RE: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-07 Thread Bhangui, Sandeep - BLS CTR via bind-users
Point taken and understood.

But you know how it is: when there is a major outage, the push from upper 
management is always "fix it now", get us up and running, and do your RCA 
later.

Thanks
Sandeep



-Original Message-
From: Mark Andrews  
Sent: Wednesday, December 6, 2023 10:19 PM
To: Bhangui, Sandeep - BLS CTR 
Cc: Nick Tait ; bind-users@lists.isc.org
Subject: Re: dnssec-delegation seems to be broken from .gov to bls.gov

CAUTION: This email originated from outside of BLS. DO NOT click (select) links 
or open attachments unless you recognize the sender and know the content is 
safe. Please report suspicious emails through the "Phish Alert Report" button 
on your email toolbar.

More to the point, why was the old KSK removed *before* checking that the DS 
record for the new KSK was published and had been for the TTL of the DS RRset?  
With proper procedures this should not happen.  When something goes wrong / is 
delayed in a key rollover the process should stall until that step is complete, 
not proceed blindly ahead.



--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
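Mark's point is the rollover gate itself: the old KSK is withdrawn only after the parent serves a DS for the new KSK and that DS has been visible for at least the DS RRset TTL (3600s in the dig output further down this page). The following is an added example, not code from the thread or from BIND, that encodes that check with RFC 4034 key tag and DS computation; the DNSKEY public-key bytes are constructed placeholders, and the parent DS set and timestamps would in practice come from a DS query against the parent's authoritative servers.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

DsTuple = Tuple[int, int, int, str]  # (key tag, algorithm, digest type, digest hex)


@dataclass(frozen=True)
class Dnskey:
    flags: int       # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # 8 = RSASHA256, the algorithm in the bls.gov DS on this page
    pubkey: bytes    # raw public key field of the DNSKEY RDATA (constructed below)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def keytag(self) -> int:
        # RFC 4034 Appendix B.1 key tag (all algorithms except the obsolete RSAMD5):
        # sum the RDATA as big-endian 16-bit words, fold in the carry, keep 16 bits.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    # Canonical (lowercase) wire form of an owner name: "bls.gov." -> b"\x03bls\x03gov\x00".
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_record(owner: str, key: Dnskey) -> DsTuple:
    # DS RDATA per RFC 4034 section 5.1.4 with digest type 2 (SHA-256):
    # digest = SHA-256(owner name in wire form || DNSKEY RDATA).
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).hexdigest().upper()
    return (key.keytag(), key.algorithm, 2, digest)


def rollover_gate(owner: str, new_ksk: Dnskey, parent_ds: Set[DsTuple],
                  ds_first_seen: Optional[float], ds_ttl: int, now: float) -> Tuple[bool, str]:
    """Return (may_remove_old_ksk, reason).

    parent_ds:     the DS RRset as currently served by the parent's authoritative servers
    ds_first_seen: when the new KSK's DS was first observed there (None = never seen)
    ds_ttl:        TTL of the parent's DS RRset
    """
    expected = ds_record(owner, new_ksk)
    if expected not in parent_ds:
        return False, "stall: parent does not publish DS %d %d %d for the new KSK" % expected[:3]
    if ds_first_seen is None or now - ds_first_seen < ds_ttl:
        return False, "stall: new DS must have been published for at least %ds (DS TTL)" % ds_ttl
    return True, "proceed: new DS is published and has aged past the DS TTL"


if __name__ == "__main__":
    # Constructed keys: the public-key bytes are placeholders, not real RSA keys.
    old_ksk = Dnskey(257, 3, 8, b"\x03\x01\x00\x01" + b"\xab" * 8)
    new_ksk = Dnskey(257, 3, 8, b"\x03\x01\x00\x01" + b"\xcd" * 8)
    parent = {ds_record("bls.gov.", old_ksk)}          # parent still serves only the old DS
    print(rollover_gate("bls.gov.", new_ksk, parent, None, 3600, now=10000))
    parent.add(ds_record("bls.gov.", new_ksk))         # new DS observed at t=5000
    print(rollover_gate("bls.gov.", new_ksk, parent, 5000, 3600, now=10000))
```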


RE: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Bhangui, Sandeep - BLS CTR via bind-users
The problem has been resolved.

The automatic KSK rollover on dotgov.gov did not happen properly, and once 
we manually updated the DS record with the correct KSK key tags and keys, things 
were fixed.

All is good now.

Now to see if we can find out why the automatic KSK failover on 
dotgov.gov did not happen correctly.

Thanks
Sandeep

From: bind-users  On Behalf Of Nick Tait via 
bind-users
Sent: Wednesday, December 6, 2023 3:23 PM
To: bind-users@lists.isc.org
Subject: Re: dnssec-delegation seems to be broken from .gov to bls.gov

On 7/12/2023 9:05 am, Nick Tait via bind-users wrote:
I could be wrong, but based on the output above it looks like the current TTL 
is 0, which means that doing this should provide immediate relief.

Sorry it looks like the DNS server on the Wi-Fi network I'm connected to has 
done something weird with the TTL.

This is what I get when querying one of the "gov." authoritative servers 
directly:

$ dig -t ds bls.gov @a.ns.gov +norecurse

; <<>> DiG 9.18.18-0ubuntu2-Ubuntu <<>> -t ds bls.gov @a.ns.gov +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32241
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bls.gov.   IN  DS

;; ANSWER SECTION:
bls.gov.  3600  IN  DS  50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C

;; Query time: 16 msec
;; SERVER: 2001:503:ff40::1#53(a.ns.gov) (UDP)
;; WHEN: Thu Dec 07 09:19:24 NZDT 2023
;; MSG SIZE  rcvd: 84

This means when you remove the DS record, it will take 1 hour to fully take 
effect (assuming no delay replicating between authoritative servers).

Nick.


dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

It seems the DNSSEC delegation is broken from ".gov" to the bls.gov domain, due 
to which the records for bls.gov are considered bogus and we are having 
issues at our site.

It looks like we were in the process of a KSK rollover and that may have caused 
the issue, as things were fine till yesterday.

As we troubleshoot this issue, I was wondering whether we can use some option in 
named.conf on our master DNS server so that DNSSEC verification is NOT done 
for any bls.gov DNS lookups from outside, to get a quick fix for this problem.

Currently DNS lookups from outside are flaky and I believe the reason behind 
that is that the DNSSEC delegation is broken.

From the output at dnsviz.net analyzing bls.gov, it seems that the KSK rollover 
for bls.gov is the issue.

Basically, I am trying to see if I can get a quick interim fix till we resolve the 
issue correctly.

Please advise.

Thanks
Sandeep




RE: Facing issues while resolving only one record

2023-08-30 Thread Bhangui, Sandeep - BLS CTR via bind-users
This seems to be an issue with the domain incometax.gov.in.

DNSSEC looks like it is broken for that domain.

NS servers at our location also cannot resolve that directly, but if I forward 
that query to any ISP provider NS, which are more lax, it resolves just fine.

Thanks
Sandeep

From: bind-users  On Behalf Of John W. Blue 
via bind-users
Sent: Wednesday, August 30, 2023 9:39 AM
To: bind-users 
Subject: RE: Facing issues while resolving only one record

Recommend you turn off DNSSEC validation and see if it starts working.

If it does, then you know the issue is with how DNSSEC is configured on your 
server.

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Blason R
Sent: Wednesday, August 30, 2023 8:20 AM
To: bind-users
Subject: Facing issues while resolving only one record

Hi all,

I have BIND 9.18.17-1+ubuntu22.04.1+isc+1-Ubuntu (Extended Support Version) 
and I am facing this weird issue. Somehow eportal.incometax.gov.in is not 
getting resolved through DNS.

I tried a lot but unfortunately the issue still persists.

Here are packet capture logs.

listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 
262144 bytes
18:47:19.56 ens18 In  IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? 
eportal.incometax.gov.in. (42)
18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% 
[1au] A? eportal.incometax.gov.in. (65)
18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] 
DNSKEY? incometax.gov.in. (57)
18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] 
DNSKEY? incometax.gov.in. (57)
18:47:21.573628 ens18 In  IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ AAAA? 
eportal.incometax.gov.in. (42)
18:47:21.576427 ens18 Out IP 192.168.1.133.55356 > 8.8.8.8.53: 57361+% [1au] 
AAAA? eportal.incometax.gov.in. (65)
18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: 16204+% 
[1au] DNSKEY? incometax.gov.in. (57)
18:47:22.777934 ens18 Out IP 192.168.1.133.58739 > 208.67.222.222.53: 34205+% 
[1au] AAAA? eportal.incometax.gov.in. (65)
18:47:23.20 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% [1au] 
DNSKEY? incometax.gov.in. (57)
18:47:23.584820 ens18 In  IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ A? 
eportal.incometax.gov.in. (42)
18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] 
DNSKEY? incometax.gov.in. (57)
18:47:25.205136 ens18 Out IP 192.168.1.133.33517 > 192.36.148.17.53: 18768 
[1au] DNSKEY? incometax.gov.in. (57)
18:47:25.237837 ens18 Out IP 192.168.1.133.43646 > 156.154.100.20.53: 28883 
[1au] DNSKEY? incometax.gov.in. (57)
18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: 46716 
[1au] DNSKEY? incometax.gov.in. (57)
18:47:25.597312 ens18 In  IP 192.168.1.162.53963 > 192.168.1.133.53: 23+ AAAA? 
eportal.incometax.gov.in. (42)
18:47:26.498891 ens18 Out IP 192.168.1.133.52631 > 125.16.225.122.53: 12762 
[1au] DNSKEY? incometax.gov.in. (57)

I feel this is something related to DNS RRKEY Record size?

Then I did a dumpdb on my server and went through the cache using the command
#rndc dumpdb -all

And here is the output

incometax.gov.in.       3422    NS      ns01.incometax.gov.in.
                        3422    NS      ns02.incometax.gov.in.
ns01.incometax.gov.in.  131     \-      ;-$NXRRSET
; ns01.incometax.gov.in. RRSIG NSEC ...
; ns01.incometax.gov.in. NSEC ns02.incometax.gov.in. A RRSIG NSEC
; incometax.gov.in. SOA ns01.incometax.gov.in. ns-admin.cpc.incometax.gov.in. 2023060970 7200 3600 1209600 3600
; incometax.gov.in. RRSIG SOA ...
ns02.incometax.gov.in.  120     \-      ;-$NXRRSET
; ns02.incometax.gov.in. RRSIG NSEC ...
; ns02.incometax.gov.in. NSEC ns03.incometax.gov.in. A RRSIG NSEC
;
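The capture Blason posted shows the resolver asking DNSKEY for incometax.gov.in at one forwarder after another and then at the roots and the zone's own servers, while the client keeps retrying its A/AAAA queries; a validating resolver fetches a zone's DNSKEY once and caches it, so that fan-out means each DNSKEY answer was rejected or never usable. The following is an added example, not code from the thread or from BIND, that parses tcpdump's DNS summary lines in the format shown above and flags that signature per zone. The sample capture is constructed in the same format as the one posted, and the capture is assumed to contain queries only, as the posted one does.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# tcpdump DNS summary line, e.g.
# 18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? incometax.gov.in. (57)
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ (?P<dir>In|Out)\s+IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)[+%*-]* (?:\[\dau\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

# Constructed sample in the posted format: a stub client (192.168.1.162) asks the
# resolver (192.168.1.133), which forwards and keeps re-fetching one zone's DNSKEY.
SAMPLE_CAPTURE = """\
18:47:19.560000 ens18 In  IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? eportal.incometax.gov.in. (42)
18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% [1au] A? eportal.incometax.gov.in. (65)
18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:21.573628 ens18 In  IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ AAAA? eportal.incometax.gov.in. (42)
18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: 16204+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:23.200000 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:23.584820 ens18 In  IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ A? eportal.incometax.gov.in. (42)
18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] DNSKEY? incometax.gov.in. (57)
18:47:30.000000 ens18 In  IP 192.168.1.162.53970 > 192.168.1.133.53: 23+ A? www.example.com. (33)
18:47:30.001000 ens18 Out IP 192.168.1.133.40001 > 1.1.1.1.53: 777+% [1au] DNSKEY? example.com. (40)
"""


def parse_capture(lines: Iterable[str]) -> List[dict]:
    """Parse the lines that look like DNS queries; anything else is ignored."""
    parsed = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def detect_dnskey_fanout(lines: Iterable[str], min_upstreams: int = 3) -> Dict[str, dict]:
    """Flag zones whose DNSKEY was requested from at least min_upstreams distinct
    servers while client queries for names in that zone kept arriving.

    A healthy validator asks for a zone's DNSKEY once per TTL; retrying it at every
    forwarder is consistent with the answer being rejected (bad/missing signatures or
    DS mismatch) or never arriving intact, not with the zone's servers being down."""
    dnskey_servers = defaultdict(set)   # zone -> upstream servers asked for its DNSKEY
    client_queries = defaultdict(int)   # qname -> inbound client queries seen
    for q in parse_capture(lines):
        if q["dir"] == "Out" and q["qtype"] == "DNSKEY":
            dnskey_servers[q["qname"]].add(q["dst"])
        elif q["dir"] == "In":
            client_queries[q["qname"]] += 1
    findings = {}
    for zone, servers in dnskey_servers.items():
        if len(servers) < min_upstreams:
            continue
        in_zone = [n for n in client_queries if n == zone or n.endswith("." + zone)]
        findings[zone] = {
            "dnskey_upstreams": sorted(servers),
            "client_queries_in_zone": sum(client_queries[n] for n in in_zone),
        }
    return findings


if __name__ == "__main__":
    for zone, info in detect_dnskey_fanout(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{zone}: DNSKEY re-fetched from {len(info['dnskey_upstreams'])} servers "
              f"while {info['client_queries_in_zone']} client queries waited")
```

Once a zone is flagged this way, confirm it from the resolver with a query that disables validation for that query only (dig +cd), which, as John suggests, separates a DNSSEC failure from an ordinary resolution failure without turning validation off for everyone.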

Intermittent issues resolving "labor.upload.akamai.com"

2023-02-02 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

We are running ISC BIND version 9.18.10 (will soon be moving to 9.18.11) 
on our Linux servers.

DNS resolution in general seems to work just fine as expected.

It seems we have intermittent issues resolving "labor.upload.akamai.com" and 
then some scripts fail. It is clear that the failure of the script is due to 
the DNS name lookup.

Not sure if this is an issue that needs to be looked at at our end (since DNS 
as such is working just fine for all the rest of the name resolution) or whether 
things are not configured properly at the other end as far as how this DNS record 
is published, due to which I see the behavior of intermittent DNS name lookup 
failure.

Any pointers would be appreciated.

Thanks
Sandeep

dig labor.upload.akamai.com

; <<>> DiG 9.18.10 <<>> labor.upload.akamai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51211
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 17e14f79ba23179d010063dc4895fbcf47353a31763c (good)
;; QUESTION SECTION:
;labor.upload.akamai.com.   IN  A

;; Query time: 1203 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 02 18:34:45 EST 2023
;; MSG SIZE  rcvd: 80


But if I point to a public DNS server like VZ or Google, I seem to resolve it 
fine all the time.

dig @198.6.1.1 labor.upload.akamai.com

; <<>> DiG 9.18.10 <<>> @198.6.1.1 labor.upload.akamai.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43891
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;labor.upload.akamai.com.   IN  A

;; ANSWER SECTION:
labor.upload.akamai.com. 300IN  CNAME   labor.c-ftp.upload.akamai.com.
labor.c-ftp.upload.akamai.com. 900 IN   CNAME   
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net.
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.137
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.149
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.144
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.143
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.142
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.148
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.139
r33674-33729.neards.1.cftp.e.stor.lb.akamai.net. 23 IN A 23.200.4.146

;; Query time: 202 msec
;; SERVER: 198.6.1.1#53(198.6.1.1) (UDP)
;; WHEN: Thu Feb 02 18:35:50 EST 2023
;; MSG SIZE  rcvd: 267


RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users

If I go to my personal computer or my personal phone (not on VPN connected to 
the BLS network or using BLS resources) I can get to the site www.ssa.gov, which 
would lead me to believe that it is able to resolve www.ssa.gov.

Does that mean the DNS resolution for www.ssa.gov is not broken globally as 
explained below?

Or maybe my personal computer and my personal phone are querying different DNS 
servers over the internet which are able to resolve www.ssa.gov correctly and 
get to the website?

Thanks
Sandeep



-Original Message-
From: bind-users  On Behalf Of Bjørn Mork
Sent: Thursday, September 1, 2022 5:26 PM
To: BIND users 
Subject: Re: Issue with dns resolution for www.ssa.gov


www.ssa.gov is a separate zone according to the ssa.gov NS:

bjorn@idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
;; QUESTION SECTION:
;www.ssa.gov.   IN  NS

;; AUTHORITY SECTION:
www.ssa.gov.60  IN  NS  gtms2.ssa.gov.
www.ssa.gov.60  IN  NS  gtms1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu2.ssa.gov.

;; ADDITIONAL SECTION:
GTMS1.ssa.gov.  36000   IN  AAAA    2001:1930:e03::13
GTMS2.ssa.gov.  36000   IN  AAAA    2001:1930:e03::14
GTMU1.ssa.gov.  36000   IN  AAAA    2001:1930:d07:1::10
GTMU2.ssa.gov.  36000   IN  AAAA    2001:1930:d07:1::11
GTMS1.ssa.gov.  36000   IN  A   137.200.4.203
GTMS2.ssa.gov.  36000   IN  A   137.200.4.204
GTMU1.ssa.gov.  36000   IN  A   137.200.43.16
GTMU2.ssa.gov.  36000   IN  A   137.200.43.17

;; Query time: 107 msec
;; SERVER: 2001:1930:d07:1::8#53(2001:1930:d07:1::8)
;; WHEN: Thu Sep 01 23:24:13 CEST 2022
;; MSG SIZE  rcvd: 348



But it's a CNAME according to the www.ssa.gov NS:


bjorn@idefix:~$ dig a www.ssa.gov @gtms1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> a www.ssa.gov @gtms1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43620
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.

;; Query time: 127 msec
;; SERVER: 2001:1930:e03::13#53(2001:1930:e03::13)
;; WHEN: Thu Sep 01 23:25:01 CEST 2022
;; MSG SIZE  rcvd: 77



CDNs playing tricks. This won't fly.



Bjørn
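Bjørn's two dig queries show the conflict: ssa.gov delegates www.ssa.gov as its own zone (NS records), yet the servers for that zone answer with a CNAME at the very same name, and a CNAME may not coexist with other data at a node (RFC 2181 section 10.1), which is what a strict resolver trips over while a lax one follows the CNAME. The following is an added example, not code from the thread or from BIND, that merges a parent-side and a child-side view of the records and reports such owners; the record lines are taken from Bjørn's dig output above, and the exemption for RRSIG/NSEC/NSEC3 follows RFC 4035, which allows those beside a CNAME in a signed zone.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# dig-style presentation line: owner TTL IN TYPE RDATA
RR = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")

# Types RFC 4035 allows alongside a CNAME in a signed zone; not a conflict.
DNSSEC_SIDE_TYPES = {"RRSIG", "NSEC", "NSEC3"}

# Authority section of "dig ns www.ssa.gov @dns1.ssa.gov" (parent-side delegation).
PARENT_VIEW = """
www.ssa.gov.  60  IN  NS  gtms2.ssa.gov.
www.ssa.gov.  60  IN  NS  gtms1.ssa.gov.
www.ssa.gov.  60  IN  NS  gtmu1.ssa.gov.
www.ssa.gov.  60  IN  NS  gtmu2.ssa.gov.
"""

# Answer section of "dig a www.ssa.gov @gtms1.ssa.gov" (the delegated zone's own answer).
CHILD_VIEW = """
;; ANSWER SECTION:
www.ssa.gov.  300  IN  CNAME  www.ssa.gov.edgekey.net.
"""


def parse_rrs(text: str) -> List[Tuple[str, str, str]]:
    """Parse presentation lines into (owner, type, rdata); comment lines are skipped
    and owner names are lowercased and made fully qualified."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR.match(line)
        if m:
            owner = m["owner"].lower().rstrip(".") + "."
            rrs.append((owner, m["type"], m["rdata"].strip()))
    return rrs


def cname_conflicts(*views: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Merge several views of the same names (parent delegation, child answer, ...)
    and return {owner: [other types]} wherever a CNAME coexists with other data."""
    types_at = defaultdict(set)
    for view in views:
        for owner, rtype, _ in view:
            types_at[owner].add(rtype)
    conflicts = {}
    for owner, types in types_at.items():
        others = sorted(types - {"CNAME"} - DNSSEC_SIDE_TYPES)
        if "CNAME" in types and others:
            conflicts[owner] = others
    return conflicts


if __name__ == "__main__":
    for owner, others in cname_conflicts(parse_rrs(PARENT_VIEW), parse_rrs(CHILD_VIEW)).items():
        print(f"{owner} has a CNAME alongside {', '.join(others)}: invalid, a zone apex cannot be a CNAME")
```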


RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
Thanks Bjørn.

This indeed looks like a mess-up on the SSA side.

Sandeep



RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
John,

We have not moved to PDNS as yet.

I am not sure about DNSSEC for SSA; will check on that.

Thanks
Sandeep

From: bind-users  On Behalf Of John W. Blue 
via bind-users
Sent: Thursday, September 1, 2022 5:03 PM
To: bind-users@lists.isc.org
Subject: Re: Issue with dns resolution for www.ssa.gov


Sandeep,

Are you all using CISA's Protective DNS?  If so, there might be a ruleset that 
is causing problems.

If not (and I have not checked), is DNSSEC for SSA working correctly?

John



Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

We are running BIND version 9.16.31 on a RHEL 7.X server and things are working 
fine in general.

Having an issue with DNS resolution for www.ssa.gov; no other 
DNS issues reported at this time.

Our DNS server cannot seem to resolve www.ssa.gov using 
nslookup (I know this is an old utility and cannot be used much for 
troubleshooting); dig seems to respond properly.

Just curious what the issue could be. Is this on our DNS server? nslookup 
seems to work fine for a lot of other sites that I used just to check if it 
responds correctly.

The VZ public NS, which is listed as one of the NS under /etc/resolv.conf, seems 
to respond to nslookup just fine.

I am not sure what more information I could include which could be helpful; if 
anything else is needed please let me know and I will post it.

Thanks in advance.

Sandeep


# nslookup www.ssa.gov

;; Got SERVFAIL reply from 127.0.0.1, trying next server

Server: 198.6.1.1
Address:198.6.1.1#53

Non-authoritative answer:
www.ssa.gov canonical name = www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net canonical name = e82396.dsca.akamaiedge.net.
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.54
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.58
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:293
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:289


Dig output from the same DNS server seems to give a response.

# dig www.ssa.gov

; <<>> DiG 9.16.31 <<>> www.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24578
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net. 9625   IN  CNAME   e82396.dsca.akamaiedge.net.
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.58
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.51

;; Query time: 171 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Thu Sep 01 16:03:21 EDT 2022
;; MSG SIZE  rcvd: 146




Question about linking jemalloc with Bind 9.18.x when doing the compile.

2022-08-02 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello all

We are getting ready to test BIND 9.18.x. Currently we are running the latest 
version of the 9.16.x branch.

We have downloaded and successfully installed the jemalloc module on the server 
(RHEL 7.9 OS) and are getting ready to compile the latest version of BIND 9.18.x.

Can someone please point me to some documentation which tells what exact 
flags/parameters to use to properly link jemalloc when we compile the latest 
version of BIND 9.18.x using "configure", so that we get the compile done correctly 
in the first run.

Thanks in advance.

Sandeep




RE: Errors loading Named ( 9.16.26) on RHEL 7.9

2022-02-24 Thread Bhangui, Sandeep - BLS CTR via bind-users
Thanks Ondřej, will check on that.

From: Ondřej Surý 
Sent: Thursday, February 24, 2022 1:29 PM
To: Bhangui, Sandeep - BLS CTR 
Cc: bind-users@lists.isc.org
Subject: Re: Errors loading Named ( 9.16.26) on RHEL 7.9



The server isn't the same. All the libraries that you are using to compile BIND 9 
need to be at the same or a higher version, which isn't the case here.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


On 24. 2. 2022, at 19:06, Bhangui, Sandeep - BLS CTR via bind-users 
mailto:bind-users@lists.isc.org>> wrote:

Hello

Successfully compiled 9.16.26 on a RHEL 7.9 server. The compile server is a 
different one but running the exact same OS and kernel as the DNS server on 
which the created RPM package was installed.

Installed the rpm package and tried to start named on a DNS server; it does not 
load and gives a fatal error.

I will dig into things further to troubleshoot and capture the core dump, as 
with this install attempt the core dump was not captured, so there is not much 
to go with but for the messages captured from the logs.

Usually I have seen errors doing the compile, but this is the first time I am 
having issues loading named after a successful compile.

Based on what little information is provided below, I would appreciate it if 
someone can throw some light/pointers as to what the issue may be.

Currently we are running 9.16.25 in our environment and I have reverted back 
successfully.

Thanks
Sandeep


Feb 24 11:28:08 cpdnsquar01v named[72797]: starting BIND 9.16.26 (Extended Support Version)
Feb 24 11:28:08 cpdnsquar01v named[72797]: running on Linux x86_64 3.10.0-1160.53.1.el7.x86_64 #1 SMP Thu Dec 16 10:19:28 UTC 2021
Feb 24 11:28:08 cpdnsquar01v named[72797]: built with '--prefix=/usr/local/named-jail9.16.26' '--sysconfdir=/usr/local/named-jail9.16.26/etc' '--mandir=/usr/local/named-jail9.16.26/usr/man' '--bindir=/usr/local/named-jail9.16.26/usr/bin' '--sbindir=/usr/local/named-jail9.16.26/usr/sbin' '--libexecdir=/usr/local/named-jail9.16.26/usr/libexec' '--sharedstatedir=/usr/local/named-jail9.16.26/usr/shared' '--localstatedir=/usr/local/named-jail9.16.26/var' '--libdir=/usr/local/named-jail9.16.26/usr/lib' '--includedir=/usr/local/named-jail9.16.26/usr/include' '--with-randomdev=/dev/urandom' '--disable-static' '--with-openssl' '--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' '--enable-rrl' '--enable-largefile' '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Feb 24 11:28:08 cpdnsquar01v named[72797]: running as: named -u named
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with libxml2 version: 2.9.1
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to libxml2 version: 20901
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with zlib version: 1.2.7
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to zlib version: 1.2.7
Feb 24 11:28:08 cpdnsquar01v named[72797]: 
Feb 24 11:28:08 cpdnsquar01v named[72797]: BIND 9 is maintained by Internet Systems Consortium,
Feb 24 11:28:08 cpdnsquar01v named[72797]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Feb 24 11:28:08 cpdnsquar01v named[72797]: corporation.  Support and training for BIND 9 are
Feb 24 11:28:08 cpdnsquar01v named[72797]: available at https://www.isc.org/support
Feb 24 11:28:08 cpdnsquar01v named[72797]: 
Feb 24 11:28:08 cpdnsquar01v named[72797]: adjusted limit on open files from 4096 to 1048576
Feb 24 11:28:08 cpdnsquar01v named[72797]: found 1 CPU, using 1 worker thread
Feb 24 11:28:08 cpdnsquar01v named[72797]: using 1 UDP listener per interface
Feb 24 11:28:08 cpdnsquar01v named[72797]: using up to 21000 sockets
Feb 24 11:28:08 cpdnsquar01v named[72797]: loading configuration from 
'/usr/local/named-jail9.16.26/etc/named.conf'
Feb 24 11:28:08 cpdnsquar01v named[72797]: reading built-in trust anchors from 
file '/usr/local/named-jail9.16.26/etc/bind.keys'
Feb 24 11:28:08 cpdnsquar01v named[72797]: using default UDP/IPv4 port range: 
[32768, 60999]
Feb 24 11:28:08 
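Added example, not code from the thread or from ISC: a script that mechanises the rule Ondřej states above, that every library the build host linked named against must be present on the target at the same or a higher version. It parses constructed `rpm -qa`-style listings for a hypothetical build host and target (the package versions are assumptions, chosen so that libuv is older on the target), compares them with a simplified rpmvercmp, and reports each runtime dependency as ok, older or missing.

```python
"""Check that a target host's library packages are at least as new as the
build host's, which is the rule stated in the reply above.

Added example, not from the bind-users thread or from ISC. The package
listings are constructed 'rpm -qa'-style output for a hypothetical build
host and target host; the versions are assumptions, chosen so that libuv is
older on the target. On real hosts the listings come from 'rpm -qa' and the
dependency names from 'ldd /path/to/named'.
"""
import re

# Constructed listing for the hypothetical build host (assumed versions).
BUILD_HOST_RPMS = """\
libuv-1.42.0-1.el7.x86_64
libuv-devel-1.42.0-1.el7.x86_64
openssl-libs-1.0.2k-24.el7_9.x86_64
libxml2-2.9.1-6.el7.5.x86_64
zlib-1.2.7-19.el7_9.x86_64
"""

# Constructed listing for the hypothetical target DNS server: same OS and
# kernel, but libuv was never updated there (assumed).
TARGET_HOST_RPMS = """\
libuv-1.34.0-1.el7.x86_64
openssl-libs-1.0.2k-24.el7_9.x86_64
libxml2-2.9.1-6.el7.5.x86_64
zlib-1.2.7-19.el7_9.x86_64
"""

# Packages providing the shared libraries named reports at startup
# (OpenSSL, libxml2, zlib) plus libuv, which BIND 9.16 requires.
RUNTIME_DEPS = ["libuv", "openssl-libs", "libxml2", "zlib"]


def parse_rpm_listing(text):
    """Map package name -> (version, release) from NAME-VERSION-RELEASE.ARCH lines."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, rest = line.rsplit("-", 2)
        release, _arch = rest.rsplit(".", 1)
        packages[name] = (version, release)
    return packages


def _segments(s):
    # rpm splits version strings into runs of digits and runs of letters;
    # everything else is a separator.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Compare two version or release strings like rpm's rpmvercmp:
    -1 if a < b, 0 if equal, 1 if a > b. Simplified: the '~' and '^'
    pre-release markers are not handled (assumption: not used here)."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1      # a numeric segment beats an alpha one
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1   # the string with segments left over is newer


def compare_hosts(build_listing, target_listing, deps):
    """For each dependency report 'ok' (target >= build), 'older' or 'missing'."""
    build = parse_rpm_listing(build_listing)
    target = parse_rpm_listing(target_listing)
    report = {}
    for pkg in deps:
        if pkg not in build:
            raise KeyError(f"{pkg} is not installed on the build host")
        if pkg not in target:
            report[pkg] = "missing"
            continue
        bver, brel = build[pkg]
        tver, trel = target[pkg]
        cmp = rpmvercmp(tver, bver) or rpmvercmp(trel, brel)
        report[pkg] = "ok" if cmp >= 0 else "older"
    return report


if __name__ == "__main__":
    # libuv comes out 'older': the RPM must not be rolled out until it is updated.
    for pkg, status in compare_hosts(BUILD_HOST_RPMS, TARGET_HOST_RPMS, RUNTIME_DEPS).items():
        print(f"{pkg:14} {status}")
```

Running this on the real listings of both hosts before installing the package is the check whose absence the reply above is pointing at.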

Errors loading Named ( 9.16.26) on RHEL 7.9

2022-02-24 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello

Successfully compiled 9.16.26 on a RHEL 7.9 server. The compile server is a 
different one, but it runs the exact same OS and kernel as the DNS server on 
which the created RPM package was installed.

Installed the rpm package and tried to start named on a DNS server; it does not 
load and gives a fatal error.

I will dig into things further to troubleshoot and capture the core dump, as 
with this install attempt the core dump was not captured, so there is not much 
to go on but the messages captured from the logs.

Usually I have seen errors during compile, but this is the first time I am 
having issues loading named after a successful compile.

Based on what little information is provided below, I would appreciate it if 
someone could throw some light/pointers on what the issue may be.

Currently we are running 9.16.25 in our environment and I have reverted back 
successfully.

Thanks
Sandeep


Feb 24 11:28:08 cpdnsquar01v named[72797]: starting BIND 9.16.26 (Extended 
Support Version) 
Feb 24 11:28:08 cpdnsquar01v named[72797]: running on Linux x86_64 
3.10.0-1160.53.1.el7.x86_64 #1 SMP Thu Dec 16 10:19:28 UTC 2021
Feb 24 11:28:08 cpdnsquar01v named[72797]: built with '--prefix=/usr/local/named-jail9.16.26' '--sysconfdir=/usr/local/named-jail9.16.26/etc' '--mandir=/usr/local/named-jail9.16.26/usr/man' '--bindir=/usr/local/named-jail9.16.26/usr/bin' '--sbindir=/usr/local/named-jail9.16.26/usr/sbin' '--libexecdir=/usr/local/named-jail9.16.26/usr/libexec' '--sharedstatedir=/usr/local/named-jail9.16.26/usr/shared' '--localstatedir=/usr/local/named-jail9.16.26/var' '--libdir=/usr/local/named-jail9.16.26/usr/lib' '--includedir=/usr/local/named-jail9.16.26/usr/include' '--with-randomdev=/dev/urandom' '--disable-static' '--with-openssl' '--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' '--enable-rrl' '--enable-largefile' '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Feb 24 11:28:08 cpdnsquar01v named[72797]: running as: named -u named
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled by GCC 4.8.5 20150623 (Red 
Hat 4.8.5-44)
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with OpenSSL version: 
OpenSSL 1.0.2k-fips  26 Jan 2017
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to OpenSSL version: OpenSSL 
1.0.2k-fips  26 Jan 2017
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with libxml2 version: 2.9.1
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to libxml2 version: 20901
Feb 24 11:28:08 cpdnsquar01v named[72797]: compiled with zlib version: 1.2.7
Feb 24 11:28:08 cpdnsquar01v named[72797]: linked to zlib version: 1.2.7
Feb 24 11:28:08 cpdnsquar01v named[72797]: 

Feb 24 11:28:08 cpdnsquar01v named[72797]: BIND 9 is maintained by Internet 
Systems Consortium,
Feb 24 11:28:08 cpdnsquar01v named[72797]: Inc. (ISC), a non-profit 501(c)(3) 
public-benefit
Feb 24 11:28:08 cpdnsquar01v named[72797]: corporation.  Support and training 
for BIND 9 are
Feb 24 11:28:08 cpdnsquar01v named[72797]: available at 
https://www.isc.org/support
Feb 24 11:28:08 cpdnsquar01v named[72797]: 

Feb 24 11:28:08 cpdnsquar01v named[72797]: adjusted limit on open files from 
4096 to 1048576
Feb 24 11:28:08 cpdnsquar01v named[72797]: found 1 CPU, using 1 worker thread
Feb 24 11:28:08 cpdnsquar01v named[72797]: using 1 UDP listener per interface
Feb 24 11:28:08 cpdnsquar01v named[72797]: using up to 21000 sockets
Feb 24 11:28:08 cpdnsquar01v named[72797]: loading configuration from 
'/usr/local/named-jail9.16.26/etc/named.conf'
Feb 24 11:28:08 cpdnsquar01v named[72797]: reading built-in trust anchors from 
file '/usr/local/named-jail9.16.26/etc/bind.keys'
Feb 24 11:28:08 cpdnsquar01v named[72797]: using default UDP/IPv4 port range: 
[32768, 60999]
Feb 24 11:28:08 cpdnsquar01v named[72797]: using default UDP/IPv6 port range: 
[32768, 60999]
Feb 24 11:28:08 cpdnsquar01v named[72797]: listening on IPv4 interface lo, 
127.0.0.1#53
Feb 24 11:28:08 cpdnsquar01v named[72797]: udp.c:226: fatal error:
Feb 24 11:28:08 cpdnsquar01v named[72797]: RUNTIME_CHECK(r == 0) failed
Feb 24 11:28:08 cpdnsquar01v named[72797]: exiting (due to fatal error in 
library)
Feb 24 11:28:08 cpdnsquar01v abrt-hook-ccpp: Process 72797 (named) of user 200 
killed by SIGABRT - dumping core
Feb 24 11:28:10 cpdnsquar01v abrt-server: Package 'bind' isn't signed with 
proper key
Feb 24 11:28:10 cpdnsquar01v abrt-server: 'post-create' on 
'/var/spool/abrt/ccpp-2022-02-24-11:28:08-72797' exited with 1
Feb 24 11:28:10 cpdnsquar01v abrt-server: Deleting problem directory 
'/var/spool/abrt/ccpp-2022-02-24-11:28:08-72797'



RE: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X [ Issue resolved on RHEL 7.X ]

2020-05-19 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello

Finally got time to work on this and happy to report that the compile was 
successful for 9.16.3 on RHEL 7.X.

What it needed was just the libuv-devel package to be installed on RHEL 7.X.

So basically the addition of two libuv packages on RHEL 7.X resolved the compile 
issue for me.

Now moving to address the issue on RHEL 6.X.

Thanks
Sandeep





-Original Message-
From: Anand Buddhdev [mailto:ana...@ripe.net] 
Sent: Tuesday, March 24, 2020 4:04 PM
To: Bhangui, Sandeep - BLS CTR ; 
bind-users@lists.isc.org
Subject: Re: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X

On 24/03/2020 20:44, Bhangui, Sandeep - BLS CTR via bind-users wrote:

Hi Sandeep,

[snip]

> As far as I can tell the libuv library package is installed on this 
> RHEL 7.X machine.
> 
> sh-4.2# rpm -qa | grep -i libuv
> 
> libuv-1.34.0-1.el7.x86_64

This package contains just the runtime library. However, in order to compile 
code that links against libuv, you need the "libuv-devel"
package. Besides "libuv-devel", you also need some other packages to build and 
run BIND properly.

However, seeing as you're stumbling on even this basic step, I'd advise you not 
to compile BIND. You're better off using packages made by other experienced 
people. The packages also contain additional files, such as systemd unit files, 
that make it easy to run BIND. For CentOS, have a look at:

https://copr.fedorainfracloud.org/coprs/isc/

Regards,
Anand

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X

2020-03-24 Thread Bhangui, Sandeep - BLS CTR via bind-users
Anand

Thanks for the update.

I have always compiled all versions of BIND we have used so far. We are 
currently running 9.14.11, so I have gone through the compile process before for 
multiple versions of BIND.

My last successful compile was 9.14.11 and this looks like some new 
dependencies for 9.16.1 so will try to compile further by getting the package.

I will also look at the link you have provided, but I believe those would be set 
packages and their configuration may not map to what we have; I will take a 
look if need be.

Thanks
Sandeep




Compile errors for Bind 9.16.1 on RHEL7.x and RHEL 6.X

2020-03-24 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello

Trying to compile BIND 9.16.1 on RHEL 7.X and RHEL 6.X and getting compile 
errors; hopefully someone can point me in the right direction.

The download of the source code from the ISC site was done sometime late last 
week.

Configuration.

RHEL 7.X  and RHEL 6.X running on HP-BLADE physical server.

RHEL 7.X Kernel

Linux  3.10.0-1062.12.1.el7.x86_64 #1 SMP Thu Dec 12 06:44:49 EST 2019 x86_64 
x86_64 x86_64 GNU/Linux

As far as I can tell the libuv library package is installed on this RHEL 
7.X machine.

sh-4.2# rpm -qa | grep -i libuv

libuv-1.34.0-1.el7.x86_64


This is the configure error I get when I try to compile on the RHEL 7.X 
machine.

checking for sched_setaffinity... yes
checking for pthread_setname_np... yes
checking for pthread_set_name_np... no
checking for pthread_np.h... no
checking for libuv... checking for libuv >= 1.0.0... no
configure: error: libuv not found
+ exit 0

I am getting a similar error on RHEL 6.X machine but on that machine I do not 
have the libuv package so that could explain that.

Please advise.

Thanks in advance.

Sandeep



Checking whether some configure options to compile are not longer available for Bind 9.14.1

2019-04-29 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

Is IPv6 enabled by default in DNS BIND Ver 9.14.1?

I am trying to compile the 9.14.1 source code on Sparc Solaris 10 and I see 
that the following options are not recognized any more when used with configure:

"--enable-ipv6" and "--enable-threads"

Both these options worked with the source code for 9.12.4. Am I doing something 
wrong, or I am wondering whether I have messed up something in my configure file.


These are the options I am using.

./configure --build=sparc-sun-solaris2.10
    --host=sparc-sun-solaris2.10
    --with-openssl
    --with-libxml2 --disable-
    --enable-ipv6
    --enable-fixed-rrset
    --enable-threads
    --enable-largefile
    --enable-querytrace
    --with-python=no




Thanks
Sandeep



RE: BIND 9.12.4-P1 build fails on Solaris 10

2019-04-26 Thread Bhangui, Sandeep - BLS CTR via bind-users
Solaris 10, Sparc based.  

Forgot to add that.



BIND 9.12.4-P1 build fails on Solaris 10

2019-04-26 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

Seen an exactly similar thread from the last few days for BIND 9.11.6-P1 on Solaris. 

I get a make error when I try to compile BIND 9.12.4-P1 on Solaris 10. 

Using the same configure file I can compile BIND 9.12.4 successfully on Solaris 10.

This is the make error that I get:

Undefined                       first referenced
 symbol                             in file
isc_atomic_xadd                     ../../lib/ns/libns.a(client.o)
ld: fatal: symbol referencing errors. No output written to namedtmp0
collect2: ld returned 1 exit status
*** Error code 1

I see that someone posted these two links to check... they talk about Solaris 
11, but looking at the error it seems that is what I am hitting too.


https://gitlab.isc.org/isc-projects/bind9/issues/999


https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864


Some questions.

1. Has this been considered/reported as a BUG, and will it be fixed in the next 
release?

2. The second link above talks of making changes to client.c; what exact changes 
have to be made? Is this worthwhile, or is it better to wait till this is 
addressed in the next release (assuming that this is considered a bug and will 
be addressed in the next release)?


The configure file I am using is as follows...if that is of any relevance.

./configure --build=sparc-sun-solaris2.10
    --host=sparc-sun-solaris2.10
    --with-openssl
    --with-libxml2 --disable-
    --enable-ipv6
    --enable-fixed-rrset
    --enable-threads
    --enable-largefile
    --enable-querytrace
    --with-python=no


Any advice/help would be appreciated.

Thanks
Sandeep




RE: Make install error compiling Bind 9.12.4 on RHEL 6.X [ Resolved ]

2019-04-03 Thread Bhangui, Sandeep - BLS CTR via bind-users
My bad, I had a typo when I tried. The "--without-python" option did the 
trick.

Was able to compile it successfully.

Thanks a lot 

Sandeep



RE: Make install error compiling Bind 9.12.4 on RHEL 6.X

2019-04-03 Thread Bhangui, Sandeep - BLS CTR via bind-users
Thanks

Tried what was suggested and got the same exact error.

Sandeep

-Original Message-
From: Anand Buddhdev [mailto:ana...@ripe.net] 
Sent: Wednesday, April 3, 2019 8:29 AM
To: Bhangui, Sandeep - BLS CTR ; 
bind-users@lists.isc.org
Subject: Re: Make install error compiling Bind 9.12.4 on RHEL 6.X

On 03/04/2019 14:05, Bhangui, Sandeep - BLS CTR via bind-users wrote:

Hi Sandeep,

> Trying to compile Bind 9.12.4 on RHEL 6.X running on physical HP blade server.
> 
> Looks like I am missing something trivial but have looked at things a 
> couple of times but cannot figure it out.

One cause could be that this version of BIND will try to build the "isc"
python module, and fail, because it requires python >= 2.7. However, RHEL 6 
only ships with python 2.6. You can probably see this if you examine the build 
logs.

You'll need to add "--without-python" to work around this.

I also recommend that you remove the DIG_SIGCHASE define. This feature has been 
deprecated, and the newest release of BIND, 9.14.0, doesn't even have it any 
more.

Regards,
Anand



Make install error compiling Bind 9.12.4 on RHEL 6.X

2019-04-03 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hello

Trying to compile Bind 9.12.4 on RHEL 6.X running on physical HP blade server.

Looks like I am missing something trivial but have looked at things a couple of 
times but cannot figure it out.

Did a fresh download of the source code but got the same error.

Here are the details about the machine, the SPEC file used and the make install 
error. The install directory exists.

Thanks
Sandeep

[root@cfsand01 SPECS]# uname -a
Linux cfsand01 2.6.32-754.11.1.el6.x86_64 #1 SMP Tue Jan 22 17:25:23 EST 2019 
x86_64 x86_64 x86_64 GNU/Linux

[root@cfsand01 SPECS]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.10 (Santiago)

We have rpm-build, rpmdevtools and openssl-devel installed.

We have the /rpmbuild directory under /root with the bind9.12.4.tar.gz source 
code under /root/rpmbuild/SOURCES.

Here is the SPEC file.


Vendor: Internet Systems Consortium ISC
# Orginal Name: Bind
#This is the spec file used to build  a bind-9.12.4 rpm package.

%define _topdir  /root/rpmbuild
%define DESTDIR  /usr/local/named-jail9.12.4
%define name   bind
%define version9.12.4
%define release%{dist}

Summary:   Setup to use ISC BIND at BLS
URL:   http://www.isc.org/
Packager:  xyz
License:ISC
Name:  %{name}
Version:  %{version}
Release:  %{dist}
Group: Development/Tools
#Source: http://www.isc.org/downloads/
# artifical source for tar file name
Source:%{name}-%{version}.tar.gz
Prefix:/usr

# Location installed package
BuildRoot: %{buildroot}

%description
Bind configured for BLS use
Set as a first time install on a server
No previous version of bind exists

%prep
%setup  -n %{name}-%{version}
# In the prep section the tar.gz file gets unpacked to a directory.

%build
# First we make sure we start clean
rm -rf $RPM_BUILD_ROOT

#Create directory
mkdir -p $RPM_BUILD_ROOT

STD_CDEFINES="-DDIG_SIGCHASE=1"
export STD_CDEFINES

CFLAGS="$RPM_OPT_FLAGS" ./configure \
--prefix=/usr/local/named-jail9.12.4\
   --sysconfdir=/usr/local/named-jail9.12.4/etc  \
   --mandir=/usr/local/named-jail9.12.4/usr/man  \
   --bindir=/usr/local/named-jail9.12.4/usr/bin  \
   --sbindir=/usr/local/named-jail9.12.4/usr/sbin  \
   --libexecdir=/usr/local/named-jail9.12.4/usr/libexec  \
   --sharedstatedir=/usr/local/named-jail9.12.4/usr/shared  \
   --localstatedir=/usr/local/named-jail9.12.4/var  \
   --libdir=/usr/local/named-jail9.12.4/usr/lib  \
   --includedir=/usr/local/named-jail9.12.4/usr/include  \
   --with-randomdev=/dev/urandom \
   --disable-static \
   --with-openssl   \
   --disable-openssl-version-check \
   --enable-ipv6  \
   --enable-fixed-rrset   \
   --enable-rrl\
   --enable-largefile  \
   --enable-newstats  \
   --with-libxml2  \
   --enable-fullreport  \
&&
make

%install
make install DESTDIR=$RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev
mkdir -p $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log
mkdir -p $RPM_BUILD_ROOT//usr/local/named-jail9.12.4/var/run/named
mkdir  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/usr/named
mkdir -p $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/usr/share/lib/zoneinfo


touch  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log/named.lame
touch   $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log/named.log
touch  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log/named.querylog
touch  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/run/named.pid

%clean
rm -rf $RPM_BUILD_ROOT

%files -f /adminfiles/Rhel6.5/bind/rpmbuild/

%defattr(-, named, named)
%attr(-, root, root)
%attr(700, named, named) /usr/local/named-jail9.12.4


%post

chown -R named:named /usr/local/named-jail9.12.4

# directory ownership

chmod 755 $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var
chmod 770 $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/run
chgrp -R named $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/run
chmod 770 $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log
chgrp -R named  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log
chown  named:named  
$RPM_BUILD_ROOT/usr/local/named-jail9.12.4/var/log/named.lame
chown named:named /usr/local/named-jail9.12.4/var/log/named.log
chown named:named /usr/local/named-jail9.12.4/var/log/named.querylog
chown -R root:named /usr/local/named-jail9.12.4/usr/named
chmod 770 /usr/local/named-jail9.12.4/usr/named



mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/tcp c 11 42
mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/udp c 11 41
mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/log c 21 5
mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/null c 13 2
mknod $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/zero c 13 2
chmod 666 $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/null
mknod  $RPM_BUILD_ROOT/usr/local/named-jail9.12.4/dev/conslog  c 21 0
mknod  

Question regarding different responses that I am getting for a lookup.

2018-08-06 Thread Bhangui, Sandeep - BLS CTR
Hello

Not sure why I am getting different responses when I perform a dig on 
sso.dol.gov.

Dig is performed from a server which is capable of querying the root 
servers. What could be the issue? Both dig commands below are run from the 
same server, which acts as a DNS server capable of performing DNS queries on the 
internet.

The dig +trace +all output is the same when I query my local server as well as 
when I query the VZ NS.

Any guidance/pointers would be appreciated.

Running BIND 9.11.3 on RHEL 6.x, if that is of any relevance.

I have a feeling that the external DNS entry presented for sso.dol.gov is 
messed up...

Thanks
Sandeep



sh-4.1# dig sso.dol.gov

; <<>> DiG 9.11.3 <<>> sso.dol.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12647
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 191369419bc6df077b8f30ce5b688c9e77211f348bb29b35 (good)
;; QUESTION SECTION:
;sso.dol.gov.   IN  A

;; ANSWER SECTION:
sso.dol.gov.77266   IN  CNAME   sso.gslb.dol.gov.
sso.gslb.dol.gov.   15  IN  A   10.49.1.80

;; AUTHORITY SECTION:
gslb.dol.gov.   77266   IN  NS  silprodgslb.dol.gov.
gslb.dol.gov.   77266   IN  NS  stldrpgslb.dol.gov.

;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 06 13:59:58 EDT 2018
;; MSG SIZE  rcvd: 158


sh-4.1# dig @198.6.1.1 sso.dol.gov

; <<>> DiG 9.11.3 <<>> @198.6.1.1 sso.dol.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25189
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;sso.dol.gov.   IN  A

;; ANSWER SECTION:
sso.dol.gov.86378   IN  CNAME   sso.gslb.dol.gov.
sso.gslb.dol.gov.   15  IN  A   152.180.20.21

;; Query time: 93 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Mon Aug 06 14:01:42 EDT 2018
;; MSG SIZE  rcvd: 79
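
Added example, not part of the post above: a small checker that parses the ANSWER sections of the two dig outputs quoted above, reports which addresses each resolver returned that the other did not, and flags any answer in private address space (10.49.1.80 lies in 10.0.0.0/8; 152.180.20.21 does not). The two samples are copied from the post's outputs, trimmed to the lines the parser needs.

```python
"""Diff the A/AAAA answers two resolvers gave for the same name and flag
private-range addresses.

Added example, not from the bind-users post. LOCAL_DIG and REMOTE_DIG are
constructed from the ANSWER sections of the two dig outputs shown above.
"""
import ipaddress

# Constructed from the post's first dig (local resolver at 127.0.0.1).
LOCAL_DIG = """\
;; ANSWER SECTION:
sso.dol.gov.            77266   IN      CNAME   sso.gslb.dol.gov.
sso.gslb.dol.gov.       15      IN      A       10.49.1.80

;; AUTHORITY SECTION:
gslb.dol.gov.           77266   IN      NS      silprodgslb.dol.gov.
gslb.dol.gov.           77266   IN      NS      stldrpgslb.dol.gov.
"""

# Constructed from the post's second dig (@198.6.1.1).
REMOTE_DIG = """\
;; ANSWER SECTION:
sso.dol.gov.            86378   IN      CNAME   sso.gslb.dol.gov.
sso.gslb.dol.gov.       15      IN      A       152.180.20.21

;; Query time: 93 msec
"""


def parse_answers(dig_output):
    """Return (owner, ttl, rtype, rdata) tuples from the ANSWER SECTION only."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";"):          # any other header or comment ends the section
            in_answer = False
            continue
        if in_answer and line.strip():
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((owner, int(ttl), rtype, rdata.strip()))
    return records


def address_answers(dig_output):
    """Set of addresses returned as A/AAAA records; dig already lists the
    CNAME target's records in the same section, so no chasing is needed."""
    return {r[3] for r in parse_answers(dig_output) if r[2] in ("A", "AAAA")}


def compare_resolvers(out_a, out_b):
    """Report addresses each resolver gave that the other did not, and any
    answer that falls in private (RFC 1918 / ULA) space."""
    a, b = address_answers(out_a), address_answers(out_b)
    return {
        "only_in_a": sorted(a - b),
        "only_in_b": sorted(b - a),
        "private": sorted(ip for ip in a | b if ipaddress.ip_address(ip).is_private),
    }


if __name__ == "__main__":
    report = compare_resolvers(LOCAL_DIG, REMOTE_DIG)
    for key, value in report.items():
        print(f"{key:10} {value}")
```

A public name resolving to a private address from one resolver but not another is the discrepancy worth showing to whoever operates the zone, before concluding that the external entry itself is wrong.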



dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Bhangui, Sandeep - BLS CTR
Hi

Running ISC BIND 9.10.4-P2; will be soon moving to 9.10.4-P3.

Was trying to run dig commands to do some DNSSEC validation and got the 
following message:

"Invalid option: +sigchase"

When checked, I found that the dig utility has to be compiled with the 
"-DDIG_SIGCHASE" option, which apparently I have not done when we 
compiled 9.10.4-P2.

I plan to soon compile 9.10.4-P3; is it simply using "--DDIG_SIGCHASE" when I 
compile, which will then allow me to run the dig binary with the "+sigchase" 
option?

My current compile options are as follows, so would I be just adding 
"--DDIG_SIGCHASE" to get the dig binary which will allow me to run dig with the 
+sigchase option when I run the compile for 9.10.4-P3?


 BIND 9.10.4-P2 
running on SunOS sun4u 5.10 Generic_150400-39
built by make with '--build=sparc-sun-solaris2.10' 
'--host=sparc-sun-solaris2.10' '--with-openssl' '--with-libxml2' 
'--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' 
'--enable-threads' '--enable-sit' '--enable-largefile' '--enable-full-report' 
'--enable-fetchlimit' '--prefix=/usr/local/named-jail9.10.4P2' 
'--bindir=/usr/local/named-jail9.10.4P2/usr/bin' 
'--sbindir=/usr/local/named-jail9.10.4P2/usr/sbin' 
'--libexecdir=/usr/local/named-jail9.10.4P2/usr/libexec' 
'--sysconfdir=/usr/local/named-jail9.10.4P2/etc' 
'--sharedstatedir=/usr/local/named-jail9.10.4P2/usr/shared' 
'--localstatedir=/usr/local/named-jail9.10.4P2/var' 
'--libdir=/usr/local/named-jail9.10.4P2/usr/lib' 
'--includedir=/usr/local/named-jail9.10.4P2/usr/include' 
'--mandir=/usr/local/named-jail9.10.4P2/usr/man' 
'build_alias=sparc-sun-solaris2.10' 'host_alias=sparc-sun-solaris2.10'

Thanks in advance

Thanks
Sandeep



RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR
Understood and I am sure they are aware of those protocols.

We do not have a webserver hosted on 146.142.7.113; that I can 
categorically say, as that falls under our team.

Network folks are having a tough time even finding an active device with that 
IP on the network.

Thanks
Sandeep


From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alberto 

Sent: Saturday, September 17, 2016 12:52 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.


Hmmm, if they manage firewalls, they should be aware of TCP/IP 
fundamentals and how HTTP works, and much more.

The browser performs a GET on 146.142.7.113 with the HTTP protocol per the RFC, then 
146.142.7.113 says item moved / redirect to http://us.watcheezy.com/

You have to check the web server configuration or the HTML / PHP / pages on the 
root link from the web server 146.142.7.113.

When the browser gets a REDIRECT, it is the browser on the client machine that performs 
a new GET on the new address.

It is normal that the firewall team sees nothing else unless a packet capture and 
analysis is performed.

From: bind-users <bind-users-boun...@lists.isc.org> on 
behalf of Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Sent: Saturday, September 17, 2016 6:43 PM
To: Lyle; bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which 
does not belong to the organization.

Thanks

We suspected that but network folks are not able to find any device with that 
IP on the BLS network.

Also, it seems the firewall folks claim they looked for the traffic coming into the 
BLS network, and if the redirect is happening from a host which is 146.142.7.113 
they should have seen some traffic, correct? Apparently we do not see any 
traffic.

Thanks
Sandeep


-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
>
> Our organization BLS owns ( registered with the registrar )  the network 
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in UK called 
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS  side and we do not have any entry of  
> any kind for  the record  146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here...does not look 
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep
>
There is a host listening on 146.142.7.113 tcp port 80. It's issuing a
302 redirect to http://www.watcheezy.com at ip address 37.187.76.95.
That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.


RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR
Thanks & understood, and that is what I had thought.

I am trying to help BLS folks resolve the situation, as HTTP requests from the 
Internet to that IP, which is registered to BLS, are going to a site which does 
not belong to us.

Sandeep



From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alberto 

Sent: Saturday, September 17, 2016 12:43 PM
Cc: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.


A security scan is only a probe and does not change in any way a web server's 
content or configuration.

performing an http://x1.x2.x3.x4 request, where x... are the 4 IP octets, does 
not involve DNS in any way

IP is loaded inside the IEEE MAC "train" but works with dotted IPv4 / v6 addresses 
and not with DNS names.

When you ask for a NAME (not an IP) it is resolved by whatever DNS is configured inside your 
TCP/IP configuration, but if you ask for a direct IP, DNS is skipped entirely and it is 
a DIRECT CALL


From: bind-users <bind-users-boun...@lists.isc.org> on 
behalf of Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Sent: Saturday, September 17, 2016 6:33 PM
To: John Miller
Cc: bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which 
does not belong to the organization.

Thanks John

The Security Dept at BLS reported this to our team, which manages the DNS and 
infrastructure. I think some scans run by them on the network may have caught 
this, though I am not sure.

And yes we do not have any record for that IP in our DNS for bls.gov zone.

Sandeep



-Original Message-
From: John Miller [mailto:johnm...@brandeis.edu]
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address 
and got:

john@millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address.  Could be a rogue 
device or some sort of routing issue.  Here's a traceroute from the Brandeis 
network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms 204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms 0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24!  I'd have a chat with your 
network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue?  Do any DNS records point to

RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR
Thanks

We suspected that but network folks are not able to find any device with that 
IP on the BLS network.

Also it seems firewall folks claim they looked for the traffic coming in the 
BLS network and if the redirect is happening from a host which is 146.142.7.113 
they should have seen some traffic correct and apparently we do not see any 
traffic.

Thanks
Sandeep


-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
>
> Our organization BLS owns ( registered with the registrar )  the network 
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in UK called 
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS  side and we do not have any entry of  
> any kind for  the record  146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here...does not look 
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep
>
There is a host listening on 146.142.7.113 tcp port 80. It's issuing a
302 redirect to http://www.watcheezy.com at ip address 37.187.76.95.  
That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.



RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR

-Original Message-
From: Mukund Sivaraman [mailto:m...@isc.org] 
Sent: Saturday, September 17, 2016 12:01 PM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: 'bind-users@lists.isc.org' <bind-us...@isc.org>
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

On Sat, Sep 17, 2016 at 03:51:00PM +0000, Bhangui, Sandeep - BLS CTR wrote:
> Hi
> 
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
> 
> Our organization BLS owns ( registered with the registrar )  the network 
> address 146.142.xxx.xxx.
> 
> But if someone from the Internet ( outside of BLS network ) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in UK called 
> "us.watcheezy.com" 
> 
> I have checked the DNS from the BLS  side and we do not have any entry of  
> any kind for  the record  146.142.7.113 on our DNS. 
> 
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
> 
> Can anyone throw some light on as to what is going on here...does not look 
> like a DNS issue to me but I could be wrong.


[muks@jurassic ~]$ wget --debug http://146.142.7.113
DEBUG output created by Wget 1.18 on linux-gnu.

Reading HSTS entries from /home/muks/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2016-09-17 21:28:13--  http://146.142.7.113/
Connecting to 146.142.7.113:80... connected.
Created socket 3.
Releasing 0x564b513bd220 (new refcount 0).
Deleting unused 0x564b513bd220.

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 146.142.7.113
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:26:06 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html


It is an HTTP redirect (see the location: header above). Check the configuration 
of the HTTP server (webserver) that's serving for this IP address.


I think you are referring to www.watcheezy.com when you say check the 
configuration of the HTTP server...if that is the case, that server is not 
ours. I believe this site is from the UK; I do not even know where the server is 
actually hosted.

I apologize if I have not understood your response correctly.

Sandeep




Mukund
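
Mukund's wget run and John's telnet session both read the redirect by hand. As an added example, not part of the thread, the following Python parses a captured HTTP response the way those tools print it, finds the Location header regardless of case (the server quoted above sends it as a lowercase `location:`, which a naive `Location` lookup would miss), and flags a redirect whose target lies outside the organisation's own domains. `SAMPLE_RESPONSE` is constructed after the response quoted above; `fetch_raw_response` is an assumed helper that fetches one response without following the redirect, and the offline demo does not call it.

```python
"""Parse a captured HTTP response and flag an off-site redirect.

Added example (not from the thread). Header names are matched
case-insensitively because the server quoted in the thread sends
'location:' in lower case.
"""
from urllib.parse import urlsplit

# Constructed sample, modelled on the response quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 17 Sep 2016 16:26:06 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "location: http://www.watcheezy.com/\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Return (status_code, headers); header names are lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def redirect_target(raw):
    """Location URL if the response is a redirect, otherwise None."""
    status, headers = parse_response(raw)
    return headers.get("location") if status in REDIRECT_CODES else None


def is_offsite_redirect(raw, own_suffixes):
    """True when the response redirects to a host outside own_suffixes
    (e.g. ["bls.gov"] accepts bls.gov and any name under it)."""
    target = redirect_target(raw)
    if target is None:
        return False
    host = (urlsplit(target).hostname or "").lower()
    return not any(host == s or host.endswith("." + s) for s in own_suffixes)


def fetch_raw_response(host, port=80, timeout=5.0):
    """Issue one GET / without following redirects and return the raw
    status line and headers, so the Location header can be inspected.
    Assumed helper for live use; the offline demo below does not call it."""
    import http.client
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
        raw += "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
        return raw + "\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    print("redirects to:", redirect_target(SAMPLE_RESPONSE))
    print("off-site for bls.gov:", is_offsite_redirect(SAMPLE_RESPONSE, ["bls.gov"]))
```

Run against a live host, `is_offsite_redirect(fetch_raw_response("146.142.7.113"), ["bls.gov"])` would have answered the thread's question in one line; the same check over a list of an organisation's public addresses is a cheap periodic control for this class of problem.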

RE: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR
Thanks John

The Security Dept at BLS reported this to our team, which manages the DNS and 
infrastructure. I think some scans run by them on the network may have caught 
this, though I am not sure.

And yes we do not have any record for that IP in our DNS for bls.gov zone.

Sandeep



-Original Message-
From: John Miller [mailto:johnm...@brandeis.edu] 
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address 
and got:

john@millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address.  Could be a rogue 
device or some sort of routing issue.  Here's a traceroute from the Brandeis 
network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms 204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms 0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24!  I'd have a chat with your 
network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue?  Do any DNS records point to 
146.142.7.113?  There's no reverse record for it that I can see.

John

On Sat, Sep 17, 2016 at 11:51 AM, Bhangui, Sandeep - BLS CTR 
<bhangui.sand...@bls.gov> wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
>
> Our organization BLS owns ( registered with the registrar )  the network 
> address 146.142.xxx.xxx.
>
> But if someone from the Internet ( outside of BLS network ) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in UK called 
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS  side and we do not have any entry of  
> any kind for  the record  146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here...does not look 
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep

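
John's remark that the route takes thirteen hops inside the destination's own /24 is something a script can check on every trace. The following is an added example, not from the post: it parses Linux traceroute output, treating lines that do not start with a hop number as continuations of the previous hop (mail clients wrap long hop lines this way), counts the hops that answer from inside the destination's prefix (excluding the destination itself), and finds the largest RTT jump between consecutive answering hops. `SAMPLE_TRACE` is an excerpt of the traceroute quoted above; the thresholds in `assess()` are constructed defaults, not standards.

```python
"""Flag a traceroute that wanders inside the destination's own prefix.

Added example (not from the post). parse_traceroute() reads Linux
traceroute output; lines that do not start with a hop number are
treated as continuations of the previous hop.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Excerpt of the traceroute quoted in the thread; hop 5 is shown with its
# RTTs wrapped onto a continuation line.
SAMPLE_TRACE = """\
traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms
2.427 ms  2.375 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms
"""

HEADER_RE = re.compile(r"traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s{2,}(.*)$")
ADDR_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")


@dataclass
class Hop:
    number: int
    addrs: list = field(default_factory=list)  # responding addresses
    rtts: list = field(default_factory=list)   # round-trip times in ms


def parse_traceroute(text):
    """Return (destination_ip, [Hop, ...])."""
    dest, hops = None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            dest = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1))))
            body = m.group(2)
        elif hops:
            body = line                     # wrapped continuation line
        else:
            continue
        hops[-1].addrs.extend(ADDR_RE.findall(body))
        hops[-1].rtts.extend(float(r) for r in RTT_RE.findall(body))
    if dest is None:
        raise ValueError("no traceroute header line found")
    return dest, hops


def hops_inside_prefix(hops, dest, prefixlen=24):
    """Numbers of hops that answer from inside dest/prefixlen, not
    counting the destination itself."""
    net = ipaddress.ip_network("%s/%d" % (dest, prefixlen), strict=False)
    return [h.number for h in hops
            if any(a != dest and ipaddress.ip_address(a) in net for a in h.addrs)]


def assess(text, prefixlen=24, max_inside=2, jump_ms=50.0):
    """Summarise one trace. max_inside and jump_ms are constructed
    defaults for this example, not standards; tune them per network."""
    dest, hops = parse_traceroute(text)
    inside = hops_inside_prefix(hops, dest, prefixlen)
    answered = [(h.number, min(h.rtts)) for h in hops if h.rtts]
    jump_hop, jump = None, 0.0
    for (_, r0), (n1, r1) in zip(answered, answered[1:]):
        if r1 - r0 > jump:
            jump_hop, jump = n1, r1 - r0
    return {
        "destination": dest,
        "hops": len(hops),
        "inside_prefix": inside,
        "suspicious": len(inside) > max_inside,
        "largest_rtt_jump_at_hop": jump_hop,
        "largest_rtt_jump_ms": round(jump, 3),
        "jump_exceeds_threshold": jump > jump_ms,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_TRACE).items():
        print("%-24s %s" % (key, value))
```

On the excerpt the script reports four hops inside 146.142.7.0/24 before the destination and an RTT jump of more than 100 ms at hop 19, the two things a network team would want to see first when handed a trace like John's.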


Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Bhangui, Sandeep - BLS CTR
Hi

Not exactly sure whether this is a DNS issue but hoping someone here on this 
forum can provide some advice/suggestion as I am trying to figure out what is 
going on.

Our organization BLS owns ( registered with the registrar )  the network 
address 146.142.xxx.xxx.

But if someone from the Internet ( outside of BLS network ) tries to go to 
"http://146.142.7.113" it gets redirected to a site in UK called 
"us.watcheezy.com" 

I have checked the DNS from the BLS  side and we do not have any entry of  any 
kind for  the record  146.142.7.113 on our DNS. 

I have also done DNS lookups for watcheezy.com and those seem to be good too 
with respect to IP and the NS and as to what those NS are reporting.

Can anyone throw some light on as to what is going on here...does not look 
like a DNS issue to me but I could be wrong.

Thanks
Sandeep



RE: Question about managed-keys-zone

2016-04-08 Thread Bhangui, Sandeep - BLS CTR
Thanks Jeremy


Logging section from named.conf

logging {
    channel "named-log" {
        file "/usr/local/named-jail9.10.3P4/var/adm/named.log" versions 3 size 30m;
        severity info;
        print-time yes; print-category yes; print-severity yes;
    };

    channel "named-lame" {
        file "/usr/local/named-jail9.10.3P4/var/adm/named.lame" versions 3 size 30m;
        severity info;
        print-time yes; print-category yes; print-severity yes;
    };

    channel "named-querylog" {
        file "/usr/local/named-jail9.10.3P4/var/adm/named.querylog" versions 3 size 30m;
        severity dynamic;
        print-time yes; print-category yes; print-severity yes;
    };

    category "general" { "named-log"; };
    category "security" { "named-log"; };
    category "xfer-in" { "named-log"; };
    category "xfer-out" { "named-log"; };
    category "client" { "named-log"; };
    category "update" { "named-log"; };
    category "lame-servers" { "named-lame"; };
    category "queries" { "named-querylog"; };
    category edns-disabled { null; };
    /* category "delegation-only" { "named-querylog"; }; */
};


And yes, the directory "/usr/local/named-jail9.10.3P4/var/adm/" exists and the 
files are there, owned by named:named.

I know using rndc is good practice, but is there an option to specify in 
named.conf to disable it?

-Original Message-
From: Jeremy C. Reed [mailto:jr...@isc.org] 
Sent: Friday, April 08, 2016 9:37 AM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: Bind Users Mailing List <bind-users@lists.isc.org>
Subject: Re: Question about managed-keys-zone

On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:


> '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2

Unrelated to your problem, but the --enable-newstats configure switch is not 
used for BIND 9.10.

> 1. Cannot seem to start named and it seems that it is looking for some 
> keys to validation locally.

(I reordered your email some:)

> Apr 7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: configuring logging: file not found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: loading configuration: file not found
> Apr  7 15:15:32 cfdnsquar01 named[37952]: exiting (due to fatal error)

Your named cannot start due to the logging configuration. You didn't share your 
configuration related to it, but does the directory 
/usr/local/named-jail9.10.3P4/var/adm/ exist?

 
> I believe managed-key-zone validation is by default enabled in 
> BIND...is there an option that I can use in named.conf file to 
> disable that so that it does not look for the key...I guess this is 
> just a self-validation on the master itself and has nothing to do with 
> DNSSEC signing as it seems I am not even able to get the named up...

Yes, it is unrelated.

> I guess question is do I have an option that I can specify such that 
> it will not look for self-validation keys at all so that I do not have 
> to deal with rndc.key and rndc.conf or is this something I cannot get 
> by with when I use "views" ? Or am I not understanding this properly?

The rndc keys (used for connecting to the control interface) are unrelated to 
the keys used with DNSSEC.  But for operations it is a good idea. See the ARM 
and/or rndc-confgen manpage about generating the rndc configuration.

Let's get your named startup working first before we work on your goal. 
(If I understand correctly, you want named to serve internally unsigned zones, 
an external appliance will sign the zones, and then named can then serve the 
signed zones publicly.)

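
Jeremy's diagnosis (named exits with "configuring logging: file not found" because a channel's directory is missing) is cheap to catch before a restart. The following is an added example, not BIND's own tooling: it pulls the `file` paths out of the logging channels, resolves relative ones against `options { directory }` the way named does, and reports channels whose directory is missing or not writable by the user running the check (so run it as the named user). The named.conf fragment in `demo()` is constructed after the one in this thread, and the channel regex assumes channel blocks contain no nested braces and no `};` inside comments.

```python
"""Pre-flight check for the failure in this thread: named exits with
'configuring logging: file not found' when a logging channel's file
lives in a directory that does not exist.

Added example, not BIND's own tooling.
"""
import os
import re
import tempfile

# A channel block has no nested braces, so a non-greedy match up to the
# first '};' is enough. Assumes comments do not contain '};'.
CHANNEL_RE = re.compile(r'channel\s+"?([\w.-]+)"?\s*\{(.*?)\};', re.DOTALL)
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"')
DIRECTORY_RE = re.compile(r'\bdirectory\s+"([^"]+)"')


def channel_files(conf_text):
    """Return {channel_name: absolute_log_path} for file-backed channels.
    Relative paths are resolved against options { directory }, as named does."""
    m = DIRECTORY_RE.search(conf_text)
    base = m.group(1) if m else "/"
    files = {}
    for name, body in CHANNEL_RE.findall(conf_text):
        f = FILE_RE.search(body)
        if f:
            path = f.group(1)
            files[name] = path if os.path.isabs(path) else os.path.join(base, path)
    return files


def check_channel_dirs(conf_text):
    """Return [(channel, path, problem), ...]; an empty list means every
    log directory exists and is writable by the current user."""
    problems = []
    for name, path in channel_files(conf_text).items():
        d = os.path.dirname(path)
        if not os.path.isdir(d):
            problems.append((name, path, "directory missing: " + d))
        elif not os.access(d, os.W_OK):
            problems.append((name, path, "directory not writable: " + d))
    return problems


def demo():
    """Constructed named.conf fragment modelled on the one in the thread,
    with one channel whose directory exists and one whose directory does not."""
    tmp = tempfile.mkdtemp()
    os.makedirs(os.path.join(tmp, "adm"))
    conf = '''
options { directory "%s"; };
logging {
    channel "named-log" {
        file "%s/adm/named.log" versions 3 size 30m;
        severity info;
        print-time yes; print-category yes; print-severity yes;
    };
    channel "named-querylog" {
        file "missing-dir/named.querylog" versions 3 size 30m;
        severity dynamic;
    };
    channel "to-syslog" { syslog daemon; severity info; };
    category queries { "named-querylog"; };
};
''' % (tmp, tmp)
    return check_channel_dirs(conf)


if __name__ == "__main__":
    for channel, path, problem in demo():
        print("%s (%s): %s" % (channel, path, problem))
```

Against a real server, `check_channel_dirs(open("/path/to/named.conf").read())` run as the named user lists exactly the channels that would make startup fail with the error quoted above; an empty list is the green light before restarting named.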


Question about managed-keys-zone

2016-04-08 Thread Bhangui, Sandeep - BLS CTR
Hi

I am trying to do a simple proof of concept test for DNSSEC signing for our 
organization.

We are an agency under DOL and the plan is to use a DNSSECsigner appliance 
hosted at DOL to sign the zones so that we do not have to do DNSSEC key 
management.

So basically the configuration is: from our DNS server we send unsigned zones to 
the DNSSECSIGNER appliance physically hosted at a different location, it does 
the DNSSEC signing and sends the signed zones back to our master, and we then 
present the DNSSEC-signed zones for our zone to the world. All DNSSEC key 
management will be done by the DNSSECSIGNER appliance, meaning DNSSEC key 
management is not done by our agency.

Running 9.10.3P4 on Red Hat Linux 6.x

Was compiled using the following options.

Apr  7 15:15:32 cfdnsquar01 named[37952]: built with 
'--prefix=/usr/local/named-jail9.10.3P4' 
'--sysconfdir=/usr/local/named-jail9.10.3P4/etc' 
'--mandir=/usr/local/named-jail9.10.3P4/usr/man' 
'--bindir=/usr/local/named-jail9.10.3P4/usr/bin' 
'--sbindir=/usr/local/named-jail9.10.3P4/usr/sbin' 
'--libexecdir=/usr/local/named-jail9.10.3P4/usr/libexec' 
'--sharedstatedir=/usr/local/named-jail9.10.3P4/usr/shared' 
'--localstatedir=/usr/local/named-jail9.10.3P4/var' 
'--libdir=/usr/local/named-jail9.10.3P4/usr/lib' 
'--includedir=/usr/local/named-jail9.10.3P4/usr/include' 
'--with-randomdev=/dev/urandom' '--disable-static' '--with-openssl' 
'--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' 
'--enable-rrl' '--enable-largefile' '--enable-newstats' '--with-libxml2' 
'--enable-fullreport' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Relevant parts of named.conf are as follows.


options {
    version "None";
    recursive-clients 2000;
    listen-on-v6 { any; };
    auth-nxdomain no;
    directory "/usr/named";
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
    allow-transfer { 10.183.168.21; 10.183.168.22; 198.6.1.115; 198.6.1.154; };
    allow-query { bls; };
    allow-recursion { bls; };
    allow-query-cache { bls; };
    empty-zones-enable no;
    masterfile-format text;
    interface-interval 0;
};


controls {
    inet 127.0.0.1 allow { localhost; };
};


view "unsigned" {
    match-clients { 10.1.1.1; };        // DNSSEC appliance hosted at other place.
    zone "149.10.in-addr.arpa" {
        type master;
        file "/usr/named/test.rev";
    };
    zone "joe.com" {
        type master;
        file "/usr/named/testunsigned.hosts";
        also-notify { 10.1.1.1; };      // DNSSEC appliance hosted at other place.
    };
};

view "signed" {
    match-clients { any; };
    zone "149.10.in-addr.arpa" {
        type master;
        file "/usr/named/test.rev";
        allow-query { any; };
    };
    zone "joe.com" {
        type slave;
        file "/usr/named/test.hosts";
        masters { 10.1.1.2; };          // DNSSEC appliance hosted at other place.
        allow-query { any; };
    };
};


Problem:

1. Cannot seem to start named, and it seems that it is looking for some keys to 
validate locally.

I believe managed-key-zone validation is by default enabled in BIND...is 
there an option that I can use in the named.conf file to disable that so that it 
does not look for the key...I guess this is just a self-validation on the 
master itself and has nothing to do with DNSSEC signing, as it seems I am not 
even able to get named up...

I guess the question is: do I have an option that I can specify such that it will 
not look for self-validation keys at all, so that I do not have to deal with 
rndc.key and rndc.conf, or is this something I cannot get by with when I use 
"views"? Or am I not understanding this properly?

If there is no option to disable the key check, can I just put the secret key 
generated (looks like the log below has some keys) in the rndc.key file for 
self-validation? Will that work?

Any advice or suggestions?

Apr  7 15:15:32 cfdnsquar01 named[37952]: BIND 9 is maintained by Internet Systems Consortium,
Apr  7 15:15:32 cfdnsquar01 named[37952]: Inc. (ISC), a non-profit 501(c)(3) public-benefit 
Apr  7 15:15:32 cfdnsquar01 named[37952]: corporation.  Support and training for BIND 9 are 
Apr  7 15:15:32 cfdnsquar01 named[37952]: available at https://www.isc.org/support
Apr  7 15:15:32 cfdnsquar01 named[37952]: 
Apr  7 15:15:32 cfdnsquar01 named[37952]: adjusted limit on open files from 4096 to 1048576
Apr  7 15:15:32 cfdnsquar01 named[37952]: found 32 CPUs, using 32 worker threads
Apr  7 15:15:32 cfdnsquar01 

RE: Question about name resolution.

2015-10-27 Thread Bhangui, Sandeep - BLS CTR
Thank you.

Yes, indeed, the DNS configuration looks like it is broken.

It looks like some of the servers have correct information, but the ones that I 
am querying have incorrect information.

Thanks
Sandeep

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John W. Blue
Sent: Tuesday, October 27, 2015 1:20 AM
To: bind-users@lists.isc.org; dns-t...@adobe.com
Subject: RE: Question about name resolution.

"Life is tough, but it's tougher if you're stupid."
- John Wayne


-Original Message-

Adobe's admins have been repeatedly told that their nameservers are broken yet 
refuse / don't know how to fix them.  They are Cc'd here again.




Question about name resolution.

2015-10-26 Thread Bhangui, Sandeep - BLS CTR
Hello

Had the following question about name resolution of the following two 
links...one of the links resolves fine from our Internal network but the second 
one does not resolve at all; it comes back stating host not resolvable.

At this point I am not clear whether this is an issue with our Internal Network 
or something beyond our control.  

As such our DNS seems to be working properly and DNS resolution seems to be 
working fine on our Internal Network meaning we do not have any other reported 
cases of name resolution issues.

A. The following link works fine from our Internal Network.  If I do a dig on 
"www.adobe.com" I see an A record.

http://www.adobe.com/devnet/air/air-sdk-download.html

B. The following link does NOT work from our Internal Network. If I do a dig on 
"airdownload.adobe.com" I only see an CNAME record. And folks get the error 
host not resolvable when they try to access on our Internal Network.

http://airdownload.adobe.com

I have tried the second link, which does not work on our internal network, on my 
phone using the AT&T network and it seems to get redirected to www.adobe.com. So 
it looks like the redirect is not working properly when folks try to access it 
from our Internal Network. 

Not sure what exactly is happening here. Could this be a firewall issue?

Any help or pointers would be appreciated.  Not sure whether I have provided 
enough information.  

Thanks
Sandeep





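
The symptom Sandeep describes for airdownload.adobe.com, a CNAME in the answer and nothing else, is what a stub resolver turns into "host not resolvable". As an added example, not part of the thread, the following Python builds two wire-format DNS responses, parses them, and follows the CNAME chain in the answer section to report whether it ends in an address record. The CNAME target `cdn.example.net.` and the address 192.0.2.10 are constructed placeholders, since the post does not show the real target; the query name is the one from the post.

```python
"""Follow the CNAME chain in a DNS response's answer section and say
whether it ends in an address record. Added example, not from the
thread; cdn.example.net. is a constructed placeholder target."""
import struct

TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}


def encode_name(name):
    """Wire-encode a domain name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, answers):
    """NOERROR response with QR/RD/RA set; answers = [(owner, type, rdata)]."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(msg):
    """Return ((qname, qtype), [(owner, type_name, rdata_text)], rcode)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, qtype = 12, None, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == 5:
            rdata = decode_name(msg, off - rdlen)[0]
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), rdata))
    return (qname, qtype), answers, flags & 0x000F


def diagnose(msg):
    """Walk CNAMEs from the query name; a chain that stops without an
    A/AAAA record is what a stub resolver reports as unresolvable."""
    (qname, _), answers, rcode = parse_answers(msg)
    if rcode != 0:
        return "rcode %d" % rcode
    name, seen = qname, set()
    while name not in seen:
        seen.add(name)
        addrs = [r for r in answers if r[0] == name and r[1] in ("A", "AAAA")]
        if addrs:
            return "resolves: %s -> %s" % (qname, addrs[0][2])
        cnames = [r for r in answers if r[0] == name and r[1] == "CNAME"]
        if not cnames:
            return "dangling CNAME chain: %s ends at %s with no address record" % (qname, name)
        name = cnames[0][2]
    return "CNAME loop at %s" % name


# Constructed responses: the first reproduces the symptom from the thread.
SAMPLE_DANGLING = build_response("airdownload.adobe.com", 1, [
    ("airdownload.adobe.com", 5, encode_name("cdn.example.net")),
])
SAMPLE_GOOD = build_response("airdownload.adobe.com", 1, [
    ("airdownload.adobe.com", 5, encode_name("cdn.example.net")),
    ("cdn.example.net", 1, bytes([192, 0, 2, 10])),
])

if __name__ == "__main__":
    print(diagnose(SAMPLE_DANGLING))
    print(diagnose(SAMPLE_GOOD))
```

Fed the raw bytes of a real answer (for instance the payload of a UDP reply captured with tcpdump), `diagnose()` tells the two cases in this thread apart: an authoritative server that returns the CNAME but never the address it points to, versus one that completes the chain.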


Question on --with-libxml2 option while compiling on Sparc Solaris 10 and the Configuration Summary output.

2015-08-06 Thread Bhangui, Sandeep - BLS CTR
Hello


This is what I get in the summary after I run configure on the BIND 9.10.2P3 
source code when I use the --with-libxml2 option for compiling. As we can 
see, the summary says that the option has been enabled.

Configuration summary:

    Optional features enabled:
        Multiprocessing support (--enable-threads)
            Mutex lock type: adaptive
        GSS-API (--with-gssapi)
        Source Identity Token support (--enable-sit)
            Algorithm: aes
        IPv6 support (--enable-ipv6)
        OpenSSL cryptography/DNSSEC (--with-openssl)
        XML statistics (--with-libxml2)
        Allow 'fixed' rrset-order (--enable-fixed-rrset)
        Print backtrace on crash (--enable-backtrace)
        Use symbol table for backtrace, named only (--enable-symtable)
        Dynamically loadable zone (DLZ) drivers:
            None

    Features disabled or unavailable on this platform:
        Large-system tuning (--with-tuning)
        GeoIP access control (--with-geoip)
        PKCS#11/Cryptoki support (--with-pkcs11)
        Native PKCS#11/Cryptoki support (--enable-native-pkcs11)
        GOST algorithm support (--with-gost)
        ECDSA algorithm support (--with-ecdsa)
        Use libseccomp system call filtering (--enable-seccomp)
        Use GNU libtool (--with-libtool)
        Automated Testing Framework (--with-atf)
        Python tools (--with-python)
        JSON statistics (--with-libjson)


The compiled 9.10.2P3 named binary shows that it is compiled with 
--with-libxml2

./named -V
BIND 9.10.2-P3 id:e5e8feec built by make with '--build=sparc-sun-solaris2.10' 
'--host=sparc-sun-solaris2.10' '--with-openssl' '--with-libxml2' 
'--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' 
'--enable-threads' '--enable-sit' '--enable-largefile' '--enable-full-report' 
'--prefix=/usr/local/named-jail9.10.2P3' 
'--bindir=/usr/local/named-jail9.10.2P3/usr/bin' 
'--sbindir=/usr/local/named-jail9.10.2P3/usr/sbin' 
'--libexecdir=/usr/local/named-jail9.10.2P3/usr/libexec' 
'--sysconfdir=/usr/local/named-jail9.10.2P3/etc' 
'--sharedstatedir=/usr/local/named-jail9.10.2P3/usr/shared' 
'--localstatedir=/usr/local/named-jail9.10.2P3/var' 
'--libdir=/usr/local/named-jail9.10.2P3/usr/lib' 
'--includedir=/usr/local/named-jail9.10.2P3/usr/include' 
'--mandir=/usr/local/named-jail9.10.2P3/usr/man' 
'build_alias=sparc-sun-solaris2.10' 'host_alias=sparc-sun-solaris2.10'
compiled by GCC 3.4.3 (csl-sol210-3_4-branch+sol_rpath)
compiled with OpenSSL version: OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes 
for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 
CVE-2006-4343 CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 
CVE-2008-7270 CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 
CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 
CVE-2012-2131 CVE-2012-2333 CVE-2013-0166 CVE-2013-0169 CVE-2014-0224 
CVE-2014-3508 CVE-2014-3511 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 
CVE-2014-3569 CVE-2014-3570 CVE-2014-8275 CVE-2015-0204 CVE-2015-0286 
CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 
CVE-2015-1789 CVE-2015-1790 CVE-2015-4000)
linked to OpenSSL version: OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: 
CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 
CVE-2006-4343 CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 
CVE-2008-7270 CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 
CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 
CVE-2012-2131 CVE-2012-2333 CVE-2013-0166 CVE-2013-0169 CVE-2014-0224 
CVE-2014-3508 CVE-2014-3511 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 
CVE-2014-3569 CVE-2014-3570 CVE-2014-8275 CVE-2015-0204 CVE-2015-0286 
CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 
CVE-2015-1789 CVE-2015-1790 CVE-2015-4000)
compiled with libxml2 version: 2.6.23
linked to libxml2 version: 20623


It seems to me that both outputs above for BIND 9.10.2P3 are correct and 
in sync.

This is what I get in the summary when I run configure with the same options 
on the source code for BIND 9.9.7P2. As we can see the summary does not say that the 
option --with-libxml2 is enabled even though I have it in the configure.

Is that normal or do I have an issue here?

Should I not see XML statistics enabled in the summary below for BIND9.9.7P2?


Configuration summary:

Optional features enabled:
Multiprocessing support (--enable-threads)
Response Rate Limiting (--enable-rrl)
GSS-API (--with-gssapi)
Allow 'fixed' rrset-order (--enable-fixed-rrset)
Print backtrace on crash (--enable-backtrace)
Use symbol table for backtrace, named only (--enable-symtable)
Dynamically loadable zone (DLZ) drivers:
None

Features disabled or unavailable on this platform:
PKCS#11/Cryptoki support (--with-pkcs11)
New 

Compile Error for Bind 9.9.7P2 on Sparc based Solaris 10

2015-07-29 Thread Bhangui, Sandeep - BLS CTR
Hi

Just found that ISC has released Bind 9.9.7P2 so downloaded that since I had 
issues yesterday compiling P1 on Sparc based Solaris 10 (M3000).

Get the same error when I run the make with 9.9.7P2 on Sparc based Solaris 10 
(M3000).

Looks like configure runs ok.

Have done this successfully multiple times on Sparc Based Solaris 10 with the 
previous versions of Bind.

Obviously looks like I am missing something here, or has anything changed?

Any help would be appreciated as I am at a loss.

Thanks
Sandeep


tbl.pl  -o named-symtbl2.c namedtmp2;  done ;  mv namedtmp2 named;  rm -f 
namedtmp0 namedtmp1 namedtmp2 named-symtbl2.c;  fi
Undefined   first referenced
symbol in file
RSA_generate_key_ex ../../lib/dns/libdns.a(opensslrsa_link.o)
DSA_generate_parameters_ex  ../../lib/dns/libdns.a(openssldsa_link.o)
DH_generate_parameters_ex   ../../lib/dns/libdns.a(openssldh_link.o)
ld: fatal: symbol referencing errors. No output written to namedtmp0
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `named'
Current working directory 
/adminfiles/solaris10/Bind997P1/bind-9.9.7-P1/bin/named
*** Error code 1
The following command caused the error:
for i in named rndc dig dnssec tools tests nsupdate  check confgen python 
nulldir; do \
if [ $i != nulldir -a -d $i ]; then \
echo making all in `pwd`/$i; \
(cd $i; make  DESTDIR= all) || exit 1; \
fi; \
done
make: Fatal error: Command failed for target `subdirs'
Current working directory /adminfiles/solaris10/Bind997P1/bind-9.9.7-P1/bin
*** Error code 1
The following command caused the error:
for i in make unit lib bin doc nulldir; do \
if [ $i != nulldir -a -d $i ]; then \
echo making all in `pwd`/$i; \
(cd $i; make  DESTDIR= all) || exit 1; \
fi; \
done
make: Fatal error: Command failed for target `subdirs'

Compile Error for Bind 9.9.7P1 on Sparc based Solaris 10

2015-07-28 Thread Bhangui, Sandeep - BLS CTR
Hi

Just downloaded the source code for Bind 9.9.7P1 and was trying to compile on 
Sparc based Solaris 10, but for some reason get the following errors when I 
run make.

Have done this multiple times on Sparc Based Solaris 10 with the previous 
versions of Bind.

Was wondering whether I am missing some setting on my Solaris 10 server or has 
anything changed?

Any help would be appreciated.

Thanks
Sandeep


tbl.pl  -o named-symtbl2.c namedtmp2;  done ;  mv namedtmp2 named;  rm -f 
namedtmp0 namedtmp1 namedtmp2 named-symtbl2.c;  fi
Undefined   first referenced
symbol in file
RSA_generate_key_ex ../../lib/dns/libdns.a(opensslrsa_link.o)
DSA_generate_parameters_ex  ../../lib/dns/libdns.a(openssldsa_link.o)
DH_generate_parameters_ex   ../../lib/dns/libdns.a(openssldh_link.o)
ld: fatal: symbol referencing errors. No output written to namedtmp0
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `named'
Current working directory 
/adminfiles/solaris10/Bind997P1/bind-9.9.7-P1/bin/named
*** Error code 1
The following command caused the error:
for i in named rndc dig dnssec tools tests nsupdate  check confgen python 
nulldir; do \
if [ $i != nulldir -a -d $i ]; then \
echo making all in `pwd`/$i; \
(cd $i; make  DESTDIR= all) || exit 1; \
fi; \
done
make: Fatal error: Command failed for target `subdirs'
Current working directory /adminfiles/solaris10/Bind997P1/bind-9.9.7-P1/bin
*** Error code 1
The following command caused the error:
for i in make unit lib bin doc nulldir; do \
if [ $i != nulldir -a -d $i ]; then \
echo making all in `pwd`/$i; \
(cd $i; make  DESTDIR= all) || exit 1; \
fi; \
done
make: Fatal error: Command failed for target `subdirs'