can do both, but they have very different properties.

> I have disabled IPv6 by setting link-local: [] in netplan's setting.

Too bad. This is 2023, not the 20th century.

> The name of the network (dns zone) is "reseau1.lan". When I "dig -4
> reseau1.lan" the AUTHORITY bit is set to 1. 

You mean AA (authoritative answer)?

> Why or when should the AUTHORITY bit set to 1 ? What does it take
> for nslookup to give me an authoritative answer ? 

nslookup is an old and not very satisfying program. I would suggest
using dig instead.

> If I "ping xxx.reseau1.lan" I get an NXDOMAIN answer. Why NXDOMAIN
> and not NOERROR (NODATA) ? The domain "reseau1.lan" exists and my
> dns server is authoritative for this zone (SOA record) but the
> computer "xxx" on this domain does not. Should I use a wildcard dns
> record ?

Adding an entry for the "xxx" subdomain seems simpler.

> I have tryed to empty the list of forwarders and disable the dns
> cache ... should I configure a dns-resolver only for the domain
> reseau1.lan and then a dns forwared for external dns queries ? Or
> maybe configure the resolver for the lan network interface and the
> forwarder on the internet network interface on the dns server ?

I strongly suggest to separate resolver and authoritative. You
normally have authoritative answers from the authoritative servers
(surprise!) and non-authoritative from the resolvers, at least when
their cache is warm.



Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Michel Diemer via bind-users

Dear Bind user,

I am a teacher and trying to understand how dns works. I am spending hours 
reading various sources without finding satisfying information. For teaching 
purposes I have created a virtual machine with isc dhcp server and bind9 and 
another virtual machine that uses the first one as isc dhcp and dns server.

I have disabled IPv6 by setting link-local: [] in netplan's setting.

The name of the network (dns zone) is "reseau1.lan". When I "dig -4 
reseau1.lan" the AUTHORITY bit is set to 1. 

Why or when should the AUTHORITY bit set to 1 ? What does it take for nslookup 
to give me an authoritative answer ? 

If I "ping xxx.reseau1.lan" I get an NXDOMAIN answer. Why NXDOMAIN and not 
NOERROR (NODATA) ? The domain "reseau1.lan" exists and my dns server is 
authoritative for this zone (SOA record) but the computer "xxx" on this domain 
does not. Should I use a wildcard dns record ?

I have tried to empty the list of forwarders and disable the dns cache ... 
should I configure a dns-resolver only for the domain reseau1.lan and then a 
dns forwarder for external dns queries ? Or maybe configure the resolver for the 
lan network interface and the forwarder on the internet network interface on 
the dns server ?

I managed to get "AUTHORITY: 1" when typing "dig -4 soa reseau1.lan" by 
disabling the forwarders and the cache so I guess I should configure bind per 
network interface. But when typing "dig -4 pc1.reseau1.lan" the AUTHORITY bit 
is always set to 0.

Kind Regards,

Michel Diemer





Re: Instructions to use delv to test DNS configured domain before DS uploaded to parent

2023-12-13 Thread Brett Delmage via bind-users

Sorry, I pasted the wrong version (too many remote shells open today)

Should be:
ii  bind9        1:9.18.19-1~deb12u1  amd64  Internet Domain Name Server
ii  bind9-utils  1:9.18.19-1~deb12u1  amd64  Utilities for BIND 9


On Wed, 13 Dec 2023, Brett Delmage wrote:

I previously used delv with a manually made trust/key file to test that a 
DNSSEC-enabled zone was generated correctly.


Despite searching for all kinds of terms I cannot find those instructions 
(in readthedocs I believe).


Could someone please point me there?

bind9, bind9-dnsutils: 9.18.15

Thanks.

Brett




Instructions to use delv to test DNS configured domain before DS uploaded to parent

2023-12-13 Thread Brett Delmage via bind-users
I previously used delv with a manually made trust/key file to test that a 
DNSSEC-enabled zone was generated correctly.


Despite searching for all kinds of terms I cannot find those instructions 
(in readthedocs I believe).


Could someone please point me there?

bind9, bind9-dnsutils: 9.18.15

Thanks.

Brett


Re: How do I debug if the queries are not getting resolved?

2023-12-13 Thread Stacey Marshall
That's good advice Greg, I thought I'd read up some more about that in the 
DNSSEC guide within the Admin. Reference Manual - 
https://bind9.readthedocs.io/en/v9.18.20/dnssec-guide.html - only it is not 
mentioned within that section (dnssec-validation is).  It is in the 
Configuration Reference - 
https://bind9.readthedocs.io/en/v9.18.20/reference.html#namedconf-statement-validate-except
 - right under dnssec-validation (which ideally would mention it too).

I've created an enhancement request
https://gitlab.isc.org/isc-projects/bind9/-/issues/4489

--
Stace

On 12 Dec 2023, at 18:00, Greg Choules via bind-users wrote:

> I really wouldn't recommend that.
> If you have to, create exceptions for domains that won't validate correctly 
> by using the "validate-except {..." statement.
> In parallel with that, encourage people with broken domains to fix them, 
> which makes life better for all of us.
>
> Cheers, Greg
>
> On Tue, 12 Dec 2023 at 17:42, Blason R  wrote:
>
>> Thanks folks
>>
>> I just disabled DNSSEC validation from bind config file (globally) and
>> those domains started resolving fine.
>>
>>
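An added example serving both Wolfgang Riedel's SHA1 thread at the top of this page and Greg Choules' validate-except suggestion in this one; it is not ISC code and is not from any poster. It classifies DNSKEY and DS records by their RFC 8624 status (section 3.1 for signing algorithms, section 3.3 for DS digest types), flags zones whose keys and DS records use nothing but RSASHA1 (5) or RSASHA1-NSEC3-SHA1 (7), and generates the named.conf `validate-except` stanza for just those zones, so the exception stays narrow rather than switching validation off globally. The record lines are constructed placeholders, not data for any real zone, and the functions `parse_rr`, `audit` and `validate_except_stanza` are names chosen here. Whether a validator whose OpenSSL build refuses SHA-1 signatures then treats such a zone as insecure or fails it with SERVFAIL depends on the BIND version and build, which the example does not model; it only tells you which zones are exposed.

```python
"""Audit DNSKEY/DS records against RFC 8624 and emit a validate-except stanza
for zones whose chain of trust depends on SHA-1 alone. Added example for the
SHA1 thread and the validate-except advice on this page; not ISC code. It does
not query the DNS: records arrive as presentation-format text."""

# RFC 8624 section 3.1, DNSKEY algorithms: (mnemonic, signing, validation).
DNSKEY_ALGORITHMS = {
    1: ("RSAMD5", "MUST NOT", "MUST NOT"),
    3: ("DSA", "MUST NOT", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED", "MUST"),
    6: ("DSA-NSEC3-SHA1", "MUST NOT", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED", "MUST"),
    8: ("RSASHA256", "MUST", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED", "MUST"),
    12: ("ECC-GOST", "MUST NOT", "MAY"),
    13: ("ECDSAP256SHA256", "MUST", "MUST"),
    14: ("ECDSAP384SHA384", "MAY", "RECOMMENDED"),
    15: ("ED25519", "RECOMMENDED", "RECOMMENDED"),
    16: ("ED448", "MAY", "RECOMMENDED"),
}
SHA1_ALGORITHMS = {5, 7}  # signature algorithms that need SHA-1 from the crypto library

# RFC 8624 section 3.3, DS digest types: (name, delegation, validation).
DS_DIGESTS = {
    1: ("SHA-1", "MUST NOT", "MUST"),
    2: ("SHA-256", "MUST", "MUST"),
    3: ("GOST", "MUST NOT", "MAY"),
    4: ("SHA-384", "MAY", "RECOMMENDED"),
}

# Constructed sample, as one might paste from dig output. Key and digest
# fields are placeholders, not real material for any of these names.
SAMPLE_RECORDS = """\
example.        3600 IN DNSKEY 257 3 5 PLACEHOLDERKSK==
example.        3600 IN DNSKEY 256 3 5 PLACEHOLDERZSK==
example.        3600 IN DS 12345 5 1 PLACEHOLDERDIGEST
modern.example. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKSK==
modern.example. 3600 IN DS 23456 13 2 PLACEHOLDERDIGEST
mixed.example.  3600 IN DNSKEY 257 3 7 PLACEHOLDERKSK1==
mixed.example.  3600 IN DNSKEY 257 3 8 PLACEHOLDERKSK2==
mixed.example.  3600 IN DS 34567 7 1 PLACEHOLDERDIGEST
mixed.example.  3600 IN DS 45678 8 2 PLACEHOLDERDIGEST
"""


def _fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_rr(line):
    """Parse one DNSKEY or DS record in presentation format (TTL/class optional)."""
    toks = line.split()
    for i, t in enumerate(toks):
        if t == "DNSKEY":  # RDATA: flags protocol algorithm publickey
            return {"owner": _fqdn(toks[0]), "type": t, "alg": int(toks[i + 3])}
        if t == "DS":  # RDATA: keytag algorithm digesttype digest
            return {"owner": _fqdn(toks[0]), "type": t, "alg": int(toks[i + 2]),
                    "digest": int(toks[i + 3])}
    raise ValueError("not a DNSKEY or DS record: %r" % line)


def audit(lines):
    """Group records by owner name and flag SHA-1 dependence per zone."""
    zones = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith(";"):
            rr = parse_rr(line)
            zones.setdefault(rr["owner"], []).append(rr)
    report = {}
    for owner, rrs in zones.items():
        algs = {r["alg"] for r in rrs}
        digests = {r["digest"] for r in rrs if r["type"] == "DS"}
        findings = []
        for a in sorted(algs):
            name, sign, val = DNSKEY_ALGORITHMS.get(a, ("unknown", "?", "?"))
            findings.append("algorithm %d %s: signing %s, validation %s" % (a, name, sign, val))
        for d in sorted(digests):
            name, deleg, val = DS_DIGESTS.get(d, ("unknown", "?", "?"))
            findings.append("DS digest %d %s: delegation %s, validation %s" % (d, name, deleg, val))
        report[owner] = {
            "algorithms": sorted(algs),
            # Every key and DS uses RSASHA1 or RSASHA1-NSEC3-SHA1: a validator
            # whose library refuses SHA-1 signatures has no usable path at all.
            "sha1_only": algs <= SHA1_ALGORITHMS,
            # Parent publishes only a SHA-1 DS digest (RFC 8624: MUST NOT for
            # new delegations, though validators MUST still accept it).
            "ds_sha1_digest_only": bool(digests) and digests == {1},
            "findings": findings,
        }
    return report


def validate_except_stanza(report):
    """named.conf fragment that skips validation only for the SHA-1-only zones."""
    names = sorted(z for z, r in report.items() if r["sha1_only"])
    if not names:
        return ""
    return "validate-except { %s };" % " ".join('"%s";' % z.rstrip(".") for z in names)
```

Feed `audit()` the DNSKEY and DS lines from `dig +dnssec DNSKEY <zone>` and `dig DS <zone>` for the zones that SERVFAIL, and put the returned stanza in the `options` block of named.conf next to `dnssec-validation auto;`. A zone that also carries a key with algorithm 8 or 13 (the "mixed.example." case) is not listed, because a validator can still build a chain through the non-SHA-1 key. Keep in mind what Greg said: every name in `validate-except` is one you have chosen to trust without DNSSEC, so the list should shrink as the zone owners migrate.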