Re: DNSTAP overload condition logging

2021-11-19 Thread Chris Buxton
Hi Carsten,

From our reading of the code, it appears that when the buffer fills up, it 
refuses to accept new entries. Older events are not overwritten, but newer 
events are refused. The fstrm_iothr_submit() function can return success, 
failure, or “fstrm_res_again”, which indicates the queue is full.

BIND stats reports two counters, dnstapSuccess and dnstapDropped. It appears 
that the dropped counter is incremented for either failure condition.

Regards,
Chris

> On Nov 18, 2021, at 9:50 PM, Carsten Strotmann  wrote:
> 
> Hi,
> 
> how can a BIND 9 operator detect a DNSTAP overload condition?
> 
> My understanding is that BIND 9 worker threads write DNSTAP information
> into a circular buffer in memory, which is then read by a different
> thread to write out the data (to file or socket).
> 
> Is there any indication to the user (log message, marker in DNSTAP data)
> in the situation where BIND 9 receives more DNSTAP events than it could
> write out, so that older events get overwritten in the buffer?
> 
> I've read dnstap.c and I could not find a hint, but I could have missed
> it.
> 
> Greetings
> 
> Carsten



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
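
Added example (not from the thread, and not ISC code): a small Python script that reads the dnstap section of two successive named.stats dumps, i.e. the dnstapSuccess and dnstapDropped counters Chris names, and turns the deltas into a drop ratio so the overload condition Carsten asked about can be alarmed on. The exact wording of the counter lines, the sample dump contents and the 60-second interval are constructed assumptions; adapt the regexes to what your `rndc stats` output actually prints.

```python
import re

# Constructed sample of the dnstap section from two successive `rndc stats`
# dumps (named.stats), 60 seconds apart. The line wording is an assumption
# modelled on BIND's text statistics output for the dnstapSuccess/dnstapDropped
# counters Chris mentions; adjust the regexes if your version prints it differently.
STATS_T0 = """\
+++ Statistics Dump +++ (1637300000)
++ Dnstap Statistics ++
             1200000 dnstap messages successfully sent
                   0 dnstap messages dropped
--- Statistics Dump --- (1637300000)
"""

STATS_T1 = """\
+++ Statistics Dump +++ (1637300060)
++ Dnstap Statistics ++
             1260000 dnstap messages successfully sent
               15000 dnstap messages dropped
--- Statistics Dump --- (1637300060)
"""

_TIMESTAMP = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
_COUNTER = re.compile(r"^\s*(\d+) dnstap messages (successfully sent|dropped)\s*$")


def parse_dnstap_counters(dump: str) -> dict:
    """Extract {'ts', 'success', 'dropped'} from one named.stats dump."""
    result = {"ts": None, "success": 0, "dropped": 0}
    for line in dump.splitlines():
        m = _TIMESTAMP.match(line)
        if m:
            result["ts"] = int(m.group(1))
            continue
        m = _COUNTER.match(line)
        if m:
            key = "success" if m.group(2) == "successfully sent" else "dropped"
            result[key] = int(m.group(1))
    return result


def dnstap_drop_rate(before: dict, after: dict) -> dict:
    """Both counters only grow, so the deltas between two dumps describe the interval.
    Any increase in 'dropped' means fstrm_iothr_submit() refused at least one
    message (queue full or failure), i.e. dnstap output could not keep up."""
    d_success = after["success"] - before["success"]
    d_dropped = after["dropped"] - before["dropped"]
    total = d_success + d_dropped
    have_ts = before["ts"] is not None and after["ts"] is not None
    return {
        "interval_s": after["ts"] - before["ts"] if have_ts else None,
        "submitted": total,
        "dropped": d_dropped,
        "drop_ratio": d_dropped / total if total else 0.0,
        "overloaded": d_dropped > 0,
    }


if __name__ == "__main__":
    report = dnstap_drop_rate(parse_dnstap_counters(STATS_T0), parse_dnstap_counters(STATS_T1))
    print(report)
```

Sampling the statistics channel (XML/JSON) instead of the text dump works the same way; only the parser changes, the counters are monotonic either way.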


Re: KSK signing zone records

2021-08-30 Thread Chris Buxton
I honestly don’t remember the reasoning, only the outcome. Maybe Mark or 
someone else from ISC can shed some light? I couldn’t find the answer to this 
regular (but infrequent) question in the ISC KB.

Regards,
Chris Buxton

> On Aug 30, 2021, at 3:40 PM, raf via bind-users  
> wrote:
> 
> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton 
>  wrote:
> 
>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>> same algorithm, then both will be used to sign the entire zone.
>> 
>> Regards,
>> Chris Buxton
> 
> Just out of curiosity, why is that?
> Isn't having the KSK sign the ZSK enough?
> What difference does the nature of the thing
> being signed make?
> 
> cheers,
> raf
> 


Re: KSK signing zone records

2021-08-30 Thread Chris Buxton
What algorithm(s) are you using for ZSK and KSK? If they’re not the same 
algorithm, then both will be used to sign the entire zone.

Regards,
Chris Buxton

> On Aug 30, 2021, at 9:08 AM, Timothy A. Holtzen via bind-users 
>  wrote:
> 
> I've had an issue with my key rotation process on a couple of zones.  I
> believe I've resolved that issue but it appears to me in several cases
> the KSKs rather than being used to sign the ZSK are being used to sign
> the zone records directly.
> 
> https://dnsviz.net/d/testmenwu.com/dnssec/?rr=2=all=all=.=
> 
> I've checked the Publication/Activation dates on the KSKs and they seem
> to be right.  The appropriate DS records should be available at the
> parent zone.  The keys in question are clearly type 257 KSKs.  Is there
> some kind of flag or something I need to add to the key to make it sign
> the ZSKs rather than the records directly?
> 
> I'm running bind 9.16.16.
> 
> 
> --
> 
> Timothy A. Holtzen
> Campus Network Administrator
> Nebraska Wesleyan University
> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
> 
> 
> 



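
Added example (not from the thread): given a zone's DNSKEY and RRSIG records, compute the RFC 4034 key tags, classify each key as KSK or ZSK from its SEP flag, and list every non-DNSKEY RRset that carries a KSK signature. Run against `dig +dnssec` output this shows the effect Chris describes: with a ZSK and a KSK of different algorithms, the KSK ends up signing the zone data too, because RFC 4035 requires every RRset to be signed with at least one key of each algorithm present in the apex DNSKEY RRset. The keys and signatures below are constructed (arbitrary bytes, not real key material); only the key tag arithmetic and the flag bits are real.

```python
import base64
import struct
from collections import defaultdict

ZONE = "example.com."

# Constructed DNSKEY RRset: (owner, flags, protocol, algorithm, base64 public key).
# The "public keys" are arbitrary bytes, not real key material; only the key tag
# arithmetic and the SEP flag matter here. Algorithm 13 has a KSK and a ZSK;
# algorithm 8 has a KSK only, the situation Chris describes.
DNSKEYS = [
    (ZONE, 257, 3, 13, base64.b64encode(bytes(range(64))).decode()),
    (ZONE, 256, 3, 13, base64.b64encode(bytes(range(64, 128))).decode()),
    (ZONE, 257, 3, 8, base64.b64encode(bytes(range(128, 200))).decode()),
]


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_roles(dnskeys) -> dict:
    """Map (algorithm, key tag) -> 'KSK' or 'ZSK' using the SEP bit (flags & 1)."""
    roles = {}
    for _owner, flags, proto, alg, pub in dnskeys:
        roles[(alg, key_tag(dnskey_rdata(flags, proto, alg, pub)))] = "KSK" if flags & 1 else "ZSK"
    return roles


def ksk_signed_rrsets(dnskeys, rrsigs) -> dict:
    """rrsigs: iterable of (owner, type covered, algorithm, key tag), e.g. parsed
    from `dig +dnssec`. Returns {(owner, type): [(alg, tag), ...]} for every
    non-DNSKEY RRset that carries a signature made by a KSK."""
    roles = key_roles(dnskeys)
    hits = defaultdict(list)
    for owner, covered, alg, tag in rrsigs:
        if covered != "DNSKEY" and roles.get((alg, tag)) == "KSK":
            hits[(owner, covered)].append((alg, tag))
    return dict(hits)


def sample_rrsigs():
    """Constructed RRSIG set for the keys above: the algorithm-13 ZSK signs the
    zone data, but algorithm 8 has no ZSK, so its KSK signs everything."""
    tag = {(flags, alg): key_tag(dnskey_rdata(flags, proto, alg, pub))
           for _o, flags, proto, alg, pub in DNSKEYS}
    ksk13, zsk13, ksk8 = tag[(257, 13)], tag[(256, 13)], tag[(257, 8)]
    return [
        (ZONE, "DNSKEY", 13, ksk13),
        (ZONE, "DNSKEY", 8, ksk8),
        (ZONE, "SOA", 13, zsk13),
        (ZONE, "SOA", 8, ksk8),
        ("www.example.com.", "A", 13, zsk13),
        ("www.example.com.", "A", 8, ksk8),
    ]


if __name__ == "__main__":
    for (owner, rtype), signers in sorted(ksk_signed_rrsets(DNSKEYS, sample_rrsigs()).items()):
        print(f"{owner} {rtype} signed by KSK(s): {signers}")
```

If the report lists only signatures of the algorithm that has no ZSK, the zone is behaving as RFC 4035 requires; if a KSK of the same algorithm as the ZSK is signing zone data, look at the key timing metadata instead.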


Re: nsupdate -g always uses master from SOA to form SPN

2021-08-26 Thread Chris Buxton
Use of a hidden primary makes some sense for external (public) DNS, but IMO not 
for situations where you would want to use GSS-TSIG. So while I would consider 
this a bug, I don’t think it will be tripped often.

BIND does support multiple SPNs on a single server, but you have to change how 
you configure it.

Regards,
Chris Buxton

> On Aug 26, 2021, at 7:32 AM, Magnus Holmgren  
> wrote:
> 
> When using GSS-TSIG, nsupdate (with the -g flag) always forms the SPN from the
> master server specified in the SOA record, rather than the server specified
> with the server command. Is that really correct behaviour, or should I report
> this as a bug? I've been scouring the Internet, but couldn't find any prior
> discussion about this particular situation.
> 
> The issue arises when employing a hidden primary, and the server in the SOA
> record is actually a secondary, which I thought was a rather common setup. In
> this situation, the real primary has to be specified with the server command,
> and I thought the SPN should represent the service and server being
> communicated with.
> 
> I can work around the problem by adding an SPN matching the SOA primary to
> Kerberos, but AFAIU, BIND can only be configured (tkey-gssapi-credential) to
> use a single SPN to look up keys in the keytab, so all the SPNs involved have
> to be aliases of each other, it seems.
> 
> --
> Magnus Holmgren
> MILLNET AB
> 
> --
> When contacting Millnet by e-mail, it is normal that at least some personal
> data about you is stored. You can read more about which data is stored and
> how we handle it at https://www.millnet.se/integritetspolicy/.


Re: Logging statements w.r.t. view in Bind 9.16.18

2021-08-24 Thread Chris Buxton
The rationale to separate recursive and non-recursive (typically authoritative) 
services as you describe is largely to do with separating logging, exactly as 
in this use case. There are also reasons of performance sometimes, but it 
doesn’t sound like this fits that reason.

You could also see these queries from the outside world with dnstap or similar, 
logging packets possibly without even involving named. You certainly would not 
need a view for that. If your clients are not hitting your public address, you 
could also tell named not to listen on the public address, so that those 
queries to the public address would be ignored by the operating system. Or you 
could use iptables, perhaps, to filter out those queries from the public (and 
even log them…).

As you noted in your initial message, though, logging is global, not per-view. 
You either have to prevent named from seeing them, or perhaps live with the log 
messages from that public view. Perhaps your SIEM (if you use one) could split 
the data based on the view name in the log messages.

Regards,
Chris Buxton

> On Aug 24, 2021, at 7:44 AM, Gaurav Kansal  wrote:
> 
> Hi Ged, 
> 
> Actually, recursion is only enabled for a selected set of users, using the GeoIP 
> feature of BIND.
> As the server is on a public IP, I have added the PUBLIC view to log the users who are 
> scanning/attempting to connect to my server.
> 
> I hope I have explained my use case.
> 
> Thanks.
> 
> - Original Message -
> From: bind-users@lists.isc.org
> To: bind-users@lists.isc.org
> Sent: Tuesday, August 24, 2021 5:37:35 PM
> Subject: Re: Logging statements w.r.t. view in Bind 9.16.18
> 
> Hi there,
> 
> On Tue, 24 Aug 2021, Gaurav Kansal wrote:
> 
>> I want a clarity whether we can have individual logging statement
>> per view basis ? Whatever i found on google, i think we can't.  My
>> use case for separate logging statement is as follows -
>> 
>> In my recursive server, i have 2 views, one for my internal clients
>> and one for Internet ; i am running Internet view just for catch
>> hold of scanning IPs (type of honeypot).
>> 
>> Syntax of 2 views are as follows -
>> 
>> view "INTRANET" {
>> match-clients { PRIVATE.SEGMENTS ; };
>> recursion yes;
>> };
>> 
>> view "PUBLIC" {
>> match-clients { any; };
>> allow-query { none; } ;
>> recursion no;
>> };
> 
> You have recursion turned off for PUBLIC.  As I understand it, the
> conventional wisdom is not to run recursive and non-recursive services
> on the same BIND instance.  Would it make sense then, in your case, to
> run two separate instances of BIND?  Separating logs is then trivial.
> 
> -- 
> 
> 73,
> Ged.


Re: Add DNS records automatically for static IP's

2021-08-05 Thread Chris Buxton
Windows clients do this with the right settings; often those settings are the 
defaults. For Linux, there’s got to be a script out there that ties into the 
networking code, but I’ve never needed to look for a solution.

The biggest challenges I’ve seen in doing this right are:

  * cryptography: Are you accepting unsigned updates, or are you going to try 
to be secure, using either TSIG or GSS-TSIG? The latter is a real pain to set 
up, and a performance pig, but it can provide good security.
  * access control: If you don’t need unsigned updates, you can use the 
update-policy statement rather than allow-updates to set more granular access 
controls. But update-policy is more complex.
  * performance: How big is the environment? How many updates per second do you 
need to accept? With GSS-TSIG, performance can be an issue in a very large 
enterprise.
  * maintenance: After these devices register themselves, they might get 
decommissioned. Perhaps much later, but eventually upgrades happen and needs 
change. How are you cleaning up the stale records? Your DHCP server will do 
that for you, for DHCP clients.

Regards,
Chris Buxton

> On Aug 5, 2021, at 9:19 AM, Roberto Carna  wrote:
> 
> Dear all, I know DDNS works with a DHCP server and dynamic IP's. When
> IP changes, the hostname in DNS is updated.
> 
> But I have this scenario:
> 
> I have several hosts with static IP's / hostnames and I want to
> register them to our private BIND DNS, and they should be updated if
> the IP or hostname changes.
> 
> Is there any way to do what I need? Any Linux/Windows client to
> install in the servers in order to register IP and hostname to our
> private BIND?
> 
> Special thanks!
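
Added example (not from the thread, and not named's own code): a Python model of a small subset of BIND's update-policy grammar (the self, subdomain and zonesub rule types, first matching rule wins, and the implicit exclusion of RRSIG, NS, SOA, NSEC and NSEC3 when a grant lists no types) to show what Chris means by update-policy being more granular than allow-update: with allow-update every key holder can change any record in the zone, whereas the constructed policy below lets each host touch only its own A/AAAA records. The key names, the policy text and the rule subset are assumptions for illustration; other rule types (selfsub, wildcard, krb5-self and so on) are not modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Types named refuses implicitly when a rule lists no types at all.
PROTECTED_TYPES = frozenset({"RRSIG", "NS", "SOA", "NSEC", "NSEC3"})


def _canon(name: str) -> str:
    return name.lower().rstrip(".") + "."


def _at_or_below(name: str, parent: str) -> bool:
    name, parent = _canon(name), _canon(parent)
    return name == parent or name.endswith("." + parent)


@dataclass(frozen=True)
class Rule:
    action: str             # "grant" or "deny"
    identity: str           # TSIG key name (GSS-TSIG principals work the same way)
    nametype: str           # "self", "subdomain" or "zonesub" (the subset modelled here)
    name: Optional[str]     # ignored for self and zonesub
    types: FrozenSet[str]   # empty = every type except PROTECTED_TYPES


def parse_policy(text: str) -> List[Rule]:
    """Parse the body of an update-policy { ... } block (one rule per ';')."""
    rules = []
    for stmt in text.split(";"):
        toks = stmt.split()
        if not toks:
            continue
        action, identity, nametype = toks[0].lower(), toks[1], toks[2].lower()
        if nametype == "zonesub":          # takes no name field
            name, rest = None, toks[3:]
        else:
            name, rest = toks[3], toks[4:]
        rules.append(Rule(action, identity, nametype, name, frozenset(t.upper() for t in rest)))
    return rules


def rule_matches(rule: Rule, key: str, target: str, rtype: str, zone: str) -> bool:
    if _canon(rule.identity) != _canon(key):
        return False
    if rule.nametype == "self":
        name_ok = _canon(target) == _canon(key)
    elif rule.nametype == "subdomain":
        name_ok = _at_or_below(target, rule.name)
    elif rule.nametype == "zonesub":
        name_ok = _at_or_below(target, zone)
    else:
        raise ValueError(f"nametype {rule.nametype!r} not modelled in this example")
    if not name_ok:
        return False
    if rule.types:
        return rtype.upper() in rule.types
    return rtype.upper() not in PROTECTED_TYPES


def update_allowed(policy: List[Rule], key: str, target: str, rtype: str, zone: str) -> bool:
    """First matching rule decides, as in named; no matching rule means denied."""
    for rule in policy:
        if rule_matches(rule, key, target, rtype, zone):
            return rule.action == "grant"
    return False


# Constructed policy (assumed key names): hosts register their own addresses,
# a DHCP key maintains dyn.example.com, and one broader admin key exists.
POLICY = parse_policy("""
    grant host1.example.com. self host1.example.com. A AAAA;
    grant dhcp-key.example.com. subdomain dyn.example.com. A AAAA TXT;
    deny  admin-key.example.com. subdomain _acme-challenge.example.com.;
    grant admin-key.example.com. zonesub;
""")

if __name__ == "__main__":
    for key, target, rtype in [
        ("host1.example.com.", "host1.example.com.", "A"),
        ("host1.example.com.", "host2.example.com.", "A"),
        ("admin-key.example.com.", "example.com.", "NS"),
    ]:
        print(key, target, rtype, "->", update_allowed(POLICY, key, target, rtype, "example.com."))
```

The contrast with allow-update is the last case: even the admin key cannot rewrite the apex NS set here, because no rule lists NS explicitly.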


Re: Can we provide recursion for forward zones in response to iterative queries?

2020-04-06 Thread Chris Buxton
On Apr 3, 2020, at 9:06 AM, bind-li...@iano.org wrote:
> Because the AD domain controllers already own 10.in-addr.arpa, they refuse to 
> allow us to configure conditional forwarding for its subdomains. So we 
> delegated the subdomains to the inbound endpoints. Because they are 
> delegations, the domain controllers set the recursion desired flag to 0 on 
> the queries they send to the endpoints, and we are not getting replies from 
> the endpoints.
> 
> As a workaround we tried delegating to our linux bind caching resolvers but 
> we ran into the same issue, that the domain controllers set recursion desired 
> to 0. As a result, when our linux caching servers have the result in cache, 
> the lookup is successful, but when it would require a fresh lookup it gets a 
> reply with no answers. Hence my question, is there a way to tell our bind 
> caching resolvers to ignore the recursion desired flag and provide recursion 
> anyway?

I've solved this before. You've tried two solutions, and neither worked alone. 
You need to do both.

- Delegate the subzones in question to the forwarders (or anywhere, really).
- Add conditional forwarding for the subzones also, pointing to the forwarders.

Without the delegation, the conditional forwarding won't work -- the MS DNS 
servers will respond authoritatively. But without the conditional forwarding, 
the MS DNS servers will send iterative queries, not recursive queries.

Regards,
Chris Buxton


Re: Issues with Stub Zone

2019-05-08 Thread Chris Buxton
Remembering that a stub zone is a cache hint, more information is needed.

 o  What do the two "master" DNS servers say when asked for the SOA record of 
'benlavender.co.uk'?
 o  Are there A or AAAA records in the Additional section? If so, can the 
indicated IP addresses be reached?

It may be that the behavior you're expecting is more in line with type 
"static-stub" than with type "stub".

Regards,
Chris Buxton

> On May 7, 2019, at 4:08 PM, Ben Lavender  wrote:
> 
> Hi,
> 
> I've been trying to configure a stub zone using both BIND 9.8x and 9.9x for 
> some split-brain internal DNS.
> 
> The problem I have is that any client that requests the NS or SOA records for 
> this zone gets SERVFAIL. The BIND server populates the 
> /var/named/slaves/benlavender.co.uk.DB file with the SOA and NS records 
> straight away and can query them over UDP 53 to the masters if need be.
> 
> I've had a look through the logs that are used in this config but the only 
> issues I see are in /lame-servers.log shows some IPv6 failures and that the 
> client is getting a SERVFAIL back in the /default.log:
> 
> 05-May-2019 22:58:32.846 client 192.168.1.4#51612 (benlavender.co.uk): query 
> failed (SERVFAIL) for benlavender.co.uk/IN/NS at query.c:7038
> 
> The config I'm using in /etc/named.conf is:
> 
> //
> // named.conf
> //
> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> // server as a caching only nameserver (as a localhost DNS resolver only).
> //
> // See /usr/share/doc/bind*/sample/ for example named configuration files.
> //
> // See the BIND Administrator's Reference Manual (ARM) for details about the
> // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
> 
> options {
> listen-on port 53 { 127.0.0.1; 172.16.4.31;};
> listen-on-v6 port 53 { ::1; };
> directory   "/var/named";
> dump-file   "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> recursing-file  "/var/named/data/named.recursing";
> secroots-file   "/var/named/data/named.secroots";
> allow-query { localhost; 172.16.4.2; 172.16.4.3; 192.168.1.4;};
> 
> /*
>  - If you are building an AUTHORITATIVE DNS server, do NOT enable 
> recursion.
>  - If you are building a RECURSIVE (caching) DNS server, you need to 
> enable
>recursion.
>  - If your recursive DNS server has a public IP address, you MUST 
> enable access
>control to limit queries to your legitimate users. Failing to do 
> so will
>cause your server to become part of large scale DNS amplification
>attacks. Implementing BCP38 within your network would greatly
>reduce such attack surface
> */
> recursion yes;
> 
> dnssec-enable yes;
> dnssec-validation yes;
> 
> /* Path to ISC DLV key */
> bindkeys-file "/etc/named.iscdlv.key";
> 
> managed-keys-directory "/var/named/dynamic";
> 
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> };
> 
> logging {
> channel default_file {
> file "/var/named/default.log" versions 3 size 5m;
> severity debug;
> print-time yes;
> };
> channel general_file {
> file "/var/named/general.log" versions 3 size 5m;
> severity debug;
> print-time yes;
> };
> channel database_file {
> file "/var/named/database.log" versions 3 size 5m;
> severity debug;
> print-time yes;
> };
> channel security_file {
> file "/var/named/security.log" versions 3 size 5m;
> severity debug;
> print-time yes;
> };
> channel config_file {
> file "/var/named/config.log" versions 3 size 5m;
> severity debug;
> print-time yes;
> };
> channel resolver_file {
> file "/var/named/resolver.log" versions 3 size 5m;
> severity debug;
> print-time yes;
> };
> channel xfer-in_file {
> file "/var/named/xfer-in.log" versions 3 size 5m;
> severity debug;
> print-time yes;
> };
> channel xfer-out_file {
> file "/var/named/xfer-out.log" versions 3 size 5m;
> severity debug;
> print-time yes;
> };
> channel 

Re: BIND 9.11 no longer respects edns-udp-size?

2019-03-12 Thread Chris Buxton
On Mar 11, 2019, at 7:12 AM, Tony Finch  wrote:
> 
> Stéphane Bortzmeyer  wrote:
>> 
>> Does minimal-responses make sense for an authoritative name server?
>> (Note there was no glue involved.)
> 
> I think it helps reduce fragmentation if the max-udp-size is larger than
> the MSS, but apart from that it probably doesn't make much difference.
> 
> As far as I can tell, clients and resolvers generally re-query for
> additional records when they are needed, and they already have the
> delegation records which should be the same as the authority records, so
> it seems pointless to me to add records to authoritative responses when
> they aren't used.

Enabling minimal-responses on an authoritative server will break any other 
server with a stub zone declaration with this authoritative server listed as 
master. The implementation of stub zones assumes that an SOA query will 
retrieve all of the required information (SOA, NS, and supporting A/AAAA 
records) to successfully insert the zone apex into the cache.

Chris Buxton


Re: nsupdate with RPZ

2018-05-23 Thread Chris Buxton
On May 22, 2018, at 7:35 PM, Blason R <blaso...@gmail.com> wrote:

> Wondering if anyone has a working How-To guide for implementing nsupdate 
> with RPZ? I mean do we need to configure any specific settings in zone of 
> Options?

A response policy zone is a zone like any other. You would normally restrict 
access to query it, but if you want to allow some system to manage the content 
of that zone dynamically, go ahead and set up an allow-update (or 
update-policy, if that's what you need) on that zone. Just make sure the 
updater is also allowed to query the zone.

If that's not your use case, tell us what your use case is in more detail and 
perhaps the list can help.

Chris Buxton


Re: Use case for "." queries

2018-05-07 Thread Chris Buxton
> On May 7, 2018, at 7:07 AM, John Miller JR <johnmillerj...@gmail.com> wrote:
> 
> Hello,
> On bind recursive server I am seeing lots of queries for "." with type ANY.
> Is there any use case which requires devices to send queries for "." with 
> type ANY ?

There could be a legitimate use case. But the most common use of such queries 
is to conduct an amplification attack.

What are the apparent source addresses of these queries? Are they consistent? 
If so, that would point to the target of such an attack, not the source.

Chris Buxton
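
Added example (not from either thread) serving two of the messages above: Chris's suggestion in the August 2021 view-logging thread that a SIEM could split the global query log on the view name, and his advice here to look at the apparent source addresses of "." ANY queries. The Python below parses BIND 9.16-style query log lines (the line layout is assumed from the `queries` category format; the sample lines, addresses and view names are constructed), buckets them per view, lists the sources that hit the honeypot view, and flags sources that repeatedly ask for the root with type ANY, which in a reflection flood is the spoofed target rather than the attacker.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND 9.16-style "queries" category log lines for the INTRANET and
# PUBLIC views from the configuration quoted in the August 2021 thread. The
# source addresses and the repeated ". IN ANY" queries are made up for the demo.
SAMPLE_LOG = """\
24-Aug-2021 10:15:01.123 client @0x7f3c4c0a2a70 10.20.0.15#52431 (www.example.com): view INTRANET: query: www.example.com IN A +E(0)K (10.20.0.53)
24-Aug-2021 10:15:01.456 client @0x7f3c4c0a2b80 198.51.100.77#4444 (example.com): view PUBLIC: query: example.com IN ANY +E(0) (203.0.113.53)
24-Aug-2021 10:15:02.001 client @0x7f3c4c0a2c90 198.51.100.77#4445 (version.bind): view PUBLIC: query: version.bind CH TXT + (203.0.113.53)
24-Aug-2021 10:15:02.300 client @0x7f3c4c0a2da0 10.20.0.16#61000 (mail.example.com): view INTRANET: query: mail.example.com IN MX +E(0) (10.20.0.53)
24-Aug-2021 10:15:03.777 client @0x7f3c4c0a2eb0 203.0.113.9#1337 (.): view PUBLIC: query: . IN ANY +E(0) (203.0.113.53)
24-Aug-2021 10:15:03.778 client @0x7f3c4c0a2eb0 203.0.113.9#1337 (.): view PUBLIC: query: . IN ANY +E(0) (203.0.113.53)
24-Aug-2021 10:15:03.779 client @0x7f3c4c0a2eb0 203.0.113.9#1337 (.): view PUBLIC: query: . IN ANY +E(0) (203.0.113.53)
not a query log line at all
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?"
    r"(?P<src>[0-9A-Fa-f.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"(?:view (?P<view>[^:]+): )?query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) "
    r"(?P<flags>\S+) \((?P<dst>[^)]+)\)$"
)


def parse_query_line(line: str):
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None


def split_by_view(log_text: str) -> dict:
    """Route each record to a per-view bucket; lines that do not parse go to '_unparsed'."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            buckets["_unparsed"].append(line)
        else:
            buckets[rec["view"] or "_default"].append(rec)
    return dict(buckets)


def top_sources(buckets: dict, view: str = "PUBLIC"):
    """Source addresses that reached the honeypot view, most active first."""
    return Counter(rec["src"] for rec in buckets.get(view, [])).most_common()


def root_any_suspects(buckets: dict, threshold: int = 3):
    """Sources sending ". IN ANY" at least `threshold` times, across all views.
    Because amplification floods are spoofed, a consistent source here is most
    likely the victim, not the attacker, as Chris points out."""
    counts = Counter(
        rec["src"]
        for records in buckets.values()
        for rec in records
        if isinstance(rec, dict) and rec["name"] == "." and rec["type"] == "ANY"
    )
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    views = split_by_view(SAMPLE_LOG)
    for view, records in views.items():
        print(f"{view}: {len(records)} records")
    print("PUBLIC sources:", top_sources(views))
    print("likely reflection targets:", root_any_suspects(views))
```

Feeding each bucket to its own file or SIEM index gives the per-view separation that named's logging statement cannot express on its own.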


Re: Suggestions for a distributed DNS zone hosting solution I'm designing

2018-03-07 Thread Chris Buxton
I work for BlueCat, a competitor to Infoblox. Our solution gives you BIND on 
Linux, with root access to the servers when you need it, as well as a robust 
management and monitoring solution. Our servers can be deployed in cloud and 
hosted environments.

That said, you don’t need a commercial product to do what you’ve described. 
BIND on Linux will do everything you’ve described, if properly set up. You 
could set up some simple scripting to give you secure DDNS so that you can 
update the data from anywhere.

I hope that helps.
Chris Buxton

Sent from my iPhone

> On Mar 6, 2018, at 10:10 PM, Latitude <arlendelcasti...@gmail.com> wrote:
> 
> I would like to solicit constructive feedback in regards to a distributed DNS
> zone hosting proof of concept I'd like to design and establish. 
> 
> I must deploy a DNS system with the following requirements:
> - single master server, multiple slave servers
> - minimal time for name resolving for Americas, Europe and Asia
> - up to millions records in a domain zone
> - changes propagate in real time (master -> slaves), 2 sec max delay
> - automatic slave data re-syncing on master link restore after disconnect
> - API for zone records manipulation (insert, update, delete)
> 
> So far I am considering using (free) DC/OS on Amazon Web Services with the
> latest version of BIND containerized using docker on a Linux or Unix OS. Dyn
> and Infoblox are also on my list of items to research but I have never used
> either and I enjoy working with BIND on Linux. After all this is the BIND
> Users group, but I would be interested to know if someone can make a case
> for using Dyn or Infoblox in this case. 
> 
> Considerations/questions I have about this deployment for this Bind-Users
> forum are:
> 
> 1. How can I examine DNS resolution times using this platform (or other
> platforms to compare with) in different geographic areas of the world
> without first deploying it? I will need to have benchmark data to test
> against to verify I am getting the fastest speeds possible on name
> resolutions. 
> 
> 2. How to handle millions of records in a DNS zone, and how common is it to
> have millions of records in a DNS zone?
> 
> 3. What API solutions for DNS zone edits currently exist or should I be
> looking into?
> 
> I will research more in the next day but so far I know I can manually
> configure named.conf to propagate zone changes to slave servers rapidly
> (aiming for 2 seconds or less) using NOTIFY messages and zone transfers, and
> also configure slave servers to automatically re-synch zone data with the
> master server upon reestablishing a connection. That should satisfy two of
> my requirements above. 
> 
> Any additional advice, hints, or tips for my proof of concept would be
> greatly appreciated! Thanks in advance. This will be a very fun project to
> design and hopefully implement. 
> 
> 
> 
> 


Re: DNAME usage?

2017-11-17 Thread Chris Buxton
A DNAME is a CNAME generator for subdomains of the DNAME record itself. That is:

example.com.  DNAME   example.net.

will result in any query for "foo.example.com" being answered with a 
dynamically-generated CNAME record like this:

foo.example.com.  CNAME   foo.example.net.

It has no effect on the name of the DNAME record itself -- it is not a CNAME 
record for example.com, and doesn't do the same job. The use case you describe 
cannot be solved by RFC-compliant DNS -- the name of a zone cannot be an alias 
of some other name. Creating the parent zone and putting the CNAME in there 
will create more problems for you.

Regards,
Chris Buxton

> On Nov 17, 2017, at 9:19 AM, Jeff Sadowski <jeff.sadow...@gmail.com> wrote:
> 
> I am a bit confused by DNAME's
> I had used them before but I may have used them wrong.
> 
> On windows 2008r2 I have some zone's where I create a DNAME for the
> root and point it to an A record.
> 
> IE:
> 
> zone bla.bla
> SOA 
> NS 
> DNAME www.bla.com
> 
> where www.bla.com is an A record.
> 
> the reason I was doing this is because www.bla.com has a dhcp assigned address
> 
> and I want bla.bla to always point to it.
> windows dns does not allow a cname at the root of a zone.
> 
> as of 2012r2 with updates this no longer works.
> 
> So I decided to see what bind would do with DNAME If I tried a similar
> experiment
> I have a db.self file I used when I want certain outside addresses to
> point back to my inside addresses.
> 
> my db.self file looks like so
> 
> 
> $TTL 3D
> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>  2017081201 ;
>  3H ;
>  15 ;
>  1w ;
>  3h ;
> )
> @ IN NS ns
> ns IN A 192.168.1.252
> @ IN A 192.168.1.252
> 
> And I want something similar for my DNAME, so I created db.dname that looks like so
> 
> $TTL 3D
> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>  2017081201 ;
>  3H ;
>  15 ;
>  1w ;
>  3h ;
> )
> @ IN NS ns
> ns IN A 192.168.1.252
> @ IN DNAME methanemaker.mooo.com
> 
> then when I try and start bind I get error messages like so
> 
> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: NS
> 'ns.bla.bla' is below a DNAME 'bla.bla' (illegal)
> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: not loaded
> due to errors.
> 
> I tried without the NS lines and I get this message
> 
> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: has no NS records
> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: not loaded
> due to errors.
> 
> If anyone has a better idea how to map to a dhcp addressed machine
> from a zone I'd like to know?
> 
> I don't want to recreate the entire superdomain for just one record
> that needs changed
> IE:
> the super domain is managed by an outside service. I don't want to
> keep a second copy inside that has a few with different records.
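
Added example (not from the thread): Python that performs the RFC 6672 DNAME substitution Chris describes and applies a load-time check in the spirit of the "is below a DNAME (illegal)" error Jeff hit. It shows that the DNAME owner itself is never rewritten (no CNAME is synthesized for bla.bla), that a substituted name longer than 255 octets yields YXDOMAIN, and that an address record for a name server under the apex DNAME is what makes the zone unloadable. The zone records are constructed from Jeff's db.dname; the error text is modelled on, not copied from, named's.

```python
from typing import List, Optional, Tuple


def _labels(name: str) -> List[str]:
    return [label for label in name.lower().rstrip(".").split(".") if label]


def _join(labels: List[str]) -> str:
    return ".".join(labels) + "." if labels else "."


def synthesize_cname(qname: str, dname_owner: str, dname_target: str) -> Optional[str]:
    """RFC 6672 section 2.2 substitution for a query name under a DNAME.
    Returns the synthesized CNAME target, or None when qname is not a *proper*
    subdomain of the DNAME owner (the owner itself is never rewritten).
    Raises ValueError where a resolver would see YXDOMAIN (result too long)."""
    q, o, t = _labels(qname), _labels(dname_owner), _labels(dname_target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    new_name = q[:len(q) - len(o)] + t
    if sum(len(label) + 1 for label in new_name) + 1 > 255:
        raise ValueError("YXDOMAIN: substituted name exceeds 255 octets")
    return _join(new_name)


def check_zone(records: List[Tuple[str, str, str]], zone: str) -> List[str]:
    """Load-time check in the spirit of named's: nothing may exist below a DNAME
    owner, because those names are synthesized from the target instead."""
    errors = []
    dname_owners = [owner for owner, rtype, _ in records if rtype.upper() == "DNAME"]
    for owner, rtype, _ in records:
        for d in dname_owners:
            ol, dl = _labels(owner), _labels(d)
            if len(ol) > len(dl) and ol[len(ol) - len(dl):] == dl:
                errors.append(f"zone {zone}/IN: {rtype} '{owner}' is below a DNAME '{d}' (illegal)")
    return errors


# Constructed zone (owner, type, rdata): the layout Jeff tried, with a DNAME at
# the apex and the name server's address record underneath it.
BAD_ZONE = [
    ("bla.bla.", "SOA", "ns.bla.bla. jeffsadowski.gmail.com. 2017081201 3H 15 1w 3h"),
    ("bla.bla.", "NS", "ns.bla.bla."),
    ("ns.bla.bla.", "A", "192.168.1.252"),
    ("bla.bla.", "DNAME", "methanemaker.mooo.com."),
]

if __name__ == "__main__":
    print(synthesize_cname("foo.example.com.", "example.com.", "example.net."))
    print(synthesize_cname("example.com.", "example.com.", "example.net."))
    for err in check_zone(BAD_ZONE, "bla.bla"):
        print(err)
```

The second print is None: the apex query for bla.bla gets the apex's own records, which is exactly why a DNAME cannot do the job of an apex CNAME.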

Re: named-compilezone errors

2017-05-30 Thread Chris Buxton
Thanks for the response, Tony. Responses in-line.

On May 30, 2017, at 5:51 AM, Tony Finch <d...@dotat.at> wrote:

> Chris Buxton <cli...@buxtonfamily.us> wrote:
> 
>> dns_master_load: example.com.dns:6785: bad escape
>> dns_master_load: example.com.dns:6789: bad escape
>> 
>> mhtswfw-dellfi01\342\200\223mgmt A   10.152.224.231
>> mhtswfw-dellfi02\342\200\223mgmt A   10.152.224.232
> 
> Snigger. That's an en dash (U+2013, UTF-8 E2 80 93) encoded as
> octal escapes. Master file binary escapes are decimal :-)
> (Extra irony that Mockapetris was working on a PDP-10 which
> loved octal.)

That's amazing. The escapes come from Microsoft DNS, of course, so this seems 
like a bug in Microsoft's implementation.

>> There are NS records pointing to these names. The names belong to the
>> zone I'm trying to compile. But the names are not defined. I would have
>> expected that '-i none' would have allowed it to skip these errors. but
>> it doesn't.
> 
> Yes, BIND insists very strongly that name servers have addresses.

But it didn't used to do so. This seems like a bug to me, even if it is working 
as designed. The design is faulty. Any comment from ISC?

The purpose of this workflow is to standardize how data from Microsoft DNS 
exports are migrated into a BIND server. This problem is making the job harder.

Regards,
Chris Buxton


named-compilezone errors

2017-05-22 Thread Chris Buxton
I'm having trouble using named-compilezone on a zone, and I was wondering if 
I'm doing something wrong or if perhaps I've found a bug (or two). I apologize 
in advance for the sanitizing of the zone name, but it's not my zone and I 
can't share it.

named-compilezone -i none -k ignore -o example.com.txt example.com 
example.com.dns
dns_master_load: example.com.dns:6785: bad escape
dns_master_load: example.com.dns:6789: bad escape

Those lines are:

mhtswfw-dellfi01\342\200\223mgmt A  10.152.224.231
mhtswfw-dellfi02\342\200\223mgmt A  10.152.224.232

After pruning out those lines:

named-compilezone -i none -k ignore -o example.com.txt example.com 
example.com.dns
example.com.dns:6: no TTL specified; using SOA MINTTL instead
example.com.dns:3556: TTL set to prior TTL (600)
zone example.com/IN: NS 'ausdc2k8amer21.example.com' has no address records (A or AAAA)
zone example.com/IN: NS 'ausdcx64amer07.example.com' has no address records (A or AAAA)
zone example.com/IN: NS 'ausdcx64amer08.example.com' has no address records (A or AAAA)
zone example.com/IN: NS 'ausdcx64amer09.example.com' has no address records (A or AAAA)
zone example.com/IN: NS 'ausdcx64amer10.example.com' has no address records (A or AAAA)
zone example.com/IN: not loaded due to errors.

There are NS records pointing to these names. The names belong to the zone I'm 
trying to compile. But the names are not defined. I would have expected that 
'-i none' would have allowed it to skip these errors. but it doesn't.

Regards,
Chris Buxton


Re: global server load balancing with the domain name

2017-04-14 Thread Chris Buxton
On Apr 14, 2017, at 2:40 PM, McDonald, Daniel (Dan) 
<dan.mcdon...@austinenergy.com> wrote:
> 
> Setting up global server load balancing seems easy enough – just add ns 
> records pointing at the load balancer and away you go:
>  
> example.com.       38400  IN  SOA  ns20.example.net. dan\.mcdonald.example.com. 2017011107 10800 3600 604800 3600
> example.com.       38400  IN  NS   ns1.example.com.
> example.com.       38400  IN  NS   ns2.example.com.
> test.example.com.  900    IN  NS   gslb1.example.com.
> test.example.com.  900    IN  NS   gslb2.example.com.
>  
> That works fine for test.example.com.  But when I go to production, I need to 
> do it for example.com and www.example.com.  How do I delegate just the A 
> record and not the SOA, TXT, MX, SPF, and NS records, nor any of the other 
> entries in the zone. As I recall, I can’t just delegate, as an example, 
> www.example.com, then use a CNAME for example.com.

You can't do this for example.com. Obviously, www.example.com is not a problem. 
Your GSLB device should have a work-around for the zone apex (example.com 
itself), such as a simple webserver (right on each GSLB, perhaps) that takes 
those web requests and redirects them to www.example.com. Then in your main 
zone (not on the GSLB), you would have a record set pointing that zone apex to 
each of those web servers.

Regards,
Chris Buxton

Re: Allow dns queries for specific subdomain x.domain.com and block rest of the queries for *.domain.com

2017-04-11 Thread Chris Buxton
> On Apr 11, 2017, at 2:19 AM, Manuel Ramírez  
> wrote:
> 
> Hi,
> 
> I would like to allow queries for specific blogspot.com subdomains and block 
> the rest of the queries.
> I have a file with several zones configured, one of those zones is the 
> specific subdomain type "forward":
> 
> zone "w.blogspot.com" IN { type forward; forwarders { 213.0.184.85; 213.0.184.88; }; };
> 
> and below i have the zone blogspot.com as master resolving an internal ip:
> 
> zone "blogspot.com" IN { type master; file "/var/named/data/db.sinkhole"; };
> 
> 
> But it is not working, it always resolves the internal ip address. I thought 
> it evaluates the zones in order and first should forward the query for 
> w.blogspot.com, but it is always matching the other zone.
> Any idea about how I can achieve my goal?

No, order is not considered. Rather, there are two separate searches:

- Is there an authoritative answer available from local data? In this case, 
yes, because you have a sinkhole zone named "blogspot.com", from which an 
authoritative negative answer can be derived.
- If the first search does not return an answer, then use the recursion 
algorithm, including checking the cache and checking for the most specific 
forwarding configuration (if any) that would apply.

Doing what you want is better solved using RPZ, as Tony Finch mentioned. To do 
this, do not define these two zone statements. Instead, define a response 
policy zone that says that *.blogspot.com should be blocked, but that specific 
names (e.g. w.blogspot.com) should be whitelisted. Read the BIND v9 ARM for 
details on how to accomplish this.

Regards,
Chris Buxton
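The RPZ arrangement described above, as an added example that is not part of the original reply: the sinkhole master zone and the forward zone are dropped, and one policy zone blocks blogspot.com while passing w.blogspot.com through. The zone name rpz.local and the file paths are assumptions.

```conf
// --- named.conf fragment (added example; zone name and paths are assumptions) ---
options {
    recursion yes;
    // Remove the "blogspot.com" master (sinkhole) zone and the
    // "w.blogspot.com" forward zone: local authoritative data is answered
    // before recursion, and RPZ only rewrites answers obtained by recursion.
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/var/named/data/db.rpz.local";
    allow-query { none; };   // consulted internally, not served to clients
};

; --- /var/named/data/db.rpz.local (added example) ---
$TTL 300
@                   IN SOA  localhost. root.localhost. (
                            2017041101  ; serial
                            3600 900 604800 300 )
                    IN NS   localhost.

; Passthru for the permitted subdomain and anything beneath it.  A policy
; lookup works like an ordinary zone lookup, so the exact name beats
; *.blogspot.com, and *.w.blogspot.com is the closest wildcard for names
; under w.blogspot.com.
w.blogspot.com      IN CNAME rpz-passthru.
*.w.blogspot.com    IN CNAME rpz-passthru.

; Everything else under blogspot.com, and the apex itself, gets NXDOMAIN.
; The wildcard does not cover the apex name, hence the separate record.
blogspot.com        IN CNAME .
*.blogspot.com      IN CNAME .
```

Check the policy zone with `named-checkzone rpz.local /var/named/data/db.rpz.local` before reloading; the passthru rule is only reached once the sinkhole zone is gone, because a local authoritative answer wins before any policy is consulted.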

Re: forwarder (YES/NO)

2016-09-21 Thread Chris Buxton
Funny email address.

I could be wrong, but it looks like you might have a firewall problem. The one 
really slow response is the one over 512 bytes. Is it possible you have a 
firewall that examines the contents of DNS messages?

Regards,
Chris

Sent from my iPhone

> On Sep 21, 2016, at 12:34 PM, Pol Hallen  wrote:
> 
> hello again!
> 
>> try running dig +trace  and see how fast it runs. It should return
>> in about same time as BIND does (when it doesn't have anything in cache).
> 
> ; <<>> DiG 9.10.3-P4-Debian <<>> +trace @192.168.1.212 yahoo.it
> ; (1 server found)
> ;; global options: +cmd
> .   518367  IN  NS  d.root-servers.net.
> .   518367  IN  NS  g.root-servers.net.
> .   518367  IN  NS  e.root-servers.net.
> .   518367  IN  NS  h.root-servers.net.
> .   518367  IN  NS  b.root-servers.net.
> .   518367  IN  NS  c.root-servers.net.
> .   518367  IN  NS  a.root-servers.net.
> .   518367  IN  NS  l.root-servers.net.
> .   518367  IN  NS  i.root-servers.net.
> .   518367  IN  NS  m.root-servers.net.
> .   518367  IN  NS  k.root-servers.net.
> .   518367  IN  NS  j.root-servers.net.
> .   518367  IN  NS  f.root-servers.net.
> .   518396  IN  RRSIG   NS 8 0 518400 2016100417 
> 2016092116 46551 . 
> tZptpyBClVtkAbyo4NOR2MgHDoq67TlImcBVzZORhn7C2c557prmG42J 
> sSPD8aZmisk3bbUJbmqFVFB/M2y/O4zjw3jBf42ujHce99VD3xCeJuk7 
> boGW356J6c7JaApB02GRf3SGQIv7x6MVyBmGeKxAosEePlbfjg/8NPEY +y0=
> ;; Received 397 bytes from 192.168.1.212#53(192.168.1.212) in 2 ms
> 
> it. 172800  IN  NS  a.dns.it.
> it. 172800  IN  NS  m.dns.it.
> it. 172800  IN  NS  r.dns.it.
> it. 172800  IN  NS  dns.nic.it.
> it. 172800  IN  NS  nameserver.cnr.it.
> it. 86400   IN  NSECitau. NS RRSIG NSEC
> it. 86400   IN  RRSIG   NSEC 8 1 86400 2016100417 
> 2016092116 46551 . 
> LL0eXWf22Lhhi5C0P+PX446JQH+GwCFhxU7tkUUF9wyG+pQ0eDCnpTu0 
> vm0ww/3YycmNJwlF3IHJmLIh2l7htSW6G/o2/ozNbZU6RF9pMhKxQNrJ 
> aE6hf4L+Ka1N5uNstgJzrE6pV9ouXOJmL0Epoa3gUnbSZcFHH5QrKbu6 AfQ=
> ;; Received 545 bytes from 192.58.128.30#53(j.root-servers.net) in 577 ms
> 
> yahoo.it.   10800   IN  NS  ns2.yahoo.com.
> yahoo.it.   10800   IN  NS  ns1.yahoo.com.
> yahoo.it.   10800   IN  NS  ns5.yahoo.com.
> yahoo.it.   10800   IN  NS  ns7.yahoo.com.
> yahoo.it.   10800   IN  NS  ns3.yahoo.com.
> ;; Received 136 bytes from 194.0.16.215#53(a.dns.it) in 136 ms
> 
> yahoo.it.   300 IN  A   106.10.212.24
> yahoo.it.   300 IN  A   98.137.236.24
> yahoo.it.   300 IN  A   77.238.184.24
> yahoo.it.   300 IN  A   212.82.102.24
> yahoo.it.   300 IN  A   74.6.50.24
> yahoo.it.   86400   IN  NS  ns3.yahoo.com.
> yahoo.it.   86400   IN  NS  ns2.yahoo.com.
> yahoo.it.   86400   IN  NS  ns1.yahoo.com.
> yahoo.it.   86400   IN  NS  ns4.yahoo.com.
> yahoo.it.   86400   IN  NS  ns5.yahoo.com.
> ;; Received 380 bytes from 68.180.131.16#53(ns1.yahoo.com) in 173 ms
> 
> same problem... bind is too slow...
> 
> the situation change (very fast) if I use bind like resolver
> 
> forwarders {
> 8.8.8.8;
> };
> 
> I don't understand why without resolver my bind is so slow... how I can audit 
> the problem?
> 
> thanks! :-)
> 
>>> but testing 127.0.0.1, bind keep also 4000/5000ms to resolve a query
>> 
>> 
>>> forwarders {
>>> 127.0.0.1;
>>> };
>> 
>> do you forward to yourself???
> 
> unfortunately looking for bind on internet there're many wrong howto :-/
> 
> Pol


Re: Selective forwarding from an internal only name server

2016-08-17 Thread Chris Buxton
Try it without "+trace".

Regards,
Chris

> On Aug 17, 2016, at 2:59 AM, anup albal  wrote:
> 
> Hi
> 
> First up apologies if this is not the right list to email and for a long 
> email. I am hoping you can give me a clue as to what I am doing wrong here? 
> Or may be this is not supposed to work at all.
> 
> We have an internal only DNS server (dns1) with fake root zone. i.e a fake 
> file for the zone "."  This serves all internal clients.
> We are running 9.6-ESV-R11-P2 for this.
> 
> And we also have an external only DNS (ns1) which can talk to the internet 
> for DNS queries and serves external clients.
> 
> Now we have a requirement to have certain domains (e.g sharepoint.com) 
> resolved on clients being served by dns1. 
> 
> On dns1 I have setup a forward only zone called 'sharepoint.com' with ns1 
> set as the forwarder.
> And on the fake root zone file, I have added an entry for sharepoint like 
> below
> sharepoint.com.  NS  ns1.org.domain.name.au.
> 
> When I run a dig +trace sharepoint.com from dns1 I can resolve 
> sharepoint.com.
> But when i run it from an internal client it gets a Non-authoritative: No 
> answer 
> 
> Below are my snippets of my named.conf on dns1 (internal)
> 
> options {
> directory "/var/dns";
> forwarders { ip.of.ns1; };
> listen-on  { ip.of.dns1; 127.0.0.1; };
> query-source address ip.of.dns1;
> notify-source ip.of.dns1;
> transfer-source ip.of.dns1;
> allow-transfer { xxx.xxx/16; }; 
> transfer-format one-answer;   // BIND9 (deal with Windows Server 2003)
> 
> };
> 
> <.>
> zone "." in {
> type master;
> file "fake/root";
> };
> 
> zone "." in {
> type hint;
> file "/var/dns/fake/named.root";
> };
> zone "sharepoint.com." in {
> type forward;
> forward only;
> forwarders {ip.of.ns1;};
> };
> 
> The file fake/root has entries like below (ip and domain names changed for 
> security)
> 
> $TTL 86400
> ; NOTE:  TTL based on from Bind8 SOA record
> ;
> ; This file contains *fake* DNS Resource Records for the root domain (.)
> ;
> 
> .   IN  SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
>  2016081608  ; serial
>  10800       ; refresh
>  3600        ; retry
>  360         ; expire
>  86400 )     ; minimum
> 
> .   NS  dns1.org.domain.name.au.
> ;.  NS  dns2.org.domain.name.au.
> 
> com.au.                 NS  dns1.org.domain.name.au.
> sharepoint.com.         NS  ns1.org.domain.name.au.
> difforg.diffdomain.au.  NS  dns1.org.domain.name.au.
> 
> 0.0.127.in-addr.arpa.   NS  dns1.org.domain.name.au.
> 
> xxx.xxx.in-addr.arpa.   NS  dns1.org.domain.name.au.
> 
> localhost.  A   127.0.0.1
> 
> ; Glue
> dns1.org.domain.name.au.  A  ip.of.dns1
> ns1.org.domain.name.au.   A  ip.of.ns1
> ;dns2.org.domain.name.au. A  xxx.xxx.xxx.xxx
> 
> The root hints file (named.root) has below 
> 
> .       3600    IN NS   dns1.org.domain.name.au
> 
> dns1    3600    A       ip.of.dns1
> 
> 
> nslookup on a client returns this
> nslookup sharepoint.com 
> Server: ip.of.dns1
> Address:ip.of.dns1#53
> 
> Non-authoritative answer:
> *** Can't find sharepoint.com: No answer
> 
> And running dig on a client returns this
>  dig +trace sharepoint.com 
> 
> ; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com 
> ;; global options:  printcmd
> .   86400   IN  NS  dns1.org.domain.name.au.
> ;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms
> 
> sharepoint.com. 86400   IN  NS  ns1.org.domain.name.au.
> ;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms
> 
> ;; connection timed out; no servers could be reached
> 
> 
> 

Re: Delegation questions

2016-08-12 Thread Chris Buxton
Forwarding is more similar to how some other systems work. But it's not how DNS 
naturally works. I think the biggest source of "forwarding = natural" is 
perhaps from admins coming from other parts of IT, rather than any regional 
difference. But I could be wrong.

From a technical perspective, in addition to the performance factor that Kevin 
described, there is the fact that forwarding is inherently brittle. (So are 
stub zones, for different reasons.) So the more you forward, the harder it 
becomes to troubleshoot the inevitable problems that will arise, because you 
have more systems to check and more ways for things to go wrong.

Regards,
Chris

Sent from my iPhone

> On Aug 12, 2016, at 5:11 PM, Darcy Kevin (FCA)  
> wrote:
> 
> True, strictly from a per-hop latency standpoint, there shouldn't be much 
> difference between forwarding a packet or forwarding a DNS query.
> 
> Having said that -- and I'm sure the BIND developers could elaborate further 
> on this -- I know that there's big difference between processing *packets*, 
> from, say, a routing standpoint, which customized ASIC-level hardware can do 
> to the tune of millions per second, and processing *queries*, which are much 
> higher-level constructs, with a lot more variation, more levels of parsing, 
> disassembly, re-assembly, validation, etc. When you have multi-hop DNS 
> forwarding, you're using up significant resources on multiple computing 
> devices at once, in ways that don't necessarily lend themselves to 
> optimization in hardware. It ends up being the opposite of parallelism, i.e. 
> using the resources of multiple devices to accomplish something that could, 
> with only configuration changes, be accomplished with the resources of only 
> one device.
> 
> At the risk of sounding xenophobic, there seems to be a mindset among certain 
> cultures that forwarding is "natural", and, in contrast, having DNS instances 
> talk to each other directly is somehow "artificial". I've had this 
> conversation many times with many of my European counterparts over the years, 
> and we just seem to view things differently. One could speculate on the 
> difference in world view -- submission to higher authority, perhaps? 
> Hierarchical social organization? I don't know -- I don't claim any expertise 
> whatsoever in sociology, cognitive psychology, or related fields. But for me, 
> and I think most people in my (North American) culture -- possibly because we 
> tend more towards individualism and/or egalitarianism? -- having DNS 
> instances talk *directly* to each other, as "equals" or "peers", is much more 
> natural than one DNS instance relying upon another to handle all of its 
> resolution needs (thus making the first instance subservient, in a sense, to 
> the second), which then relies on another, and to another, and so on, in a 
> daisy chain.
> 
> Again, maybe it's just a different mindset/world-view. Or, perhaps I'm 
> over-generalizing a cultural difference from a relatively-small sample of 
> conversations. But, as I touched on in my second paragraph, there may be some 
> objective reasons to eschew forwarding, particularly multi-hop forwarding.
> 
>- Kevin
> 
> 
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
> Willmann, Robert
> Sent: Friday, August 12, 2016 1:33 AM
> To: bind-users@lists.isc.org
> Subject: RE: Delegation questions
> 
> Kevin Darcy wrote:
>> 
>> In any case, multi-hop forwarding is always the least-preferred option.
> 
> I wonder for which reason do you think this.
> 
> Of course, any forwarding adds an additional hop and therefore additional 
> delay and an additional possible point of failure.
> But this is true for any network-connection.
> 
> So, what do you think are the DNS-specific downsides of forwarding?
> The only thing that comes to mind if I think about downsides of forwarding is 
> that, if something goes wrong, the client only gets a generic SERVFAIL as 
> error message instead of a specific explanation what exactly went wrong.
> 
> Do you see other downsides to forwarding?
> 
> 
> Kind regards
> Robert Willmann
> 
> --
> Commerzbank AG
> Group Information Technology
> GS-IT 8.2.3 Core Services
> 
> Postal address: 60261 Frankfurt am Main
> Business premises: Mainzer Landstr. 151, 60327 Frankfurt am Main
> Tel.:+49 69 136 - 290 71
> Fax:+49 69 136 - 590 71 
> robert.willm...@commerzbank.com
> 
> Commerzbank AG, Frankfurt am Main http://www.commerzbank.de Mandatory disclosures 
> http://www.commerzbank.de/pflichtangaben
> 
> 

Re: Multiple AD domains

2016-07-28 Thread Chris Buxton
Absolutely agreed.

Regards,
Chris

Sent from my iPhone

> On Jul 28, 2016, at 12:40 PM, Darcy Kevin (FCA) <kevin.da...@fcagroup.com> 
> wrote:
> 
> Yes, I did misread the original post; thanks for clarifying.
>  
> But, the gist of the question seemed to be about mitigating the effects of 
> caching, for dynamically-changing data. At a high level, whether the zones 
> are AD zones or not, whether the “master” is BIND or Microsoft DNS, doesn’t 
> have a whole lot of bearing on that challenge. As should be obvious from what 
> I proposed, I prefer the slaving+NOTIFY approach over setting up fragile 
> forwarding arrangements.
>  
> The other sledgehammer approach, of course, is to set the TTLs really low, 
> but that can have a disastrous effect on performance/capacity, according to 
> how frequently the dynamically-changing names are being queried. Of course, 
> no amount of named.conf tweaking will help to mitigate the effects of caching 
> that occurs on the clients themselves (e.g. “nscd” on some *nix platforms, 
> Windows resolver cache for Windows). The only standards-based solution for 
> that is to lower the TTLs. (Non-standards-based solutions include ugly stuff 
> like running a script on every client to flush the cache every minute, ugh). 
> But, as always, lowering TTLs, should be done, if at all, with one’s eyes 
> open to the performance/capacity impact.
>  
>   
>   
>  - Kevin
>  
>  
>  
> 
> --
> Kevin Darcy
> NAFTA Information Security Projects
>  
> FCA US LLC
> 1075 W Entrance Dr,
> Auburn Hills, MI 48326
> USA
>  
> Telephone: +1 (248) 838-6601 
> Mobile: +1 (810) 397-0103
> Email: kevin.da...@fcagroup.com
>  
> From: Chris Buxton [mailto:cli...@buxtonfamily.us] 
> Sent: Thursday, July 28, 2016 12:52 PM
> To: Darcy Kevin (FCA)
> Cc: bind-users@lists.isc.org
> Subject: Re: Multiple AD domains
>  
> The OP's question was about setting up BIND, not MS DNS, related to using 
> Samba, not Windows, as the domain controller.
>  
> Regards,
> Chris
> 
> Sent from my iPhone
> 
> On Jul 27, 2016, at 12:36 PM, Darcy Kevin (FCA) <kevin.da...@fcagroup.com> 
> wrote:
> 
> My preference? Have all your clients use BIND to resolve DNS (this gives 
> access to more advanced features like sortlisting, good query logging, 
> blacklisting/redirection through the RPZ mechanism, Anycast, etc.). Set up 
> the BIND instances as slaves for the AD zones, and have the AD folks add the 
> BIND instances to the apex NS records so that the DCs will trigger fast 
> replication to BIND via the NOTIFY extension to the protocol.
>  
> I’d never let a regular PC client use Microsoft DNS for resolving DNS. Perish 
> the thought!
>  
> Note that this approach, if implemented simply, doesn’t scale to large 
> numbers of BIND instances (because you don’t want to add dozens or hundreds 
> of apex NS records to the zone). Beyond a certain threshold, you’d want to 
> set up a multi-level slaving/NOTIFY hierarchy on the BIND side…
>  
>   
>   
>  - Kevin
>  
>  
>  
> 
> --
> Kevin Darcy
> NAFTA Information Security Projects
>  
> FCA US LLC
> 1075 W Entrance Dr,
> Auburn Hills, MI 48326
> USA
>  
> Telephone: +1 (248) 838-6601 
> Mobile: +1 (810) 397-0103
> Email: kevin.da...@fcagroup.com
>  
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff 
> Sadowski
> Sent: Wednesday, July 27, 2016 3:00 PM
> To: bind-users@lists.isc.org
> Subject: Re: Multiple AD domains
>  
> should I setup 192.168.1.1 as slaves to these two domains would that fix it?
>  
> On Wed, Jul 27, 2016 at 12:56 PM, Jeff Sadowski <jeff.sadow...@gmail.com> 
> wrote:
> On the samba mailing list they described setting up the DC as the NS and 
> forward to another machine for more rules.
> This will work fine for one domain. Now lets say I have 2 domains.
>  
> If I setup forwarders like so on 192.168.1.1
>  
> zone "domainA" IN { type forward; forward only; forwarders { 192.168.2.1; }; };
> zone "domainB" IN { type forward; forward only; forwarders { 192.168.3.1; }; };
>  
> It will cache entries for 

Re: BIND 9 API & GUI

2016-07-28 Thread Chris Buxton
Kirk,

Have a look at the commercial offerings. All of them offer a GUI and an API for 
managing BIND servers, including managing zones and records. Some of them are 
limited to managing their own appliances. Some of them do offer the ability to 
overlay on existing BIND servers, too, though.

BlueCat
Men & Mice
Infoblox
EfficientIP
Vital QIP
DiamondIP

I'm sure there are more that I'm forgetting.

Please note: I am a current and former employee of two of these vendors.

Regards,
Chris

Sent from my iPhone

> On Jul 25, 2016, at 2:36 PM, Kirk  wrote:
> 
> I have been looking for a way to provide both an API and a GUI interface for 
> my multi-master/slave BIND infrastructure.
> 
> There are obviously many GUI options, but finding a solution that will allow 
> for external programs to add/change/delete records (API), and allow 
> administrators to manually make the same kinds of changes (GUI) without each 
> process interfering with each other has proven more difficult than I expected.
> 
> This seems like it would be a common need, and I can't be the only one in 
> this "bind".
> 
> Has anyone else solved this problem?
> 
> 


Re: Multiple AD domains

2016-07-28 Thread Chris Buxton
The OP's question was about setting up BIND, not MS DNS, related to using 
Samba, not Windows, as the domain controller.

Regards,
Chris

Sent from my iPhone

> On Jul 27, 2016, at 12:36 PM, Darcy Kevin (FCA)  
> wrote:
> 
> My preference? Have all your clients use BIND to resolve DNS (this gives 
> access to more advanced features like sortlisting, good query logging, 
> blacklisting/redirection through the RPZ mechanism, Anycast, etc.). Set up 
> the BIND instances as slaves for the AD zones, and have the AD folks add the 
> BIND instances to the apex NS records so that the DCs will trigger fast 
> replication to BIND via the NOTIFY extension to the protocol.
>  
> I’d never let a regular PC client use Microsoft DNS for resolving DNS. Perish 
> the thought!
>  
> Note that this approach, if implemented simply, doesn’t scale to large 
> numbers of BIND instances (because you don’t want to add dozens or hundreds 
> of apex NS records to the zone). Beyond a certain threshold, you’d want to 
> set up a multi-level slaving/NOTIFY hierarchy on the BIND side…
>  
>   
>   
>  - Kevin
>  
>  
>  
> 
> --
> Kevin Darcy
> NAFTA Information Security Projects
>  
> FCA US LLC
> 1075 W Entrance Dr,
> Auburn Hills, MI 48326
> USA
>  
> Telephone: +1 (248) 838-6601 
> Mobile: +1 (810) 397-0103
> Email: kevin.da...@fcagroup.com
>  
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff 
> Sadowski
> Sent: Wednesday, July 27, 2016 3:00 PM
> To: bind-users@lists.isc.org
> Subject: Re: Multiple AD domains
>  
> should I setup 192.168.1.1 as slaves to these two domains would that fix it?
>  
> On Wed, Jul 27, 2016 at 12:56 PM, Jeff Sadowski  
> wrote:
> On the samba mailing list they described setting up the DC as the NS and 
> forward to another machine for more rules.
> This will work fine for one domain. Now let's say I have 2 domains.
>  
> If I setup forwarders like so on 192.168.1.1
>  
> zone "domainA" IN { type forward; forward only; forwarders { 192.168.2.1; }; };
> zone "domainB" IN { type forward; forward only; forwarders { 192.168.3.1; }; };
>  
> It will cache entries for each domain, and if a computer gets a different 
> address from DHCP it will update on the domain's DNS, but the DNS on 
> 192.168.1.1 will have a cached entry until it expires.
>  
> 192.168.2.1 and 192.168.3.1 are set up to forward all other zones than their 
> domain names to 192.168.1.1
>  
> If I have the DNS server set for all machines in domainA to 192.168.2.1, all 
> machines on domainA see any DNS changes to domainA immediately; machines on 
> domainB are cached and can take time to clear out.
> And
> if I have the DNS server set for all machines in domainB to 192.168.3.1, all 
> machines on domainB see any DNS changes to domainB immediately; machines on 
> domainA are cached and can take time to clear out.
>  
> What is the best way to resolve this issue?
>  

Re: Resolving issue on specific domain

2016-07-15 Thread Chris Buxton
On Jul 15, 2016, at 8:48 AM, Matus UHLAR - fantomas  wrote:
> 
> On 15.07.16 14:05, Daniel Dawalibi wrote:
>> Dig domainname -> Server failed
> 
> please show us output of it.
> when 127.0.0.1 is first in /etc/resolv.conf, dig should contact localhost
> first, and the result should be the same as dig @localhost domainname.

You should not rely on the order of entries in resolv.conf. Servers will not 
always be queried in the listed order. This is implementation-specific.

If you have two servers that will answer differently to the same query, then 
you shouldn't have those two servers in resolv.conf. Aim for a consistent (and 
consistently useful) result.

Regards,
Chris


Re: separation of authoritative and recursive functions on internal networks

2016-01-31 Thread Chris Buxton
> On Jan 29, 2016, at 3:58 PM, Darcy Kevin (FCA)  
> wrote:
> 
> Data obtained from the recursive function will never outrank authoritative 
> data of a master or a slave.

Kevin,

That's true, but authoritative servers also sometimes serve up referrals, 
sometimes including glue records. This data is not authoritative, and I have 
seen it outranked by cached data. That can lead to odd failures, especially if 
the querier is denied access to the cache.

Regards,
Chris


Re: Newbie's BIND Questions on DNSSEC, HA and SD

2016-01-19 Thread Chris Buxton
On Jan 16, 2016, at 9:33 PM, David Li <dlipub...@gmail.com> wrote:
> 
> Hi,
> 
> I am new to BIND. I am researching for a DNS server that can meet a
> list of requirements to be used in  a distributed system. They are:
> 
> 1. Security (DNSSEC)
> 2. High Availability (HA)
> 3. Service Discovery (DNS-SD)


Hello David,

I think you’ll find 1 and 3 are easy to find. For 2, it depends on what you 
mean. Tony Finch has already given you several excellent options covering most 
of the use cases.

The one thing that is most difficult is HA for the primary master name server, 
which is the target for dynamic updates and is therefore fairly important; even 
a few minutes of downtime of this server might cause outages for DHCP service, 
for example. There are several commercial offerings that include this sort of 
HA. I work for one of these vendors, BlueCat.

Regards,
Chris Buxton

Re: Cloud DNS providers for secondary DNS

2015-12-30 Thread Chris Buxton
> On Dec 29, 2015, at 5:36 PM, Michelangelo De Simone  wrote:
> 
> also, in order to avoid
> unnecessary polling, you may think of enabling the "notify" options from
> your master toward your slaves.

No, that's not what that does.

The notify mechanism is enabled by default, although it probably needs some 
tweaking using also-notify in an anycast scenario.

The notify mechanism allows the master server to notify slave servers (or other 
hosts) when a zone changes. This speeds up the synchronization process between 
master and slaves, but does not preclude the regular scheduled SOA queries.

If for some reason you were concerned about zone refresh traffic (typically 1 
query per zone every several hours), you can tune it in a few ways, including 
adjusting your refresh timer upward to, say, a day or even two. This is safer 
to do when you know that the notify mechanism is working properly. Is that 
perhaps what you meant?

Regards,
Chris


Re: does bind depends on system DNS settings for lookup?

2015-11-23 Thread Chris Buxton
Kevin,

I appreciate the thorough response. The usage you describe is somewhat at odds 
with the usage I’ve been using, which is why I asked the question.

One thing that seems to be confusing matters is the use of the word “resolver" 
in the text you quote, seeming to refer to the stub resolver in a client 
device. This makes it sound like a name server offering recursion is not a 
resolver, which is definitely counter to the usage in the RFCs and therefore 
wrong. I think this might stem from the usage in Cricket’s O’Reilly books; I 
used to work with Cricket, and had this debate with him, and he was unable to 
logically justify his usage. (Saying, “This is what’s in my book, and I’m not 
changing my book, so I must be right” does not form a logical argument.)

Anyway, I just want to have agreed-upon terminology. If my historical usage is 
deemed inaccurate or outmoded, I’m willing to adjust. To my thinking, we need 
solid definitions of the following items:

- Stub resolver
- Resolver (encompassing both a stub resolver and a recursive [or is it 
iterative?] resolver)
- Recursive name server (or is it iterative?) (because not all resolvers 
capable of recursion are name servers)

I have found when teaching this material that helping someone understand the 
distinctions also helps them understand DNS itself. Not having consistent 
usage, at least among those of us who know this stuff as well as you and I (and 
plenty of others on this list), leads to confusion among the neophytes.

I will be reading the IETF terminology draft closely. Thanks for pointing it 
out.

Regards,
Chris

> On Nov 19, 2015, at 1:11 PM, Darcy Kevin (FCA) <kevin.da...@fcagroup.com> 
> wrote:
> 
> Chris,
>   The terms "iterative resolution" and "recursive resolution" appear to 
> be in fairly common use, but they are not "classic" DNS lingo (e.g. don't 
> appear in RFC 1034 or 1035, or any of the major RFCs which followed). RFC 
> 4697, from 2006, is not a "major" DNS RFC, but it defined "iterative 
> resolver" (as part of the composite term "iterative resolver component") via 
> the text "the name server component of a recursive name server receives DNS 
> queries and the iterative resolver component sends queries". That RFC also 
> uses the term "recursive resolution algorithm", but, it appears, only as an 
> umbrella term to include *both* the "name server component" and "iterative 
> resolver component", in the previously-quoted text. So, it's not talking 
> about the client, or the client/server interface, only the algorithm that the 
> server side follows.
> 
> The latest "terminology clarification" attempt 
> (https://tools.ietf.org/html/draft-ietf-dnsop-dns-terminology-05) is informed 
> by the iterative/recursive distinction, inasmuch as it defines the terms 
> "recursive mode", "recursive resolver", "recursive server", "iterative mode" 
> and "iterative resolver". But I think those definitions are still confusing, 
> because they don't squarely address the provider/consumer distinction -- an 
> entity which *provides* resolution for incoming RD=1 queries typically uses 
> (on its *consumer* side) RD=0 queries to get the answer; so, is it 
> "recursive" or "iterative" or *both*? RFC 4697's definition of an "iterative 
> resolver" purely in *consumer* terms ("sends queries"), is distinguished in 
> this new draft only in terms of the *provider* interface ("responds with a 
> referral to another server"). Also, the attempt, in that draft, to clarify 
> "recursive server" talks about it having a "name server side" and a "resolver 
> side", but the term "name server" is never actually defined in the document 
> (amazingly!). I think I'll raise these as problems with the draft.
> 
> Although it may seem like an oversimplification, the easy way to understand 
> and communicate this is that "iterative resolution" uses RD=0 queries and 
> "recursive resolution" uses RD=1 queries. (Whether the resolution attempt is 
> *successful* is another question, of course: sending an RD=1 query to a node 
> that doesn't honor recursion is likely to result in failure, but it can still 
> be said that the client *tried* to use "recursive resolution").
> 
>   
> - Kevin
> 
> 
> -Original Message-
> From: Chris Buxton [mailto:cli...@buxtonfamily.us] 
> Sent: Thursday, November 19, 2015 11:33 AM
> To: Darcy Kevin (FCA)
> Cc: BIND Users
> Subject: Re: does bind depends on system DNS sett

Re: refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)

2015-11-14 Thread Chris Buxton
Lawrence,

I've seen this where a firewall blocks UDP packets between slave and master, 
typically because it doesn't understand EDNS. The refresh query fails, so at 
expiry time, it just initiates a zone transfer anyway, and that succeeds (over 
TCP).

Checkpoint firewalls are the most common offenders in my experience.

Regards,
Chris Buxton

Sent from my iPhone

> On Nov 13, 2015, at 10:12 PM, Lawrence K. Chen, P.Eng. <lkc...@ksu.edu> wrote:
> 
> So, the last couple of days I've been banging my head on this problem
> 
> Where I'm seeing this strangeness.
> 
> 13-Nov-2015 18:00:27.896 general: info: zone salina.k-state.edu/IN/internal: 
> refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)
> 13-Nov-2015 18:00:27.896 general: info: zone salina.k-state.edu/IN/internal: 
> Transfer started.
> 13-Nov-2015 18:00:27.900 xfer-in: info: transfer of 
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using 
> 129.130.254.21#65439
> 
> Among the things I tried, included setting 'transfer-source'.
> 
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> refresh: retry limit for master 10.133.253.128#53 exceeded (source 
> 129.130.254.21#0)
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> Transfer started.
> 13-Nov-2015 23:03:42.393 xfer-in: info: transfer of 
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using 
> 129.130.254.21#34391
> 
> No help.
> 
> Also disabled the host's firewall though it was wide open for tcp/udp 
> involving port 53
> 
> The fuller logs context is:
> 
> 13-Nov-2015 23:03:03.298 notify: info: client 10.133.253.128#17589: view 
> internal: received notify for zone 'salina.k-state.edu'
> 13-Nov-2015 23:03:03.298 notify: info: client 10.133.253.128#17589: view 
> internal: received notify for zone '178.130.129.in-addr.arpa'
> 13-Nov-2015 23:03:03.298 general: info: zone salina.k-state.edu/IN/internal: 
> notify from 10.133.253.128#17589: refresh in progress, refresh check queued
> 13-Nov-2015 23:03:03.298 general: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: notify from 10.133.253.128#17589: 
> refresh in progress, refresh check queued
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> refresh: retry limit for master 10.133.253.128#53 exceeded (source 
> 129.130.254.21#0)
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> Transfer started.
> 13-Nov-2015 23:03:42.393 xfer-in: info: transfer of 
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using 
> 129.130.254.21#34391
> 13-Nov-2015 23:03:42.443 general: info: zone salina.k-state.edu/IN/internal: 
> transferred serial 2015113475
> 13-Nov-2015 23:03:42.443 xfer-in: info: transfer of 
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: Transfer completed: 
> 9 messages, 654 records, 17889 bytes, 0.049 secs (365081 bytes/sec)
> 13-Nov-2015 23:03:42.443 notify: info: zone salina.k-state.edu/IN/internal: 
> sending notifies (serial 2015113475)
> 13-Nov-2015 23:03:43.395 general: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: refresh: retry limit for master 
> 10.133.253.128#53 exceeded (source 129.130.254.21#0)
> 13-Nov-2015 23:03:43.396 general: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: Transfer started.
> 13-Nov-2015 23:03:43.400 xfer-in: info: transfer of 
> '178.130.129.in-addr.arpa/IN/internal' from 10.133.253.128#53: connected 
> using 129.130.254.21#34392
> 13-Nov-2015 23:03:43.438 general: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: transferred serial 2015113421
> 13-Nov-2015 23:03:43.439 xfer-in: info: transfer of 
> '178.130.129.in-addr.arpa/IN/internal' from 10.133.253.128#53: Transfer 
> completed: 5 messages, 223 records, 6184 bytes, 0.038 secs (162736 bytes/sec)
> 13-Nov-2015 23:03:43.439 notify: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: sending notifies (serial 2015113421)
> 
> zone "salina.k-state.edu" {
>type slave;
>file "sec/internal/zone.salina.k-state.edu";
>masters {
>10.133.253.128;
>10.133.253.129;
>129.130.254.20 key "int-tsig";
>}
>also-notify { 129.130.254.20 key "int-tsig"; };
>transfer-source 129.130.254.21;
> };
> 
> I have 4 nameservers... one stealth master and 3 exposed secondaries... this 
> is the zone on 'ns-1.ksu.edu', and where I've just given away the IP of our 
> stealth master...
> 
> The intent (temporary at the time) was so delegated zones sending to 
> 'ns-1.ksu.edu' would work... by having that server send it to stealth master, 
> wh
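An added example, not part of the original thread. Before changing anything, the check that separates "EDNS is dropped" from "UDP/53 is dropped" is two SOA queries from the secondary: one with dig's default EDNS0 OPT record and one with +noedns. If only the second one answers, the path is discarding EDNS-carrying packets, which matches the failed refresh followed by a successful TCP transfer in the posted logs. The stopgap below tells named not to use EDNS towards that primary; the primary address is the one from the logs, the rest of named.conf is assumed.

```conf
// Added example, not from the original thread. Stopgap for a path that
// drops EDNS0-carrying UDP between a secondary and its primary. The primary
// address is the one in the posted logs; everything else is assumed.
//
// Check from the secondary first (shell commands, shown here as comments):
//   dig @10.133.253.128 salina.k-state.edu SOA +norecurse           # EDNS on (dig default)
//   dig @10.133.253.128 salina.k-state.edu SOA +norecurse +noedns   # EDNS off
// A timeout on the first and an answer on the second means EDNS packets
// are being dropped somewhere between the two servers.

// Per-server override: named never sends EDNS to this primary, so the
// SOA refresh query becomes a plain UDP query that the firewall passes.
// Put it at top level, or inside the view that holds the slave zones.
server 10.133.253.128 {
    edns no;
};

// Remove the override once the firewall is fixed: without EDNS every answer
// from this server larger than 512 bytes has to fall back to TCP.
```

The override only hides the symptom; a firewall that cannot pass EDNS will also break DNSSEC-sized answers for anything else routed through it, so fix the path and drop the `server` clause afterwards.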

Re: SRV Request to DNS

2015-10-13 Thread Chris Buxton
On Oct 5, 2015, at 11:51 PM, Harshith Mulky  wrote:
> Let us say we are having a FQDN and we need to Resolve it. It goes through 
> the procedure of determining the IP and Port using NAPTR/SRV/A query 
> mechanisms
> 
> The question I have is if I have a FQDN with a Port Number already 
> determined, will it go through the Procedure of NAPTR/SRV/A query (or) simply 
> do a A query (or) Is this left to the client to apply the Logic?

The client must supply the logic. DNS is conceptually a simple database service 
— ask a question, get an answer. The logic of using NAPTR records, SRV records, 
A records, AAAA records, and CNAME records is mostly handled by the client. 
(CNAME and DNAME records are the primary exception, triggering extra processing 
on the recursive name server.)

Chris

Re: DNS Negative Caching

2015-08-31 Thread Chris Buxton
On Aug 28, 2015, at 5:27 PM, Barry Margolin  wrote:

> Note that if a server is authoritative-only, caching is mostly 
> irrelevant, so the negative cache TTL doesn't much apply. In this case, 
> the SOA Minimum is just being used as the default TTL.

No, that is not correct. When responding negatively, the authoritative server 
uses the negative caching TTL (the Minimum field) as the TTL of the SOA record 
in the authority section.

Chris


Re: DNS Negative Caching

2015-08-28 Thread Chris Buxton
 Is that really still true? I thought that use of the Minimum field went 
 away when it was changed to be the negative cache TTL.

Barry,

Yes, it’s still true. If you don’t set a default TTL, then the last field of 
the SOA record does double duty as both a default TTL and a negative caching 
TTL. And no RFC has ever updated its name.

Chris Buxton

Re: RPZ and client matching

2015-05-09 Thread Chris Buxton
 On May 9, 2015, at 9:34 AM, Job j...@colliniconsulting.it wrote:
 
 Hello,
 
 i noticed i can write a RPZ file for blocking some websites resolution, as 
 example, and exclude some Client IP from this policy.
 
 I would like to do exactly the opposite: i want to define some blocking 
 resolution policy and ASSIGN only to specific client.
 
 Is it possible with RPZ?

Create a new view, with match-clients set to the client in question. Define the 
response policy in that view.

Have that view forward to the main view, using any of a variety of methods. For 
example, forward to the loopback address, which doesn't match the new view's 
match-clients ACL.

Chris
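A worked configuration for the two-view arrangement described in the reply, added here as an example and not taken from the original thread. Clients in the "filtered" ACL land in a view that holds only the policy zone and forwards everything to 127.0.0.1; because the loopback address is not in that view's match-clients, the forwarded query falls through to the normal resolver view. All addresses, zone names and file paths are assumptions.

```conf
// Added example, not from the original thread: apply an RPZ to one group
// of clients only. Addresses, names and paths are assumptions.

options {
    directory "/var/named";
    // named must listen on loopback so the first view can forward to it.
    listen-on { 127.0.0.1; 192.0.2.53; };
    recursion yes;
    allow-query { 127.0.0.1; 192.0.2.0/24; 198.51.100.0/24; };
};

acl "filtered" { 198.51.100.0/24; };   // only these clients get the policy

// First view: matches only the clients to be filtered. The policy zone
// lives here and nothing else; every query is forwarded to 127.0.0.1.
view "rpz-clients" {
    match-clients { "filtered"; };     // 127.0.0.1 is deliberately absent
    recursion yes;                     // forwarding requires recursion
    forward only;
    forwarders { 127.0.0.1; };
    response-policy { zone "rpz.local"; };

    zone "rpz.local" {
        type master;
        file "rpz.local.db";           // e.g.  blocked.example  CNAME .
        allow-query { none; };         // policy data is not for clients
    };
};

// Second view: everyone else, plus the forwarded queries, which arrive
// from 127.0.0.1 and therefore do not match "filtered". No RPZ here.
view "default" {
    match-clients { any; };
    recursion yes;
};
```

Two caveats a practitioner will hit: the second view sees every forwarded query as coming from 127.0.0.1, so any per-client ACL or logging that needs the real source address has to live in the first view; and RPZ does not rewrite answers for clients that set the DO bit unless `break-dnssec yes` is added to the `response-policy` statement.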



Re: Basic info on interfaces file

2015-04-01 Thread Chris Buxton
This is not really a BIND question; this mailing list is for BIND questions. 
RTM. Start with this command:

man 5 interfaces

You can use the 'q' key to exit from the manual page.

The BIND name server will not read /etc/resolv.conf (which is what that 
dns-nameserver line refers to), so set it to '::1'. Or whatever makes sense to 
you.

The 'address' line sets the local address for the interface, on the server 
itself.

Good luck. The following may also be of some help:
https://help.ubuntu.com/community/BIND9ServerHowto

Regards,
Chris

 On Mar 31, 2015, at 11:33 PM, STEPHEN EYRE sce...@btinternet.com wrote:
 
 For educational interest i am setting up an authoritative only DNS server at 
 home and after a few failures i am starting at the beginning again.
 
 I am using Bind9 with Ubuntu 14.04 server software. 
 
 Todays question revoles around the /etc/network/interfaces file.
 
 In the line starting with 'address' i have inserted the internal IP address 
 of the machine running the bind software. I presume that is correct?
 
 In the line starting with 'dns-nameserver' i am unsure whether it should be 
 the same the 'address' as above or whether it should be my static public IP 
 address. Which should it be?
 
 Thanks for any assistance you may wish to give
 
 Stephen Eyre
 
 Sent from Yahoo Mail on Android
 



Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Chris Buxton
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:

 I know that BIND has no feature to disable DNSSEC validation for selected 
 Zones/Domains (when working as a recursor).
 One can only enable/disable DNSSEC validation globally per view (as a boolean 
 on/off).

[...]

 I'm just wondering, is an option like unbound's domain-insecure 
 intentionally not implemented in in BIND? Or did just nobody care enough to 
 implement it yet?

While you wait for this to become generally available, you can do what I like 
to do for my customers: Use two layers of recursive DNS servers. The first 
layer takes queries from clients, knows about your insecure domains (through 
stub zones, slave zones, or conditional forwarding), and does not perform 
DNSSEC validation. The first layer globally forwards to the second layer, which 
does DNSSEC validation and recursion. This second layer can also have a few 
other features:

- Placed in the DMZ, outside the internal firewall
- No access to internal namespace, internal devices, etc.
- RPZ filtering, if you're going to use this

You can also achieve much of this within a single named instance using two 
views, with forwarding from one view to the other.

Chris
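The two-layer design from the reply, written out as an added example (not the poster's or ISC's configuration). Layer 1 faces the clients, does no validation and serves the internal namespace itself, so those names never reach the validator; layer 2 sits in the DMZ, validates, and only accepts queries from layer 1. Both named.conf files are shown one after the other; all names and addresses are assumptions.

```conf
// Added example, not from the original thread: two named instances.
// Names, addresses and file paths are assumptions.

// ---- Layer 1: 10.0.0.53, faces clients, no DNSSEC validation -----------
options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    recursion yes;
    allow-query { 10.0.0.0/8; };
    allow-recursion { 10.0.0.0/8; };
    dnssec-validation no;            // never validates; layer 2 does
    forward only;
    forwarders { 192.0.2.53; };      // layer 2
};

// Internal namespace whose chain of trust is absent or broken: answered
// here, so it is never sent to the validating layer. Two ways to do it.
zone "corp.example" {
    type slave;                      // full copy; authoritative answers
    masters { 10.0.0.10; };
    file "slave/corp.example";
};
zone "lab.corp.example" {
    type static-stub;                // conditional forwarding with RD=0
    server-addresses { 10.0.1.10; };
    forwarders { };                  // empty: ignore the global forwarders
};

// ---- Layer 2: 192.0.2.53 in the DMZ, validates, knows no internal names -
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-query { 10.0.0.53; };      // only layer 1 may ask
    allow-recursion { 10.0.0.53; };
    dnssec-validation auto;          // built-in root trust anchor, 9.8+
    // Filtering belongs here if used:  response-policy { zone "rpz.example"; };
};
```

The same split can be built inside one named instance with two views, the client-facing view forwarding to a loopback address that only the validating view matches. Either way, the point is that "internal" and "validated" are decided by which layer answers, not by a per-domain switch BIND does not have.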


Re: ipv6 AAAA register and ipv4 NS register with the same name

2014-12-15 Thread Chris Buxton

 On Dec 15, 2014, at 12:38 AM, Manuel Ramírez manuel.rami...@grupoica.com 
 wrote:
 
 Hello,
 
 We have bind 9.8.4. P2 with many registers delegated to Link load
 balancer (we have two public ip´s range and linkproof acts as a dns
 balancer).
 Now we need to add the ipv6 AAAA register for all those registers that
 are in ipv4 delegated to the link balancer but this balancer doesn´t
 support ipv6.
 
 So we have the ipv4 register as NS and the same register in ipv6 as
 AAAA. I thought that when i ask for the ipv4 register the link balancer
 should show the two public ip´s and when i ask for the AAAA register,
 the dns shows the ipv6 ip, but is not like this. Doesn´t matter i ask
 for ipv4(ns) or ipv6(AAAA), always obtent the ipv4 ip delegated to the
 link balancer.
 
 Is there any way to achieve the ipv6 register, despite the same
 register is created in ipv4 and delegated to the load balancer, resolves
 the AAAA record type?

It's not entirely clear what you're trying to do, but perhaps if you tell us an 
example name that isn't behaving how you want, we (the list membership) can 
take a look.

It sounds like you might want different addresses in the additional section of 
the response depending on whether the request was for an A record or a AAAA 
record. If so, that's not possible.

Regards,
Chris

Re: Forward vs Authoritative traffic

2014-11-07 Thread Chris Buxton
On Nov 7, 2014, at 11:35 AM, Nex6|Bill n6gh...@yahoo.com wrote:
 
 I am going to be adding a type forward zone for an important zone.  how can i 
 test that the forward is working correctly? if i do a dig against the NS the 
 record will return no matter if its auth or fwd zone. 

Will your server be receiving recursive or iterative queries (rd=1 or rd=0) for 
the zone? Forwarding zones like this don't work for iterative queries.

Chris


Re: Forward vs Authoritative traffic

2014-11-07 Thread Chris Buxton
On Nov 7, 2014, at 1:29 PM, Nex6|Bill n6gh...@yahoo.com wrote:
 
 our parent org, owns the  parent zone, and this zone is delegated from there 
 to a load balancer onsite. which is authoritative.  but, the query path for a 
 normal query crosses the internet gateway because thats where the parent
 is. ( very short TTL ).
 
 any internet connection issue causes issues, so i am going to put a forward 
 zone directly from my NS to the load balancer which is auth for the zone. 
 that way, if the internet gateway is down or has issues the application will 
 still function.

I suspect a static-stub zone is more what you want, but yes, that sounds like 
it should work.

Chris

 On Nov 7, 2014, at 1:04 PM, Chris Buxton cli...@buxtonfamily.us wrote:
 
 On Nov 7, 2014, at 11:35 AM, Nex6|Bill n6gh...@yahoo.com wrote:
 
 I am going to be adding a type forward zone for an important zone.  how can 
 i test that the forward is working correctly? if i do a dig against the NS 
 the record will return no matter if its auth or fwd zone. 
 
 Will your server be receiving recursive or iterative queries (rd=1 or rd=0) 
 for the zone? Forwarding zones like this don't work for iterative queries.
 
 Chris
 



Re: Forward vs Authoritative traffic

2014-11-07 Thread Chris Buxton
On Nov 7, 2014, at 1:32 PM, Nex6|Bill n6gh...@yahoo.com wrote:
 
 5 sec TTL, with a lot of  load balancer based rules. on a lot of servers…..

I'm not sure what difference that makes. You said the load balancer is 
authoritative for a child zone. Therefore, don't forward to it, send it 
iterative queries. You do that using a zone of any of the following types on 
your server: slave, stub (may not work with a LB), or static-stub.

Slave: You would slave the parent zone from your parent org. This way, your 
server has the delegation on hand to use when answering queries for the child 
zone on the LB. There are several potential pitfalls with this approach, such 
as not being able to slave the zone from the parent org.

Stub: You would stub the delegated subzone from the LB. May not work. You would 
be telling your server, Ask this server (the LB) what servers are 
authoritative for this zone (the zone on the LB), and then when you get a query 
for this zone, if you don't have the answer in cache, send an iterative query 
to one of the indicated servers in order to resolve it. The LB may not support 
SOA and NS records, in which case the stub zone would fail.

Static-stub: You would be telling your server, When you get a query for this 
zone (the zone on the LB), if you don't have the answer in cache, send an 
iterative query to the LB in order to resolve it. That sounds to me like it's 
exactly what you want.

Type forward is virtually identical to type static-stub, except it sends 
recursive queries instead of iterative queries. This is generally bad practice 
(it might work fine, or it might have unintended consequences or otherwise 
fail, in a hard-to-diagnose way) unless the forwarder accepts recursive 
queries. So type static-stub is probably what you want.

Chris

 On Nov 7, 2014, at 1:31 PM, Chris Buxton cli...@buxtonfamily.us wrote:
 
 On Nov 7, 2014, at 1:29 PM, Nex6|Bill n6gh...@yahoo.com wrote:
 
 our parent org, owns the  parent zone, and this zone is delegated from 
 there to a load balancer onsite. which is authoritative.  but, the query 
 path for a normal query crosses the internet gateway because thats where 
 the parent
 is. ( very short TTL ).
 
 any internet connection issue causes issues, so i am going to put a forward 
 zone directly from my NS to the load balancer which is auth for the zone. 
 that way, if the internet gateway is down or has issues the application 
 will still function.
 
 I suspect a static-stub zone is more what you want, but yes, that sounds 
 like it should work.
 
 Chris
 
 On Nov 7, 2014, at 1:04 PM, Chris Buxton cli...@buxtonfamily.us wrote:
 
 On Nov 7, 2014, at 11:35 AM, Nex6|Bill n6gh...@yahoo.com wrote:
 
 I am going to be adding a type forward zone for an important zone.  how 
 can i test that the forward is working correctly? if i do a dig against 
 the NS the record will return no matter if its auth or fwd zone. 
 
 Will your server be receiving recursive or iterative queries (rd=1 or 
 rd=0) for the zone? Forwarding zones like this don't work for iterative 
 queries.
 
 Chris
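The three zone types compared in the reply, as an added configuration example (not from the original thread). The child zone name and the load balancer address are assumptions; only one of the three stanzas can exist for a given zone name in a view, so pick the one that matches what the server on the other end actually supports.

```conf
// Added example, not part of the original thread. The delegated child zone
// "app.example.net" is served by an on-site load balancer at 192.0.2.10
// (both assumed). Use exactly one of the three stanzas below.

// 1. type forward: named sends RD=1 (recursive) queries to the LB. Only
//    correct if the LB honours recursive queries; if it answers RD=1 with
//    RA=0 or REFUSED, resolution fails and the cause is hard to see.
zone "app.example.net" {
    type forward;
    forward only;                  // never fall back to normal iteration
    forwarders { 192.0.2.10; };
};

// 2. type static-stub: named sends RD=0 (iterative) queries straight to
//    the listed address and does not need the parent's delegation at all,
//    so it keeps working while the Internet path is down. BIND 9.8+.
zone "app.example.net" {
    type static-stub;
    server-addresses { 192.0.2.10; };
};

// 3. type stub: named first fetches the zone's SOA and NS records from the
//    listed server, then iterates to the servers named there. A load
//    balancer that does not serve SOA/NS cannot be used this way.
zone "app.example.net" {
    type stub;
    masters { 192.0.2.10; };
    file "stub/app.example.net";
};
```

The observable difference is the RD bit: a packet capture on the load balancer shows RD=0 queries from named under static-stub and RD=1 under forward. That is also the test the original poster asked for, since a dig against named itself returns the same answer either way.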
 
 
 



Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Chris Buxton
Either do as Kevin Darcy said or else use separate names:

company.com
office1.company.com
office2.company.com

The admin in office 2 updates the office2 zone. The dynamic updates in office 1 
go to the office1 zone. The company.com zone delegates both. Everyone can find 
everything via that delegation, but each office has its own zone. Everyone is 
happy.

Chris

On Apr 30, 2014, at 4:36 PM, Jeronimo L. Cabral jelocab...@gmail.com wrote:

 DNS1 with dynamic update and DNS2 with manually update
 
 
 On Wed, Apr 30, 2014 at 8:11 PM, Kevin Darcy k...@chrysler.com wrote:
 I'm still not understanding your constraints. If *all* updates come in 
 through Dynamic Update, then you don't need freeze/unfreeze.
 
 - 
 Kevin
 
 
 On 4/30/2014 6:47 PM, Jeronimo L. Cabral wrote:
 In office #1, the company.com master zone is updated automatically from 
 some Windows machines inn DNS1 and in office #2 the same zone is updated 
 manually in DNS2 by the administrator who shouldn't update (using freeze and 
 unfreeze) the master zone from office #1. This is the scenario, and we need 
 that a simple query to DNS1 be responded with any record from both zones.
 
 Thanks again
 
 
 On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy k...@chrysler.com wrote:
 Oh, I thought this was an external-versus-internal scenario. But, this is 
 even easier.
  
 A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the 
 stealth variety, if you want) of the other
 B) People use nsupdate to maintain the zone
 
 For security, TSIG-sign the updates. For fast change propagation, set up 
 NOTIFY if and as necessary.
 
  
- Kevin
 
 
 On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:
 Dear John, this is my scenario:
 
 1) Office 1: people work with some machines and fill up a local master zone 
 company.com with records in DNS1
 2) Office 2: people works with some others machines and fill up a local 
 master zone company.com with another records in DNS2
 
 So both office have a different master zone.
 
 Both offices belong to the same company, so I need that any client PC can 
 resolve a hostname from company.com domain, independently if this record 
 is in DNS1 or DNS2. 
 
 Thanks again, regards.
 
 JeLo
 
 
 
 On Wed, Apr 30, 2014 at 5:21 PM, John Miller johnm...@brandeis.edu wrote:
 Hi Jeronimo,
 
 First of all, please just tell us the real domain.  Yes, we could try and 
 talk about a fictitious example.com or company.com, but having the real 
 domain name lets us actually query your nameservers.
 
 Let me be sure I understand: you have two DNS servers.  Each of them is 
 authoritative for the same domain.  Are both set as master?
 
 The two servers have different copies of the zone--what's your reason for 
 that?
 
 If both servers think they are authoritative for a zone, then they will 
 answer recursive queries for those zones themselves.  From the manual: 
 
 Forwarding occurs only on those queries for which the server is not 
 authoritative and does not have the answer in its cache.
 
 What exactly are you trying to achieve?
 
 John
 
 
 
 On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral jelocab...@gmail.com 
 wrote:
 Dear, I would like to ask for solution related with DNS (bind) 
 configuration to allow forward requests to another DNS but related with the 
 same domain.
 
 I'm asking about two authoritative name servers serving the same domain but 
 with different zone file info on each and have one of them forward 
 recursive queries to another one if first one cannot find some particular 
 subdomain record that is missing in his version of zone file.
 
 My named.conf.local is as follow, but it doesn't work:
 
 zone "company.com" {
 type master;
 file "/etc/bind/zones/company.com.db";
 allow-transfer { key company; };
 check-names ignore;
 forward first;
 forwarders { 172.16.1.1; };
 };
 
 Thanks a lot, 
 
 JeLo
 
 
 
 
 
 -- 
 John Miller
 Systems Engineer
 Brandeis University
 johnm...@brandeis.edu
 (781) 736-4619
 
 
 
 
 
 
 ___
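The "separate names" layout from Chris's reply, as an added zone-file example (not from the original thread): the parent zone delegates one subzone per office, and each office's server is the only master for its own subzone. The zone name company.com is the thread's; server names, addresses and TTLs are assumptions. The two files are shown one after the other.

```conf
; Added example, not part of the original thread. Parent zone company.com
; delegating one subzone per office. Names, addresses and TTLs are assumed.

; ---- parent zone: company.com (file company.com.db on DNS1 and DNS2) -----
$ORIGIN company.com.
$TTL 3600
@       IN SOA  dns1.company.com. hostmaster.company.com. (
                2014043001 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; minimum = negative caching TTL
        IN NS   dns1.company.com.
        IN NS   dns2.company.com.
dns1    IN A    192.0.2.1          ; office 1 server
dns2    IN A    198.51.100.1       ; office 2 server

; Delegations. No glue is needed: both NS targets live in company.com
; itself, whose A records are above. Glue would be required only if a
; name server's name were inside the subzone it serves (e.g. ns.office1).
office1 IN NS   dns1.company.com.  ; dynamic updates from Windows go here
office2 IN NS   dns2.company.com.  ; maintained by hand on DNS2

; ---- child zone: office1.company.com (file office1.company.com.db, DNS1) -
$ORIGIN office1.company.com.
$TTL 3600
; MNAME must be the server that accepts the dynamic updates: Windows
; clients send their updates to the SOA MNAME of the zone.
@       IN SOA  dns1.company.com. hostmaster.company.com. (
                2014043001 3600 900 1209600 300 )
        IN NS   dns1.company.com.
printer IN A    192.0.2.40         ; example static record
```

Any resolver that reaches the company.com servers can now find names in either office through the delegation, while each office only ever edits (or lets clients update) its own zone. Restrict those updates with TSIG or GSS-TSIG on DNS1 rather than by source address, as the thread already points out.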
 

Re: Enterprise IPAM/DNS Solutions

2014-04-28 Thread Chris Buxton
On Apr 28, 2014, at 9:31 AM, Baird, Josh jba...@follett.com wrote:

 Hi,
 
 We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially a 
 front-end wrapper for BIND.  We deploy our own BIND boxes and simply 
 install the Men & Mice agent on them which allows us to centrally manage the 
 zones from a GUI (or CLI) based interface.
 
 I'm curious about the other enterprise solutions that are on the market.  
 Bluecat is the first one that comes to mind, but I'm completely unfamiliar 
 with their product.  Does their product run alongside native BIND (like MM) 
 or do I need to purchase their own appliances and place them all over my 
 network?  

Josh,

You probably remember me from my days at Men & Mice. I've been at BlueCat 
Networks now for more than four years. If you have any questions about 
BlueCat's product line, I'd be happy to help. If you prefer, you can contact me 
directly at my company email address, cbux...@bluecatnetworks.com.

To answer one question you posed here, we offer an appliance-based solution. 
They are hardened Linux systems that offer DNSSEC and anycast support out of 
the box, just as others have hinted in this thread. And unlike some of our 
competitors, we do allow ssh access if you need it.

Best regards,
Chris



Re: What if no root servers?

2014-04-09 Thread Chris Buxton
On Apr 9, 2014, at 12:02 AM, Dean Gibson (DNS Administrator) 
i...@ultimeth.com wrote:

 I'm interested in a special use-case, where (say, in an emergency), access to 
 most of the Internet (and hence the root servers) is cut off.  In this 
 situation, there is an emergency connected network consisting of several 
 domains, each with known nameserver IP addresses.   The hosts in domain 
 aaa.com know (typically, via DHCP) about the nameservers for their domain, 
 but nothing about domain bbb.com.
 
 At first I thought that one should place glue NS records for domain bbb.com 
 in the zone for aaa.com, so that hosts in aaa.com that use the aaa.com 
 nameservers, will be able to refer to the hostnames in domain bbb.com.
 
 I understand that one can do this for subdomains.  However, a bit of research 
 seems to suggest that a stub zone is the proper way to do this.  Is this what 
 a stub zone is for?

Yes, put the stub zone(s) on your recursive name servers so that they know 
where to find your authoritative zones or those outside zones to which you 
cannot lose contact. Use static-stub zones in place of stub zones where 
appropriate.

Then you have to maintain your masters statements as those zones move around.

Chris


Re: Update Security

2014-03-17 Thread Chris Buxton
On Mar 16, 2014, at 3:32 AM, Bob McDonald bmcdonal...@gmail.com wrote:

 Ok so it's not painless.  Do the updates still get forwarded to the master by 
 the slaves or do I need to have all Windows devices needing update capability 
 to point at the master?
 
 TIA,
 
 Bob

I don't believe it works with update forwarding. I've certainly never gotten it 
to work. However, Microsoft will send the updates to the master listed in the 
SOA record, so as long as that shows your otherwise-hidden master, and firewall 
access is set up for it, everything should work fine.

Regards,
Chris Buxton


 On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton cli...@buxtonfamily.us wrote:
 On Mar 14, 2014, at 10:50 AM, Bob McDonald bmcdonal...@gmail.com wrote:
 
  I agree that TSIG or SIG(0) signed updates are certainly a more desirable 
  approach than allowing updates via address.  My DHCP server is setup to 
  sign all of it's updates this way.  However, I have AD domain controllers 
  in the environment that don't currently use signed updates.  Is there a 
  fairly painless way to convert all the AD machines to signed updates?
 
 You would need to set up GSS-TSIG, which is not painless. (It's certainly 
 doable, but there are plenty of pitfalls to overcome.) Windows doesn't 
 support TSIG, just GSS-TSIG.
 
 AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the 
 master.
 
 Regards,
 Chris Buxton.
 


Re: Update Security

2014-03-14 Thread Chris Buxton
On Mar 14, 2014, at 10:50 AM, Bob McDonald bmcdonal...@gmail.com wrote:

 I agree that TSIG or SIG(0) signed updates are certainly a more desirable 
 approach than allowing updates via address.  My DHCP server is setup to sign 
 all of it's updates this way.  However, I have AD domain controllers in the 
 environment that don't currently use signed updates.  Is there a fairly 
 painless way to convert all the AD machines to signed updates?

You would need to set up GSS-TSIG, which is not painless. (It's certainly 
doable, but there are plenty of pitfalls to overcome.) Windows doesn't support 
TSIG, just GSS-TSIG.

AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the 
master.

Regards,
Chris Buxton.
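An added configuration example for the point made in both "Update Security" replies above: signed updates only, with GSS-TSIG for the AD machines and a static TSIG key for the DHCP server, which means update-policy rather than allow-update on the master. This is illustrative, not the poster's configuration; the realm, zone, key name, secret and keytab path are assumptions, and the exact ms-self/ms-subdomain grant forms should be checked against the ARM for the BIND version in use.

```conf
// Added example, not from the original thread. Zone on the (hidden) master
// accepting signed updates only. Realm, names, key and paths are assumed.

// Static TSIG key for the DHCP server (generate with tsig-keygen or
// dnssec-keygen; the secret below is a placeholder, not a real key).
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "UGxhY2Vob2xkZXIta2V5LW5vdC1mb3ItcHJvZHVjdGlvbg==";
};

options {
    directory "/var/named";
    // Kerberos keytab with DNS/dns1.example.com@EXAMPLE.COM, used to verify
    // GSS-TSIG signatures from Windows/AD clients. BIND 9.8 or later.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

zone "example.com" {
    type master;
    file "dyn/example.com";     // SOA MNAME must name this host, since
                                // Windows sends updates to the SOA MNAME
    // update-policy instead of allow-update: each grant is tied to a
    // signer identity, a name pattern and a set of record types.
    update-policy {
        // AD machine accounts (host$@EXAMPLE.COM) may change only their
        // own A/AAAA records; the name field is a placeholder for ms-self.
        grant EXAMPLE.COM ms-self . A AAAA;
        // Domain controllers may manage the AD service records under
        // _msdcs (add _tcp, _udp, _sites as your forest needs them).
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
        // The DHCP server may add or remove A records anywhere in this
        // zone (zonesub takes no name field); PTRs need a matching grant
        // in the reverse zone.
        grant dhcp-update zonesub A;
        // Anything unsigned, or signed by another identity, is refused.
    };
};
```

With this in place an unsigned `nsupdate` attempt is answered with REFUSED and logged, which is the quickest way to confirm that address-based updates are really gone.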


Re: IPv6 PTR Records

2014-03-10 Thread Chris Buxton
On Mar 10, 2014, at 8:28 AM, Maechler Philippe pmaechler...@glattnet.ch wrote:
 Let´s assume that we have a /32 IPv6 subnet for our needs and that we only 
 publish PTR records where they are needed like for mail servers and maybe DNS 
 and web servers. 
  
  
 Our Network is: 2001:db8::/32
 This would give us a Zone named 8.b.d.0.1.0.0.2.ip6.arpa

You could do that, or you could create one reverse zone per /64, or break it at 
any label you like.

 Our DNS has the ip 2001:db8:193:192::20/64 and the other one has 
 2001:db8:193:193::20/64
  
 1) Would you create an entry in 8.b.d.0.1.0.0.2.ip6.arpa like:
  
 20.2.9.1.0.3.9.1.0  IN A  dns1.example.org.
 20.3.9.1.0.3.9.1.0  IN A  dns2.example.org.

The correct answer is:

$ORIGIN 8.b.d.0.1.0.0.2.ip6.arpa.
0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.9.1.0.3.9.1.0 PTR dns1.example.com.
0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.9.1.0.3.9.1.0 PTR dns1.example.com.

Again, you can delegate subzones at any arbitrary label.

 2) In the near future we will have a lot more entries in the reverse Zone 
 and, so I guess, some parts of it will be delegated to other servers. When 
 would you start delegating parts of Zone 8.b.d.0.1.0.0.2.ip6.arpa into other 
 Zone-Files?
 How far down the tree would you go for the delegation?

Personally, I would create a reverse zone for each /64 subnet.

 3) Will a recursive resolver have problems if I only have a SOA for 
 8.b.d.0.1.0.0.2.ip6.arpa and no SOA for the zones below like 
 1.0.3.9.1.0.8.b.d.0.1.0.0.2.ip6.arpa?

There's a difference between zones and domains. A zone is equal to a domain 
minus any delegated subzones. You are permitted to delegate a subzone several 
labels down the tree from its parent zone. In other words, it's perfectly 
legitimate to have a zone at the /32 level and then child zones at the /64 
level, with no delegated subzones in between (at the /36, /40, /44, etc. 
levels).

 The reason I ask is:
 We had generic A records for our IPv4 space: 
 dynamic.001-002.003-004.catv.example.org IN A 1.2.3.4 and some mailservers 
 complained that there was no zone for 001-002.003-004.catv.example.org. nor 
 003-0004.catv.example.org. and no entry for catv.example.org. (we only had 
 the example.org Zone with host a host dynamic.001-002.003-004.catv)

That's a different question, for the names of your A records. I don't know why 
a mail server would complain about this, but perhaps others with recent mail 
server admin experience can comment here.

Regards,
Chris Buxton
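As an added example (not part of the thread), a Python helper that builds the reverse names given in the answer above and illustrates the zone-versus-domain point from the same reply. The zone origins in ZONES are assumptions: the /32 comes from the question, the /64 child zone for the first name server's subnet is constructed here.

```python
import ipaddress

# Assumed zone origins for this example: the /32 from the question plus one
# constructed /64 child zone for the first name server's subnet.
ZONES = [
    "8.b.d.0.1.0.0.2.ip6.arpa.",                  # 2001:db8::/32
    "2.9.1.0.3.9.1.0.8.b.d.0.1.0.0.2.ip6.arpa.",  # 2001:db8:193:192::/64
]


def reverse_name(addr):
    """Absolute ip6.arpa name of an address: all 32 nibbles, reversed, one per label."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


def reverse_zone(prefix):
    """Zone origin for a prefix; ip6.arpa cuts can only fall on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("/%d is not a nibble boundary" % net.prefixlen)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_record(addr, origin, target):
    """PTR line for addr written relative to $ORIGIN origin, as in that zone file."""
    name = reverse_name(addr)
    if not name.endswith("." + origin):
        raise ValueError("%s is not inside %s" % (name, origin))
    return "%s PTR %s" % (name[: -(len(origin) + 1)], target)


def enclosing_zone(addr, zones):
    """Most specific configured zone that holds addr's PTR record.

    A zone is its domain minus any delegated subzones, so an address inside a
    delegated /64 belongs to that child zone, while an address with no child
    zone stays in the /32 zone even though nothing is delegated at /36 ... /60.
    """
    name = reverse_name(addr)
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


if __name__ == "__main__":
    for addr, host in (("2001:db8:193:192::20", "dns1.example.org."),
                       ("2001:db8:193:193::20", "dns2.example.org.")):
        zone = enclosing_zone(addr, ZONES)
        print("$ORIGIN %s\n%s" % (zone, ptr_record(addr, zone, host)))
```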


Re: Bind vs flood

2014-02-28 Thread Chris Buxton
On Feb 28, 2014, at 2:12 AM, Jason Brown jason.br...@kcom.com wrote:

 But, it will respond with a valid response (your choice) and therefore not 
 create a servfail due to trying.. that’s my point.

Nope. RPZ only alters responses as they're on their way back to the requestor. 
The query is still resolved normally first. It does not short-circuit recursion.

Chris Buxton




 From: bind-users-bounces+jason.brown=kcom@lists.isc.org 
 [mailto:bind-users-bounces+jason.brown=kcom@lists.isc.org] On Behalf Of 
 Ivo
 Sent: 28 February 2014 10:10
 To: bind-users@lists.isc.org
 Subject: Re: Bind vs flood
  
 RPZ cannot rewrite servfail, it is designed to replace a valid response.
 
 On 2/28/14 11:42 AM, Jason Brown wrote:
 Isn’t this where RPZ comes in? Using RPZ means it is quicker and easier to 
 null amplification, also easier to remove if you do all this with nsupdate, 
 you can also create a webpage for TS to query any fault against.
  
 From: bind-users-bounces+jason.brown=kcom@lists.isc.org 
 [mailto:bind-users-bounces+jason.brown=kcom@lists.isc.org] On Behalf Of 
 Peter Andreev
 Sent: 28 February 2014 09:36
 To: Dmitry Rybin
 Cc: BIND Users Mailing List
 Subject: Re: Bind vs flood
  
 Well, at first glance it looks like malicious activity, so the best action is 
 to call all users suspected of sending such requests, and warn them.
 The fast and very (very-very-very) dirty solution is to set up zone 
 84822258.com on your resolver. This should suppress outgoing queries and thus 
 minimize resolving time.
  
 2014-02-28 12:06 GMT+04:00 Dmitry Rybin kirg...@corbina.net:
 On 27.02.2014 09:59, Dmitry Rybin wrote:
 
 Bind answers with Server failure. On high load (4 qps) all normal
 client can get Servfail on good query. Or query can execute more 2-3
 second.
  
 I made a mistake, 4'000 QPS.
 
 
 
 
 -- 
 Is there any problem Exterminatus cannot solve? I have not found one yet.
 
 
 
 
 

Re: Non-responsive name servers when started during boot on OS X Mavericks 10.9

2014-01-20 Thread Chris Buxton
On Jan 17, 2014, at 6:45 PM, Larry Stone lston...@stonejongleux.com wrote:

 Background: I have been using my Macintosh as a server…

[…]

 Problem: This morning, by happenstance, both were rebooted a few minutes 
 apart and suddenly, nobody could access anything. Finally figured out that 
 named on both was not responding (queries timed out). Killed named (which was 
 immediately restarted by Apple’s launchd) and all was well. Rebooted the 
 secondary to see if it was repeatable and same thing. Nothing of interest in 
 the log - both the initial startup at boot time and restart log identically 
 (and it does log the RFC 1918 empty zones warning so it gets that far). I’m 
 guessing there’s some resource not available at boot time that’s causing 
 named to hang but that's really just a wild guess.

I remember fixing this problem way back when Apple first switched to launchd 
(10.4 or so). Basically, Apple patches (or used to patch) named to make it 
register with the system to be told when a network interface is added. Their 
patch allowed named to start up before the network is up, and then essentially 
get a SIGHUP or something like it every time a network interface comes up or 
goes down.

The problem is that launchd starts named before the network is up. The solution 
is to have it wait a few seconds before starting. The way we did it back then 
was to have launchd start a script instead of starting named directly. The 
script would simply sleep 3 seconds (or something like that) before starting 
named. It would then stay open.

I’d bet that the package from Men & Mice includes this script or an equivalent 
workaround. When I wrote the original script I wrote about above, I worked at 
Men & Mice.

Regards,
Chris Buxton



Re: additional section policy

2014-01-20 Thread Chris Buxton
On Jan 19, 2014, at 7:30 PM, houguanghua houguang...@hotmail.com wrote:
 Would you please tell me which RFC depicts the policy of the 'additional 
 section', and how a BIND server deals with the 'additional section'? 
  
 Sometimes the number of records in the 'additional section' is more than the number in the 
 'authority section'. I don't know what the local BIND server will do when 
 receiving these additional sections. 
 The local BIND server may:
 -- pick one name server randomly
 -- or use sophisticated policies that score name servers and pick more 
 often the ones that replied faster
 
 Which is right?

The additional section is filled in by the responding name server with whatever 
records it feels would help the querier in the near future. This could be, for 
example, the addresses of name servers listed in NS records. It appears you’re 
asking about specifically this case. This behavior is described in RFC 1034 or 
1035, I believe.

As for responding to this data by following up on a referral and asking a 
listed name server, the BIND name server uses the RTT (round trip time) 
algorithm. Basically, it tries to guess which remote server would respond 
fastest and queries that server.

Regards,
Chris Buxton


Re: When Updates Fail

2014-01-07 Thread Chris Buxton
On Jan 7, 2014, at 2:05 PM, Martin McCormick mar...@dc.cis.okstate.edu wrote:

   Is there any way to tell what is actually being sent to
 bind when attempting a dynamic update?
 
   I have a perl script which is obviously broken because
 every forward update it tries to send fails.
 
 07-Jan-2014 15:38:09.458 client 192.168.1.5#17352: request has invalid 
 signature: TSIG ns: tsig verify failure (BADKEY)

Are you using Net::DNS to send your updates? If so, what version? There is a 
bug in 0.73 with regard to TSIG. One solution, for the time being, is to 
downgrade to 0.72. Or there’s a release candidate for 0.74 that apparently 
fixes it, but I haven’t tested it.

Regards,
Chris Buxton


Re: Error logs in bind resolving

2014-01-02 Thread Chris Buxton

On Dec 31, 2013, at 11:25 PM, Gaurav Kansal gaurav.kan...@nic.in wrote:

 Thanks Chris for your useful comments.
  
 On Dec 30, 2013, at 9:46 PM, Gaurav Kansal gaurav.kan...@nic.in wrote:
 I am getting the error message for lot of domains.
  
 Log of error entries are attached.
  
 All the ones I checked were caused by broken implementations.
 
 Is this a broken implementation of IPv6 or something else? This DNS server 
 is running IPv6 only.

Broken implementations of name servers. They’re probably mostly load balancers.

Regards,
Chris Buxton


Re: Error logs in bind resolving

2013-12-31 Thread Chris Buxton
On Dec 30, 2013, at 9:46 PM, Gaurav Kansal gaurav.kan...@nic.in wrote:
 I am getting the error message for lot of domains.
  
 Log of error entries are attached.

All the ones I checked were caused by broken implementations.

 Is it possible to configure bind so that error message should not be 
 generated in logs file.

They’re logged as errors. I’m not sure I’d want to suppress these errors. Maybe 
your log service can be configured to filter them out more specifically than 
what can be done with named’s own logging capability.

Regards,
Chris Buxton

Re: Error logs in bind resolving

2013-12-30 Thread Chris Buxton
On Dec 30, 2013, at 2:29 AM, Gaurav Kansal gaurav.kan...@nic.in wrote:

 Dear All,
  
 In my BIND server logs, I am getting too many error logs of the below mentioned 
 type.
 Can anyone pl. explain to me why I am getting these logs and how to get rid of 
 them?
  
 Although when I am doing dig for the domain (for which I am getting the 
 error), I am getting the valid output.
  
 Thanks.
  
 Dec 30 15:54:18 IPV6-NKN-DNS named[13123]: error (FORMERR) resolving 
 'ib.sin1.geoadnxs.com/AAAA/IN': 64.208.141.10#53

I see an incorrect negative response. Could this be the problem? Here is the 
end of a dig trace:

geoadnxs.com.   172800  IN  NS  01.auth.nym1.appnexus.net.
geoadnxs.com.   172800  IN  NS  01.auth.nym2.appnexus.net.
geoadnxs.com.   172800  IN  NS  01.auth.lax1.appnexus.net.
geoadnxs.com.   172800  IN  NS  01.auth.ams1.appnexus.net.
;; Received 222 bytes from 192.33.14.30#53(192.33.14.30) in 123 ms

sin1.geoadnxs.com.  86400   IN  NS  ns2.apac.gslb-ns.net.
sin1.geoadnxs.com.  86400   IN  NS  ns1.apac.gslb-ns.net.
;; Received 122 bytes from 68.67.133.169#53(68.67.133.169) in 67 ms

geoadnxs.com.   30  IN  SOA ns1.gslb.com. support.appnexus.net. 1 86400 30 86400 30
;; Received 103 bytes from 64.208.141.10#53(64.208.141.10) in 187 ms
___

My resolving name server complains as follows:

Dec 30 10:19:45 ubuntu named[1299]: DNS format error from 64.208.141.10#53 
resolving ib.sin1.geoadnxs.com/AAAA for client ::1#60014: invalid response
Dec 30 10:19:45 ubuntu named[1299]: error (FORMERR) resolving 
'ib.sin1.geoadnxs.com/AAAA/IN': 64.208.141.10#53
Dec 30 10:19:45 ubuntu named[1299]: DNS format error from 64.208.141.11#53 
resolving ib.sin1.geoadnxs.com/AAAA for client ::1#60014: invalid response
Dec 30 10:19:45 ubuntu named[1299]: error (FORMERR) resolving 
'ib.sin1.geoadnxs.com/AAAA/IN': 64.208.141.11#53
___

I believe the problem is that when asked for an AAAA record, the load balancer 
gives an otherwise-proper-looking negative response that claims to be from the 
wrong zone.

Regards,
Chris Buxton
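As an added illustration (not part of the post), a Python script that replays the dig trace quoted above and flags the mismatch described: the negative answer's SOA owner, geoadnxs.com, sits above the zone sin1.geoadnxs.com that the referral chain led to. The trace lines are the ones from the post with whitespace normalised and the query name taken from the log lines; FIXED_TRACE is a constructed variant for comparison.

```python
# Trace lines as quoted in the post above (whitespace normalised, the wrapped SOA
# line rejoined); the query name comes from the log lines in the same post.
QNAME = "ib.sin1.geoadnxs.com."
TRACE = """\
geoadnxs.com. 172800 IN NS 01.auth.nym1.appnexus.net.
geoadnxs.com. 172800 IN NS 01.auth.nym2.appnexus.net.
geoadnxs.com. 172800 IN NS 01.auth.lax1.appnexus.net.
geoadnxs.com. 172800 IN NS 01.auth.ams1.appnexus.net.
;; Received 222 bytes from 192.33.14.30#53(192.33.14.30) in 123 ms

sin1.geoadnxs.com. 86400 IN NS ns2.apac.gslb-ns.net.
sin1.geoadnxs.com. 86400 IN NS ns1.apac.gslb-ns.net.
;; Received 122 bytes from 68.67.133.169#53(68.67.133.169) in 67 ms

geoadnxs.com. 30 IN SOA ns1.gslb.com. support.appnexus.net. 1 86400 30 86400 30
;; Received 103 bytes from 64.208.141.10#53(64.208.141.10) in 187 ms
"""
# Constructed variant of the same trace in which the SOA comes from the delegated zone.
FIXED_TRACE = TRACE.replace("geoadnxs.com. 30 IN SOA", "sin1.geoadnxs.com. 30 IN SOA")


def is_within(name, zone):
    """True if name is zone itself or lies below it (the root contains everything)."""
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)


def parse_trace(text):
    """Yield (owner, type, rdata) for the resource-record lines of a dig +trace run."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0].startswith(";"):
            continue                      # blank lines and ';; Received ...' lines
        yield tokens[0], tokens[3].upper(), " ".join(tokens[4:])


def check_negative_answer(qname, trace):
    """Replay the referral chain and judge the final negative answer.

    Each NS set below the current zone is a referral and names the zone the next
    query goes to. The SOA in the last response must be an ancestor of qname and
    must lie within that zone; a SOA from the parent zone, as in the post, is the
    "wrong zone" case behind the FORMERR / invalid response lines logged above.
    Returns (zone, soa_owner, reason) with reason None when the answer is sound.
    """
    zone, soa_owner = ".", None
    for owner, rtype, _ in parse_trace(trace):
        if rtype == "NS" and is_within(owner, zone):
            zone = owner
        elif rtype == "SOA":
            soa_owner = owner
    if soa_owner is None:
        reason = "no SOA record in the final response"
    elif not is_within(qname, soa_owner):
        reason = "SOA owner %s is not an ancestor of %s" % (soa_owner, qname)
    elif not is_within(soa_owner, zone):
        reason = "SOA owner %s lies above the delegated zone %s" % (soa_owner, zone)
    else:
        reason = None
    return zone, soa_owner, reason


if __name__ == "__main__":
    for label, text in (("as logged", TRACE), ("fixed", FIXED_TRACE)):
        print(label, check_negative_answer(QNAME, text))
```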


Re: RPZ help on BIND

2013-12-28 Thread Chris Buxton
Babu Dheen,

The stanza you quoted will get you the zone. It appears to be correct syntax. 
If you’re using views, put this inside a view; otherwise, put it at the global 
level.

It will not create a response policy based on the zone. You have to do that 
yourself. Examples are in the BIND v9 Administrator Reference Manual, assuming 
your copy of the ARM is up to date and you’re using a relatively recent version 
of BIND.

The file ‘dbx.rpz.spamhaus.org' will contain a copy of the response policy 
zone. Again, configuring named to use this as the basis for a response policy 
requires extra configuration. I don’t know the purpose of this RPZ, so I can’t 
give you the exact syntax. Perhaps someone from Spamhaus can help you with that.

I don’t have enough context to answer your question about a whitelist. Perhaps 
someone else can help you with that.

Regards,
Chris Buxton

On Dec 23, 2013, at 5:11 AM, babu dheen babudh...@yahoo.co.in wrote:

 Dear All,
 
  My BIND DNS server is authorized to use spamhaus RPZ service and spamhaus 
 official team requested me to paste below configuration line in 
 /etc/named.conf file. Since i am new to RPZ and BIND, kindly help me to 
 enable this feature.
 
 
 zone "rpz.spamhaus.org" {
     type slave;
     file "dbx.rpz.spamhaus.org";
     masters { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
     allow-transfer { none; };
     allow-query { none; };
 };
 
 My question is:
 
 1. If I paste the above lines alone into the /etc/named.conf file, will it work?
 
 2. What will be the content of the dbx.rpz.spamhaus.org file?
 
 3. How do I maintain the local whitelist policy?
 
 
 Regards
 Babudheen

Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

2013-09-23 Thread Chris Buxton

On Sep 23, 2013, at 7:59 AM, Vernon Schryver v...@rhyolite.com wrote:

 From: Eliezer Croitoru elie...@ngtech.co.il
 
 I was looking for something like that but I am sure a dynamic DB is
 needed for the task right?
 
 Large DNSBLs are not very dynamic, because they have relatively few
 changes per day.  From another perspective, with the popularity of
 dynamically updating forward and reverse DNS zones as end-user IP
 addresses change, why isn't the machinery in any full featured
 DNS implementation a dynamic DB?  The term database should not
 imply sql or even relational.

Indeed, a DNS server is a type of database server. The DNS is a large 
distributed database.

Regards,
Chris


Re: 9.9.4 Bug Fixes - RT #34583

2013-09-23 Thread Chris Buxton
On Sep 21, 2013, at 8:35 AM, Steve Arntzen i...@arntzen.us wrote:

 Good morning/day/evening.
 
 What exactly does 'beneath' mean in the following line from the 9.9.4
 bug fixes?
 
 Fix forwarding for  forward only zones beneath automatic empty zones.
 [RT #34583]

'Beneath' in this case refers to the namespace tree diagram. Think of an 
upside-down tree structure, with the root at the top. Then 10.in-addr.arpa is 
beneath in-addr.arpa, and (more importantly in this case, as Evan pointed 
out) 100.10.in-addr.arpa is beneath 10.in-addr.arpa.

Regards,
Chris



Re: Problem with authoritative answer

2013-09-13 Thread Chris Buxton
On Sep 11, 2013, at 8:11 AM, Brian Cuttler br...@wadsworth.org wrote:
 We have remapped some of our DNS clients to point to another
 DNS resolver, one that we do not control, but that has forwarder
 records in place to point our domain's address resolution requests
 back to an authoritative server in our domain.
 
 Dig is showing authoritative answer when I query my domain's server
 for an address that I own.
 
 Dig is NOT showing authoritative when I query the other domain's server.
 
 I'd have thought that the forwarded request, coming from my server,
 would have resulted in an authoritative reply.

When you query a non-authoritative server, such as one configured to forward 
the query to another server, the result is supposed to be marked 
non-authoritative. That's the point of the 'aa' flag. Not all name servers 
behave this way, but they are supposed to. BIND 9 behaves correctly.

Regards,
Chris Buxton


Re: the location of dig and named

2013-08-28 Thread Chris Buxton
On Aug 28, 2013, at 2:35 PM, Nidal Shater ngiw2...@hotmail.com wrote:
 When I type dig or named, what is the location of the executable programs 
 dig and named?

Your answer can be found with this command, available on many operating systems:

which dig

or:

which named

Regards,
Chris Buxton


Re: BIND 9.8.1-P1: 'make test' fails

2013-08-20 Thread Chris Buxton

On Aug 20, 2013, at 5:11 AM, Niall O'Reilly niall.orei...@ucd.ie wrote:

 On 22 Nov 2011, at 11:24, Niall O'Reilly wrote:
 
 For quite a few years, I have habitually run 'make test' after building BIND
 from sources.  I'm seeing a failure with 9.8.1-P1, and wonder whether
 anyone else is also.
 
   [By way of putting this to bed, at last ...]
 
   Updating the Perl module Net::DNS to a recent version seems to be 
   what is needed to make the test which was failing (labelled 'xfer') 
   run successfully.
 
   I don't know the cut-off point between 'old' and 'recent' version
   of Net::DNS.  I've had success with 0.65 and 0.66; current is 0.72.
   An 'old' version will cause the 'xfer' test to fail in BIND releases
   subsequent to 9.8.1-P1, including current releases.

There is a mailing list for Net::DNS.

List-Subscribe: https://www.nlnetlabs.nl/mailman/listinfo/net-dns-users, 
mailto:net-dns-users-requ...@nlnetlabs.nl?subject=subscribe

That said, there was a discussion last December about what has changed since 
Net::DNS was taken over by a new maintainer, meaning post-0.68. A small number 
of quite disruptive changes were made in 0.69.

Regards,
Chris Buxton


Re: bind9 and logrotation

2013-07-29 Thread Chris Buxton
On Jul 29, 2013, at 3:09 PM, Christoph Anton Mitterer cales...@scientia.net 
wrote:
 Is there a clean way to have bind9 reopening its logfiles, in order to
 allow clean log rotation?

No.

 If not, could that be implemented?

Send a feature request to ISC, or write it in yourself and maintain a patch.

Of course you know logrotate can truncate files rather than renaming them, 
after first copying their contents, but this leaves a small window for lost log 
messages.

You can also configure logrotate to work with the inactive log files created by 
BIND's own logging facility. That is, let BIND write and rotate log files, but 
then process them with logrotate afterward.

Another option is to send all log messages through syslog, which allows for:

- asynchronous (batched) file writing
- all kinds of other, more advanced features that BIND doesn't support natively

Regards,
Chris Buxton


Re: New warning message...

2013-07-22 Thread Chris Buxton
On Jul 22, 2013, at 1:24 PM, Barry S. Finkel bsfin...@att.net wrote:

 On 7/22/2013 11:17 AM, bind-users-requ...@lists.isc.org wrote:
 This was discussed here already, and imho this is anti-SPF bullshit like
 all that "SPF breaks forwarding" FUD. The SPF RR is already here and is
 preferred over TXT, which is a generic RR type, unlike SPF.
 On 22.07.13 08:50, Barry S. Finkel wrote:
 It is not Fear, Uncertainty, and Doubt that SPF breaks forwarding.
 SPF*DOES*  break forwarding.
 
 No, it does not. If a mail gets delivered to an address which is sending it
 further (forwarding it), the envelope sender has to be changed, because
 it's not the original sender who sends the other mail.  Forwarding without
 changing the envelope address is already broken; it's just that people don't care
 without SPF.
 
   I have a case I am researching right now
 where forwarded mail is undeliverable due to SPF checking at the
 new destination.
 Rewrite the sender's address. You have more choices, SRS is one of them.
 
 -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 
 I have no control over what my Mail User Agent does. And a quick reading
 of section 3.6.6 of RFC 5322 does not tell me what is the correct action
 on a forwarded message:
 
 1) Change the From: address, or
 
 2) Keep the From: address.
 
 My MUA, Thunderbird, does 1).  And I do not see any configuration
 option.  I am not sure which action is correct.
 
 I do not know what implications for forwarding SMTP (RFC 5321) has.

Do not be confused by the From: address shown by your mail client. That is not 
the envelope sender.

Chris


Re: BIND Performance with Huge RPZ

2013-07-12 Thread Chris Buxton
On Jul 12, 2013, at 3:11 AM, Arie L. Putra ari...@smartfren.com wrote:
 We are building a server as a recursive DNS server; this server will act 
 as a cache for our network (several user-side DNS servers will forward to 
 this server).
 Using Ubuntu Server with the latest BIND version, we are trying to have RPZ 
 included in this BIND, with around 800k blacklisted sites.
 
 Does anyone have experience with how RPZ with a huge list will impact BIND 
 performance? Will it reduce DNS response time? We have six DNS servers that 
 will point to this server, each server serving about 15Mbps of DNS traffic 
 at peak hour. 
 
 This server is an Ubuntu box with 2 Xeons (total of 12 cores, 24 including HT), 
 16GB RAM. 

I've seen well over 1 million entries in an RPZ. The performance impact with 
BIND 9.8 was noticeable but not horrible. The memory requirements were roughly 
300 MB for this one zone, compared to over 3 GB for the equivalent in the form 
of somewhere north of 500 thousand individual zones (two A records each, for 
the zone apex and a wildcard, all loading from the same file).

I'm not used to considering DNS traffic in terms of Mb/s (nor MB/s). I'm more 
used to considering q/s. The servers with the aforementioned RPZ each handled a 
relatively large number of queries, possibly as high as 20Kq/s. In my 
experience, it's impossible to know how a given server will perform without 
seeing all of the configuration, as lots of configuration settings can impact 
performance. One such example is query logging to file (instead of to syslog), 
which can completely gut performance.

Regards,
Chris Buxton
BLUECAT


Re: BIND Service Hung

2013-07-03 Thread Chris Buxton
On Jul 2, 2013, at 7:33 PM, Arie Lendra Putra ari...@smartfren.com wrote:
 PS: sometimes this happens when our upstream is down, many unanswered DNS 
 request sometimes trigger named not responding.

Stop forwarding. Do your own recursion.

Regards,
Chris Buxton

Re: Answers from cache or authority section?

2013-06-25 Thread Chris Buxton
On Jun 25, 2013, at 7:32 AM, John Horne john.ho...@plymouth.ac.uk wrote:

 Hello,
 
 I am having a bit of trouble understanding what happens when, in this
 instance, a DNS reverse lookup occurs. Our site has the class-C
 141.163.0.0 address range. If I perform reverse lookups from inside or
 outside our site, then they seem to work fine. However, we are currently
 investigating a problem an external site has with reverse lookups of our
 IP addresses.
 
 If I run (externally):
 
dig 141.in-addr.arpa ns
 
 then 6 NS records are returned. If I query any one of those using:
 
   dig +norecurse 163.141.in-addr.arpa ns @tinnie.arin.net
 
 (using 'tinnie' in this example) then I get our 4 NS records relating to
 our local and remote name servers:
 
 ==
 ;; AUTHORITY SECTION:
 163.141.in-addr.arpa.   172800  IN  NS  dns2.cis.strath.ac.uk.
 163.141.in-addr.arpa.   172800  IN  NS  dns1.cis.strath.ac.uk.
 163.141.in-addr.arpa.   172800  IN  NS  dns1.plymouth.ac.uk.
 163.141.in-addr.arpa.   172800  IN  NS  dns0.plymouth.ac.uk.
 ==
 
 There is no ANSWER section, but a referral to the servers listed in the
 AUTHORITY section.
 
 So, I assume that at this point the name server used by a resolver will
 now cache those NS records. As such, any subsequent reverse lookup for a
 141.163.x.x address should use one of the above cached name servers and
 get an answer.

Your assumption is incorrect. The delegation will only be cached until a more 
reliable rrset is found -- the NS records returned by your servers (more 
reliable because of the 'aa' flag).

You already know the solution. Don't publish internal-only name servers to the 
public. You can do any of the following to fix this:

- Turn on minimal responses on all 4 name servers listed in the referral from 
ARIN (but this can have undesirable side effects)
- Use two views (but this can cause lots of extra work)
- Publish your external name servers internally (but this can require firewall 
changes)
- Make your internal name servers reachable from the Internet

Regards,
Chris Buxton
BLUECAT


Re: bind 2.1a3 on centos 6.4

2013-06-24 Thread Chris Buxton
On Jun 22, 2013, at 12:50 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

 Or don't use nslint?

+1

Use 'named-checkconf -z' instead. Or run it without '-z', and then use 
'named-checkzone' against each zone file, with suitable options to tweak the 
tests to meet your needs.

Chris


Re: bind 2.1a3 on centos 6.4

2013-06-24 Thread Chris Buxton
On Jun 24, 2013, at 10:09 AM, Brian Cuttler br...@wadsworth.org wrote:
 On Mon, Jun 24, 2013 at 09:40:36AM -0700, Chris Buxton wrote:
 On Jun 22, 2013, at 12:50 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu 
 wrote:
 
 Or don't use nslint?
 
 +1
 
 Use 'named-checkconf -z' instead. Or run it without '-z', and then use 
 'named-checkzone' against each zone file, with suitable options to tweak the 
 tests to meet your needs.
 
 Used that a bit on one of my Solaris boxes, I recall it was very
 handy for pinning down a syntax issue I had and couldn't find, but
 I didn't discover a way to use it check for A/PTR record pairs.

Ah, yes, that is an uncommon requirement and is not covered by the BIND tools. 
(Underscores in names are covered.)

If you can't get nslint to work, it's pretty simple to write a perl script to 
check A/PTR (and AAAA/PTR) correlation and also run named-checkzone against 
each zone.

Chris


Re: SPF record with include:

2013-06-21 Thread Chris Buxton
On Jun 20, 2013, at 7:30 PM, Julie Xu j...@uws.edu.au wrote:

 Hi Steven, Jason, Ged and Bind expert
 
 Thanks for the reply. It is great help.
 
 However, I need ask more.
 
 For this include clause to be added in, I have also need to add DKIM records. 

SPF and DKIM are unrelated. There is no way to reference DKIM records inside 
your SPF records.

Chris


Re: Stub zones vs minimal responses

2013-06-12 Thread Chris Buxton
On Jun 12, 2013, at 5:23 AM, Tony Finch d...@dotat.at wrote:
 Chris Buxton cli...@buxtonfamily.us wrote:
 
 If an authoritative server is configured to send minimal responses, will
 a stub zone get all the necessary data from that server? What I'm seeing
 is, the recursive server sends an SOA query; the response contains only
 the SOA record, and no NS or A records. The recursive server doesn't
 follow up with an NS record query, and therefore the stub zone fails.
 Queries to the recursive server for data in that zone get a SERVFAIL
 response.
 
 Does the authoritative server answer queries over TCP? After making the
 SOA query to refresh a stub zone, BIND calls ns_query() in lib/dns/zone.c
 which always uses TCP.

Interesting. I'll look into that. Thanks, Tony.

Regards,
Chris Buxton


Re: What happens when one out of three NSs are down?

2013-06-12 Thread Chris Buxton
On Jun 11, 2013, at 4:12 PM, Gary Wallis wgg1...@gmail.com wrote:
 DNS experts:
 
 What really happens in the real world when 1 out of three authoritative NSs 
 are down for 30 minutes due to a datacenter outage?
 
 For example, we have 3 NSs:
 
 ns1.someisp.net 12.23.34.45
 ns2.someisp.net 23.34.45.56
 ns3.someisp.net 34.45.56.67
 
 All in different datacenters.
 All are authoritative for a given zone.
 All have the same zone data and SOA serial number for the zone.
 
 Where the datacenter handling ns3 broke routing (mistake in new router 
 configuration) for 34.45.56.0/24 and ns3 is no longer reachable.
 
 I think I have a grasp on the basic theory here, but in practice, the 
 unreachable ns3 nameserver creates problems for a small group of customers 
 trying to reach web sites with zones hosted by these three authoritative NSs.
 
 Will round robin glue NS records help?
 
 Can quick or automated changes at the registrar of the NS3 IP help? For 
 example to change to a hot spare in some other datacenter? In this case would 
 the running NSs have to have the changed NS A record also match?
 
 Any comments and best practice solution info very welcome.

You might consider using anycast to route around the problem.

In practice, though, your best bet is to find out why that small group of 
customers are having problems. Are they querying the servers directly?

Chris Buxton


Stub zones vs minimal responses

2013-06-10 Thread Chris Buxton
I'm seeing something I didn't expect in BIND's behavior, and I wanted to get 
confirmation from someone that this is expected, or at least a known limitation.

If an authoritative server is configured to send minimal responses, will a stub 
zone get all the necessary data from that server? What I'm seeing is, the 
recursive server sends an SOA query; the response contains only the SOA record, 
and no NS or A records. The recursive server doesn't follow up with an NS 
record query, and therefore the stub zone fails. Queries to the recursive 
server for data in that zone get a SERVFAIL response.

Am I understanding the evidence correctly?

Regards,
Chris Buxton


Re: any requests

2013-06-05 Thread Chris Buxton
On Jun 5, 2013, at 11:59 AM, Doug Barton do...@dougbarton.us wrote:
 On 06/05/2013 11:33 AM, Tony Finch wrote:
 I believe the ANY hack on mail servers was a Sendmailism 20ish years ago.
 
 s/Send/q/

That makes even more sense. DJB always thinks he knows best.


Re: any requests

2013-06-03 Thread Chris Buxton
If you have mail relays acting this way, you'd better give them a dedicated DNS 
server to use for recursive lookups, because otherwise that's going to 
periodically fail.

If a host has both an MX record and an A record, and if the A record is in 
cache, the ANY lookup will just get the A record, not the MX record. And that 
represents a failure of the SMTP protocol implementation.

Chris Buxton

On Jun 3, 2013, at 3:42 PM, Leonard Mills l...@yahoo.com wrote:

 If some of your clients are SMTP relays, then ANY is the default lookup 
 for an MX and is perfectly normal.
 
 Much better from the point of view of the mail servers to do one lookup 
 instead of several.
 
 Len
 
 
 From: hugo hugoo hugo...@hotmail.com
 To: Vernon Schryver v...@rhyolite.com; bind-users@lists.isc.org 
 bind-users@lists.isc.org 
 Sent: Monday, June 3, 2013 12:26 PM
 Subject: RE: any requests
 
 Hello,
  
 Thanks for your answer.
 I see ANY queries from my clients (we do not use open resolvers)
  
 I do not see why these kind of queries are present.
 Moreover, the cache servers only answer with their cache content.
 Is this normal or must the cache query the authoritative server to fetch all 
 the records?
  
 Hugo,
  
  Date: Sun, 2 Jun 2013 22:13:33 +
  From: v...@rhyolite.com
  To: bind-users@lists.isc.org
  Subject: Re: any requests
  
   From: Matus UHLAR - fantomas uh...@fantomas.sk
  
   On 02.06.13 20:28, hugo hugoo wrote:
  
   I plan to block these kind of requests on the dns cache servers in order
   to avoid any amplification attack.
  
   hard to say, but as I stated before: don't do that.
  
  Instead, use RRL to mitigate many kinds of amplification attacks instead
  of only those using ANY. See http://www.redbarn.org/dns/ratelimits
  
  Blocking DNS ANY requests is to DNS amplification DoS mitigation as
  blocking SMTP envelope Mail_From values of <> is to spam filtering.
  In early spam days, people who either knew far less than they pretended
  or had special agendas prescribed blocking the <> sender as almost the
  FUSSP, and never mind RFCs that require accepting mail from <>, the
  value of mail from <>, and the vast floods of spam that don't and
  never did involve the <> sender.
  
  Blocking DNS ANY or SMTP <> fit the old saying by H. L. Mencken:
  For every complex problem there is an answer that is clear,
  simple, and wrong.
  
  
  Vernon Schryver v...@rhyolite.com

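Added example (not from the thread) modelling the failure mode the reply at the top of this message describes: a toy caching resolver that answers ANY from whatever RRsets it already holds for the name, and two MTA lookup strategies run against it. The host name, addresses and MX target are constructed, and the cache logic is a model of the behaviour described above, not BIND's code.

```python
"""Why answering an MTA's ANY query from cache can drop the MX record (added example)."""

# Constructed authoritative data for one mail host (not from the thread).
AUTHORITATIVE = {
    ("mail.example.net.", "A"): ["192.0.2.25"],
    ("mail.example.net.", "MX"): ["10 mx1.example.net."],
}


class CachingResolver:
    """Toy recursive server: RRsets cached by (name, type); ANY is answered
    from cache whenever the cache holds anything at all for the name."""

    def __init__(self, authoritative):
        self.auth = authoritative
        self.cache = {}
        self.upstream_queries = 0

    def _cached_for(self, name):
        return {t: list(rr) for (n, t), rr in self.cache.items() if n == name and rr}

    def query(self, name, rtype):
        """Return {type: [rdata, ...]} for the name; an empty dict means NODATA."""
        if rtype == "ANY":
            answer = self._cached_for(name)
            if answer:
                return answer             # partial view of the name, no upstream query
            self.upstream_queries += 1
            for (n, t), rr in self.auth.items():   # the authority returns every RRset
                if n == name:
                    self.cache[(n, t)] = list(rr)
            return self._cached_for(name)
        key = (name, rtype)
        if key not in self.cache:
            self.upstream_queries += 1
            self.cache[key] = list(self.auth.get(key, []))
        return {rtype: list(self.cache[key])} if self.cache[key] else {}


def mail_targets_via_any(resolver, domain):
    """The 'one lookup' shortcut: decide from whatever ANY happened to return."""
    rrsets = resolver.query(domain, "ANY")
    if "MX" in rrsets:
        return [rr.split()[1] for rr in rrsets["MX"]]
    if "A" in rrsets:
        return [domain]                   # implicit MX: deliver to the host itself
    return []


def mail_targets_explicit(resolver, domain):
    """RFC 5321 order: ask for MX; fall back to the address record only on NODATA."""
    mx = resolver.query(domain, "MX").get("MX")
    if mx:
        return [rr.split()[1] for rr in mx]
    return [domain] if resolver.query(domain, "A") else []


def run_demo():
    """A prior A lookup warmed the cache; compare where the two strategies deliver."""
    resolver = CachingResolver(AUTHORITATIVE)
    resolver.query("mail.example.net.", "A")  # e.g. a web client resolved the host earlier
    return (mail_targets_via_any(resolver, "mail.example.net."),
            mail_targets_explicit(resolver, "mail.example.net."))


if __name__ == "__main__":
    via_any, explicit = run_demo()
    print("ANY from warm cache ->", via_any)
    print("explicit MX lookup  ->", explicit)
```

With only the A record cached, the ANY strategy delivers to the host itself and never sees the MX; the same ANY against a cold cache returns both RRsets, which is why the shortcut appears to work until some other client has warmed the cache.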

Re: Negative zones; NXDOMAIN responses

2013-05-20 Thread Chris Buxton
On May 20, 2013, at 12:51 AM, Narcis Garcia informat...@actiu.net wrote:

 - Yes, I thought about not using DNS from the same internet provider,
 but wanted to know if there is a way to patch only the .local response.
 
 - This is the configuration I use in one of the LANs:
 
 view "local-nets" {
     match-clients { acl_local-nets; };
     recursion yes;
     forwarders {
         62.151.2.8;
     };
     include "/etc/bind/named.conf.default-zones";
 };
 
 - These are the tests to be done from a client:
 $ host -t SOA local.
 $ host -t SOA local. 62.151.2.8
 
 - I've tried to create an empty zone, or lacking of A or SOA records,
 but then BIND9 doesn't load it:
 zone local/IN: has 0 SOA records
 zone local/IN: has no NS records
 zone local/IN: not loaded due to errors.
 
 - I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
 to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
 But I'm not sure if it's useful for SOA records.

For the time being, .local is not delegated from the root. So just not using 
your ISP's resolvers will do what you want -- recurse directly to the Internet.

There is no way to create an empty .local zone that won't have even an SOA 
record. I'm not sure if you could do this via RPZ -- probably -- but why bother 
when you could just remove your ISP's servers from the equation?

Regards,
Chris


Re: Mailing list reply-to setting

2013-05-09 Thread Chris Buxton
On May 9, 2013, at 4:02 PM, Carlos M. martinez wrote:

 My mail setup is as limited as my eyesight. As I mentioned, I have
 emails in my inbox and filter afterwards in order to keep mbox size at
 reasonable levels. In this way I don't forget to check this or that folder.

I'm sorry, but I have to ask. Does your mail client not download all your mail 
and show you which mailboxes have new messages? I can't conceive of using a 
mail client that doesn't do this -- without it, automated filtering is useless, 
because as you said you would have to check every folder to see if there are 
new messages in it.

My mail client shows the number of unread messages next to each mail folder, 
except for those that have no unread messages. I do not have to click on each 
folder to cause this to happen.

Regards,
Chris Buxton


Re: NS geo-distribution

2013-04-29 Thread Chris Buxton

On Apr 29, 2013, at 9:01 PM, Dave Warren wrote:
 With the vast majority of our customers being in North America (probably 75% 
 of users are in Canada), would it make sense to add a Europe based NS or 
 would this tend to return slower results on average since a potential user 
 would have a 1/3 chance of hitting a NS with a higher latency?

RTT means almost always hitting the fastest server.

Chris Buxton


Re: ISC Courses

2013-04-27 Thread Chris Buxton
On Apr 27, 2013, at 4:18 AM, Alan Clegg wrote:
 On Apr 27, 2013, at 11:36 AM, SUNDAY A. OLUTAYO olut...@sadeeb.com wrote:
 
 ISC should consider online training too, same linux foundation has done.
 
 As one of the ISC instructors, I will say that our classes are highly 
 interactive, both student-to-instructor and in the lab experience provided.
 
 I have yet to find any online training that comes close to what we provide in 
 person.

Agreed. Having given training both live and online, I can say that the online 
version was highly inferior to the live class. When I taught DNS and BIND 
courses for Men & Mice, the live interaction was a key component of the value 
of the class. You just don't get that remotely.

Chris Buxton


Re: Mirror Masters

2013-04-24 Thread Chris Buxton
On Apr 24, 2013, at 2:21 PM, Manson, John wrote:

 Works great. Got the conf file down to about 12 lines (only transferring 1 
 zone file for test).
 Only problem is the file is in slave format.
 Is the master going to have a problem sending the db.x.bak to slaves?
 When a slave receives the transferred file, will it do the slave conversion 
 to the file which is already in slave format?

Please explain what you mean by slave format. Do you mean binary (raw) 
format, or just formatted differently as a text file? (Different versions of 
BIND behave differently.)

Please keep in mind that a zone transfer between DNS servers is not a file 
transfer. The master does not send a file to the slaves. It sends DNS records, 
in binary (DNS protocol) format.

Chris Buxton

Re: Mirror Masters

2013-04-23 Thread Chris Buxton

On Apr 23, 2013, at 2:01 PM, Manson, John wrote:

 We have a second master at a different location and I was wondering if there 
 is any way to have the first master send db file updates to it using file 
 transfers like it does to the slaves.
 We currently do db file transfers between masters with sftp and would like to 
 stop using OS processes and have it done within named, if possible.
 The second master is exactly like the first master including front-side IP, 
 dns traffic router-separated from the first master, and the script we use for 
 DB maintenance in a fail-over scenario.
 Both masters file transfer IPs are different and are listed in all slaves so 
 they get notifies from both.
 I’m guessing it has to do with being master for a zone and not acting on 
 notifies it may receive.

Make it a slave, using text format instead of raw format. Then in the event of 
a disaster, change all the zone statements from slave to master. That way, you 
won't be dependent on OS processes for transferring and synchronizing the data 
between the two masters.

Your other choice is to use rsync to synchronize files between the two masters, 
perhaps as a cron job.

Chris Buxton


Re: BIND 9.4.x and check-names

2013-04-17 Thread Chris Buxton

On Apr 17, 2013, at 8:58 AM, Matus UHLAR - fantomas wrote:

 On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
 default.log:12-Apr-2013 00:45:37.447 general: warning: zone 
 /IN: gc._msdcs./A: bad owner name (check-names)
 default.log:12-Apr-2013 00:45:37.447 general: warning: zone 
 /IN: gc._msdcs./A: bad owner name (check-names)
 
 Hmm, aren't those supposed to be SRV records?

No, they are the addresses of the global catalog servers. If they were SRV 
records, check-names would not complain.

Chris Buxton


Re: RPZ and negative answers

2013-04-04 Thread Chris Buxton
On Apr 4, 2013, at 1:42 AM, Phil Mayers wrote:
 On 04/04/2013 12:50 AM, Chris Buxton wrote:
 
 Thanks for the explanation. It seems to me this is a gap in coverage
 of RPZ -- the algorithm should be updated, in my opinion, to cover
 the case of a negative answer.
 
 AIUI it's a deliberately limited mechanism aimed at preventing resolution of 
 harmful domains; NODATA/NXDOMAIN rewriting has caused enough controversy in 
 the recent past that I can understand there being reluctance to extend RPZ to 
 do it.
 
 Can you comment on the use-case?

Sure. Here's an example.

A company wants to halt the spread of a piece of malware that uses DNS lookups 
to find its C&C. The malware is known to try computed domain names successively 
until one resolves, and then connect to the resolved address. The company has 
set up a honeypot server to control the malware and keep it quiescent.

The company has determined the first N domains of the sequence, but does not 
know how to calculate the complete set of domains. Therefore, the company wants 
to put the known domains into an RPZ. Normal, individual zones would also work, 
but this would require mixing them with other data in their management system. 
The customer wants to keep these domains separate from other managed data.

Unfortunately, because RPZ doesn't return a policy-based answer when there is 
no positive answer to be found out on the Internet, RPZ is not a suitable 
solution. Therefore, the customer is forced to create the individual zones 
normally, mixing them with other data in their management solution, rather than 
using RPZ to trap the malware into contacting the honeypot server.

Chris Buxton
BlueCat Networks


Re: RPZ and negative answers

2013-04-03 Thread Chris Buxton
On Apr 3, 2013, at 4:13 PM, Vernon Schryver wrote:
 From: Chris Buxton cli...@buxtonfamily.us
 
 If a name exists in the response policy, and also exists in the real
 Internet namespace, the value from the policy is returned. But if it
 doesn't exist out on the Internet, then the value is not returned --
 an NXDOMAIN (or SERVFAIL, or whatever) is returned instead.
 
 I've known this for a while but haven't understood why it is thus.
 Today, it has become a problem for me. If I set a policy of this
 name gets response X, I expect that policy to be used rather than
 this name gets response X unless it doesn't exist out on the
 Internet or can't be resolved due to an error.
 
 RPZ stands for response policy zone and concerns rewriting responses
 instead of queries.  The answer section of an NXDOMAIN or SERFVAIL
 response does not contain a domain name that could trigger rewriting.
 
 Rewriting queries instead of responses would fail to rewrite CNAME
 chains.

Thanks for the explanation. It seems to me this is a gap in coverage of RPZ -- 
the algorithm should be updated, in my opinion, to cover the case of a negative 
answer.

Chris Buxton
BlueCat Networks


Re: Dynamic Update Policy.....

2013-03-30 Thread Chris Buxton
On Mar 28, 2013, at 4:03 PM, Gary Greene wrote:

 I'm trying to get bind to use ddns updates for our environment, however I'm 
 getting errors in the logs on the system that the host is being denied from 
 making the changes.
 
 Currently, I'm only allowing certain hosts to update their records, as a test.
 
 The stanza for update-policy follows:
 
 zone "minervanetworks.com" {
     type master;
     notify yes;
     update-policy {
         grant "ggreene-imac$@MINERVANETWORKS.COM" ms-self * A;
         grant "cvallejo-w7-lt$@MINERVANETWORKS.COM" ms-self * A;
         grant "cvallejo-test-w7-lt$@MINERVANETWORKS.COM" ms-self * A;
     };
     file "/etc/named.d/minervanetworks.zone";
     check-names ignore;
 };
 
 The error I see in the logs:
 Mar 28 15:57:29 ns1 named[11482]: client 10.5.1.11#52418: view internal: 
 update 'minervanetworks.com/IN' denied

That log message is normal.

If you want to use GSS-TSIG, that's not going to work. I don't have a complete 
step-by-step of what's required, but at a minimum:

- Don't use ms-self.
- Do create a user account in AD with a service principal name that matches the 
hostname of the master name server as advertised in the SOA and NS records, 
prefixed by DNS/. For example, 
DNS/ns1.minervanetworks@minervanetworks.com. Without this, GSS-TSIG will 
not be attempted.
- Do not be concerned by the denied update. Every attempt to update will go 
something like this:

1. SOA query for name to be updated, to recursion server.
2. Address lookup for server listed in SOA record, to recursion server.
3. Insecure DDNS update message to server listed in SOA record. [denied]
4. TKEY query to server listed in SOA record, to establish a single-use shared 
key.
5. Signed update message to server listed in SOA record. [approved or denied, 
according to policy]

 The reverse zones work, as they are setup to allow dhcpd to make the changes 
 (and they work correctly), however the forward zone does not.

At a guess, you're not using GSS-TSIG for reverse record updates, correct?

Is there a reason not to have DHCP update the host records as well as the 
reverse?

Chris Buxton
BlueCat Networks
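Added example, not the project's or the poster's code: a simulation of the five-step exchange listed above, with a primary that refuses the unsigned update, hands out a one-time key on TKEY, verifies the signed update and only then runs the update-policy evaluation. HMAC-SHA256 over the update's essentials stands in for the GSS-TSIG key exchange and the TSIG MAC; the ms-self rule is evaluated the way the BIND ARM describes it (machine$@REALM may update machine.realm, realm lowercased), which is my reading and not something the post establishes; the ns1 address, the key naming and the client addresses are constructed.

```python
"""Simulated dynamic-update exchange with BIND-style update-policy evaluation (added example)."""
import hashlib
import hmac
import secrets

# Rules in the shape of the post's update-policy stanza: (identity, nametype, name, types).
POLICY = [
    ("ggreene-imac$@MINERVANETWORKS.COM", "ms-self", "*", {"A"}),
    ("cvallejo-w7-lt$@MINERVANETWORKS.COM", "ms-self", "*", {"A"}),
]


def _lc(name):
    return name.lower().rstrip(".")


def policy_allows(rules, signer, target, rtype):
    """First-match evaluation of grant rules for the nametypes self, ms-self, name, subdomain."""
    for identity, nametype, name, types in rules:
        if identity != "*" and _lc(identity) != _lc(signer):
            continue
        if types and "*" not in types and rtype not in types:
            continue
        if nametype == "self":            # key named like the record it updates
            hit = _lc(signer) == _lc(target)
        elif nametype == "ms-self":       # machine$@REALM may touch machine.realm only
            machine, _, realm = signer.partition("@")
            hit = machine.endswith("$") and _lc(target) == f"{machine[:-1].lower()}.{realm.lower()}"
        elif nametype == "name":
            hit = _lc(target) == _lc(name)
        elif nametype == "subdomain":
            hit = _lc(target) == _lc(name) or _lc(target).endswith("." + _lc(name))
        else:
            hit = False
        if hit:
            return True
    return False


def _mac(secret, name, rtype, rdata):
    """Stand-in for the TSIG MAC: HMAC-SHA256 over the update's essentials."""
    return hmac.new(secret, f"{name}|{rtype}|{rdata}".encode(), hashlib.sha256).digest()


class Primary:
    """Authoritative server for one zone; a constructed model, not BIND."""

    def __init__(self, zone, policy):
        self.zone, self.policy, self.keys, self.log = zone, policy, {}, []
        self.rrs = {f"ns1.{zone}": ("A", "192.0.2.1")}    # constructed address

    def soa_mname(self, name):
        return f"ns1.{self.zone}"                           # step 1: who accepts updates

    def address(self, name):
        return self.rrs[name][1]                            # step 2

    def tkey(self, principal):
        """Step 4: stands in for the GSS-TSIG/Kerberos exchange; issues a one-time key."""
        keyname = f"{secrets.token_hex(8)}.sig-{self.zone}"
        self.keys[keyname] = (principal, secrets.token_bytes(32))
        return keyname, self.keys[keyname][1]

    def update(self, name, rtype, rdata, keyname=None, mac=None):
        """Steps 3 and 5: unsigned updates are refused, signed ones go through the policy."""
        if keyname is None:
            self.log.append(f"update '{self.zone}/IN' denied")
            return "REFUSED"
        principal, secret = self.keys[keyname]
        if not hmac.compare_digest(_mac(secret, name, rtype, rdata), mac):
            self.log.append(f"request has invalid signature: {keyname}")
            return "NOTAUTH"
        if not policy_allows(self.policy, principal, name, rtype):
            self.log.append(f"update '{self.zone}/IN' denied: {principal} -> {name} {rtype}")
            return "REFUSED"
        self.rrs[name] = (rtype, rdata)
        self.log.append(f"updating zone '{self.zone}/IN': adding {name} {rtype} {rdata}")
        return "NOERROR"


def windows_style_update(server, principal, name, rtype, rdata):
    """Client side of the five-step sequence; returns the rcodes of both update attempts."""
    mname = server.soa_mname(name)                  # 1. SOA query
    server.address(mname)                           # 2. address of the MNAME
    unsigned = server.update(name, rtype, rdata)    # 3. insecure try, always denied
    keyname, secret = server.tkey(principal)        # 4. TKEY
    signed = server.update(name, rtype, rdata, keyname, _mac(secret, name, rtype, rdata))  # 5
    return unsigned, signed


def run_demo():
    srv = Primary("minervanetworks.com", POLICY)
    own = windows_style_update(srv, "ggreene-imac$@MINERVANETWORKS.COM",
                               "ggreene-imac.minervanetworks.com", "A", "10.5.1.11")
    other = windows_style_update(srv, "ggreene-imac$@MINERVANETWORKS.COM",
                                 "cvallejo-w7-lt.minervanetworks.com", "A", "10.5.1.12")
    txt = windows_style_update(srv, "cvallejo-w7-lt$@MINERVANETWORKS.COM",
                               "cvallejo-w7-lt.minervanetworks.com", "TXT", "hello")
    return own, other, txt, srv.log


if __name__ == "__main__":
    for line in run_demo()[3]:
        print(line)
```

The first log line of every attempt is the "update ... denied" from step 3, which is why that message on its own says nothing about whether the policy is right; only the second attempt reflects the grant rules, and with these rules a machine principal can add an A record for its own name and nothing else.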


Re: Disable logging for a view

2013-03-30 Thread Chris Buxton
On Mar 29, 2013, at 1:46 AM, Francesco wrote:

 Hello,
 i need to log queries into bind.log for all views except only one view (i
 call it the deafult view, where it logs all attacks, flood, ecc.).
 
 But i noticed i can not insert logging clause into a view.
 
 Is there a way?

No.

Chris Buxton
BlueCat Networks


Re: Understanding rndc referral statistics

2013-03-30 Thread Chris Buxton
On Mar 29, 2013, at 8:13 AM, M. Meadows wrote:
 Thinking about this ... perhaps this is more to do with the behavior of BIND 
 9.3 versus BIND 9.7. Did the referral mechanism change? Here are my thoughts 
 on the subject:
 
 Nameserver A is the authority for zone1.com and it is the authority for 
 sub.zone1.com. Sub.zone1.com is delegated from zone1.com. If a query comes to 
 nameserver A from a resolver asking for info about host.sub.zone1.com and the 
 namserver looks in zone1.com and sees the delegation of sub.zone1.com an 
 inefficient method of handling the query would be to pass back a referral to 
 sub.zone1.com (which just points back at itself). But that would work and 
 would result in a referral. In a more efficient application ... the 
 nameserver would recognize that the delegated authority for sub.zone1.com is 
 ... itself. It would complete the query of host.sub.zone1.com and return an 
 answer instead of a referral. Am I on the right track with this or just 
 wasting my time with wild and inaccurate speculation?

Yeah, that's not it.

I can't answer the original question, but the responses to queries in the 
scenario outlined are the same. BIND always returns the best answer it can. If 
it worked the way you were speculating (for 9.3), the BIND name server would 
not know that the second query was a follow up to the referral, and would 
process it in the same way. Responses in this scenario would be the same (at 
least as far as the answer section of the response is concerned) coming from 
BIND 9.9, 9.3, 9.1, 8.2, or 4.9. (I can't speak for 4.8.)

Chris Buxton
BlueCat Networks


Re: Recursion issue

2013-03-28 Thread Chris Buxton
On Mar 28, 2013, at 7:56 AM, Manson, John wrote:
 My external authoritative dns does not allow recursion.
 We have vanity names like speaker.gov.
 When we add an entry like:
 www.speaker.gov   CNAMEwww.house.gov
 it fails because of the recursion statement even though the external dns is 
 authoritative for house.gov.
 Anyone know of a way to modify the recursion behavior since house.gov is 
 already in the outhouse-view along with the vanity .gov names.?
 Currently we have to use A records with the www.house.gov IP.
 Web staff and others would like to see the House server name displayed in the 
 browser url bar and in dig results.

If you want the browser URL bar to change from what the user typed to 
www.house.gov, you have to use an HTTP redirect. You cannot do that with DNS.

Other than that issue, what part of your current environment is not working? In 
your public data, I see:

www.speaker.gov.300 IN  CNAME   wc.house.gov.edgekey.net.
wc.house.gov.edgekey.net. 17789 IN  CNAME   e4776.g.akamaiedge.net.
e4776.g.akamaiedge.net. 20  IN  A   184.26.83.91

Chris Buxton
BlueCat Networks


Re: Recursion issue

2013-03-28 Thread Chris Buxton
On Mar 28, 2013, at 8:27 AM, Manson, John wrote:

 From the internet:
 Answer records
 
 name                 class  type   data               time to live
 test.gopleader.gov   IN     CNAME  testwww.house.gov
 
 Testwww from the internet:
 Answer records
 
 name                 class  type   data               time to live
 testwww.house.gov    IN     A      12.13.14.15        900s (00:15:00)
 
 So the first lookup does not fully resolve due to recursion.
 Does this help?

Yes it does. It just doesn't all get answered from the one zone. Both of your 
public servers, chyron and mercury, contain both zones. A non-recursive query 
to either of them gets both records in an authoritative answer.

$ dig test.gopleader.gov +norec @mercury.house.gov

; <<>> DiG 9.7.6-P1 <<>> test.gopleader.gov +norec @mercury.house.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26756
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov.            IN      A

;; ANSWER SECTION:
test.gopleader.gov.     300     IN      CNAME   testwww.house.gov.
testwww.house.gov.      900     IN      A       12.13.14.15

;; Query time: 100 msec
;; SERVER: 143.231.1.67#53(143.231.1.67)
;; WHEN: Thu Mar 28 08:45:23 2013
;; MSG SIZE  rcvd: 80

There is no need to configure recursion on your external authoritative name 
servers. Other name servers will not query them recursively anyway.

I continue to fail to see the problem that you're trying to solve.

Chris Buxton
BlueCat Networks


Re: Recursion issue

2013-03-28 Thread Chris Buxton
On Mar 28, 2013, at 9:05 AM, Manson, John wrote:
 I disagree with your statement about recursion.
 What stops an authoritative server from doing recursion if you do not have 
 the recursion statement?
 I guess the bind default is recursion yes.

OK, bad choice of words on my part. I did not mean to say that you should not 
set any configuration options to disable recursion, because as you said, it is 
on by default (but restricted, by default, to localnets and localhost). What I 
meant was that there is no reason to permit recursive queries to your 
authoritative servers. Therefore, I would recommend turning it off using 
'recursion no;' in your options or view statement.

Chris Buxton
BlueCat Networks


Re: Recursion Issue

2013-03-28 Thread Chris Buxton
On Mar 28, 2013, at 10:51 AM, Manson, John wrote:
 http://www.digwebinterface.com/?  Is one of the internet sites I use.

http://www.digwebinterface.com/?hostnames=test.gopleader.gov&type=A&showcommand=on&colorize=on&stats=on&norecursive=on&useresolver=8.8.4.4&ns=auth&nameservers=
__

test.gopleader@chyron.house.gov.:
dig A +norec test.gopleader.gov. @chyron.house.gov.
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.1 <<>> A +norec test.gopleader.gov. @chyron.house.gov.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48126
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov.            IN      A

;; ANSWER SECTION:
test.gopleader.gov.     300     IN      CNAME   www.house.gov.
www.house.gov.          900     IN      CNAME   house.gov.edgesuite.net.

;; Query time: 26 msec
;; SERVER: 143.228.129.38#53(143.228.129.38)
;; WHEN: Thu Mar 28 18:55:49 2013
;; MSG SIZE  rcvd: 97

test.gopleader@mercury.house.gov.:
dig A +norec test.gopleader.gov. @mercury.house.gov.
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.1 <<>> A +norec test.gopleader.gov. @mercury.house.gov.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63565
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.gopleader.gov.            IN      A

;; ANSWER SECTION:
test.gopleader.gov.     300     IN      CNAME   www.house.gov.
www.house.gov.          900     IN      CNAME   house.gov.edgesuite.net.

;; Query time: 23 msec
;; SERVER: 143.231.1.67#53(143.231.1.67)
;; WHEN: Thu Mar 28 18:55:49 2013
;; MSG SIZE  rcvd: 97
__

You've changed the record test.gopleader.gov since last I looked at it -- it's 
now going to Akamai. The result shown here shows what's called a dangling 
CNAME -- your CNAME record, pointing to an outside resource. A resolving name 
server (one with recursion enabled) will then follow that to Akamai, giving 
this result:

test.gopleader.gov. 300 IN  CNAME   www.house.gov.
www.house.gov.  552 IN  CNAME   house.gov.edgesuite.net.
house.gov.edgesuite.net. 12640  IN  CNAME   a1164.g.akamai.net.
a1164.g.akamai.net. 19  IN  A   165.254.47.115
a1164.g.akamai.net. 19  IN  A   165.254.47.112

Everything is as it should be.

Chris Buxton
BlueCat Networks


Re: Blocking private addresses with a optionq

2013-03-14 Thread Chris Buxton
On Mar 14, 2013, at 3:29 AM, Tony Finch wrote:

 King, Harold Clyde (Hal) h...@utk.edu wrote:
 
 Is there an option for bind like the allow-recursion { network-acl }
 For blocking out going records of 10.0.0.0/8 and 192.168.0.0/16 so I could 
 do a view like:
 
 I'm not sure what you mean by blocking out going records but there are a
 couple of options that might do what you want:
 
 There is the blackhole acl which makes named ignore all requests and
 never send queries to a particular address range.
 
 There is the server ... { bogus yes; }; clause which stops named from
 sending queries to a particular address range.

No, I'm pretty sure the OP wants to strip records from responses if the records 
are A records referring to private address space (RFC 1918).

I've no idea how you would do this.

Chris Buxton
BlueCat Networks


Re: Blocking private addresses with a optionq

2013-03-14 Thread Chris Buxton

On Mar 14, 2013, at 9:07 AM, Niall O'Reilly wrote:

 
 On 14 Mar 2013, at 15:57, Chris Buxton wrote:
 
 No, I'm pretty sure the OP wants to strip records from responses if the 
 records are A records referring to private address space (RFC 1918).
 
 I've no idea how you would do this.
 
   Other than separate views, with a trimmed zone in the external view?

Well, yes, if the server in question is authoritative for all the data in 
question. But if it's just a resolver, that may be more difficult.

Chris Buxton
BlueCat Networks


Re: 3rd party CNAMEs and open recursion

2013-03-05 Thread Chris Buxton
On Mar 4, 2013, at 10:43 AM, Verne Britton wrote:
 
> I have been testing and testing and either just don't see what I'm doing 
> wrong, or have a learning block  :-)
> 
> current thinking is that an open recursion DNS server is bad, so we want to 
> implement an allow-recursion clause; perhaps even make some views so our 
> local users still recurse while the general public cannot ...
> 
> but I am running into a roadblock with our Google Apps cname:
> 
>   gmail.wvstateu.edu is a cname to ghs.google.com
> 
> and bind wants recursion turned on in order to translate it.

Your client machines need recursive service. So give them a recursive server 
that can find both your internal data and Internet data. If you must do this on 
the same machine as hosts your authoritative data, you have a couple of choices:

1. Don't use views:

options {
allow-recursion { your-nets-go-here; };
[...]
};

zone your.zone {
[...]
};

2. Or, use views:

options {
[...]
};

view recursion {
match-recursive-only yes;
allow-recursion { your-nets-go-here; };
[ ...other recursion settings... ]
};

view authority {
recursion no;
zone your.zone {
[...]
};
};

While it may seem more complex to use views, there are advantages in terms of 
flexibility. However, ultimately either way will probably work, at least until 
you start rolling out DNSSEC (at which point you will probably need to use 
either views or separate servers).

Chris Buxton
BlueCat Networks



Re: Stop of logging of No Valid Signature Found

2013-02-26 Thread Chris Buxton
On Feb 25, 2013, at 8:25 PM, Robert Moskowitz wrote:
> So should I change this to an include and put dnssec-validation back to yes?

No. dnssec-validation auto; is correct for 90% of cases. An Internet 
validating resolver should almost certainly use this. Mark is simply being 
precise and complete in his explanation.

Chris Buxton
BlueCat Networks


Re: Building a fresh named.root

2013-02-15 Thread Chris Buxton

On Feb 14, 2013, at 8:49 AM, Shawn Bakhtiar wrote:

 
> Running bind rooted on FC 16 using the standard package.
> 
> The ca file is located in /var/named/chroot/var/named/named.ca
> 
> The hints are not built in. 
> [shawn@www ~]$ strings /usr/sbin/named | grep A.ROOT-SERVERS.NET
> returns nothing.

Yes they are. All versions of BIND since 9.3 or so have had the root hints 
built in. Even Red Hat's version. Unfortunately, Warren missed a trick of some 
sort -- I suspect that if you strip the binary, the 'strings' command won't 
find the values. But they're still there. Adam Tkac would not remove this from 
the Red Hat SRPM.

Root hints, as somebody pointed out, are just hints. There is no reason to 
focus on making sure they're 100% accurate. There's also no point in stripping 
the IPv6 addresses out of the root hints zone if you don't have IPv6 -- the 
real list will be fetched (by DNS query) from the servers in the hints file, 
including all of their IPv6 addresses.

If your DNS server doesn't have IPv6 connectivity, I have two comments for you:

- Why not? It's easy to get a tunnel, if nothing else is available.

- Start named with the -4 argument to prevent it from trying to contact IPv6 
addresses.

Chris Buxton
BlueCat Networks

Re: Export / Import all zone data

2013-02-15 Thread Chris Buxton
On Feb 14, 2013, at 11:46 AM, Mailinglists wrote:
> I'm looking to migrate all of the zone data from one installation of Bind to 
> another...hardware move. One machine is very old but running a pretty modern 
> version of Bind 9.6-ESV-R8. The other server is running Bind 9.8.2 and is in 
> use, so I'm merging existing zone data with new data, although none of the 
> zones will overlap.
> 
> The problem I see is that the actual zone files, the way they are structured, 
> are in an old format. Bind 9.6 must still understand them, but I don't think 
> they are structured the proper way. I was hopeful there was an export / 
> import procedure whereby that process would sanitize the zone info and log 
> any errors for manual fixing.
> 
> Either this process is dead simple and so nobody documents it or it is all 
> but impossible so nobody documents it...I'm not sure. But an hour of web 
> searches hasn't turned up much, just lots of info about migrating to or from 
> a Windows based DNS to BIND.

named-compilezone is your friend here.

I use this 3 line script to sanitize inputs when I'm migrating customers from 
their old platform to our appliances:

#!/bin/bash
# $1 = zone name, $2 = zone file; the original file is kept as $2.orig
mv "$2"{,.orig}
named-compilezone -i none -k ignore -o "$2" "$1" "$2.orig"

Chris Buxton
BlueCat Networks


Re: Slaving from DNS masters behind LVS

2013-02-13 Thread Chris Buxton
On Feb 12, 2013, at 7:00 PM, Nick Urbanik wrote:
> We have a pair of DNS servers running BIND behind a direct routing LVS
> director pair running keepalived.  Let's call these two DNS servers A
> and B, and the VIP V.
> 
> They slave from a hidden master; let's call it M.
> 
> I want to allow another machine S to slave from A and B, the pair of
> DNS servers that are behind LVS.
> 
> Another machine F will forward to the DNS servers behind the load
> balancer, A and B.
> 
> [There is another similar setup at another location, so there will
> be a V1 and V2, A1, A2, B1, B2; all of A1, A2, B1, B2 slave from M.]
> 
> 1. Should the machine in the SOA be V, or A or B?
> 2. Should the NS records for the zones be A, B and V, or just V?
> 3. Should S slave from A and B, or should it slave from V?
> 4. Should F forward to V, or to both A and B?

Generally speaking, if you're going to use a load balancer, use it. Don't go 
around it. I assume your VIP will actually float between two load balancers, 
for redundancy.

Why is forwarding involved? Forwarding is a recursive server behavior, but your 
other questions relate to authoritative service. Mixing the two, especially in 
a high-traffic environment, is a recipe for disaster. (Not that I haven't 
implemented that for even very large customers -- the customer is always right 
unless you can convince them otherwise. Use of multiple views, with 
match-recursive-only enabled in one of them, can somewhat alleviate the 
problem.)

1. Your choice. Mine would be M. My second choice would be either V1 or V2, if 
there was some need to truly conceal the identity of M.
2. V1 and V2.
3. V1 and V2.
4. V1 and V2.

But as others have pointed out, unless you're getting huge numbers of queries, 
I wouldn't bother with load balancers for authoritative service. I would only 
start looking for this type of solution if 6 individual name servers were 
insufficient to handle the load. And in that case, my first choice would be 
anycast, because that also gives you geographic redundancy, routing redundancy, 
etc. That's how the root server clusters are set up, for the most part.

For recursive service, where clients can't be relied upon to effectively use 
any server beyond the first one they query, load balancers make good sense. But 
in that case, you (ideally) shouldn't have any zones configured on the name 
servers other than (possibly) RPZs, stub zones, and (if you really must) 
conditional forwarding zones.

Chris Buxton
BlueCat Networks


Re: SOA issue

2013-02-13 Thread Chris Buxton
On Feb 13, 2013, at 9:22 AM, Paul A wrote:

> Can anyone help me figure out why this SOA is not changing no matter 
> what I do. The zone was edited and has a new SOA but no matter what I do bind 
> doesn't reload the zone with the new SOA. I tried rndc freeze/unfreeze and 
> still nothing. Short of reloading bind what else can I do.
> 
> TIA, Paul
> 
> named-compilezone -o - sturdymemorial.org db.sturdymemorial
> zone sturdymemorial.org/IN: loaded serial 2013021307
> sturdymemorial.org.   86400 IN SOA  
> reuben.meganet.net. postmaster.naisp.net. 2013021307 10800 3600 604800 600
> OK

Your zone only has an SOA record. A zone without NS records will not load.

If that's not really the issue, because you've edited the output above, a 
couple of hints:

- rndc reload zone is unnecessary if rndc freeze zone executes correctly. A 
dynamic zone (one that you would freeze and thaw) cannot be reloaded. Thawing 
the zone effectively reloads it.

- Do not edit a dynamic zone's zone file without first freezing it. Otherwise, 
when you freeze it, the data in memory will be written to disk, overwriting 
your changes.

- Are you sure you're editing the right file?

Chris Buxton
BlueCat Networks

> rndc reload sturdymemorial.org
> zone reload up-to-date
> 
> 
> dig @localhost  sturdymemorial.org soa
> 
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57470
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
> 
> ;; QUESTION SECTION:
> ;sturdymemorial.org.   IN  SOA
> 
> ;; ANSWER SECTION:
> sturdymemorial.org. 600 IN  SOA reuben.meganet.net. 
> postmaster.naisp.net. 2012011801 10800 3600 604800 600
> 
> from the log file
> 
> named[26675]: received control channel command 'reload sturdymemorial.org'


Re: private trust anchor

2013-02-11 Thread Chris Buxton
On Feb 10, 2013, at 3:26 PM, Evan Hunt wrote:

> Then configure the
> zones as type forward, with forwarders pointing to the authoritative
> server(s) for your zones.  The resolver will then forward queries for those
> names to the authoritative servers, and validate the responses.

Type forward? Really? I didn't expect that to come from someone at ISC.

Use 'type stub' instead, with a masters statement rather than a forwarders 
statement.

Chris Buxton



Re: Transfers-out

2013-01-08 Thread Chris Buxton
On Jan 8, 2013, at 1:24 PM, Manson, John wrote:

> Can this option be used in a 'slave' config to prevent out-bound transfers?
> Transfers-out 0;
> The 9.9.2 ARM is ambiguous.

Wouldn't it be simpler to just write this instead, in your options statement?

allow-transfer { none; };

Chris Buxton
BlueCat Networks



Re: Duplicate records?

2012-12-21 Thread Chris Buxton
On Dec 21, 2012, at 8:45 AM, Marek Kozlowski wrote:
> As I can see BIND allows duplicate A:
> 
> pikus    IN A 192.168.1.1
> pikus    IN A 192.168.1.2

Those aren't duplicates. They are a record set of two records. If they had the 
same data, we would call them duplicates.

A record set is a set of records that all have the same name, class, and type. 
Also called an rrset, short for resource record set.

> and PTR:
> 
> 192.168.1.1.    IN PTR pikus.somedomain.com.
> 192.168.1.1.    IN PTR filemon.somedomain.com.

Again, an rrset of PTR records.

> and disallows duplicate CNAMEs in the same way.

CNAME is a singleton type. Each rrset of type CNAME must have exactly one 
record, no more. Furthermore, a CNAME record cannot coexist with any other 
record type of the same name, except for a couple of DNSSEC record types (RRSIG 
and NSEC).

> For A and PTR both
> records are returned. My questions are:
> 
> 1. Is using duplicate A and PTR a standard (RFC...?) supported by all
> named implementations?

Yes.

> 2. Is using this duplicate A / PTR a good practice?

That depends on the use case. Multiple PTR records in an rrset is typically a 
bad idea (won't achieve the desired effect), but that is not always the case. 
Putting multiple A records in an rrset is common.

> 3. If A can be duplicated and CNAME cannot -- what's the reason for
> using CNAMEs (A-s are better).

A CNAME record creates an alias. If the target of that alias changes (gets a 
new address, gets a new MX record, or whatever), the alias need not change to 
gain the same benefit. Deciding when to use a CNAME record in place of one or 
more other records is a matter of taste, management tools, and use cases.

Chris Buxton
BlueCat Networks
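As an added example (not code from any of the posts above), a small Python checker for the rules explained in this thread and in the SOA thread earlier: the apex needs exactly one SOA and at least one NS or named will not load the zone, identical records within an rrset are true duplicates, CNAME is a singleton type, and a CNAME cannot share its name with anything but RRSIG and NSEC. The zone data fed to it is constructed.

```python
from collections import defaultdict

# Types that may share an owner name with a CNAME (its own RRSIG and NSEC).
CNAME_COMPATIBLE = {"RRSIG", "NSEC"}

def check_zone(apex, records):
    """Return a list of problems; records are (owner, type, rdata) tuples.

    Checks the rules from the posts above: one SOA and at least one NS at the
    apex (or named will not load the zone), no exact duplicates inside an
    rrset, CNAME as a singleton type, and no CNAME next to other data.
    """
    problems = []
    rrsets = defaultdict(list)          # (owner, type) -> list of rdata
    for owner, rtype, rdata in records:
        rrsets[(owner.lower(), rtype.upper())].append(rdata)
    apex = apex.lower()
    soa = rrsets.get((apex, "SOA"), [])
    if len(soa) != 1:
        problems.append(f"{apex}: {len(soa)} SOA records, expected exactly 1")
    if not rrsets.get((apex, "NS")):
        problems.append(f"{apex}: no NS records at apex, zone will not load")
    types_at = defaultdict(set)         # owner -> set of types present
    for (owner, rtype), rdatas in rrsets.items():
        types_at[owner].add(rtype)
        if len(rdatas) != len(set(rdatas)):
            # same name, class, type AND data: a true duplicate
            problems.append(f"{owner} {rtype}: duplicate records in rrset")
        if rtype == "CNAME" and len(rdatas) > 1:
            problems.append(f"{owner}: {len(rdatas)} CNAME records, only 1 allowed")
    for owner, types in types_at.items():
        others = types - {"CNAME"} - CNAME_COMPATIBLE
        if "CNAME" in types and others:
            problems.append(f"{owner}: CNAME coexists with {sorted(others)}")
    return problems

# Constructed sample zone: one legitimate two-record A rrset plus the
# mistakes discussed above.
SAMPLE_ZONE = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 1 7200 3600 604800 600"),
    ("example.test.", "NS", "ns1.example.test."),
    ("pikus.example.test.", "A", "192.168.1.1"),
    ("pikus.example.test.", "A", "192.168.1.2"),             # an rrset, fine
    ("filemon.example.test.", "A", "192.168.1.3"),
    ("filemon.example.test.", "A", "192.168.1.3"),           # real duplicate
    ("www.example.test.", "CNAME", "pikus.example.test."),
    ("www.example.test.", "CNAME", "filemon.example.test."), # not a singleton
    ("mail.example.test.", "CNAME", "pikus.example.test."),
    ("mail.example.test.", "MX", "10 pikus.example.test."),  # CNAME plus MX
]

if __name__ == "__main__":
    for problem in check_zone("example.test.", SAMPLE_ZONE):
        print(problem)
```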


Re: Requesting tips on setting TTLs so that expired RRSIG data doesn't stay in the zone

2012-12-14 Thread Chris Buxton
On Dec 14, 2012, at 2:48 AM, GS Bryan wrote:
> Reference: http://dnssec-debugger.verisignlabs.com/imouto.my
> 
> How to configure named (version BIND 9.9.2-P1-RedHat-9.9.2-2.P1.el5)
> so that expired RRSIG data doesn't stay in the zone? I heard it has
> something to do with the TTL of the zone (the expiry timer in that
> zone's SOA).

In DNS, it's important to correctly understand the terminology and use it with 
precision. Failure to do so leads to misunderstandings like the one displayed 
above.

A zone doesn't have a TTL. It might have a default TTL expressed in the master 
copy of the zone, but this only has an effect on the way the zone is loaded by 
the primary master name server. As far as all other name servers are concerned, 
there is no default TTL, and every record has an explicit TTL.

The expire timer value in the zone's SOA record is not a TTL. Its only effect 
is on slave servers that fail to successfully refresh the zone from their 
master server(s) within that period.

The existence of records in an authoritative zone is not affected by TTLs. 
However, the caching of records by other name servers is affected by TTLs. 
Perhaps you were really trying to ask how to make sure stale RRSIG records are 
removed from the caches of other name servers in a timely manner; in that case, 
the TTLs of the specific records could come into play.

However, expired RRSIGs are discarded by validating resolvers. The validating 
resolver, on encountering a stale RRSIG, would typically query one of the 
zone's authoritative servers directly (in the absence of forwarding 
configuration) to get a current RRSIG record. Therefore, the only problem these 
expired RRSIGs might cause is a little bit of wasted bandwidth.

Chris Buxton
BlueCat Networks
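Added example, not from the post: how a validating resolver bounds the time a signed rrset stays in its cache. RFC 4035 section 5.3.3 caps the cached TTL at the time left until the RRSIG expires, which is why record TTLs and signature validity interact the way the reply describes. The TTLs and timestamps below are constructed.

```python
from datetime import datetime, timezone

def rrsig_time(stamp):
    """Parse the YYYYMMDDHHMMSS form used for RRSIG inception and expiration."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def cache_ttl(rr_ttl, rrsig_ttl, original_ttl, inception, expiration, now):
    """Cache lifetime a validating resolver gives a validated rrset.

    Returns None when the signature is not currently valid: the resolver
    discards it and re-queries an authoritative server, as described above.
    Otherwise the TTL is capped at the smallest of the rrset TTL, the RRSIG
    TTL, the RRSIG Original TTL field and the seconds left until Signature
    Expiration (RFC 4035, section 5.3.3), so a signature can never outlive
    its validity period in the cache.
    """
    inception, expiration = rrsig_time(inception), rrsig_time(expiration)
    if not (inception <= now <= expiration):
        return None
    remaining = int((expiration - now).total_seconds())
    return min(rr_ttl, rrsig_ttl, original_ttl, remaining)

# Constructed sample: records with a one-day TTL whose signature was made on
# 7 Dec 2012 and expires at noon on 14 Dec 2012.
SAMPLE = dict(rr_ttl=86400, rrsig_ttl=86400, original_ttl=86400,
              inception="20121207000000", expiration="20121214120000")

if __name__ == "__main__":
    for when in ("20121214100000", "20121214130000"):
        ttl = cache_ttl(now=rrsig_time(when), **SAMPLE)
        print(when, "expired, discard" if ttl is None else f"cache for {ttl}s")
```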


Re: With the announcement that: “Advisory — D-root is changing its IPv4 address on the 3rd of January.”

2012-12-14 Thread Chris Buxton

On Dec 14, 2012, at 6:59 AM, Hayward, Bruce wrote:

> Hi
> 
> With the announcement that: "Advisory — D-root is changing its IPv4 address 
> on the 3rd of January."
> 
> https://lists.dns-oarc.net/pipermail/dns-operations/2012-December/009428.html
> 
> We are running 9.7.3-P3 on the Auths, and 9.8.1-P1 on the resolvers.
> 
> We currently do not use a root hints file. If we put a hints file in 
> named.conf, then will named use it, rather than the compiled in hints?

Yes.

Chris Buxton
BlueCat Networks
