Re: Testing DNS security

2017-02-21 Thread Emil Natan
There is a difference between a security policy check and a performance check.
If you want to check policies, you can do it manually by issuing different sorts
of queries from different locations, making sure that what should be answered is
answered and what should not be answered is not.
If you want to test performance, there are multiple tools that can
generate/replay queries at high volume; just search the list, the topic has been
discussed multiple times.

Emil

 Original Message 
Subject: Testing DNS security
Local Time: February 21, 2017 2:05 PM
UTC Time: February 21, 2017 12:05 PM
From: kaoutharcheti...@gmail.com
To: bind-users 

Hi,

I have created a DNS server using BIND and I have established security
policies.

Now I want to test its performance before hosting it.

Can you recommend network simulators that allow me to check its security?


Thank you in advance.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
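A scripted form of the policy check Emil describes above, as an added example that is not part of the thread: it issues queries to the server under test and classifies each reply, so that what should be answered is answered and what should be refused is refused. It uses only the Python standard library with a hand-rolled RFC 1035 header/question encoder; the server address 192.0.2.53 and the names in the policy table are constructed placeholders, and the same run is repeated from each network the policy distinguishes (inside, outside).

```python
"""Query-based policy check for a DNS server (added example, not from the
list thread). Hand-rolls the RFC 1035 wire format with the standard
library only, so it runs without dnspython."""
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28}
RCODES = {0: "noerror", 1: "formerr", 2: "servfail", 3: "nxdomain",
          4: "notimp", 5: "refused"}


def build_query(name, qtype="A", qid=0x1234, rd=True):
    """Encode a one-question DNS query; the RD bit asks for recursion."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def parse_header(data):
    """Decode the 12-byte header: id, QR/AA/RA bits, RCODE and answer count."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}


def classify(data, expected_id):
    """Reduce a raw reply to the one outcome word used in the policy table."""
    h = parse_header(data)
    if not h["qr"] or h["id"] != expected_id:
        return "bogus"          # not a reply to our query: do not count it
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "answered"
    return RCODES.get(h["rcode"], "rcode%d" % h["rcode"])


def probe(server, name, qtype="A", timeout=2.0, port=53):
    """Send one UDP query to `server` and classify the reply ('timeout' if none)."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, qid), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(data, qid)


def check_policy(expectations, prober):
    """expectations: (name, qtype, expected outcome) triples;
    prober(name, qtype) -> outcome. Returns (name, qtype, expected, got, ok) rows."""
    results = []
    for name, qtype, expected in expectations:
        got = prober(name, qtype)
        results.append((name, qtype, expected, got, got == expected))
    return results


def make_response(qid, rcode, ancount=0, ra=True):
    """Constructed header-only reply, used to exercise classify() offline."""
    flags = 0x8000 | (0x0080 if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    # Policy for an authoritative-only server as seen from the Internet
    # (server address and names are constructed placeholders).
    POLICY = [("www.example.com", "A", "answered"),
              ("example.com", "SOA", "answered"),
              ("www.google.com", "A", "refused")]   # recursion must be refused
    for row in check_policy(POLICY, lambda n, t: probe("192.0.2.53", n, t)):
        print("%-4s %-20s %-5s expected=%s got=%s"
              % (("PASS" if row[4] else "FAIL",) + row[:4]))
```

A "bogus" outcome (wrong ID or QR bit clear) is reported rather than silently dropped, since an unsolicited or spoofed reply arriving during a check is itself worth noticing.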

dnssec smart signing

2017-01-12 Thread Emil Natan
Hello,

I'm using dnssec-signzone to sign a zonefile. I have 3 keys stored on a HSM, 
here is the meta data for the keys:

; This is a key-signing key, keyid 15464, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)

; This is a zone-signing key, keyid 49480, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170211162324 (Sat Feb 11 18:23:24 2017)

; This is a zone-signing key, keyid 60436, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)

Using dnssec-signzone -S -d  ...
a new signed zone file is created and both ZSKs are used to sign all RRsets but
the DNSKEY. What I'm expecting to happen is that the ZSK (keyid 49480) is
published, but not used for signing (its activation time is a month in the
future).
I'm using BIND 9.9.9-P5.
Am I missing something?
Thank you in advance.

Emil
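An added example, not part of the post or of BIND, that spells out the semantics Emil expects from smart signing: from the key-file timing metadata in the post, which keys belong in the DNSKEY RRset and which may produce signatures at a given time. The three key headers are copied from the post into a constructed text block; Revoke, Inactive and Delete are the other timing fields BIND key files can carry and are handled here even though the posted keys lack them.

```python
"""Which keys dnssec-signzone -S should publish and which should sign at a
given time, derived from BIND key-file timing metadata. Added example of
the expected smart-signing semantics; not BIND's own code."""
import re
from datetime import datetime, timezone

# The three key headers from the post, as one constructed text blob.
KEY_METADATA = """\
; This is a key-signing key, keyid 15464, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)

; This is a zone-signing key, keyid 49480, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170211162324 (Sat Feb 11 18:23:24 2017)

; This is a zone-signing key, keyid 60436, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)
"""

HEADER_RE = re.compile(r"^; This is a (key|zone)-signing key, keyid (\d+), for (\S+)$")
# Revoke/Inactive/Delete are the other timing fields dnssec-keygen writes;
# absent from the posted keys, handled here for completeness.
TIME_RE = re.compile(r"^; (Created|Publish|Activate|Revoke|Inactive|Delete): (\d{14})")


def parse_time(stamp):
    """Key-file timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_keys(text):
    """Return a list of {role, keyid, zone, times} dicts, one per key."""
    keys, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"role": "KSK" if m.group(1) == "key" else "ZSK",
                   "keyid": int(m.group(2)), "zone": m.group(3).rstrip("."),
                   "times": {}}
            keys.append(cur)
            continue
        m = TIME_RE.match(line)
        if m and cur is not None:
            cur["times"][m.group(1)] = parse_time(m.group(2))
    return keys


def key_state(key, now):
    """'unpublished', 'published' (DNSKEY only), 'active' (also signs) or 'deleted'."""
    t = key["times"]
    if "Delete" in t and now >= t["Delete"]:
        return "deleted"
    if "Publish" not in t or now < t["Publish"]:
        return "unpublished"
    active = "Activate" in t and now >= t["Activate"]
    if "Inactive" in t and now >= t["Inactive"]:
        active = False
    return "active" if active else "published"


def signing_plan(keys, now):
    """(keyids in the DNSKEY RRset, ZSK ids that sign, KSK ids that sign)."""
    states = {k["keyid"]: key_state(k, now) for k in keys}
    publish = [k["keyid"] for k in keys if states[k["keyid"]] in ("published", "active")]
    zsk = [k["keyid"] for k in keys if k["role"] == "ZSK" and states[k["keyid"]] == "active"]
    ksk = [k["keyid"] for k in keys if k["role"] == "KSK" and states[k["keyid"]] == "active"]
    return publish, zsk, ksk


if __name__ == "__main__":
    keys = parse_keys(KEY_METADATA)
    for when in ("20170113000000", "20170301000000"):
        print(when, signing_plan(keys, parse_time(when)))
```

Run against the posted metadata, the day after creation the plan publishes all three keys but lets only ZSK 60436 and KSK 15464 sign; a month later ZSK 49480 joins the signers. Comparing such a plan against the RRSIGs actually present in the signed zone is a quick way to confirm that the signer honoured the Activate times.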

Re: rndc addzone type forward

2016-11-16 Thread Emil Natan
 Original Message 
Subject: Re: rndc addzone type forward
Local Time: November 16, 2016 5:50 PM
UTC Time: November 16, 2016 3:50 PM
From: e...@foowatch.com
To: bind-users@lists.isc.org <bind-users@lists.isc.org>

 Original Message 
Subject: Re: rndc addzone type forward
Local Time: November 16, 2016 5:12 PM
UTC Time: November 16, 2016 3:12 PM
From: d...@dotat.at
To: Emil Natan <e...@foowatch.com>
bind-users@lists.isc.org <bind-users@lists.isc.org>

Emil Natan <e...@foowatch.com> wrote:
>
> I'm trying to add a zone of type "forward" with rndc addzone, but it fails with:
>
> rndc addzone zone.org '{type forward; forward only; forwarders { 
> 192.168.20.115; }; };'
> rndc: 'addzone' failed: not found

I think this happens if you are using a version before 9.11 (which has a
more verbose error) and you get the view name wrong. The view name can be
wrong if you have multiple views and you don't specify which one.

e.g. on a 9.10 server with views:

$ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
rndc: 'addzone' failed: not found
$

And on a 9.11 server with views:

$ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
rndc: 'addzone' failed: not found
no matching view found for '_default'
$

You can get a similar error if you specify an incorrect view:

$ rndc addzone google in error '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
rndc: 'addzone' failed: not found
no matching view found for 'error'
$

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Shannon: West 6 to gale 8, perhaps severe gale 9 later. Rough or very rough,
becoming mainly high. Thundery showers. Good, occasionally poor.

Thank you for your response.
I'm not using and not specifying a view, which is optional anyway. I also
compiled BIND 9.11.0rc3, but nothing changed: no more verbosity, only the name
of the .nzf file created changed from a hash to plain text.
Another finding is that on failure the .nzf file is created, but it's empty, and
the next run of rndc addzone fails with "already exists".

root@debugtzc:/usr/local/stow# find /chroot/named -name "*.nzf"
root@debugtzc:/usr/local/stow# rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
rndc: 'addzone' failed: not found
root@debugtzc:/usr/local/stow# find /chroot/named -name "*.nzf"
/chroot/named/var/named/_default.nzf
root@debugtzc:/usr/local/stow# rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
rndc: 'addzone' failed: already exists
configure_zone failed: already exists
ls -l /chroot/named/var/named/_default.nzf
-rw-r--r-- 1 named named 0 Nov 16 17:39 /chroot/named/var/named/_default.nzf

Emil

Update: despite the errors, the forwarding takes effect, checked with tcpdump.
But now I can't remove the forwarding zone:
After:
root@debugtzc:/usr/local/stow# rndc addzone google.com '{ type forward; forward only; forwarders { 8.8.4.4; }; };'
rndc: 'addzone' failed: not found

Here forwarding works:
18:04:36.703150 IP debugtzc.isoc.org.il.55531 > 8.8.4.4.domain: 20892+% [1au] A? google.com. (51)

But then:
root@debugtzc:/usr/local/stow# rndc delzone google.com
rndc: 'delzone' failed: not found
no matching zone 'google.com' in any view

And the queries for google.com are still forwarded to 8.8.4.4.

Emil

rndc addzone type forward

2016-11-16 Thread Emil Natan
Hello,

I'm trying to add a zone of type "forward" with rndc addzone, but it fails with:

rndc addzone zone.org '{type forward; forward only; forwarders { 
192.168.20.115; }; };'
rndc: 'addzone' failed: not found

I have allow-new-zones set to yes in named.conf. Loading zones of type master 
works fine. All I see in the logs is:
Nov 16 16:12:33 debugtzs named[1018]: general: info: received control channel 
command 'addzone'

Am I missing something?

Emil

Re: R: Minimal responses and speeding up queries

2016-09-22 Thread Emil Natan
minimal-responses affects the size and not the number of responses.

On Sep 22, 2016 23:44, "Job" wrote:

> Hi Matus,
>
> >>If you want to avoid additional queries, turn minimal_responses off.
>
> I thought setting minimal_responses = yes should lower the number of
> queries
> Do you think it is the opposite?
>
> Thank you again!
> Francesco
>
> 
> From: bind-users [bind-users-boun...@lists.isc.org] on behalf of Matus
> UHLAR - fantomas [uh...@fantomas.sk]
> Sent: Thursday, 22 September 2016 17:07
> To: bind-users@lists.isc.org
> Subject: Re: Minimal responses and speeding up queries
>
> On 22.09.16 16:41, Job wrote:
> >in Bind 9.10 we tried minimal-responses = yes to limit "additional
> queries" when resolving.
> >
> >I notice that resolution is faster.
> >Actually, dig @host some_url still shows an additional query, maybe not
> needed for a caching-only resolver:
> >
> >; (1 server found)
> >;; global options: +cmd
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54581
> >;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> >Is there a way to improve limiting of "additional queries" after
> minimal-responses = yes?
>
> using minimal responses often results into additional queries needed, by
> definition.  If you want to avoid additional queries, turn
> minimal_responses
> off.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (Slovak): I do not wish to receive any advertising mail at this address.
> "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
> "So does syphillis. Good thing we have penicillin." - Matthew Alton

Re: Can anyone tell me a good DNS server testing program

2016-06-22 Thread Emil Natan
queryperf, supplied with BIND, found under contrib.
What we usually do is "record" some real traffic, then run queryperf on
multiple machines against a server. If I'm not mistaken a similar topic was
discussed here recently, so you can search the archives.

Emil

On Wed, Jun 22, 2016 at 3:34 PM, King, Harold Clyde (Hal) wrote:

> I have a new DNS BIND setup that I need to stress test. There are many
> tests for hitting a web server to simulate traffic, but I can't find one
> for doing the same thing to a DNS server. Does anyone have any
> recommendations?
>
>
> --
> Hal King  - h...@utk.edu
> Systems Administrator
> Office of Information Technology
> Shared Systems Services
>
> The University of Tennessee
> 103C5 Kingston Pike Building
> 2309 Kingston Pk. Knoxville, TN 37996
> Phone : 974-1599
> Helpdesk 24/7 : 974-9900
>
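The "record real traffic, then replay it" approach Emil recommends above needs the captured queries in queryperf's input format, one "name type" pair per line. As an added example (not from the thread and not part of queryperf), this converts BIND query-log lines into that format and summarises the query-type mix so the replay can be compared with production; the log lines are constructed samples in the BIND 9 "queries" category format, and non-IN classes and non-query log lines are skipped.

```python
"""Turn BIND query-log lines into queryperf input ("name type" per line) so
a recorded traffic mix can be replayed against a test server. Added example,
not part of the thread or of queryperf; the log lines are constructed."""
import re
import sys
from collections import Counter

# Constructed sample in the BIND 9 'queries' category format. The "(name)"
# after the client address appears in newer 9.x releases; both forms parse.
SAMPLE_LOG = """\
22-Jun-2016 15:34:01.101 client 192.0.2.10#53412 (www.example.com): query: www.example.com IN A +E (192.0.2.1)
22-Jun-2016 15:34:01.102 client 192.0.2.11#40021 (www.example.com): query: www.example.com IN AAAA + (192.0.2.1)
22-Jun-2016 15:34:01.150 client 192.0.2.12#1025: query: mail.example.com IN MX -E (192.0.2.1)
22-Jun-2016 15:34:01.151 client 192.0.2.12#1026: query: 10.2.0.192.in-addr.arpa IN PTR + (192.0.2.1)
22-Jun-2016 15:34:01.160 client 192.0.2.13#2222: query: example.com CH TXT + (192.0.2.1)
22-Jun-2016 15:34:02.000 client 192.0.2.10#53413: query (cache) 'www.example.com/A/IN' denied
"""

# name, class, type and the flags token, as written by named's query logging
QUERY_RE = re.compile(r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+) ")


def log_to_queryperf(lines, classes=("IN",)):
    """Return 'name type' rows for queryperf; lines that are not queries in
    one of the wanted classes (e.g. CH TXT or 'denied' entries) are dropped."""
    rows = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m.group("class") not in classes:
            continue
        rows.append("%s %s" % (m.group("name"), m.group("type")))
    return rows


def qtype_mix(rows):
    """Count query types so the replayed mix can be checked against production."""
    return Counter(row.split()[1] for row in rows)


def write_queryperf_input(rows, path):
    """Write the rows as a queryperf -d input file."""
    with open(path, "w") as f:
        f.write("\n".join(rows) + "\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    rows = log_to_queryperf(lines)
    print("\n".join(rows))
    print("# qtype mix:", dict(qtype_mix(rows)), file=sys.stderr)
```

Client addresses are deliberately not carried into the output: queryperf only needs the name and type, and the replay file can then be shared with the people running the load generators without exposing who asked what.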

Changelog details

2015-08-23 Thread Emil Natan
Hello,

I'm investigating an issue which started after upgrading to the latest
version of BIND (bind-9.9.7-P2). I started with checking the changelog and
I read a line saying:

4061.   [bug]   Handle timeout in legacy system test. [RT #38573]

Where can I find more details about bug 4061 or RT #38573? My issue may or
may not be related to bug 4061, but I use it here mainly as an example.

Thanks.

Emil

Re: Suppress log entry...

2015-04-13 Thread Emil Natan
I think showing this line on start is a good thing. I update our DNS
servers regularly, and when debugging a problem and checking the old logs it's
useful to find which version was running at the time and how it was built.

Emil

On Mon, Apr 13, 2015 at 8:19 PM, Alan Clegg a...@clegg.com wrote:

> On 4/13/15 1:18 PM, Reindl Harald wrote:
>
>> On 13.04.2015 at 19:14, SH Development wrote:
>>> For me, it’s in the interest of keeping clean, easy to read log files.
>>> Seems like this info should be available to turn on and off when
>>> needed for debugging, not every time the config is changed.
>>
>> this line appears only when named is started
>>
>> in other words: if every time you change the config you hard restart
>> named instead of reloading, you are doing it terribly wrong, with a ton of bad
>> side effects
>
> Yep.  rndc reconfig does the loading of configuration changes and does
> not put the "how this binary was built" message into the log file.
>
> AlanC



Re: Using a HSM card to sign zone

2014-02-16 Thread Emil Natan
Hi,

I tested Safenet's Luna SA (the network appliance, not the card) a
year ago. It did not work using the openssl patch provided with BIND, but
in the end, with some assistance from Safenet's engineers and a
proprietary engine provided by them, we made it work. I presume it'll work
also with the PCI card, because the appliance is generally the same card in
a box. I had very similar issues: the pkcs11-* commands worked and the
dnssec-* ones did not.
I had no issues with the HSMs from Utimaco, AEP and ARX.

ena


On Fri, Feb 14, 2014 at 9:43 PM, Sergio Ramirez srami...@seciu.edu.uy wrote:

> Hi,
>
> We want to sign zones with bind using an HSM Luna PCI Safenet card.
>
> The command 'dnssec-keyfromlabel' fails:
>
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
> dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
> dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
>
> It was installed on a Debian 4 Linux 2.6.18-6-686 server with:
>   - openssl-1.0.0e
>   - patch provided by the vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
>   - bind 9.9.2-P1
>
> ** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed
> with bind are working OK. **
>
> The key 'KSK1-testdnssec' was generated with the pkcs11-keygen command.
>
> We would like to know if anyone is using this HSM or a similar one.
>
> Furthermore we would like to get some guidance to solve this problem.
>
> Thanks in advance.
> --
> Sergio Ramírez


Re: Multiple masters for slave zone

2013-03-18 Thread Emil Natan
It does not matter where the notify comes from (it may well be sent from a
slave too); named will try to transfer the zone from the first master
listed in the masters list. At least that's how it works in 9.7.x, and I
do not believe it's something that changed between releases.

ena

On Mon, Mar 18, 2013 at 3:08 PM, eliran shlomo eliranshl...@gmail.com wrote:

> Hi,
> I need help with understanding how multiple masters work.
> I set a few masters for a slave zone:
> zone "example.com" in {
> type slave;
> file "secondary/db.example.com";
> masters { 192.168.112.10; 192.168.112.12; 192.168.112.13;
> 192.168.112.14; 192.168.112.15; };
> };
>
> Each master is standalone and there's no handshake between them.
>
> Now my question is: if I change the serial on the 192.168.112.13 master, after
> the notify from which one will the zone transfer occur?
>
> The bind version is Version: 9.5.0-P2


dnssec keys and multiple slots

2013-02-05 Thread Emil Natan
Hi all,

I'm trying to implement DNSSEC using BIND and SoftHSM. I'm using the
pkcs11-* and dnssec-* tools to manage the keys in the HSM and sign the
zones. When I store both KSK and ZSK under a single slot there is no problem
creating local key files with dnssec-keyfromlabel and signing the zone. What
I want to achieve is to store the KSK and the ZSK under separate slots
protected with different PINs (there are 3 slots currently, 0, 1 and 2, all
three with different PINs), save the PIN for the KSK slot in a local file
for automatic use, and enter the PIN for the KSK slot manually
when needed. The pkcs11-keygen command accepts the -s parameter, so I'm
able to create the ZSK under slot 1 and the KSK under slot 2. When I try to
create the local key files with the dnssec-keyfromlabel command it fails to
find the key objects in the HSM; it's not possible to specify a slot option,
so it searches for the keys only in slot 0 and of course does not find
them.
Is there a way to achieve that with BIND?

Thanks,
Emil

Re: Selective resolution in a corporate environment

2013-02-05 Thread Emil Natan
Look for my answer below.

On Tue, Feb 5, 2013 at 5:16 PM, funky monkey wongsky.mon...@gmail.com wrote:

> One of my responsibilities has been general DNS (across platform)
> expertise in the organisation I currently work for. Over a fair amount of
> time, one thing that's repeatedly cropped up has been the (ideally
> selective) subversion of DNS resolution of certain internet DNS domains.
>
> Sometimes that has been for DNS namespaces used purely by the company (but
> say subverting the odd name on an internal network, but in general, using
> the remaining records in external DNS); other times it's been for internal,
> but managed, use of things like social media (e.g. facebook, twitter, and
> other things...)
>
> My understanding is that at least with current DNS capabilities, that's
> largely all or nothing - you either do the split-brain thing, and have
> internal authority for the domain (and as a consequence, have to provide
> all the DNS entries required - probably perfectly OK for your own DNS
> domains, but possibly problematic or time consuming for alien DNS domains).
>
> I suppose, if you're doing it already and have the infrastructure, you
> could host such owned DNS namespaces by using bind views, and use network
> DACLs to respond to internet DNS names, and internal DNS names with a
> different set of zone files - but in the environment I look after, that's
> not currently tenable - the environment is something of a hybrid, with
> largely Windows / Active Directory integrated DNS internally, plus some
> areas of BIND (old versions 8.x.x and some 9.x.x instances).
>
> I did hear talk about some device (whether it was part of Microsoft's ISA,
> or more recent offerings like TMG) that could sit in the middle, kind of
> subvert certificate usage (for secure website access) and redirect internal
> access to a public / internet website, tactically. All I read were comments
> by a colleague, who was more involved in IT security, so I didn't really
> glean much in the way of true details about how that would work.
>
> But to get back to what I'm often asked for, more as a tactical solution:
> is there any way of being able to subvert specific DNS names with alternate
> responses, whilst leaving the rest of the resolution to be obtained in the
> normal way - I know that doesn't follow the normal looking for authority
> for a domain name, then asking the correct question there.


I did something similar using Unbound, check the local-zone: and
local-data: declarations.

Emil


> I'm just thinking that many corporate DNS environments are already caching
> most of what they're resolving from elsewhere, and whilst it may present
> issues if abused, for corporate scenarios where there's more likelihood of
> security and authority not being subverted, surely it would be something of
> a boon for DNS administrators and save a lot of tedium with split-brain DNS
> implementations.
>
> Am I just spouting crazy talk, or is there something that could more
> easily address this, that I'm currently unaware of?
>
> Any comments welcome...


rndc status number of zones

2012-03-01 Thread Emil Natan
Hi list,

I have a test environment with 3 VMs running different versions of BIND:
9.7.3-P3, 9.8.1-P1 and 9.9.0rc1. On all 3 machines rndc status reports an
unrealistic "number of zones:". For example, when there are 3 zones configured in
named.conf, the number reported is "number of zones: 18", and when there are 7
zones, I get "number of zones: 41". Here is my named.zones
configuration file, part of named.conf (included into it). There are no
other zone statements in named.conf:

== named.zones ===
zone "." {
type hint;
file "/etc/root.hints";
};

zone "net.ttt" {
type master;
file "net.ttt.zone";
};

zone "vvv.ttt" {
type master;
file "vvv.ttt.zone";
notify explicit;
also-notify { 10.0.130.118; };
allow-transfer { 10.0.130.118; };
};

=

If I comment out the zone "." { ... }; part and then reconfig/reload/restart,
the number reported by rndc status remains unchanged. If I comment out any
other zone statement, the number reported decreases accordingly; when all are
commented out, the number reported is 16.
Do any of you experience the same issue? Any ideas what I'm missing or
what's wrong?

Thanks,

ena

Re: rndc status number of zones

2012-03-01 Thread Emil Natan
On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:

> On 01/03/2012 11:20, Emil Natan wrote:
>> Do any of you experience the same issue? Any ideas what I'm missing or
>> what's wrong?
>
> Automatic empty zones?


Thanks for the input. It seems you are right: adding "recursion no;" to
named.conf, which disables the automatic empty zones, reduces the number of
zones to what I expect plus 1. That is, with a named.conf with no zone
statements, rndc status returns "number of zones: 1", and when I have 7 zone
statements, the number returned is 8. So I'm still missing something. Any
ideas?

ena


> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
> JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



Re: rndc status number of zones

2012-03-01 Thread Emil Natan
It's really a more elegant way to disable the empty zones. Thanks.

On Thu, Mar 1, 2012 at 2:14 PM, Flex Banana flex.ban...@bluewin.ch wrote:

> I think you want to use
>
> options {
> empty-zones-enable no;
> };
>
> in your named.conf configuration file to disable all empty zones.
>
> Look at the DNS and BIND reference from Cricket Liu
>
> ciao!
> Banana


Re: rndc status number of zones

2012-03-01 Thread Emil Natan
On Thu, Mar 1, 2012 at 2:27 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:

> On 01/03/2012 12:10, Emil Natan wrote:
>> On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
>>
>>> On 01/03/2012 11:20, Emil Natan wrote:
>>>> Do any of you experience the same issue? Any ideas what I'm missing or
>>>> what's wrong?
>>>
>>> Automatic empty zones?
>>
>> Thanks for the input. It seems you are right, adding "recursion no;" to
>> named.conf which disables the automatic empty zones, reduces the number
>> of zones to what I expect +1, which means named.conf with no zone
>> statements, rndc status returns "number of zones: 1", when I have 7
>> zone statements, the number returned is 8. So I'm still missing something. Any
>> ideas?
>
> Try:
>
>   zone-statistics yes;
>
> and then dumping statistics, or looking at the XML statistics output.
> In fact, there are 4 extra zones in the _bind view I'd expect you to see
> as well as your configured zones:
>
> [version.bind (view: _bind)]
> [hostname.bind (view: _bind)]
> [authors.bind (view: _bind)]
> [id.server (view: _bind)]

I always add "hostname none;" and "version none;", so I believe that's
the reason I do not see what you have expected. Here is the statistics file:

+++ Statistics Dump +++ (1330605355)
++ Incoming Requests ++
++ Incoming Queries ++
++ Outgoing Queries ++
[View: default]
  37 A
  37 NS
 172 
[View: _bind]
++ Name Server Statistics ++
++ Zone Maintenance Statistics ++
   1 IPv4 notifies sent
++ Resolver Statistics ++
[Common]
[View: default]
 182 IPv4 queries sent
  64 IPv6 queries sent
 238 query retries
 174 query timeouts
   1 IPv4 NS address fetches
   6 IPv6 NS address fetches
[View: _bind]
++ Cache DB RRsets ++
[View: default]
[View: _bind (Cache: _bind)]
++ Socket I/O Statistics ++
 185 UDP/IPv4 sockets opened
  65 UDP/IPv6 sockets opened
   3 TCP/IPv4 sockets opened
   1 TCP/IPv6 sockets opened
 183 UDP/IPv4 sockets closed
  64 UDP/IPv6 sockets closed
  15 TCP/IPv4 sockets closed
  64 UDP/IPv6 socket connect failures
 182 UDP/IPv4 connections established
  16 TCP/IPv4 connections accepted
  64 UDP/IPv6 send errors
++ Per Zone Query Statistics ++
--- Statistics Dump --- (1330605355)

ena

> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
> JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Re: rndc status number of zones

2012-03-01 Thread Emil Natan
That should be it. And that's probably why adding and removing the custom
root.hints file does not change the count: when enabled it's the one
counted, and when disabled the built-in one is counted. Thanks.

ena

On Thu, Mar 1, 2012 at 2:41 PM, Mark Andrews ma...@isc.org wrote:

> Built in root hints zones with class IN.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


session.key and managed-keys

2011-07-10 Thread Emil Natan
Hi,

I have a few boxes running BIND 9.7.3-P3. I do not use DNSSEC (for now) or
dynamic updates (at all), and I have them explicitly disabled in named.conf
(dnssec-enable no; dnssec-validation no; allow-update { none; };), but I
see named still searching for the managed-keys.bind file and trying to create
the session.key file. In the general case it fails with "file not found" and
"permission denied", which I know how to correct. My question is why BIND is
forced to create files, and especially the session.key? Is there a way to
change that behavior?

Thanks,
ena

openssl pkcs#11 engine patch

2011-02-07 Thread Emil Natan
Hi,

I am trying to build BIND 9.7.2-P3 with the HSM support needed for DNSSEC on a
CentOS-5 box. Following the documentation (arm97, starting from page 27) I
download the openssl source (0.9.8l) and apply the patch provided with BIND
(bin/pkcs11/openssl-0.9.8l-patch); there are no errors during the configure and
make phases, but I end up with an openssl that does not support pkcs#11. I
tried to use both the SCA6000 and SoftHSM pkcs#11 providers with no success.
Here is my configure line:

./Configure linux-generic32 -m32 -pthread
--pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so
--pk11-flavor=crypto-accelerator --prefix=/opt/pkcs11/usr

/opt/pkcs11/usr/lib/libpkcs11.so is the pkcs#11 provider shipped with
SCA6000 (actually copy of the original
/opt/sun/sca6000/lib/libpkcs11_sca.so).
Here is the error I get checking for pkcs#11 support:

/opt/pkcs11/usr/bin/openssl engine pkcs11
27876:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(/opt/pkcs11/usr/lib/engines/libpkcs11.so): /opt/pkcs11/usr/lib/engines/libpkcs11.so: cannot open shared object file: No such file or directory
27876:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
27876:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
27876:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:419:id=pkcs11

/opt/pkcs11/usr/lib/engines/libpkcs11.so should be the pkcs#11 engine if I
understand this correctly, but it is not created. I checked all components
are 32-bit and there is no mixing of 32 and 64-bit objects as proposed in
README.pkcs11.

If I go further and build BIND as described in the ARM, when I try to create
keys using the pkcs11-keygen tool I get:

/chroot/named/sbin/pkcs11-keygen -b 1024 -l ksk
C_Initialize: Error = 0x00FF

Someone got this working?

The output of the configure command is attached.

Thanks.

ena



Re: bind 9 multiple masters setup

2011-01-12 Thread Emil Natan
On Wed, Jan 12, 2011 at 5:13 PM, dev null devn...@cimmerii.org wrote:

 Hello,

 I have most of this worked out but I intend to setup bind in a
 multiple master manner.

 This makes me question a few things:

 1. What can I use for the SOA MNAME? In the off chance a box may die,
 I am thinking of using a VIP which contains the multiple masters
 within it. However I am not sure how this would affect NOTIFY. So can
 I use a VIP or do I just use one of the master DNS boxes in the SOA
 MNAME field?


You can use any name server that is authoritative for the zone. One of the
masters is good enough.


 2. With that said, I intend to use rndc to push out DNS changes,
 should I worry about using a VIP still? I may need to use both and
 NOTIFY seems like it is more built-in so I want to keep rndc and
 NOTIFY going.

How do you plan to replicate the zone data between the masters? At the
slaves you can just set a few masters for each zone. For example:

zone "example.com" {
    type slave;
    file "/var/named/example.com.zone";
    masters { master_ip_address; master_ip_address; ... };
};

When named receives a NOTIFY for a zone it will check, one by one, the servers
from the masters list.

 Hope someone has gone through this trauma.

 Thank you!,

 Zahid Bukhari


ena

error log entry

2010-07-04 Thread Emil Natan
Hello,

I have BIND 9.6 (BIND 9.6.2-P2 built with '--prefix=/chroot/named'
'--enable-threads' '--with-openssl' '--enable-ipv6'
'CFLAGS=-DDIG_SIGCHASE=1') in a test environment serving a signed zone. I
see the following error in the log, repeated every 5 minutes. I understand
it indicates a permissions problem, but I do not understand what action
named is trying to perform that leads to this error.

Jul  4 15:38:19 kvm-dns2 named[12751]: general: error: zone stest.org/IN: zone_resigninc:find_zone_keys - permission denied
Jul  4 15:43:19 kvm-dns2 named[12751]: general: error: zone stest.org/IN: zone_resigninc:find_zone_keys - permission denied
Jul  4 15:48:19 kvm-dns2 named[12751]: general: error: zone stest.org/IN: zone_resigninc:find_zone_keys - permission denied

Any help would be appreciated.

ena
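A check a practitioner would run for this error, added here as an example and not part of the thread: when named re-signs a zone it needs to read the private-key files (K<zone>+<alg>+<id>.private) from the zone's key-directory, which defaults to named's working directory, and "permission denied" from find_zone_keys is consistent with those files not being readable by the account named runs as. The script below is my own illustration; it assumes the key directory and the named user name are passed as arguments, and it classifies each private key from its owner and mode bits (as shown by ls -l) instead of switching users.

```shell
#!/bin/sh
# Added example (not from the thread): list the DNSSEC private-key files in a
# key directory and say whether the named user can read them. Assumes named
# looks for K<zone>+<alg>+<id>.private in KEYDIR (the zone's key-directory,
# which defaults to named's working directory) and runs as NAMEDUSER.

check_key_perms() {
    keydir=$1
    nameduser=$2
    for f in "$keydir"/K*.private; do
        [ -e "$f" ] || continue            # the glob matched nothing
        set -- $(ls -ld "$f")              # mode links owner group size ...
        mode=$1 owner=$3 group=$4
        ownerbit=$(printf '%s' "$mode" | cut -c2)
        groupbit=$(printf '%s' "$mode" | cut -c5)
        otherbit=$(printf '%s' "$mode" | cut -c8)
        if [ "$owner" = "$nameduser" ] && [ "$ownerbit" = r ]; then
            status=OK
        elif [ "$otherbit" = r ]; then
            status=WORLD_READABLE          # named can read it, but so can everyone
        elif [ "$groupbit" = r ]; then
            status=GROUP_ONLY              # readable only if named is in $group
        else
            status=DENIED                  # the likely source of "permission denied"
        fi
        printf '%s %s owner=%s group=%s mode=%s\n' "$status" "$f" "$owner" "$group" "$mode"
    done
}

# Usage: sh check_key_perms.sh /var/named/keys named
if [ $# -ge 2 ]; then
    check_key_perms "$1" "$2"
fi
```

Anything reported as DENIED or GROUP_ONLY is worth fixing first; WORLD_READABLE keys let named work but expose the signing key to every local account, so the usual target is mode 600 (or 640 with named's group) owned by the named user.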

Re: How See what is Cached?

2009-07-05 Thread Emil Natan
On Sun, Jul 5, 2009 at 8:37 AM, Alansbatpowe...@yahoo.co.uk wrote:
 Hi,



 My boss wants to know what sites are cached? Is that possible with Bind 9
 (OS: CentOS).



 Regards,

 Alans,



rndc dumpdb -cache

Check the rndc manual. By default the data will be written to the file
named_dump.db. Check the dump-file option in the BIND ARM.

ena
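To turn the dump into the list the boss asked for, here is an added example (my own, not from the thread): named writes the cache to named_dump.db in zone-file presentation format, with ";" comment lines, a $DATE line and, for an RRset with several records, the owner name left blank on the continuation lines. The function below reduces that to one "owner type" pair per cached RRset. The excerpt it runs on is constructed for the example and uses documentation names and addresses.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what a BIND cache dump holds.
# "rndc dumpdb -cache" writes the cache in zone-file presentation format to
# named_dump.db (the dump-file option), with ";" comment lines, a $DATE line,
# and repeated owner names left blank on continuation lines. cached_names
# prints one "owner type" pair per cached RRset, sorted and de-duplicated.

cached_names() {
    awk '
        /^[;$]/ || NF == 0 { next }                       # comments, $DATE, blank lines
        {
            i = 1
            if ($0 !~ /^[ \t]/) { owner = $1; i = 2 }    # line carries a new owner name
            if ($i ~ /^[0-9]+$/) i++                      # TTL
            if ($i == "IN" || $i == "CH" || $i == "HS") i++   # class, when present
            # $i is now the type; negative-cache entries show up as \-TYPE
            print owner, $i
        }' "$1" | sort -u
}

# Constructed excerpt of a named_dump.db (example.com and 192.0.2.0/24 are
# documentation names and addresses, not real cache contents).
sample_dump() {
    cat <<'EOF'
;
; Start view default
;
;
; Cache dump of view 'default' (cache default)
;
$DATE 20090705083700
; authanswer
www.example.com.        3012    IN A    192.0.2.10
; authauthority
example.com.            86400   IN NS   ns1.example.com.
                        86400   IN NS   ns2.example.com.
; glue
ns1.example.com.        172800  IN A    192.0.2.1
; answer
mail.example.com.       300     IN MX   10 mx.example.com.
mail.example.com.       300     \-AAAA  ;-$NXRRSET
EOF
}

# Usage: rndc dumpdb -cache; sh cached_names.sh /var/named/data/named_dump.db
if [ $# -ge 1 ]; then
    cached_names "$1"
fi
```

On the sample this yields five lines, among them "example.com. NS" once (the two NS records collapse into one RRset) and "mail.example.com. \-AAAA" for the negatively cached AAAA lookup; on a real dump, pipe the result through grep for the domain of interest.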


Re: Lookup of delegation NS records

2009-03-28 Thread Emil Natan
2009/3/28 Cherney John-CJC030 john.cher...@motorola.com

  Is it possible to use nslookup or dig to look up delegation records? I
 can use them to get the nameservers for a particular domain, but I also want
 to see the nameservers it would delegate to. So far, the only way I can
 figure out to do that is to parse the actual db file.

 Thanks,
 jwc




dig +trace ns domainname
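The check that usually follows the trace, as an added example that is not part of the thread: dig +trace prints one block of records per server it consults, each closed by a ";; Received ... from <server>" line, so the block before the final answer is the parent's referral and carries the delegation NS set, while the final block is what the zone's own servers say. The script below (my own illustration) parses a saved trace and reports whether the two sets agree; a difference is the classic stale-delegation problem. The trace it runs on is constructed for the example with documentation names and addresses.

```shell
#!/bin/sh
# Added example (not from the thread): compare the NS set a parent delegates
# to (the referral block of "dig +trace ns <zone>") with the NS set the zone's
# own servers answer (the final block). dig ends each block with a line
# ";; Received ... from <server>", which is what the parser counts.

# Print the NS targets for ZONE from the parent referral (PARENT) or the
# final authoritative answer (CHILD), one per line, sorted.
trace_ns() {
    zone=$1; file=$2; want=$3
    awk -v zone="$zone" -v want="$want" '
        /^;; Received/ { block++; next }
        $1 == zone && $3 == "IN" && $4 == "NS" {
            ns[block, $5] = 1; seen[block] = 1; last = block
        }
        END {
            parent = -1
            for (b = last - 1; b >= 0; b--) if (b in seen) { parent = b; break }
            for (k in ns) {
                split(k, p, SUBSEP)
                if ((want == "CHILD" && p[1] == last) || (want == "PARENT" && p[1] == parent))
                    print p[2]
            }
        }' "$file" | sort
}

# Print MATCH, or MISMATCH with the names present on only one side.
compare_delegation() {
    zone=$1; file=$2
    case $zone in *.) ;; *) zone="$zone." ;; esac      # dig prints FQDNs
    p=$(mktemp); c=$(mktemp)
    trace_ns "$zone" "$file" PARENT > "$p"
    trace_ns "$zone" "$file" CHILD > "$c"
    if [ ! -s "$p" ] && [ ! -s "$c" ]; then
        echo "NO_NS_FOUND for $zone"
    elif cmp -s "$p" "$c"; then
        echo MATCH
    else
        printf 'MISMATCH parent_only=[%s] child_only=[%s]\n' \
            "$(comm -23 "$p" "$c" | tr '\n' ' ')" "$(comm -13 "$p" "$c" | tr '\n' ' ')"
    fi
    rm -f "$p" "$c"
}

# Constructed "dig +trace ns example.com" output (documentation names and
# 192.0.2.0/24 addresses); the parent lists ns3 but the zone itself does not.
sample_trace() {
    cat <<'EOF'
; <<>> DiG 9.7.3 <<>> +trace ns example.com
;; global options: +cmd
.                       518400  IN      NS      a.root.invalid.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

com.                    172800  IN      NS      a.gtld.invalid.
;; Received 169 bytes from 192.0.2.4#53(a.root.invalid) in 20 ms

example.com.            172800  IN      NS      ns1.example.com.
example.com.            172800  IN      NS      ns2.example.com.
example.com.            172800  IN      NS      ns3.example.com.
;; Received 181 bytes from 192.0.2.30#53(a.gtld.invalid) in 30 ms

example.com.            86400   IN      NS      ns1.example.com.
example.com.            86400   IN      NS      ns2.example.com.
;; Received 96 bytes from 192.0.2.1#53(ns1.example.com) in 15 ms
EOF
}

# Usage: dig +trace ns example.com > trace.txt
#        sh compare_delegation.sh example.com trace.txt
if [ $# -ge 2 ]; then
    compare_delegation "$1" "$2"
fi
```

On the sample the result is "MISMATCH parent_only=[ns3.example.com. ] child_only=[]": the parent still delegates to a server the zone no longer lists, which is exactly the kind of discrepancy that reading the db file would never reveal.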