Re: Testing DNS security
There is a difference between a security policy check and a performance check. If you want to check policies, you can do it manually by issuing different sorts of queries from different locations, making sure that what should be answered is answered and what should not be answered is not. If you want to test performance, there are multiple tools that can generate/replay queries at high volume; just search the list, the topic has been discussed multiple times.

Emil

-------- Original Message --------
Subject: Testing DNS security
Local Time: February 21, 2017 2:05 PM
UTC Time: February 21, 2017 12:05 PM
From: kaoutharcheti...@gmail.com
To: bind-users

> Hi,
> I have created a DNS server by using BIND and I have established security policies.
> Now I want to test its performance before hosting it.
> Can you recommend me network simulators that allow to check its security?
> Thank you in advance.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
dnssec smart signing
Hello,

I'm using dnssec-signzone to sign a zonefile. I have 3 keys stored on an HSM; here is the metadata for the keys:

    ; This is a key-signing key, keyid 15464, for example.com.
    ; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
    ; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
    ; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)

    ; This is a zone-signing key, keyid 49480, for example.com.
    ; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
    ; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
    ; Activate: 20170211162324 (Sat Feb 11 18:23:24 2017)

    ; This is a zone-signing key, keyid 60436, for example.com.
    ; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
    ; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
    ; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)

Using dnssec-signzone -S -d ... a new signed zonefile is created and both ZSKs are used to sign all RRsets but the DNSKEY. What I'm expecting to happen is that the ZSK (keyid 49480) is published, but not used for signing (the activation time is a month in the future). I'm using BIND 9.9.9-P5.

Am I missing something?

Thank you in advance.
Emil
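As an added example (not from the post and not BIND's own code), the routine below reads key metadata in the format quoted above and works out, for a given signing time, which keys should be publish-only and which should sign, using the timing semantics BIND documents (Publish <= now: the DNSKEY is in the zone; Activate <= now and before any Inactive/Delete: the key signs). The metadata text embedded is the post's own; the `when` argument is an ISO 8601 UTC timestamp.

```python
import re
from datetime import datetime, timezone

# Key metadata exactly as quoted in the post (the three example.com keys).
KEY_METADATA = """\
; This is a key-signing key, keyid 15464, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)
; This is a zone-signing key, keyid 49480, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170211162324 (Sat Feb 11 18:23:24 2017)
; This is a zone-signing key, keyid 60436, for example.com.
; Created: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Publish: 20170112162324 (Thu Jan 12 18:23:24 2017)
; Activate: 20170112162324 (Thu Jan 12 18:23:24 2017)
"""

HEADER_RE = re.compile(r"^; This is a (key|zone)-signing key, keyid (\d+), for (\S+)\.$")
EVENT_RE = re.compile(r"^; (Created|Publish|Activate|Revoke|Inactive|Delete): (\d{14})")


def parse_timestamp(stamp):
    """dnssec-keygen writes timing events as YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_metadata(text):
    """Return one dict per key: keyid, role (KSK/ZSK), zone, and the timing events found."""
    keys = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            role = "KSK" if m.group(1) == "key" else "ZSK"
            keys.append({"keyid": int(m.group(2)), "role": role, "zone": m.group(3)})
            continue
        m = EVENT_RE.match(line)
        if m and keys:
            keys[-1][m.group(1)] = parse_timestamp(m.group(2))
    return keys


def key_state(key, at):
    """Classify a key at time `at` as 'hidden', 'published' (in the DNSKEY RRset only)
    or 'signing' (in the DNSKEY RRset and eligible to produce RRSIGs)."""
    delete = key.get("Delete")
    if delete is not None and at >= delete:
        return "hidden"
    publish = key.get("Publish")
    if publish is None or at < publish:
        return "hidden"
    activate = key.get("Activate")
    inactive = key.get("Inactive")
    if activate is not None and at >= activate and (inactive is None or at < inactive):
        return "signing"
    return "published"


def expected_signers(keys, at):
    return sorted(k["keyid"] for k in keys if key_state(k, at) == "signing")


def expected_published(keys, at):
    return sorted(k["keyid"] for k in keys if key_state(k, at) != "hidden")


def signers_at(text, when):
    """Convenience wrapper: `when` is an ISO 8601 UTC string such as '2017-01-13T00:00:00'.
    Which RRsets each signer covers (KSK: DNSKEY only) is outside this check."""
    at = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
    keys = parse_key_metadata(text)
    return {"signing": expected_signers(keys, at), "published": expected_published(keys, at)}


if __name__ == "__main__":
    # At the time of the post, only 15464 and 60436 should sign; 49480 should be published only.
    print(signers_at(KEY_METADATA, "2017-01-13T00:00:00"))
```

Comparing this output with the keyids in the RRSIG records of the signed zone is a quick way to tell whether the signer honoured the Activate times.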
Re: rndc addzone type forward
-------- Original Message --------
Subject: Re: rndc addzone type forward
Local Time: November 16, 2016 5:50 PM
UTC Time: November 16, 2016 3:50 PM
From: e...@foowatch.com
To: bind-users@lists.isc.org <bind-users@lists.isc.org>

> -------- Original Message --------
> Subject: Re: rndc addzone type forward
> Local Time: November 16, 2016 5:12 PM
> UTC Time: November 16, 2016 3:12 PM
> From: d...@dotat.at
> To: Emil Natan <e...@foowatch.com>, bind-users@lists.isc.org <bind-users@lists.isc.org>
>
> Emil Natan <e...@foowatch.com> wrote:
> >
> > I'm trying to add zone of type "forward" with rndc addzone, but it fails with:
> >
> > rndc addzone zone.org '{type forward; forward only; forwarders { 192.168.20.115; }; };'
> > rndc: 'addzone' failed: not found
>
> I think this happens if you are using a version before 9.11 (which has a more verbose error) and you get the view name wrong. The view name can be wrong if you have multiple views and you don't specify which one.
>
> e.g. on a 9.10 server with views:
>
> $ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
> rndc: 'addzone' failed: not found
> $
>
> And on a 9.11 server with views:
>
> $ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
> rndc: 'addzone' failed: not found
> no matching view found for '_default'
> $
>
> You can get a similar error if you specify an incorrect view:
>
> $ rndc addzone google in error '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
> rndc: 'addzone' failed: not found
> no matching view found for 'error'
> $
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Shannon: West 6 to gale 8, perhaps severe gale 9 later. Rough or very rough, becoming mainly high. Thundery showers. Good, occasionally poor.

Thank you for your response. I'm not using and not specifying a view, which is optional anyway. I also compiled BIND 9.11.0rc3, but nothing changed, no more verbosity; only the name of the .nzf file created changed from hash to plain text.

Another finding is that on failure the .nzf file is created, but it's empty and the next run of rndc addzone fails with "already exists".

    root@debugtzc:/usr/local/stow# find /chroot/named -name "*.nzf"
    root@debugtzc:/usr/local/stow# rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
    rndc: 'addzone' failed: not found
    root@debugtzc:/usr/local/stow# find /chroot/named -name "*.nzf"
    /chroot/named/var/named/_default.nzf
    root@debugtzc:/usr/local/stow# rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };'
    rndc: 'addzone' failed: already exists
    configure_zone failed: already exists

    ls -l /chroot/named/var/named/_default.nzf
    -rw-r--r-- 1 named named 0 Nov 16 17:39 /chroot/named/var/named/_default.nzf

Emil

Update: despite the errors, the forwarding takes effect, checked with tcpdump. But now I can't remove the forwarding zone.

After:

    root@debugtzc:/usr/local/stow# rndc addzone google.com '{ type forward; forward only; forwarders { 8.8.4.4; }; };'
    rndc: 'addzone' failed: not found

here forwarding works:

    18:04:36.703150 IP debugtzc.isoc.org.il.55531 > 8.8.4.4.domain: 20892+% [1au] A? google.com. (51)

But then:

    root@debugtzc:/usr/local/stow# rndc delzone google.com
    rndc: 'delzone' failed: not found
    no matching zone 'google.com' in any view

and the queries for google.com are still forwarded to 8.8.4.4.

Emil
rndc addzone type forward
Hello,

I'm trying to add a zone of type "forward" with rndc addzone, but it fails with:

    rndc addzone zone.org '{type forward; forward only; forwarders { 192.168.20.115; }; };'
    rndc: 'addzone' failed: not found

I have allow-new-zones set to yes in named.conf. Loading zones of type master works fine. All I see in the logs is:

    Nov 16 16:12:33 debugtzs named[1018]: general: info: received control channel command 'addzone'

Am I missing something?

Emil
Re: R: Minimal responses and speeding up queries
minimal-responses affects the size and not the number of responses.

On Sep 22, 2016 23:44, "Job" wrote:
> Hi Matus,
>
> >> If you want to avoid additional queries, turn minimal_responses off.
>
> I thought setting minimal_responses = yes should lower the number of queries.
> Do you think it is the opposite?
>
> Thank you again!
> Francesco
>
> From: bind-users [bind-users-boun...@lists.isc.org] on behalf of Matus UHLAR - fantomas [uh...@fantomas.sk]
> Sent: Thursday, 22 September 2016 17.07
> To: bind-users@lists.isc.org
> Subject: Re: Minimal responses and speeding up queries
>
> On 22.09.16 16:41, Job wrote:
> > in Bind 9.10 we tried minimal-responses = yes to limit "additional queries" when resolving.
> >
> > I notice that resolution is faster.
> > Actually, dig @host some_url still shows an additional query, maybe not needed for a caching-only resolver:
> >
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54581
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > Is there a way to improve limiting of "additional queries" after minimal-responses = yes?
>
> Using minimal responses often results in additional queries being needed, by definition. If you want to avoid additional queries, turn minimal_responses off.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
> "So does syphilis. Good thing we have penicillin." - Matthew Alton
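The header line Job quotes (QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1) is just the wire-format section counts. The added Python example below (not from the thread, not BIND code) builds two constructed responses for the same A query, one carrying an NS record and glue and one trimmed the way minimal-responses trims, then parses both headers: the trimming changes the message size, not the answer count, and the single ADDITIONAL record a trimmed EDNS response still carries is the OPT pseudo-record, not an extra answer. Addresses are from the documentation range and are constructed sample data.

```python
import struct

# Constructed sample data (not captured traffic): documentation-range addresses.
A_RDATA = bytes([192, 0, 2, 1])
GLUE_RDATA = bytes([192, 0, 2, 53])


def encode_name(name):
    """Wire-encode a dotted name, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(name, rtype, rdata, ttl=300, rclass=1):
    """NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_rr(udp_payload=4096):
    """EDNS OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = extended flags."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)


def build_response(qname, answers, authority=(), additional=(), msg_id=0x1234):
    flags = 0x8180  # QR, RD, RA set; AA clear, as a caching resolver answers
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question + b"".join(answers) + b"".join(authority) + b"".join(additional)


def skip_name(msg, off):
    """Return the offset just past the name at `off`; a compression pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length


def summarize(msg):
    """Parse a response the way dig's header line presents it, plus per-section record types."""
    _msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    sections = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    for section, count in (("ANSWER", an), ("AUTHORITY", ns), ("ADDITIONAL", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[section].append(rtype)
    flag_bits = (("qr", 0x8000), ("aa", 0x0400), ("rd", 0x0100), ("ra", 0x0080))
    return {
        "flags": " ".join(name for name, bit in flag_bits if flags & bit),
        "QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar,
        "size": len(msg),
        # Records that are real additional data, i.e. everything except the OPT pseudo-record.
        "additional_data": sum(1 for t in sections["ADDITIONAL"] if t != 41),
        "sections": sections,
    }


def sample_responses():
    """Return (full, minimal): the same answer with and without authority/glue sections."""
    qname = "www.example.com."
    answer = [rr(qname, 1, A_RDATA)]
    full = build_response(qname, answer,
                          authority=[rr("example.com.", 2, encode_name("ns1.example.com."))],
                          additional=[rr("ns1.example.com.", 1, GLUE_RDATA), opt_rr()])
    minimal = build_response(qname, answer, additional=[opt_rr()])
    return full, minimal


if __name__ == "__main__":
    full, minimal = sample_responses()
    for label, msg in (("full", full), ("minimal", minimal)):
        s = summarize(msg)
        print(f"{label}: flags: {s['flags']}; QUERY: {s['QUERY']}, ANSWER: {s['ANSWER']}, "
              f"AUTHORITY: {s['AUTHORITY']}, ADDITIONAL: {s['ADDITIONAL']}; {s['size']} bytes")
```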
Re: Can anyone tell me a good DNS server testing program
queryperf, supplied with BIND, found under contrib. What we usually do is "record" some real traffic, then run queryperf on multiple machines against a server. If I'm not mistaken a similar topic was discussed here recently, so you can search the archives.

Emil

On Wed, Jun 22, 2016 at 3:34 PM, King, Harold Clyde (Hal) wrote:
> I have a new DNS BIND setup that I need to stress test. There are many tests for hitting a web server to simulate traffic, but I can't find one for doing the same thing to a DNS server. Does anyone have any recommendations?
>
> --
> Hal King - h...@utk.edu
> Systems Administrator
> Office of Information Technology
> Shared Systems Services
>
> The University of Tennessee
> 103C5 Kingston Pike Building
> 2309 Kingston Pk. Knoxville, TN 37996
> Phone : 974-1599
> Helpdesk 24/7 : 974-9900
Changelog details
Hello,

I'm investigating an issue which started after upgrading to the latest version of BIND (bind-9.9.7-P2). I started with checking the changelog and I read a line saying:

    4061. [bug] Handle timeout in legacy system test. [RT #38573]

Where can I find more details about bug 4061 or RT #38573? My issue may or may not be related to bug 4061, but I use it here mainly as an example.

Thanks.
Emil
Re: Suppress log entry...
I think showing this line on start is a good thing. I'm updating our DNS servers regularly, and when debugging a problem and checking the old logs it's useful to find which version was running at the time and how it was built.

Emil

On Mon, Apr 13, 2015 at 8:19 PM, Alan Clegg a...@clegg.com wrote:
> On 4/13/15 1:18 PM, Reindl Harald wrote:
> > On 13.04.2015 at 19:14, SH Development wrote:
> > > For me, it's in the interest of keeping clean, easy to read log files. Seems like this info should be available to turn on and off when needed for debugging, not every time the config is changed.
> >
> > this line appears only when named is started
> >
> > in other words: if every time you change the config you hard restart named instead of doing a reload, you are doing it terribly wrong, with a ton of bad side effects
>
> Yep. rndc reconfig does the loading of configuration changes and does not put the "how this binary was built" message into the log file.
>
> AlanC
Re: Using a HSM card to sign zone
Hi,

I tested Safenet's Luna SA (the network appliance, not the card) a year ago. It did not work using the openssl patch provided with BIND, but in the end, with some assistance from Safenet's engineers and a proprietary engine provided by them, we made it work. I presume it'll work also with the PCI card, because the appliance is generally the same card in a box. I had very similar issues: the pkcs11-* commands worked and the dnssec-* ones did not. I had no issues with the HSMs from Utimaco, AEP and ARX.

ena

On Fri, Feb 14, 2014 at 9:43 PM, Sergio Ramirez srami...@seciu.edu.uy wrote:
> Hi,
>
> We want to sign zones with bind using an HSM Luna PCI Safenet card. The command 'dnssec-keyfromlabel' fails:
>
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
> dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
> dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
> dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
>
> It was installed on a Debian 4 Linux 2.6.18-6-686 server with:
> - openssl-1.0.0e
> - patch provided by vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
> - bind 9.9.2-P1
>
> ** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed with bind are working OK.
> ** The key 'KSK1-testdnssec' was generated with the pkcs11-keygen command.
>
> We would like to know if anyone is using this HSM or similar. Furthermore we would like to get some guidance to solve this problem.
>
> Thanks in advance.
>
> --
> Sergio Ramírez
Re: Multiple masters for slave zone
It does not matter where the notify comes from (it may well be sent from a slave too); named will try to transfer the zone from the first master listed in the masters list. At least that's how it works in 9.7.x, though I do not believe it's something that changed between the releases.

ena

On Mon, Mar 18, 2013 at 3:08 PM, eliran shlomo eliranshl...@gmail.com wrote:
> Hi,
> I need help with understanding how multiple masters work.
> I set a few masters for a slave zone:
>
> zone example.com in {
>     type slave;
>     file secondary/db.example.com;
>     masters {
>         192.168.112.10;
>         192.168.112.12;
>         192.168.112.13;
>         192.168.112.14;
>         192.168.112.15;
>     };
> };
>
> Each master is standalone and there's no handshake between them.
> Now my question is: if I change the serial on the 192.168.112.13 master, after the notify from which one will the zone transfer occur?
>
> bind version is Version: 9.5.0-P2
dnssec keys and multiple slots
Hi all,

I'm trying to implement DNSSEC using BIND and SoftHSM. I'm using the pkcs11-* and dnssec-* tools to manage the keys in the HSM and sign the zones. When I store both KSK and ZSK under a single slot there is no problem creating local key files with dnssec-keyfromlabel and signing the zone.

What I want to achieve is to store the KSK and the ZSK under separate slots protected with different PINs (there are 3 slots currently, 0, 1 and 2, all three with different PINs), save the PIN for the KSK slot in a local file for automatic use, and the PIN for the KSK slot I want to enter manually when needed. The pkcs11-keygen command accepts the -s parameter, so I'm able to create the ZSK under slot 1 and the KSK under slot 2. When I try to create the local key files with the dnssec-keyfromlabel command it fails to find the key objects in the HSM; it's not possible to specify a slot option, so it searches for the keys only in slot 0 and of course does not find them.

Is there a way to achieve that with BIND?

Thanks,
Emil
Re: Selective resolution in a corporate environment
Look for my answer below.

On Tue, Feb 5, 2013 at 5:16 PM, funky monkey wongsky.mon...@gmail.com wrote:
> One of my responsibilities has been general DNS (across platform) expertise in the organisation I currently work for.
>
> Over a fair amount of time, one thing that's repeatedly cropped up has been the (ideally selective) subversion of DNS resolution of certain internet DNS domains. Sometimes that has been for DNS namespaces used purely by the company (but say subverting the odd name on an internal network, but in general using the remaining records in external DNS); other times it's been for internal, but managed, use of things like social media (e.g. facebook, twitter, and other things...).
>
> My understanding is that at least with current DNS capabilities, that's largely all or nothing - you either do the split-brain thing and have internal authority for the domain (and as a consequence have to provide all the DNS entries required - probably perfectly OK for your own DNS domains, but possibly problematic or time consuming for alien DNS domains).
>
> I suppose, if you're doing it already and have the infrastructure, you could host such owned DNS namespaces by using bind views, and use network DACLs to respond to internet DNS names and internal DNS names with a different set of zone files - but in the environment I look after, that's not currently tenable - the environment is something of a hybrid, with largely Windows / Active Directory integrated DNS internally, plus some areas of BIND (old versions 8.x.x and some 9.x.x instances).
>
> I did hear talk about some device (whether it was part of Microsoft's ISA, or more recent offerings like TMG) that could sit in the middle, kind of subvert certificate usage (for secure website access) and redirect internal access to a public / internet website, tactically. All I read were comments by a colleague, who was more involved in IT security, so I didn't really glean much in the way of true details about how that would work.
>
> But to get back to what I'm often asked for, more as a tactical solution: is there any way of being able to subvert specific DNS names with alternate responses, whilst leaving the rest of the resolution to be obtained in the normal way - I know that doesn't follow the normal looking for authority for a domain name, then asking the correct question there.

I did something similar using Unbound; check the local-zone: and local-data: declarations.

Emil

> I'm just thinking that many corporate DNS environments are already caching most of what they're resolving from elsewhere, and whilst it may present issues if abused, for corporate scenarios where there's more likelihood of security and authority not being subverted, surely it would be something of a boon for DNS administrators and save a lot of tedium with split-brain DNS implementations.
>
> Am I just spouting crazy talk, or is there something that could more easily address this, that I'm currently unaware of?
>
> Any comments welcome...
rndc status number of zones
Hi list,

I have a test environment with 3 VMs running different versions of BIND - 9.7.3-P3, 9.8.1-P1 and 9.9.0rc1. On all 3 machines rndc status reports an unrealistic number of zones. For example, when the zones configured in named.conf are 3, the number reported is "number of zones: 18", and when the zones are 7, then I get "number of zones: 41". Here is my named.zones configuration file, part of named.conf (included into it). There are no other zone statements in named.conf:

    == named.zones ===
    zone . {
        type hint;
        file /etc/root.hints;
    };

    zone net.ttt {
        type master;
        file net.ttt.zone;
    };

    zone vvv.ttt {
        type master;
        file vvv.ttt.zone;
        notify explicit;
        also-notify { 10.0.130.118; };
        allow-transfer { 10.0.130.118; };
    };
    =

If I comment out the zone . { ... }; part and then reconfig/reload/restart, the number reported by rndc status remains unchanged. If I comment out any other zone statement, the number reported decreases accordingly; when all are commented out, the number reported is 16.

Do any of you experience the same issue? Any ideas what I'm missing or what's wrong?

Thanks,
ena
Re: rndc status number of zones
On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
> On 01/03/2012 11:20, Emil Natan wrote:
> > Do any of you experience the same issue? Any ideas what I'm missing or what's wrong?
>
> Automatic empty zones?

Thanks for the input. It seems you are right: adding "recursion no;" to named.conf, which disables the automatic empty zones, reduces the number of zones to what I expect +1, which means that with a named.conf with no zone statements rndc status returns "number of zones: 1", and when I have 7 zone statements the number returned is 8. So I'm still missing something. Any ideas?

ena

> Cheers,
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> 7 Priory Courtyard, Flat 3          PGP: http://www.infracaninophile.co.uk/pgpkey
> Ramsgate                            JID: matt...@infracaninophile.co.uk
> Kent, CT11 9PW
Re: rndc status number of zones
It's really a more elegant way to disable the empty zones. Thanks.

On Thu, Mar 1, 2012 at 2:14 PM, Flex Banana flex.ban...@bluewin.ch wrote:
> I think you want to use
>
>     options {
>         empty-zones-enable no;
>     };
>
> in your named.conf configuration file to disable all empty zones. Look at the DNS and BIND reference from Cricket Liu.
>
> ciao!
> Banana
>
> On Mar 1, 2012, at 1:10 PM, Emil Natan wrote:
> > On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
> > > On 01/03/2012 11:20, Emil Natan wrote:
> > > > Do any of you experience the same issue? Any ideas what I'm missing or what's wrong?
> > >
> > > Automatic empty zones?
> >
> > Thanks for the input. It seems you are right: adding "recursion no;" to named.conf, which disables the automatic empty zones, reduces the number of zones to what I expect +1, which means that with a named.conf with no zone statements rndc status returns "number of zones: 1", and when I have 7 zone statements the number returned is 8. So I'm still missing something. Any ideas?
> >
> > ena
Re: rndc status number of zones
On Thu, Mar 1, 2012 at 2:27 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
> On 01/03/2012 12:10, Emil Natan wrote:
> > On Thu, Mar 1, 2012 at 1:26 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
> > > On 01/03/2012 11:20, Emil Natan wrote:
> > > > Do any of you experience the same issue? Any ideas what I'm missing or what's wrong?
> > >
> > > Automatic empty zones?
> >
> > Thanks for the input. It seems you are right: adding "recursion no;" to named.conf, which disables the automatic empty zones, reduces the number of zones to what I expect +1, which means that with a named.conf with no zone statements rndc status returns "number of zones: 1", and when I have 7 zone statements the number returned is 8. So I'm still missing something. Any ideas?
>
> Try:
>
>     zone-statistics yes;
>
> and then dumping statistics, or looking at the XML statistics output.
>
> In fact, there are 4 extra zones in the _bind view I'd expect you to see as well as your configured zones:
>
>     [version.bind (view: _bind)]
>     [hostname.bind (view: _bind)]
>     [authors.bind (view: _bind)]
>     [id.server (view: _bind)]

I always add "hostname none;" and "version none;", so I believe that's the reason I do not see what you expected.

Here is the statistics file:

    +++ Statistics Dump +++ (1330605355)
    ++ Incoming Requests ++
    ++ Incoming Queries ++
    ++ Outgoing Queries ++
    [View: default]
                      37 A
                      37 NS
                     172
    [View: _bind]
    ++ Name Server Statistics ++
    ++ Zone Maintenance Statistics ++
                       1 IPv4 notifies sent
    ++ Resolver Statistics ++
    [Common]
    [View: default]
                     182 IPv4 queries sent
                      64 IPv6 queries sent
                     238 query retries
                     174 query timeouts
                       1 IPv4 NS address fetches
                       6 IPv6 NS address fetches
    [View: _bind]
    ++ Cache DB RRsets ++
    [View: default]
    [View: _bind (Cache: _bind)]
    ++ Socket I/O Statistics ++
                     185 UDP/IPv4 sockets opened
                      65 UDP/IPv6 sockets opened
                       3 TCP/IPv4 sockets opened
                       1 TCP/IPv6 sockets opened
                     183 UDP/IPv4 sockets closed
                      64 UDP/IPv6 sockets closed
                      15 TCP/IPv4 sockets closed
                      64 UDP/IPv6 socket connect failures
                     182 UDP/IPv4 connections established
                      16 TCP/IPv4 connections accepted
                      64 UDP/IPv6 send errors
    ++ Per Zone Query Statistics ++
    --- Statistics Dump --- (1330605355)

ena

> Cheers,
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> 7 Priory Courtyard, Flat 3          PGP: http://www.infracaninophile.co.uk/pgpkey
> Ramsgate                            JID: matt...@infracaninophile.co.uk
> Kent, CT11 9PW
Re: rndc status number of zones
That should be it. And that's probably why adding and removing the custom root.hints file does not change the count: when enabled it's the one counted, and when disabled the built-in one is counted. Thanks.

ena

On Thu, Mar 1, 2012 at 2:41 PM, Mark Andrews ma...@isc.org wrote:
> Built in root hints zones with class IN.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
session.key and managed-keys
Hi,

I have a few boxes running BIND 9.7.3-P3. I do not use DNSSEC (for now) or dynamic updates (at all), and I have them explicitly disabled in named.conf (dnssec-enable no; dnssec-validation no; allow-update { none; };), but I see named still searching for the managed-keys.bind file and trying to create the session.key file. In the general case it fails with "file not found" and "permission denied", which I know how to correct. My question is why BIND is forced to create files, and especially the session.key? Is there a way to change that behavior?

Thanks,
ena
openssl pkcs#11 engine patch
Hi,

I'm trying to build BIND 9.7.2-P3 with the HSM support needed for DNSSEC on a CentOS-5 box. Following the documentation (arm97, starting from page 27) I download the openssl source (0.9.8l) and apply the patch provided with BIND (bin/pkcs11/openssl-0.9.8l-patch); there are no errors during the configure and make phase, but I finish with an openssl that does not support pkcs#11. I tried to use both the SCA6000 and SoftHSM pkcs#11 providers with no success.

Here is my configure line:

    ./Configure linux-generic32 -m32 -pthread --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so --pk11-flavor=crypto-accelerator --prefix=/opt/pkcs11/usr

/opt/pkcs11/usr/lib/libpkcs11.so is the pkcs#11 provider shipped with SCA6000 (actually a copy of the original /opt/sun/sca6000/lib/libpkcs11_sca.so).

Here is the error I get checking for pkcs#11 support:

    /opt/pkcs11/usr/bin/openssl engine pkcs11
    27876:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(/opt/pkcs11/usr/lib/engines/libpkcs11.so): /opt/pkcs11/usr/lib/engines/libpkcs11.so: cannot open shared object file: No such file or directory
    27876:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
    27876:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
    27876:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:419:id=pkcs11

/opt/pkcs11/usr/lib/engines/libpkcs11.so should be the pkcs#11 engine if I understand this correctly, but it is not created. I checked that all components are 32-bit and there is no mixing of 32- and 64-bit objects, as proposed in README.pkcs11.

If I go further and build BIND as described in the ARM, when I try to create keys using the pkcs11-keygen tool I get:

    /chroot/named/sbin/pkcs11-keygen -b 1024 -l ksk
    C_Initialize: Error = 0x00FF

Has someone got this working? The output of the configure command is attached.

Thanks.
ena

[attachment: configure_output.txt.gz (GNU Zip compressed data)]
Re: bind 9 multiple masters setup
On Wed, Jan 12, 2011 at 5:13 PM, dev null devn...@cimmerii.org wrote:

> Hello,
>
> I have most of this worked out, but I intend to set up BIND in a multiple-master manner. This makes me question a few things:
>
> 1. What can I use for the SOA MNAME? In the off chance a box may die, I am thinking of using a VIP which contains the multiple masters within it. However, I am not sure how this would affect NOTIFY. So can I use a VIP, or do I just use one of the master DNS boxes in the SOA MNAME field?

You can use any name server that is authoritative for the zone. One of the masters is good enough.

> 2. With that said, I intend to use rndc to push out DNS changes; should I worry about using a VIP still? I may need to use both, and NOTIFY seems like it is more built-in, so I want to keep rndc and NOTIFY going.

How do you plan to replicate the zone data between the masters?

At the slaves you can just set a few masters for each zone. For example:

zone "example.com" {
    type slave;
    file "/var/named/example.com.zone";
    masters { master_ip_address; master_ip_address; ... };
};

When named receives a NOTIFY for a zone it will check one by one the servers from the masters list.

> Hope someone has gone through this trauma.
>
> Thank you!,
> Zahid Bukhari

ena
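A slave only pulls a transfer when the master it asks reports a serial that is newer under RFC 1982 serial arithmetic, so with several masters in the list it matters that they actually agree. The script below is an added example, not code from the thread or from BIND: it compares the SOA serials a set of masters return for one zone and reports which of them lag. The master addresses and the SOA answers are constructed sample data in the shape `dig +short SOA <zone> @<master>` prints; in practice you would feed it the real answers.

```python
"""Added example: check that all masters of a zone serve the same SOA serial.

The SOA answers below are constructed samples (what `dig +short SOA` prints);
the master addresses are hypothetical. Not part of the original thread.
"""
from typing import Dict, List, Sequence, Tuple

SERIAL_BITS = 32
SERIAL_MAX = 1 << SERIAL_BITS
SERIAL_HALF = 1 << (SERIAL_BITS - 1)

# Constructed `dig +short SOA example.com @<master>` answers, one per master.
SAMPLE_ANSWERS: Dict[str, str] = {
    "192.0.2.1": "ns1.example.com. hostmaster.example.com. 2011011202 3600 900 604800 300",
    "192.0.2.2": "ns1.example.com. hostmaster.example.com. 2011011202 3600 900 604800 300",
    "192.0.2.3": "ns1.example.com. hostmaster.example.com. 2011011201 3600 900 604800 300",
}


def parse_soa(rdata: str) -> Dict[str, object]:
    """Split SOA rdata (MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM)."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA rdata must have 7 fields: %r" % rdata)
    serial, refresh, retry, expire, minimum = (int(x) for x in fields[2:])
    return {"mname": fields[0], "rname": fields[1], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire,
            "minimum": minimum}


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True when serial a is newer than serial b.

    Handles the 32-bit wrap-around: 1 is newer than 0xFFFFFFFF, while two
    serials exactly 2**31 apart are incomparable and compare as not-newer.
    """
    a %= SERIAL_MAX
    b %= SERIAL_MAX
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def newest_serial(serials: Sequence[int]) -> int:
    best = serials[0]
    for s in serials[1:]:
        if serial_gt(s, best):
            best = s
    return best


def check_masters(answers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (newest serial seen, sorted list of masters not serving it)."""
    parsed = {master: parse_soa(rdata) for master, rdata in answers.items()}
    newest = newest_serial([p["serial"] for p in parsed.values()])
    stale = sorted(m for m, p in parsed.items() if p["serial"] != newest)
    return newest, stale


if __name__ == "__main__":
    newest, stale = check_masters(SAMPLE_ANSWERS)
    print("newest serial:", newest)
    if stale:
        print("masters behind the newest serial:", ", ".join(stale))
    else:
        print("all masters agree")
```

Run against real masters, a non-empty `stale` list means a slave that happens to pick that master after a NOTIFY will see nothing to transfer; the `serial_gt` helper is the same comparison a slave applies when it decides whether the master's copy is newer than its own.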
error log entry
Hello,

I have BIND 9.6 (BIND 9.6.2-P2 built with '--prefix=/chroot/named' '--enable-threads' '--with-openssl' '--enable-ipv6' 'CFLAGS=-DDIG_SIGCHASE=1') in a test environment serving a signed zone. I see the following error in the log, repeated every 5 minutes. I understand it indicates a permissions problem, but I do not understand what action named is trying to perform that leads to this error.

Jul 4 15:38:19 kvm-dns2 named[12751]: general: error: zone stest.org/IN: zone_resigninc:find_zone_keys - permission denied
Jul 4 15:43:19 kvm-dns2 named[12751]: general: error: zone stest.org/IN: zone_resigninc:find_zone_keys - permission denied
Jul 4 15:48:19 kvm-dns2 named[12751]: general: error: zone stest.org/IN: zone_resigninc:find_zone_keys - permission denied

Any help would be appreciated.

ena
Re: How See what is Cached?
On Sun, Jul 5, 2009 at 8:37 AM, Alans batpowe...@yahoo.co.uk wrote:

> Hi,
>
> My boss wants to know what sites are cached. Is that possible with BIND 9 (OS: CentOS)?
>
> Regards,
> Alans

rndc dumpdb -cache

Check the rndc manual. By default the data will be written to a file named named_dump.db. Check the dump-file option in the BIND ARM.

ena
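The dump that `rndc dumpdb -cache` writes is in master-file format and mixes records, comment lines and an address-database section, which is not what a non-DNS person wants to read. The script below is an added example (not code from the thread or from BIND) that reduces such a dump to the owner names that were looked up, with record types and remaining TTLs. The dump text embedded in it is a constructed sample in the layout named_dump.db uses, not output from a real server; point `main()` at the real file to use it.

```python
"""Added example: summarise the names held in a BIND cache dump.

Reads the file written by `rndc dumpdb -cache` (named_dump.db by default, see
the dump-file option) and lists cached owner names with type and remaining TTL.
CACHE_DUMP is a constructed sample in that file's layout, not real output.
Not part of the original thread.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

CACHE_DUMP = """\
;
; Start view _default
;
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20090705083712
; authanswer
www.example.com.        3419    IN      A       192.0.2.10
www.example.com.        3419    IN      RRSIG   A 5 3 3600 20090801000000 (
                                20090701000000 12345 example.com.
                                dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ== )
example.com.            86219   IN      NS      ns1.example.com.
; glue
ns1.example.com.        86219   IN      A       192.0.2.1
; authanswer
mail.example.net.       299     IN      A       198.51.100.25
;
; Address database dump
;
; ns1.example.com [v4 TTL 86219] [v6 unexpected]
;       192.0.2.1 [srtt 12] [flags 00000000] [ttl 1799]
;
; Bad cache
;
"""

Record = Tuple[str, int, str, str]  # (owner, ttl, rrtype, rdata)

RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s*(?P<rdata>.*)$")


def parse_cache_dump(text: str) -> List[Record]:
    """Extract (owner, ttl, rrtype, rdata) for each record in the cache part.

    Comment lines (';'), directives ('$DATE') and the indented continuation
    lines of multi-line records (the RRSIG above) are skipped. Parsing stops
    at the address database section, which holds server statistics, not RRs.
    """
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("; Address database dump"):
            break
        if not line or line[0] in ";$" or line[0].isspace():
            continue
        m = RR_LINE.match(line)
        if not m:
            continue  # anything that is not a class-IN record line
        records.append((m.group("name").lower(), int(m.group("ttl")),
                        m.group("type"), m.group("rdata").strip()))
    return records


def cached_names(records: Iterable[Record],
                 rrtypes: Tuple[str, ...] = ("A", "AAAA", "CNAME")
                 ) -> Dict[str, Dict[str, int]]:
    """Map owner name -> {rrtype: smallest remaining TTL}, restricted to the
    address-style types that answer 'which sites did clients look up'."""
    out: Dict[str, Dict[str, int]] = defaultdict(dict)
    for name, ttl, rrtype, _ in records:
        if rrtype not in rrtypes:
            continue
        prev = out[name].get(rrtype)
        out[name][rrtype] = ttl if prev is None else min(prev, ttl)
    return dict(out)


def names_under(records: Iterable[Record], suffix: str) -> List[str]:
    """Sorted owner names at or below `suffix` (e.g. 'example.com')."""
    suffix = suffix.lower()
    if not suffix.endswith("."):
        suffix += "."
    return sorted({n for n, *_ in records
                   if n == suffix or n.endswith("." + suffix)})


def main(argv: List[str]) -> None:
    # Usage: python cache_summary.py [/path/to/named_dump.db]
    text = open(argv[1]).read() if len(argv) > 1 else CACHE_DUMP
    summary = cached_names(parse_cache_dump(text))
    for name in sorted(summary):
        types = ", ".join("%s (ttl %d)" % kv for kv in sorted(summary[name].items()))
        print("%-40s %s" % (name, types))


if __name__ == "__main__":
    main(sys.argv)
```

The TTL column in the dump is the time left before the entry expires, so running the summary twice a few minutes apart shows which names are being refreshed by clients and which are simply ageing out. Negative-cache entries appear as comment lines in the dump and are not counted here.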
Re: Lookup of delegation NS records
2009/3/28 Cherney John-CJC030 john.cher...@motorola.com

> Is it possible to use nslookup or dig to look up delegation records? I can use them to get the nameservers for a particular domain, but I also want to see the nameservers it would delegate to. So far, the only way I can figure out to do that is to parse the actual db file.
>
> Thanks,
> jwc

dig +trace ns domainname