Root hints

2015-10-06 Thread Jack Tavares
Since the H root server IP address will be changing I have a question:
http://h.root-servers.org/renumber.html

how does bind get the root servers these days?
I think the code includes a set.

Is there a provision to query a known address to get an update?

(I also know that I can define a hints file locally)

Thank you 

--
Jack Tavares
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Inline signing and views.

2014-04-11 Thread Jack Tavares
Hello -

Is it possible to enable inline signing of a zone in 2 different views with 2 
different keys?

I have the following config: 

view external {
    match-clients {
        1.1.1.1;
    };
    zone "test.com." {
        type master;
        file "external.test.com.";
        allow-update {
            localhost;
        };
        key-directory "/config/external.keys";
        auto-dnssec maintain;
        inline-signing yes;
    };
};
view internal {
    match-clients {
        any;
    };
    zone "test.com." {
        type master;
        file "internal.test.com.";
        allow-update {
            localhost;
        };
        key-directory "/config/internal.keys";
        auto-dnssec maintain;
        inline-signing yes;
    };
};

When I run bind I get these errors:
11-Apr-2014 10:35:30.414 dns_dnssec_findzonekeys2: error reading private key 
file test.com/RSASHA1/49440: file not found
11-Apr-2014 10:35:30.415 dns_dnssec_findzonekeys2: error reading private key 
file test.com/RSASHA1/6124: file not found
11-Apr-2014 10:35:30.435 zone test.com/IN/external (signed): reconfiguring zone 
keys
11-Apr-2014 10:35:30.436 zone test.com/IN/internal (signed): reconfiguring zone 
keys
11-Apr-2014 10:35:30.436 dns_dnssec_keylistfromrdataset: error reading private 
key file test.com/RSASHA1/49440: file not found
11-Apr-2014 10:35:30.437 dns_dnssec_keylistfromrdataset: error reading private 
key file test.com/RSASHA1/6124: file not found


Is what I am trying to do not possible, or do I have a config error?

I created the key files using 
dnssec-keygen test.com
dnssec-keygen -fk test.com

in the 2 different directories.
All permissions and file ownership are correct.

It works properly if I only have one (either of them) of these zones configured
for auto signing, so I believe the key files are ok.

The man page and tutorials that I have found do not address multiple views.
Thank you



BIND and idnkit vs GNU libidn

2013-10-31 Thread Jack Tavares
BIND appears to be setup to compile against the idnkit supplied in contrib.

It will not build against GNU's libidn.
Or at least I have not been able to make it do so.

Is there a way to use libidn instead of idnkit (besides modifying the code 
myself) 
that I am missing?

Thank you
--
Jack Tavares



RE: compile error building 9.9.3-P2

2013-09-12 Thread Jack Tavares
Please disregard.
--
Jack Tavares
How many more can we sell with this button?


From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[bind-users-bounces+j.tavares=f5@lists.isc.org] on behalf of Jack Tavares 
[j.tava...@f5.com]
Sent: Thursday, September 12, 2013 11:24
To: bind-us...@isc.org
Subject: compile error building 9.9.3-P2

I am attempting to build 9.9.3-P2 in a chroot-ed 32 bit build environment
and I get a redefinition error.

Has anyone seen this and have a suggestion for how to fix this?
my configure options are
./configure --with-openssl=path --enable-fixed-rrset --enable-shared 
--enable-threads --enable-ipv6 --with-libtool --with-libxml2=no --with-pic 
--with-gssapi=path STD_CDEFINES=-DDIG_SIGCHASE=1


Error message:
In file included from code.h:70,
 from rdata.c:334:
rdata/in_1/naptr_35.c:37: error: redefinition of 'txt_valid_regex'
rdata/generic/naptr_35.c:36: error: previous definition of 'txt_valid_regex' 
was here
rdata.c: In function 'dns_rdata_compare':
rdata.c:416: error: duplicate case value
rdata.c:416: error: previously used here
rdata.c: In function 'dns_rdata_casecompare':
rdata.c:447: error: duplicate case value
rdata.c:447: error: previously used here
rdata.c: In function 'dns_rdata_fromwire':
rdata.c:524: error: duplicate case value
rdata.c:524: error: previously used here
rdata.c: In function 'dns_rdata_towire':
rdata.c:586: error: duplicate case value
rdata.c:586: error: previously used here
rdata.c: In function 'dns_rdata_fromtext':
rdata.c:741: error: duplicate case value
rdata.c:741: error: previously used here
rdata.c: In function 'rdata_totext':
rdata.c:855: error: duplicate case value
rdata.c:855: error: previously used here
rdata.c: In function 'dns_rdata_fromstruct':
rdata.c:929: error: duplicate case value
rdata.c:929: error: previously used here
rdata.c: In function 'dns_rdata_tostruct':
rdata.c:956: error: duplicate case value
rdata.c:956: error: previously used here
rdata.c: In function 'dns_rdata_freestruct':
rdata.c:969: error: duplicate case value
rdata.c:969: error: previously used here
rdata.c: In function 'dns_rdata_additionaldata':
rdata.c:988: error: duplicate case value
rdata.c:988: error: previously used here
rdata.c: In function 'dns_rdata_digest':
rdata.c:1011: error: duplicate case value
rdata.c:1011: error: previously used here
rdata.c: In function 'dns_rdata_checkowner':
rdata.c:1027: error: duplicate case value
rdata.c:1027: error: previously used here
rdata.c: In function 'dns_rdata_checknames':
rdata.c:1036: error: duplicate case value
rdata.c:1036: error: previously used here
make[2]: *** [rdata.lo] Error 1
make[2]: Leaving directory 
`/local/tavares/perforce/tmos-dns-bugs-bind/ports/bind/build/lib/dns'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory 
`/local/tavares/perforce/tmos-dns-bugs-bind/ports/bind/build/lib'
make: *** [subdirs] Error 1



--
Jack Tavares


RE: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named

2013-03-26 Thread Jack Tavares

I have a request for clarification:

The workaround states to rebuild BIND with regexp support disabled.

And I see new versions of BIND have been released.
Are those versions just a rebuild with regexp support disabled?
Or are they a more comprehensive fix?

thanks.

--
Jack Tavares


From: bind-announce-bounces+j.tavares=f5@lists.isc.org 
[bind-announce-bounces+j.tavares=f5@lists.isc.org] on behalf of ISC Support 
Staff [support-st...@isc.org]
Sent: Tuesday, March 26, 2013 09:02
To: bind-annou...@lists.isc.org
Subject: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular
Expression Can Cause Memory Exhaustion in named

Note:

   This email advisory is provided for your information. The most
   up to date advisory information will always be at:
   https://kb.isc.org/article/AA-00871; please use this URL for the
   most up to date advisory information.

---

A critical defect in BIND 9 allows an attacker to cause excessive
memory consumption in named or other programs linked to libdns.

CVE:  CVE-2013-2266
Document Version: 2.0
Posting date: 26 March 2013
Program Impacted: BIND
Versions affected: Unix versions of BIND 9.7.x, 9.8.0 - 9.8.5b1,
                   9.9.0 - 9.9.3b1.  (Windows versions are not
                   affected.  Versions of BIND 9 prior to BIND 9.7.0
                   (including BIND 9.6-ESV) are not affected.  BIND 10
                   is not affected.)
Severity: Critical
Exploitable:  Remotely

Description:

A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled
on Unix and related operating systems, allows an attacker to
deliberately cause excessive memory consumption by the named
process, potentially resulting in exhaustion of memory resources
on the affected server.  This condition can crash BIND 9 and
will likely severely affect operation of other programs running
on the same machine.

Please Note: Versions of BIND 9.7 are beyond their end of life
(EOL) and no longer receive testing or security fixes from ISC.
However, the re-compilation method described in the Workarounds
section of this document will prevent exploitation in BIND 9.7
as well as in currently supported versions.

For current information on which versions are actively supported,
please see http://www.isc.org/software/bind/versions.

Additional information is available in the CVE-2013-2266 FAQ and
Supplemental Information article in the ISC Knowledge base,
https://kb.isc.org/article/AA-00879.

Impact:

Intentional exploitation of this condition can cause denial of
service in all authoritative and recursive nameservers running
affected versions of BIND 9 [all versions of BIND 9.7, BIND 9.8.0
through 9.8.5b1 (inclusive) and BIND 9.9.0 through BIND 9.9.3b1
(inclusive)].   Additionally, other services which run on the
same physical machine as an affected BIND server could be
compromised as well through exhaustion of system memory.

Programs using the libdns library from affected versions of BIND
are also potentially vulnerable to exploitation of this bug if
they can be forced to accept input which triggers the condition.
Tools which are linked against libdns (e.g. dig) should also be
rebuilt or upgraded, even if named is not being used.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System
and to obtain your specific environmental score please visit:

http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:

Patched versions are available (see the Solutions: section
below) or operators can prevent exploitation of this bug in any
affected version of BIND 9 by compiling without regular expression
support.

Compilation without regular expression support:

   BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1),
   and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely
   safe from this bug by re-compiling the source with regular
   expression support disabled.  In order to disable inclusion
   of regular expression support:

   - After configuring BIND features as desired using the configure
     script in the top level source directory, manually edit the
     config.h header file that was produced by the configure
     script.

   - Locate the line that reads #define HAVE_REGEX_H 1 and
     replace the contents of that line with #undef HAVE_REGEX_H.

   - Run make clean to remove any previously compiled object
     files from the BIND 9 source directory, then proceed to
     make and install BIND normally.

Active exploits:

No known active
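The three workaround steps from the advisory, as an added example that is not ISC's code: a Python helper that rewrites the configure-generated config.h so that HAVE_REGEX_H is undefined, and a check you can run on the header before `make clean` and `make` to confirm regex support will no longer be compiled in. The header fragment it operates on is constructed for the example.

```python
"""Added example (not ISC's code): apply the CVE-2013-2266 workaround to a
configure-generated config.h by turning '#define HAVE_REGEX_H 1' into
'#undef HAVE_REGEX_H', then verify the result before rebuilding.
The sample header text below is constructed for this example."""
import re
from pathlib import Path

# Matches a '#define HAVE_REGEX_H ...' line as autoconf writes it. A commented
# form such as '/* #undef HAVE_REGEX_H */' does not match, so it counts as disabled.
_DEFINE_RE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+HAVE_REGEX_H\b[^\n]*$", re.MULTILINE)


def disable_regex_support(header_text):
    """Return (patched_text, changed). Idempotent: an already-undef'd header is unchanged."""
    patched, count = _DEFINE_RE.subn("#undef HAVE_REGEX_H", header_text)
    return patched, count > 0


def regex_support_enabled(header_text):
    """True while this config.h would still compile BIND with regular-expression support."""
    return _DEFINE_RE.search(header_text) is not None


def patch_config_h(path):
    """Patch config.h in place, keeping a .orig copy; return True if a change was made.
    Afterwards run 'make clean' and rebuild, as the advisory directs."""
    p = Path(path)
    original = p.read_text()
    patched, changed = disable_regex_support(original)
    if changed:
        p.with_name(p.name + ".orig").write_text(original)
        p.write_text(patched)
    return changed


# Constructed sample: a fragment of what configure writes into config.h.
SAMPLE_CONFIG_H = """\
/* Define to 1 if you have the <regex.h> header file. */
#define HAVE_REGEX_H 1

/* Define to 1 if you have the <stdlib.h> header file. */
#define HAVE_STDLIB_H 1
"""

if __name__ == "__main__":
    text, changed = disable_regex_support(SAMPLE_CONFIG_H)
    print("changed:", changed, "| regex still enabled:", regex_support_enabled(text))
    print(text)
```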

RE: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named

2013-03-26 Thread Jack Tavares
Thank you.

--
Jack Tavares


From: ISC Support Staff [support-st...@isc.org]
Sent: Tuesday, March 26, 2013 11:08
To: Jack Tavares
Cc: bind-us...@isc.org
Subject: Re: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted 
Regular Expression Can Cause Memory Exhaustion in named

On 3/26/13 10:05 AM, Jack Tavares wrote:

 I have a request for clarification:

 The workaround states to rebuild BIND with regexp support disabled.

 And I see new versions of BIND have been released.
 Are those versions just a rebuild with regexp support disabled?
 Or are they a more comprehensive fix?

This question is addressed in the CVE-2013-2266: FAQ and Supplemental
Information Knowledge Base article, which I encourage everyone to read.
https://kb.isc.org/article/AA-00879

Please see specifically the section which begins:

   What is the difference between deploying the patched versions
   of BIND versus implementing the documented workaround?

Thanks,

Michael McNally
ISC Support


RE: libbind 6.0

2013-02-12 Thread Jack Tavares
I haven't seen any answer on list, so I am resending in case 
it got lost in the late Friday afternoon mail queue.

Thank you:


I have been using libbind(6.0) to do dynamic updates via
res_mkupdate()

libbind is not currently under development.

Is there a replacement in bind9 that I should move to?

I see the LWRES but that does not appear to have any update support.

Thank you

--
Jack Tavares


libbind 6.0

2013-02-08 Thread Jack Tavares
I have been using libbind(6.0) to do dynamic updates via 
res_mkupdate()

libbind is not currently under development.

Is there a replacement in bind9 that I should move to?

I see the LWRES but that does not appear to have any update support.

Thank you

--
Jack Tavares


RE: adding DS record via nsupdate

2013-02-06 Thread Jack Tavares
Of course.

Thank you.

--
Jack Tavares
How many more can we sell with this button?

From: Mark Andrews [ma...@isc.org]
Sent: Tuesday, February 05, 2013 19:58
To: Andrew Latham
Cc: Jack Tavares; bind-us...@isc.org
Subject: Re: adding DS record via nsupdate

The update code has sanity checks.  You can only add DS records
where delegating NS records exist.  If you remove a delegating NS
rrset any DS records there will also be removed.  This check is
done after all the records have been processed.

Mark

 server 127.0.0.1
 zone example
 key key.dv.isc.org 
 update add oo.example 0 ns drugs.dv.isc.org
 update add oo.example 0 DS 10288 5 1 22F103696F795206A7373850444C6F4DA61D0076
 send


; <<>> DiG 9.10.0pre-alpha <<>> isc.org oo.example ds +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60240
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;oo.example.            IN  DS

;; ANSWER SECTION:
oo.example.     0   IN  DS  10288 5 1 22F103696F795206A7373850444C6F4DA61D0076

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 06 14:57:45 EST 2013
;; MSG SIZE  rcvd: 163

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


adding DS record via nsupdate

2013-02-05 Thread Jack Tavares
Hello -

I am trying to add a DS record via nsupdate and I can't get it to succeed.

It does not generate an error, but when I dig for the DS record I get NXDOMAIN.

What I edit the zone file and add the same DS record  and reload, I can query it
just fine.

I do the following as an example:

nsupdate -d
server ip addr
zone test.net
update add subzone.test.net  IN DS 34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F
send

The output is
Sending update to ip#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  45236
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; ZONE SECTION:
;test.net.              IN  SOA

;; UPDATE SECTION:
subzone.test.net.   IN  DS  34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  45236
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;test.net.              IN  SOA

end

Dig results

 dig @ip +noadflag +nocdflag -t ds subzone.test.net.

; <<>> DiG 9.8.4-P1 <<>> @ip -t ds subzone.test.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21747
;; flags: qr aa rd cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;subzone.test.net.      IN  DS

;; AUTHORITY SECTION:
test.net.   500 IN  SOA .test.net. hostmaster..test.net. 2013010938 10800 3600 604800 86400


When I put the DS record in the zone manually:

tail zonefile:
subzone.test.net.   IN  DS  34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F

and do a dig, it works:
dig @ip -t ds subzone.test.net.

; <<>> DiG 9.8.4-P1 <<>> @ip -t ds subzone.test.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21326
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;subzone.test.net.      IN  DS

;; ANSWER SECTION:
subzone.test.net.   IN  DS  34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F

;; Query time: 0 msec

Should this work?
Thank you

--
Jack Tavares
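The sanity check Mark Andrews describes in the reply above, as an added example that is not part of the original thread or of BIND's source: a small Python model of the rule (a DS RRset survives only at a name below the apex that also owns an NS RRset, and the check runs after every operation in the update message has been applied, so NS and DS may be sent in either order within one message), run over the DS-only update from the original question and the NS-plus-DS update from the reply. Zone contents and the nameserver names are constructed for the example.

```python
"""Added example (not BIND's code): a model of the post-processing DS check
described on this page, applied to a batch of dynamic-update operations.
The zone, record model and sample updates are constructed for this example."""


def apply_update(apex, zone, ops):
    """zone: {(owner, rtype): set(rdata)}; ops: list of (action, owner, rtype, rdata).
    action is 'add' or 'delete' (rdata None deletes the whole RRset).
    Returns (new_zone, dropped): dropped lists DS owners removed by the check.
    The input zone is not modified."""
    z = {key: set(rrs) for key, rrs in zone.items()}
    for action, owner, rtype, rdata in ops:
        key = (owner, rtype)
        if action == "add":
            z.setdefault(key, set()).add(rdata)
        elif action == "delete":
            if rdata is None:
                z.pop(key, None)
            elif key in z:
                z[key].discard(rdata)
                if not z[key]:
                    del z[key]
        else:
            raise ValueError("unknown action %r" % action)

    # The check runs once, after all records have been processed: a DS RRset
    # is kept only where a delegating NS RRset (below the apex) now exists.
    # This matches the observation in the question: the update is accepted
    # with NOERROR, but the lone DS never appears in the zone.
    dropped = []
    for owner, rtype in list(z):
        if rtype == "DS" and (owner == apex or (owner, "NS") not in z):
            dropped.append(owner)
            del z[(owner, rtype)]
    return z, sorted(dropped)


def ds_present(zone, owner):
    return (owner, "DS") in zone


# Constructed zone for test.net: apex SOA and NS only, no delegation yet for
# subzone.test.net, mirroring the situation in the original question.
TEST_NET = {
    ("test.net.", "SOA"): {"ns.test.net. hostmaster.test.net. "
                           "2013010938 10800 3600 604800 86400"},
    ("test.net.", "NS"): {"ns.test.net."},
}

DS_RDATA = "34845 7 1 325AA7B83FAC7DB621678EB2FB9035B51A0A504F"

# The update from the question: a DS with no delegating NS at that name.
DS_ONLY = [("add", "subzone.test.net.", "DS", DS_RDATA)]

# The update from the reply: NS and DS for the same name in one message
# (ns.subzone.test.net. is a constructed nameserver name).
NS_AND_DS = [("add", "subzone.test.net.", "NS", "ns.subzone.test.net."),
             ("add", "subzone.test.net.", "DS", DS_RDATA)]

if __name__ == "__main__":
    z1, dropped1 = apply_update("test.net.", TEST_NET, DS_ONLY)
    print("DS only   -> DS present:", ds_present(z1, "subzone.test.net."), dropped1)
    z2, dropped2 = apply_update("test.net.", TEST_NET, NS_AND_DS)
    print("NS and DS -> DS present:", ds_present(z2, "subzone.test.net."), dropped2)
    z3, dropped3 = apply_update("test.net.", z2, [("delete", "subzone.test.net.", "NS", None)])
    print("delete NS -> DS present:", ds_present(z3, "subzone.test.net."), dropped3)
```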


SOA minimum vs negative ttl

2013-01-23 Thread Jack Tavares
I believe that RFC 2308 redefines the SOA minimum field to be
negative ttl

If I create a dynamically updated zone file that looks like so:

[begin]
$ORIGIN .
$TTL 500
new.com IN SOA d62.test.com. hostmaster.d62.test.com. 2013012301 10800 3600 604800 86400
new.com IN NS d62.test.com.
[end]

When a DNS update comes into to add or modify a record and bind eventually 
re-writes
the master file it will rearrange the SOA and add comments (which is fine) but 
it labels
the last field as minimum

[begin]
$ORIGIN .
$TTL 500    ; 8 minutes 20 seconds
new.com         IN SOA  d62.test.com. hostmaster.d62.test.com. (
                        2013012302 ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        86400      ; minimum (1 day)
                        )
                NS      d62.test.com.
$ORIGIN new.com.
a               A       1.2.3.4
[end]

Is there a reason for this or is it just a hold over?
It is perpetrating a misconception that this is the minimum TTL.

Thanks

--
Jack Tavares
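The RFC 2308 point raised above, as an added example that is not part of the original post or of BIND: a Python parser that reads the SOA out of a master file in either layout shown (the single-line original and the parenthesised form named writes back) and reports the negative-caching TTL as RFC 2308 section 5 defines it, the smaller of the SOA MINIMUM field and the SOA record's own TTL. With the zone above, $TTL 500 is what actually bounds negative caching, not the 86400 in the "minimum" field. The two zone texts are reconstructed from the post.

```python
"""Added example (not BIND's code): extract SOA fields from a master file and
compute the RFC 2308 negative-caching TTL. Zone texts are reconstructed from
the post; TTLs are assumed to be plain integers (no 1h/1d suffixes)."""


def _logical_lines(text):
    """Drop ';' comments, join parenthesised continuation lines, and record
    whether each logical line began with whitespace (owner name omitted)."""
    out, buf, depth, starts_blank = [], [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # a comment runs to end of line
        if not buf:
            starts_blank = line[:1].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            tokens = " ".join(buf).split()
            if tokens:
                out.append((starts_blank, tokens))
            buf, depth = [], 0
    return out


def parse_soa(text):
    """Return the SOA fields plus the effective negative-caching TTL."""
    default_ttl = None
    for starts_blank, tok in _logical_lines(text):
        if tok[0].upper() == "$TTL":
            default_ttl = int(tok[1])
            continue
        if tok[0].startswith("$"):           # $ORIGIN and other directives
            continue
        upper = [t.upper() for t in tok]
        if "SOA" not in upper:
            continue
        i = upper.index("SOA")
        pre = tok[:i] if starts_blank else tok[1:i]   # fields between owner and SOA
        explicit_ttl = next((int(t) for t in pre if t.isdigit()), None)
        mname, rname, serial, refresh, retry, expire, minimum = tok[i + 1:i + 8]
        soa_ttl = explicit_ttl if explicit_ttl is not None else default_ttl
        if soa_ttl is None:
            raise ValueError("SOA record has no TTL and no $TTL default")
        return {
            "mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry), "expire": int(expire),
            "minimum": int(minimum), "soa_ttl": soa_ttl,
            # RFC 2308 section 5: negative answers are cached for at most
            # min(SOA.MINIMUM, SOA TTL); a resolver's max-ncache-ttl may cap it further.
            "negative_ttl": min(int(minimum), soa_ttl),
        }
    raise ValueError("no SOA record found")


# Reconstructed from the post: the hand-written zone and named's rewrite of it.
ORIGINAL_ZONE = """\
$ORIGIN .
$TTL 500
new.com IN SOA d62.test.com. hostmaster.d62.test.com. 2013012301 10800 3600 604800 86400
new.com IN NS d62.test.com.
"""

REWRITTEN_ZONE = """\
$ORIGIN .
$TTL 500    ; 8 minutes 20 seconds
new.com         IN SOA  d62.test.com. hostmaster.d62.test.com. (
                        2013012302 ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        86400      ; minimum (1 day)
                        )
                NS      d62.test.com.
$ORIGIN new.com.
a               A       1.2.3.4
"""

if __name__ == "__main__":
    for name, zone in (("original", ORIGINAL_ZONE), ("rewritten", REWRITTEN_ZONE)):
        soa = parse_soa(zone)
        print(name, "serial", soa["serial"], "minimum", soa["minimum"],
              "SOA TTL", soa["soa_ttl"], "-> negative TTL", soa["negative_ttl"])
```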


RE: Need to improve named performance

2012-11-13 Thread Jack Tavares
One issue that *may* be impacting you (and another reason to upgrade)
is the size of the receive buffer within named was bumped up in 9.5 or 9.6
IIRC.

--
Jack Tavares

From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[bind-users-bounces+j.tavares=f5@lists.isc.org] on behalf of Florian Weimer 
[f...@deneb.enyo.de]
Sent: Sunday, November 11, 2012 13:46
To: Ed LaFrance
Cc: bind-users@lists.isc.org
Subject: Re: Need to improve named performance

* Ed LaFrance:

 Running BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5 on a quadcore xeon server
 (3Ghz) with 2GB RAM. Named is being used only for rDNS queries against
 our address space.

You should really upgrade to the latest version on that branch (likely
bind-9.3.6-20.P1.el5_8.5).

 The bottom line is: I need to improve named performance. Tcpdump only
 shows about 20 requests per second on average, I would estimate. This
 should be handled easily, but instead it's gagging on it and the
 requests are stacking up.

Something is stalling the named process.  Try to run strace -T -f -p
4509 (4509 is the PID for the named process) and see where named
spends its time.  The top output you quoted suggests that the process
is not spinning in user space.


RE: Disable log message

2012-10-21 Thread Jack Tavares
I wasn't suggesting that it be removed.

I was asking if it was possible to disable it if desired.
The answer is obviously no.

Thank you all for your time.
--
Jack Tavares
How many more can we sell with this button?

From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[bind-users-bounces+j.tavares=f5@lists.isc.org] on behalf of Chris Thompson 
[c...@cam.ac.uk]
Sent: Sunday, October 21, 2012 14:58
To: bind-users@lists.isc.org
Subject: Re: Disable log message

On Oct 20 2012, David Miller wrote:

[...]
Does this log message provide any information that the -V option doesn't
provide?

Given the number of times that problems brought up on this list turn out
to be due to people not actually running the named binary they thought
they were running, the more that the actually executing named says about
itself, the better.

--
Chris Thompson
Email: c...@cam.ac.uk


Disable log message

2012-10-18 Thread Jack Tavares
I am running bind9.8.x built from source and I see this message in the logs
built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' 
'--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' 
'--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' 
'--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool'  etc etc 
etc 

I would prefer to not have that show up in the log.

Short of modifying the source, is there an easy way to disable that?

Thanks


--
Jack Tavares


RE: Disable log message

2012-10-18 Thread Jack Tavares
Let me be more specific.

Is there a way to tell named to not log this message?

Thank you

--
Jack Tavares


From: Warren Kumari [war...@kumari.net]
Sent: Thursday, October 18, 2012 10:18
To: Jack Tavares
Cc: Warren Kumari; bind-us...@isc.org
Subject: Re: Disable log message

On Oct 18, 2012, at 1:13 PM, Jack Tavares j.tava...@f5.com wrote:

 I am running bind9.8.x built from source and I see this message in the logs
 built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' 
 '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' 
 '--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' 
 '--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool'  etc 
 etc etc

 I would prefer to not have that show up in the log.

 Short of modifying the source, is there an easy way to disable that?

Erm… Depends on how you do your logging -- if this shows up in syslog, and you 
are using syslog-ng, you should be able to filter it out there…

W


 Thanks


 --
 Jack Tavares


--
Eagles soar but a weasel will never get sucked into a jet engine




named-checkconf view in error message?

2012-07-03 Thread Jack Tavares
If I run named-checkconf -z to check zones in my config, it will
report on success or failure of each zone, but will not specify which view.

If a zone name exists in more than one view, it will not indicate in which view
the failing zone is in.

This seems like it would be good information to have.
Can I request that this info be added to the output, if possible?

Thank you

Not that it matters, but this is bind9.8.1-P1 built from source.
--
Jack Tavares


Bind 9.6-ESV-R5 errors

2012-03-26 Thread Jack Tavares
Hello

I get several errors whenever I run rndc reload
that look like this:

named[9178]: 27-Mar-2012 05:56:00.798 general: error: zone 
0.IN-ADDR.ARPA/IN/view_internal_dns: zone serial unchanged. zone may fail to 
transfer to slaves.
named[9178]: 27-Mar-2012 05:56:00.798 general: error: zone 
127.IN-ADDR.ARPA/IN/view_internal_dns: zone serial unchanged. zone may fail to 
transfer to slaves.
named[9178]: 27-Mar-2012 05:56:00.798 general: error: zone 
254.169.IN-ADDR.ARPA/IN/view_internal_dns: zone serial unchanged. zone may fail 
to transfer to slaves.

etc etc.

This occurs with a very simple stripped down named.conf file:
--start--
controls {
    inet 127.0.0.1 port 953 allow {
        127.0.0.1;
    };
};
logging {
    channel logfile {
        syslog daemon;
        severity error;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default {
        logfile;
    };
    category config {
        logfile;
    };
    category notify {
        logfile;
    };
};
acl internal_addr {
    10.0.0.0/8;
};

options {
    listen-on port 53 {
        127.0.0.1;
        internal_addr;
    };
    listen-on-v6 port 53 {
        ::1;
    };
    recursion no;
    directory "/config/namedb";
};
view view_internal_dns {
    match-clients {
        internal_addr;
    };
    recursion yes;
};
view view_externall_dns {
    match-clients {
        any;
    };
    recursion yes;
};
--end--

Upgrading bind is not currently an option. Is there a way to stop these errors?



--
Jack Tavares


RE: Bind 9.6-ESV-R5 errors

2012-03-26 Thread Jack Tavares
Mark:

Ignore them.  They are from the built in empty zones.  They are fixed in
the next maintenance release.

I notice that adding
enable-empty-zones no;

to the config stops these messages.
Is there any downside to doing that?

Thank you
--
Jack


RE: trigger point for new bug

2011-11-17 Thread Jack Tavares
So is it true that there is no way to make an existing bind server
(without this patch) safe from this?

--
Jack Tavares
How many more can we sell with this button?

From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[bind-users-bounces+j.tavares=f5@lists.isc.org] on behalf of Evan Hunt 
[e...@isc.org]
Sent: Thursday, November 17, 2011 08:44
To: John Wobus
Cc: bind-users
Subject: Re: trigger point for new bug

 How about authoritative-only views?  I.e., if a query reaches
 the bind instance but is in a view that does not have caching,
 could it crash the instance? (I assume not.)

You're correct, that would be safe.  (But, obviously, if the
recursive view crashes, it's taking the authoritative one down
with it.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


RE: trigger point for new bug

2011-11-17 Thread Jack Tavares

From: Evan Hunt [e...@isc.org]
Sent: Thursday, November 17, 2011 14:30
To: Jack Tavares
Cc: John Wobus; bind-users
Subject: Re: trigger point for new bug

 So is it true that there is no way to make an existing bind server
 (without this patch) safe from this?

A server that only serves authoritative data and doesn't recurse
is safe.  The assertion takes place when retrieving data from the
cache, which an authoritative server never does.

Any server that does recursion, even if only in one view, should be
considered to be at risk.

Thank you
--
Jack


RE: trigger point for new bug

2011-11-17 Thread Jack Tavares

 So is it true that there is no way to make an existing bind server
 (without this patch) safe from this?

A server that only serves authoritative data and doesn't recurse
is safe.  The assertion takes place when retrieving data from the
cache, which an authoritative server never does.

Any server that does recursion, even if only in one view, should be
considered to be at risk.

I just re-read this.

If the assertion takes place when retrieving data from the cache,
would setting cache size to 0 (to disable caching) avert this issue
while still allowing recursion?
--
Jack



RE: trigger point for new bug

2011-11-17 Thread Jack Tavares
I asked
 If the assertion takes place when retrieving data from the cache,
 would setting cache size to 0 (do disable caching) avert this issue
 while still allowing recursion?
Evan responded:

I don't think so.  I believe the cache actually has a minimum size,
lower than which named won't let you go.

Setting max-ncache-ttl to 0 would prevent negative cache records from
being retained for longer than the duration of one query, but that
one query could still be enough to hurt you--I can't currently say
for sure.  Rather than guess, I recommend upgrading.

Thank you again. And I agree that upgrading is the best option, however
I was looking for any possible mitigations to the problem for the 
(unfortunately unavoidable) period of time it will take vendors 
to provide patched bind servers.

Thank you for your assistance
--
jack


RE: BIND 9.4-ESV-R5b1 is now available

2011-05-13 Thread Jack Tavares
Did I miss a notice? What issue(s) does this address?
I can't find a way to see what this addresses without
downloading the tarball.

--
Jack Tavares

From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[bind-users-bounces+j.tavares=f5@lists.isc.org] on behalf of Mark Andrews 
[ma...@isc.org]
Sent: Thursday, May 12, 2011 21:59
To: bind-us...@isc.org
Subject: BIND 9.4-ESV-R5b1 is now available

Introduction

   BIND 9.4-ESV-R5b1 is a beta release of BIND 9.4-ESV-R5.

Download

   The latest development version of BIND 9 software can always be found
   on our web site at http://www.isc.org/downloads/development. There you
   will find additional information about each release, source code, and
   some pre-compiled versions for certain operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:  +61 2 9871 4742  INTERNET: ma...@isc.org


RE: Threaded bind on CentOS

2011-02-28 Thread Jack Tavares
Recap:
running named with -n 1 will spin up one worker thread
and approx 4 other threads.

Is there an official discussion or explanation of what these
other threads do?

--
Thanks



Threaded bind on CentOS

2011-02-24 Thread Jack Tavares
I am using bind 9.7.3 and I have tried running it with
various -n values and it appears that I will always get
n+3 threads.

Ex:
I run it:

named -n 1
I get 4 threads
named -n 4
I get 7 threads

etc.

I understand the desire to have background housekeeping
threads, but I would like to know what, exactly, those threads do.

I have looked in the ARM, but have not seen any discussion
of the threading behavior.

Is there a piece of documentation somewhere that discusses this?

Thank you

RE: Threaded bind on CentOS

2011-02-24 Thread Jack Tavares


 -Original Message-
 From: bind-users-bounces+j.tavares=f5@lists.isc.org [mailto:bind-
 users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Eivind Olsen
 Sent: Thursday, February 24, 2011 11:46 AM
 To: bind-users@lists.isc.org
 Subject: Re: Threaded bind on CentOS
 
  I am using bind 9.7.3 and I have tried running it with
  various -n values and it appears that I will always get
  n+3 threads.
 
 I haven't tried this myself on CentOS, but.. How do you verify the
 amount
 of threads? Checking with ps / top? What does BIND log when it starts
 up?
 Normally it should log how many threads it's using.
 
 Regards
 Eivind Olsen
 

I verified it by using the H flag to ps like so:

without the H flag
ps ax|grep named
27716 pts/0    Sl     0:00 named -f -g -n 1
27729 pts/0    S+     0:00 grep named

with the H flag
ps axH|grep named
27716 pts/0    Sl     0:00 named -f -g -n 1
27716 pts/0    Sl     0:00 named -f -g -n 1
27716 pts/0    Sl     0:00 named -f -g -n 1
27716 pts/0    Sl     0:00 named -f -g -n 1
27737 pts/0    S+     0:00 grep named

And named logs how many _worker_ threads it is starting, which always
matches the -n N input


24-Feb-2011 11:44:33.669 found 2 CPUs, using 1 worker thread
24-Feb-2011 11:44:33.669 using up to 4096 sockets





RE: Threaded bind on CentOS

2011-02-24 Thread Jack Tavares


 -Original Message-
 From: Chris Thompson [mailto:c...@hermes.cam.ac.uk] On Behalf Of Chris
 Thompson
 Sent: Thursday, February 24, 2011 1:21 PM
 To: Jack Tavares
 Cc: bind-users@lists.isc.org
 Subject: Re: Threaded bind on CentOS
 
 On Feb 24 2011, Jack Tavares wrote:
 
 I am using bind 9.7.3 and I have tried running it with
 various -n values and it appears that I will always get
 n+3 threads.
 
 Ex:
 I run it:
 
 named -n 1
 I get 4 threads
 named -n 4
 I get 7 threads
 
 etc.
 
 I understand the desire to have background housekeeping
 threads, but I would like to know what, exactly, those threads do.
 
 This is standard in any threaded BIND - it isn't specific to your OS.
 There are $N worker threads and 3 overhead/management ones. I wouldn't
 mind a description of the latter from ISC myself ...
 

I mentioned the CentOS because some folks will automatically ask
if the info isn't included.

And someone replied off list with this:
quote:
Yes. The FAQ at the apex of the source tree:

Q: Why do I see 5 (or more) copies of named on Linux?

A: Linux threads each show up as a process under ps. The approximate
number of threads running is n+4, where n is the number of CPUs.  
Note
that the amount of memory used is not cumulative; if each process is
using 10M of memory, only a total of 10M is used.

Newer versions of Linux's ps command hide the individual threads and
require -L to display them.
end quote:

I grep-ed through the doc/ directory and below and didn't find anything.
I didn't think to check the FAQ.




RE: root hints

2011-01-28 Thread Jack Tavares
I have a question about the hints file.

It is built in to BIND.

Does bind check for updates to this periodically?
If so, where does it get it from ?
I assume it gets it from ftp.isc.org.
Does bind contain a hardcode for that IP address?
or does it use the existing hints to find the address
of ftp.isc.org and then download a new ftp.isc.org?

Thanks
--
jack

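
A note on the question above, and an added example. named does not fetch new hints from anywhere: the hints are compiled in (and overridden by a hint zone if you configure one), and they only tell named where to send its priming query for ". NS"; the answer to that query, not the hints file, is what named works from afterwards. That is why a slightly stale hints file keeps working, and also why the sensible check is to compare the hints against what the roots themselves return. The script below does that comparison. It is added here as an illustration and is not code from the list or from ISC; the file names are assumptions and the sample data in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not ISC code): compare the root NS names
# in a hints file with the NS RRset returned to a priming query, i.e. the
# output of:  dig +norec +noall +answer @<root-ip> . NS
# File names are assumptions; the hints/answer formats are the standard ones.
set -u
LC_ALL=C
export LC_ALL

# NS targets from a hints file in zone-file syntax, e.g.
#   .   3600000   NS   A.ROOT-SERVERS.NET.      (with or without "IN")
# lower-cased, de-duplicated and sorted. Comment and A/AAAA lines are skipped
# because their first field is not ".".
hints_ns_names() {
  awk '$1 == "." {
         for (i = 2; i <= NF; i++)
           if ($i == "NS") { print tolower($(i + 1)); break }
       }' "$1" | sort -u
}

# NS targets from a dig answer section, e.g.
#   .   518400   IN   NS   a.root-servers.net.
answer_ns_names() {
  awk '$1 == "." && $4 == "NS" { print tolower($5) }' "$1" | sort -u
}

# compare_hints HINTS_FILE ANSWER_FILE
# Returns 0 when both name sets are identical; otherwise prints one line per
# difference ("hints-only: NAME" or "live-only: NAME") and returns 1.
compare_hints() {
  h=$(mktemp) || return 2
  l=$(mktemp) || return 2
  hints_ns_names "$1" > "$h"
  answer_ns_names "$2" > "$l"
  # comm -3: column 1 = only in hints, column 2 (tab-indented) = only in answer
  diffs=$(comm -3 "$h" "$l" |
    awk -F'\t' '$1 != "" { print "hints-only: " $1 }
                $2 != "" { print "live-only: " $2 }')
  rm -f "$h" "$l"
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs"
  return 1
}

# Usage on a host with network access (not exercised here):
#   dig +norec +noall +answer @198.41.0.4 . NS > live.txt
#   sh hints-check.sh /var/named/named.root live.txt && echo "hints are current"
if [ $# -eq 2 ]; then
  compare_hints "$1" "$2"
fi
```

If the script reports "live-only" names, the hints are missing a root server that exists; "hints-only" names are servers that have been renumbered or retired. Neither breaks resolution as long as at least one hint address still answers the priming query, but a hints file that has drifted is worth replacing with the current named.root.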


RE: bind replication

2010-12-31 Thread Jack Tavares
A further complication on this is if you are using dynamic updates.

If you are using dynamic zones, bind will create journal files.

If you were to copy over the zone files and journal files and do
a reload, bind determines whether or not to reload the zone based
on the timestamp of the zone file. It does not look at the time on the
journal file.

If you wished to sync zone files in this manner, with dynamic zones,
you would need to:

freeze the zones on the sending side, which forces a write of the data
that is in the journal file to the zone file,
freeze the zones on the receiving side,
then copy the files over,
reload,
unfreeze zones on both sides.
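
The procedure above as a script, added here as an example (not code from the thread or from ISC) and meant to run on the sending master: freeze both sides, copy the flushed zone file, remove the receiver's now-stale journal, then thaw, which makes the receiver reload the zone from disk. The receiver host, zone, view and paths are assumptions; with DRY_RUN=1 (the default) it only prints the commands it would run. This is for two servers that must both be masters for the zone; if the receiver can be a slave, a normal zone transfer does the job without freezing anything.

```shell
#!/bin/sh
# Added example (not from the thread): copy a dynamically updated zone from
# this master to another master without losing the changes that live only in
# the journal. Run on the sending side. Host, zone, view and paths are
# assumptions; DRY_RUN=1 prints the commands instead of executing them.
set -u

ZONE="${ZONE:-test.net}"
VIEW="${VIEW:-external}"
DST_HOST="${DST_HOST:-ns2.example.invalid}"
ZONE_DIR="${ZONE_DIR:-/var/named}"
ZONE_FILE="${ZONE_FILE:-db.test.net}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

sync_dynamic_zone() {
  # 1. freeze the sender: named writes the journal into the zone file and
  #    refuses dynamic updates until thawed, so the file we copy is complete
  run rndc freeze "$ZONE" IN "$VIEW"
  # 2. freeze the receiver so it stops writing its own zone file and journal
  run ssh "$DST_HOST" rndc freeze "$ZONE" IN "$VIEW"
  # 3. copy the flushed zone file (-a keeps its fresh mtime, so a later
  #    plain "rndc reload" would also notice the change)
  run rsync -a "$ZONE_DIR/$ZONE_FILE" "$DST_HOST:$ZONE_DIR/$ZONE_FILE"
  # 4. the receiver's journal belongs to the file we just replaced; its
  #    contents were flushed by the freeze, so drop it instead of letting
  #    named try to roll it forward onto a zone with a different serial
  run ssh "$DST_HOST" rm -f "$ZONE_DIR/$ZONE_FILE.jnl"
  # 5. thaw: on the receiver this reloads the zone from disk and re-enables
  #    updates; thaw the sender last so it only accepts updates again once
  #    the copy is in place
  run ssh "$DST_HOST" rndc thaw "$ZONE" IN "$VIEW"
  run rndc thaw "$ZONE" IN "$VIEW"
}

# Usage:  DRY_RUN=0 DST_HOST=ns2.example.net sh sync-zone.sh run
if [ "${1:-}" = "run" ]; then
  sync_dynamic_zone
fi
```

If a step fails after the first freeze, both zones stay frozen and refuse dynamic updates until you run rndc thaw by hand on each side; check for that before walking away.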


dynamic updates via libbind.

2010-11-12 Thread Jack Tavares
I am currently using libbind to do dynamic updates in C.

I have looked in the bind 9.7.x source and I don't see a replacement mechanism 
for this.

Is there one or is there one planned in bind10?

Thanks
--
Jack.

libbind error

2010-11-12 Thread Jack Tavares
I believe I found a bug in the libbind code.
Is this the correct place to report that?

Thanks
--
jack

RE: managed-keys-zone file not found

2010-10-04 Thread Jack Tavares
Forgive the top post.

The directory is writable. I run bind chrooted and the directory exists, is
owned by the named user and is writable by the named user.


--
Jack Tavares
How many more can we sell with this button?

From: David Forrest [...@maplepark.com]
Sent: Sunday, October 03, 2010 09:12
To: Evan Hunt
Cc: Jack Tavares; bind-users@lists.isc.org
Subject: Re: managed-keys-zone file not found

On Sun, 3 Oct 2010, Evan Hunt wrote:

 On Fri, Oct 01, 2010 at 10:29:34PM +, Jack Tavares wrote:
 Hello
 While starting up bind I get the following 2 messages
 01-Oct-2010 15:13:15.304 set up managed keys zone for view external, file 
 '3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys'
 and
 01-Oct-2010 15:13:15.309 managed-keys-zone ./IN/external: loading from 
 master file 
 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys 
 failed: file not found

 The expected behavior is, the first time you start BIND with managed-keys
 configured in a view, it will try to load the keys from an existing
 managed-keys file.  If the file isn't found, it logs this warning,
 and then if the directory is writable, it goes ahead and creates the file.

 So you should only be seeing this the first time, and not thereafter.
 Which is why I'm concerned about this:

 I have tried using managed-keys-directory option, but I cannot get rid of
 this message.

 BIND hasn't created the file yet?  Is your working directory or
 managed-keys-directory writable?


Evan, I had this same message and it continued on every start.  But it
went ahead and loaded the zone (in memory I surmised) and everything
worked OK.  I just tried creating an empty file (via touch) in my working
directory and, voila!  No more messages except for the set up managed
keys zone for view external and it still works as it should.  My working
directory is owned by named and I run as -u named so I don't know why it
does not write the file.  I had a similar problem with the internal view
and removed the annoying message in the same manner; touching the file
with the name in the message in the working directory. So I now have two
empty files; No biggie.

I searched in the source code for the message and found it in
./bin/named/server.c but didn't go any further as my invocation hack
worked for me and it just seemed to be a log info message.  YMMV.

Dave

--
David Forrest e-mail   d...@maplepark.com
Maple Park Development Corporation  http://xen.maplepark.com
St. Louis, Missouri(Sent by ALPINE 2.01 FEDORA 11 LINUX)


RE: managed-keys-zone file not found

2010-10-04 Thread Jack Tavares

Evan:
 My statement about the expected behavior (i.e., that you'd see this log
 message only on the first start, and not thereafter) turns out to be
 true
 only if there's actually a managed key that needs maintaining.  If you
 don't have any such keys, named won't create a file to save them in--
 but,
 oops, it still tries to load the file on startup, and so it always logs
 the file not found message.
 
 This is essentially a cosmetic bug, and will be fixed in a future
 release.
 You can work around it, as others have mentioned, by touching the file
 so
 that named will shut up, or you can ignore it.
 
 Thanks for your help with it.
 

that makes sense. It did go away when I set up lookaside properly,
and I thought I knew how to make it go away.

Then I reconfigured (as a test) without lookaside (or any dnssec features
enabled for that matter) and the problem returned.

I agree it is cosmetic and we can live with it.
Thank you



managed-keys-zone file not found

2010-10-01 Thread Jack Tavares
Hello
While starting up bind I get the following 2 messages
01-Oct-2010 15:13:15.304 set up managed keys zone for view external, file 
'3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys'
and
01-Oct-2010 15:13:15.309 managed-keys-zone ./IN/external: loading from master 
file 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys 
failed: file not found

the number is a hash of the view name (external)

The zones in the view allow dynamic update.

I have tried using managed-keys-directory option, but I cannot get rid of this 
message.
What am I missing?
thanks


RE: Dynamically add zones

2010-07-30 Thread Jack Tavares
Thanks. I use the libisccc where possible.

--
Jack Tavares
How many more can we sell with this button?

From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Mark Andrews 
[ma...@isc.org]
Sent: Friday, July 30, 2010 01:53
To: Alan Clegg
Cc: bind-users@lists.isc.org
Subject: Re: Dynamically add zones

In message 4c5220c1.7060...@isc.org, Alan Clegg writes:
  Will this functionality be available through an api?
  Or will it just be through rndc ?

 Not sure what API we would use beyond rndc.  If you have
 recommendations, please e-mail me directly or give me a phone call
 (+1-919-355-885) and let's talk about it...

rndc just makes libisccc (ISC Command Channel) calls to talk to the
nameserver.  One can use libisccc directly if one wants.  Look at the
rndc code for examples of how to do this.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


question about bind bug fixed in 9.6.2-P2

2010-06-01 Thread Jack Tavares
From the release notes:

--- 9.6.2-P2 released ---

2876. [bug]   Named could return SERVFAIL for negative responses
              from unsigned zones. [RT #21131]

Question:

Does this bug only occur if dnssec is enabled?

or only if dnssec validation is turned on?

or will it (potentially) occur regardless of whether or not either of these 
options are used?




RE: dnssec-keygen is waiting endless...

2010-05-28 Thread Jack Tavares
Or it is a chroot jail and it does not have a source of entropy


-Original Message-
From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Paul 
Wouters
Sent: Friday, May 28, 2010 9:34 AM
To: Michelle Konzack
Cc: Bind Users
Subject: Re: dnssec-keygen is waiting endless...

On Fri, 28 May 2010, Michelle Konzack wrote:

 Hello *;

 I am retrying to setup DNSSEC but I have a problem with:

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tamay-dogan.net

 because if I issue the command, it waits forever and nothing happen.

 What can this be?

 Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
 1:9.7.0.dfsg.P1-1~bpo50+1

My bet is that this is a VM and you have no entropy. Either generate some
entropy (eg run in parallel something like: find / -type f | xargs grep 
KSdgajkgdaksdga)
or create the keys on real iron instead of a VM.

Paul


RE: dnssec-keygen is waiting endless...

2010-05-28 Thread Jack Tavares
Disregard my statement.
An incorrect chroot setup will affect the named executable, but not
the dnssec-keygen



-Original Message-
From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of 
Michelle Konzack
Sent: Friday, May 28, 2010 11:22 AM
To: bind-users@lists.isc.org
Subject: Re: dnssec-keygen is waiting endless...

Hello Jack,

On 2010-05-28 10:36:51, you hacked out the following:
 Or it is a chroot jail and it does not have a source of entropy

Ehm no...   sigh

Where must this entropy be?

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL   itsyst...@tdnet UG (limited liability)
Owner Michelle KonzackOwner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France   77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/ http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/


RE: BIND 9.6.2-P2 is now available.

2010-05-20 Thread Jack Tavares
I have a question about the bug that this patch fixes.



--- 9.6.2-P2 released ---

2876.   [bug]   Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131]



Does this bug only occur if dnssec is enabled?
or only if dnssec validation is turned on?
or will it (potentially) occur regardless of whether or not
either of these options are used?

Thank you
--
jack


RE: add a record into signed zone

2010-05-13 Thread Jack Tavares
When I have this problem the first thing I check is the permissions
on the key files. Ownership, etc. Are they in a place that named knows about?

From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of rams
Sent: Thursday, May 13, 2010 3:18 AM
To: Mark Andrews; bind-users
Subject: Re: add a record into signed zone

Hi ,
As you said I tried with nsupdate but unable to add a record into signed zone. 
It is giving SERVFAIL. Do we need to send any special value?

Thanks,
Ramesh
On Thu, May 13, 2010 at 9:05 AM, Mark Andrews 
ma...@isc.org wrote:

In message <aanlktilljh9vaiifvfzzgi9ls3nyi1arkx2tyozky...@mail.gmail.com>,
 rams writes:

 Hi,
 How to add a record into signed zone using nsupdate. Is there any additional
 arguments need to be passed for getting RRSIG of addition record or
 automatically bind will take care?

 Thanks & Regards,
 Ramesh
Named will take care of it.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


named-checkzone behavior change?

2010-05-10 Thread Jack Tavares
I have downloaded 9.7.0-P1 and I am running into something odd with 
named-checkzone
I have a simple zone with an NS record that has no A or AAAA record.

named-checkzone has flags to ignore this. and this same command (see below) 
worked in 9.6

but given this zone file
test.net. 500 IN SOA d88.test.net. hostmaster.d88.test.net. 2010051001 10800 
3600 604800 86400
test.net. 500 IN NS d88.test.net.

named-checkconf -k ignore -n ignore -i none test.net. zonefile
gives

zone test.net/IN: NS 'd88.test.net' has no address records (A or AAAA)
zone test.net/IN: not loaded due to errors.

Is this a bug? or do I have a flag missing or incorrect?




RE: named-checkzone behavior change?

2010-05-10 Thread Jack Tavares
Correction:

I am calling named-checkzone not checkconf.
this:
named-checkconf -k ignore -n ignore -i none test.net. zonefile

should read
named-checkzone -k ignore -n ignore -i none test.net. zonefile

the rest of the email is correct


RE: named-checkzone behavior change?

2010-05-10 Thread Jack Tavares
I see this was intentional.
2800. [func]  Reject zones which have NS records which refer to
              CNAMEs, DNAMEs or don't have address record (class IN
              only).  Reject UPDATEs which would cause the zone
              to fail the above checks if committed. [RT #20678]


ftp.isc.org is down

2010-05-06 Thread Jack Tavares
Not quite the right place to report this but...

wget http://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz
--2010-05-06 10:53:30--  http://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz
Resolving ftp.isc.org... 204.152.184.110, 2001:4f8:0:2::18
Connecting to ftp.isc.org|204.152.184.110|:80... failed: Connection refused.
Connecting to ftp.isc.org|2001:4f8:0:2::18|:80... failed: Network is unreachable.
[tava...@seapddev01 isc.org]$

I have tried it from 3 different locations, 2 on the US west coast, one on the
US east coast.



RE: ftp.isc.org is down

2010-05-06 Thread Jack Tavares
A couple of people have pointed out that I am attempting to connect to ftp.isc.org
using http.

That is so, but that is what happens if you use the download links on www.isc.org
if you click on the web
http://www.isc.org/software/bind/970-p1/download/bind-970-p1targz
it attempts to download from
http://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz

Which sits and spins and then times out.
So I decided to try it on the command line using wget and the same URL that
the webpage uses.
It fails.
I also tried the command
ftp ftp.isc.org
also fails





RE: ftp.isc.org is down

2010-05-06 Thread Jack Tavares
And it is back now.
wget http://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz
--2010-05-06 11:06:48--  http://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz
Resolving ftp.isc.org... 204.152.184.110, 2001:4f8:0:2::18
Connecting to ftp.isc.org|204.152.184.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7125947 (6.8M) [application/x-gzip]
Saving to: `bind-9.7.0-P1.tar.gz'

100%[==] 7,125,947   1.26M/s   in 6.0s

2010-05-06 11:06:55 (1.14 MB/s) - `bind-9.7.0-P1.tar.gz' saved [7125947/7125947]




ftp.isc.org back up

2010-05-06 Thread Jack Tavares
from isc.org:
 
 ISC experienced a fiber outage this morning that affected some of our
 services.  It has now been fixed and you should be able to reach all of
 the download servers.



RE: Question about message your system is lacking dev/random (or equivalent)

2010-04-13 Thread Jack Tavares
Perhaps you have configured it to run in a chroot jail and have not
fully outfitted the chroot with /dev/random

this is old, but looks to be accurate, at least when talking about the
/dev/random file on linux. You didn't even specify what OS you are running on:

http://tldp.org/HOWTO/Chroot-BIND-HOWTO-2.html


-Original Message-
From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Warren 
Kumari
Sent: Tuesday, April 13, 2010 12:43 PM
To: Khuu, Linh MicroTech
Cc: 'bind-users@lists.isc.org'
Subject: Re: Question about message your system is lacking dev/random (or 
equivalent)


On Apr 13, 2010, at 3:28 PM, Khuu, Linh MicroTech wrote:

 I just turned on the dnssec-validation today, and I saw lots of  
 messages:

 13-Apr-2010 15:17:17.122 dnssec: debug 3:   validating @202be918:  
 3e77469i48du24agcu5ftfumd6iocmrk.org NSEC3: verify rdataset  
 (keyid=47948): You must use the keyboard to create entropy, since  
 your system is lacking
 /dev/random (or equivalent)

 13-Apr-2010 15:26:35.016 dnssec: debug 3: validating @202bd638:  
 usps.gov DNSKEY: verify rdataset (keyid=10539): You must use the  
 keyboard to create entropy, since your system is lacking
 /dev/random (or equivalent)

 13-Apr-2010 15:26:37.385 dnssec: debug 3:   validating @202c0e28:  
 usps.gov SOA: verify rdataset (keyid=43133): You must use the  
 keyboard to create entropy, since your system is lacking
 /dev/random (or equivalent)

 Is this a problem with dnssec on my DNS server?

Did you build BIND yourself? When BIND starts does it log anything  
like: --with-randomdev=something?
What operating system, etc? You haven't really provided very much  
useful information in your question...

DNSSEC needs entropy for signing -- it believes that your system does  
not provide a useful source of entropy (do you have a /dev/random?)  
and so it want you to add some. This is not a BIND problem, it is an  
OS (or more likely configuration issue).

W





 Linh Khuu
 Network Security Specialist
 MicroTech ESS Contract
 Office: 410-966-0798
 Pager: 410-232-2350
 Email: linh.k...@ssa.gov



--
If the bad guys have copies of your MD5 passwords, then you have way  
bigger problems than the bad guys having copies of your MD5 passwords.
-- Richard A Steenbergen




RE: threading and linux (2.6.

2010-03-17 Thread Jack Tavares
You said:

On most operating systems, the default is threaded.
On linux, the default is unthreaded, for historical reasons having to
do with an odd interaction between linux threads and linux process
privileges.  I expect we'll correct this fairly soon; it's on the
to-do list for 9.7.1.

[Jack Tavares]  So, for bind 9.6.x and 9.7.0 is the recommendation to run 
nonthreaded?


threading and linux (2.6.

2010-03-16 Thread Jack Tavares
Hello -

What is the default build on linux (2.6) with regard to threads.
If I don't explicitly enable or disable threads, does named
run threaded or unthreaded?

Thanks
--
jack

RE: is it possible to dynamically update an RRSIG record?

2010-01-26 Thread Jack Tavares


Jack Tavares wrote:
 Looking at the code for libbind, specifically
 res_nmkupdate,
 there is no case statement for RRSIG records.

 In this case, I was trying to update the  TTL.
 Is that not allowed intentionally?

I think so. The TTL of a RRSIG RR *MUST* match the TTL value of the
RRset it covers.

Hugo

Hmm. Well then I guess one cannot update the TTL of the RRSIG itself, since if
it must match the RRset it covers, then the TTL on the RRSET must be changed
at which time bind would resign the records.


RE: can't query for RRSIG that references NSEC3

2009-06-24 Thread Jack Tavares
Thanks. I obviously missed that part of the rfc.


--
Jack Tavares

From: Chris Thompson [c...@hermes.cam.ac.uk] On Behalf Of Chris Thompson 
[c...@cam.ac.uk]
Sent: Wednesday, June 24, 2009 18:44
To: Jack Tavares
Cc: Bind Users Mailing List
Subject: RE: can't query for RRSIG that references NSEC3

On Jun 24 2009, Jack Tavares wrote:

a correction:

my dig command is

dig @127.0.0.1 -t RRSIG  4PPH7Q8R02M0AD8MLJPS0UEH2AB9KFJL.test.net

and I still get NXDOMAIN

NSEC3 records (and their associated RRSIG records) are, in a sense, not
properly part of the zone. RFC 5155 section 7.2.8 Responding to Queries
for NSEC3 Owner Names mandates the response you are seeing.

--
Chris Thompson
Email: c...@cam.ac.uk


/dev/random in chroot jail causing errors with nsupdate of dnssec signed zone

2009-05-14 Thread Jack Tavares
So I posted a couple of messages about how my nsupdates
were failing intermittently when attempting to update a signed zone.

The only error I get in the log is:
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': prerequisites are OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: signer update.test.net approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: update 'test.net/IN' approved
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': update section prescan OK
14-May-2009 13:17:09.077 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': adding an RR at 'newest4.test.net' A
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
14-May-2009 13:17:09.084 client 127.0.0.1#10277: view external: updating zone 'test.net/IN': rolling back
The keys are generated with RSASHA1 and use -r /dev/urandom

I run named in chroot jail, at /var/named
I created /var/named/dev/random with

mknod -m644 /var/named/dev/random c 1 8

which mimics the major and minor number from the system
ls -lL /dev/random

crw-r--r--1 root root   1,   8 May 13 03:27 /dev/random
The nsupdates fail, seemingly randomly.

When I delete this /dev/random from the chroot, they work.

So my question is:
am I setting up the /dev/random incorrectly?
should I not be creating /dev/random? (the how-tos I have seen all talk about
re-creating /dev/null and /dev/random etc)

Note:
I also tried generating the keys not using /dev/urandom, and have the same
inconsistent behavior with the chroot /dev/random present.



--
Jack Tavares




RE: /dev/random in chroot jail causing errors with nsupdate of dnssec signed zone

2009-05-14 Thread Jack Tavares
One other thing:
when I remove /dev/random from the chroot, bind just uses the
pre-chroot /dev/random
14-May-2009 14:09:51.065 could not open entropy source /dev/random: file not 
found
14-May-2009 14:09:51.065 using pre-chroot entropy source /dev/random
which is groovy.
So I guess I don't need the chroot random, but I would still like
to know why using the chrooted /dev/random causes this problem.

--
Jack Tavares
AIM: jacktavares
SKYPE: jackandkaddee
Reminder: I am at GMT+2, 10 hours AHEAD of Seattle.
My workweek is Sunday-Thursday.
Email sent to me Thursday afternoon (PST) may not be viewed until Sunday 
morning (GMT+2).



From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On 
Behalf Of Jack Tavares [j.tava...@f5.com]
Sent: Thursday, May 14, 2009 09:50
To: bind-users@lists.isc.org
Subject: /dev/random in chroot jail causing errors with nsupdate of dnssec 
signed zone

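The mknod and ls exchange above comes down to one check: is the jail's /dev/random really the same device as the host's (same type, same major and minor numbers) and readable by the user named runs as? The following is an added example, mine and not from the thread, that parses an `ls -lL` line in the form Jack posted, derives the mknod command from it instead of hand-typing the numbers, and, on a live system, compares the host node with the jail copy through st_rdev. The device line and the jail root /var/named come from the post; nothing else is from the thread.

```python
import os
import re
import stat
from dataclasses import dataclass

# One `ls -lL` line for a device node, in the form Jack posted:
#   crw-r--r--    1 root root   1,   8 May 13 03:27 /dev/random
# (the link count may be glued to the mode string, as in the archive copy).
_LS_DEV_RE = re.compile(
    r"^(?P<type>[bc])(?P<perms>[rwxsStT-]{9})[.+@]?\s*\d+\s+\S+\s+\S+\s+"
    r"(?P<major>\d+),\s*(?P<minor>\d+)\s+.*\s(?P<path>/\S+)$"
)


@dataclass(frozen=True)
class DeviceNode:
    path: str
    is_char: bool   # character (c) vs block (b) device
    mode: int       # permission bits only, e.g. 0o644
    major: int
    minor: int


def parse_ls_device(line: str) -> DeviceNode:
    """Recover type, permissions and device numbers from an `ls -l` line."""
    m = _LS_DEV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l device line: {line!r}")
    mode = 0
    for i, ch in enumerate(m["perms"]):
        if ch not in "-ST":          # r, w, x, s, t all set the bit at this position
            mode |= 1 << (8 - i)
    return DeviceNode(m["path"], m["type"] == "c", mode,
                      int(m["major"]), int(m["minor"]))


def stat_device(path: str) -> DeviceNode:
    """The same information taken from the live filesystem (st_rdev)."""
    st = os.stat(path)
    if not (stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)):
        raise ValueError(f"{path} is not a device node")
    return DeviceNode(path, stat.S_ISCHR(st.st_mode), stat.S_IMODE(st.st_mode),
                      os.major(st.st_rdev), os.minor(st.st_rdev))


def mknod_command(host: DeviceNode, jail_root: str) -> str:
    """The mknod invocation that recreates `host` inside `jail_root`."""
    kind = "c" if host.is_char else "b"
    return (f"mknod -m {host.mode:o} {jail_root.rstrip('/')}{host.path} "
            f"{kind} {host.major} {host.minor}")


def device_mismatches(host: DeviceNode, jail: DeviceNode) -> list:
    """Why the jail node is not equivalent to the host node; [] means it is."""
    problems = []
    if host.is_char != jail.is_char:
        problems.append("type differs (char vs block)")
    if (host.major, host.minor) != (jail.major, jail.minor):
        problems.append(f"jail is device {jail.major},{jail.minor}, "
                        f"host is {host.major},{host.minor}")
    if (jail.mode & 0o444) == 0:
        problems.append("jail node is not readable")
    return problems


def audit_jail_device(host_path: str, jail_root: str) -> list:
    """Compare a host device with its copy under the chroot, e.g.
    audit_jail_device("/dev/random", "/var/named")."""
    host = stat_device(host_path)
    jail_path = os.path.join(jail_root, host_path.lstrip("/"))
    if not os.path.exists(jail_path):
        return [f"{jail_path} missing"]
    return device_mismatches(host, stat_device(jail_path))
```

Run `audit_jail_device("/dev/random", "/var/named")` as root on the host; an empty list means the jail node is the same device with readable permissions, and anything else is what to fix before looking further for the cause of the failed signatures.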

error while attempting to use nsupdate on a DNSSEC signed zone

2009-05-13 Thread Jack Tavares
Hello -

(bind9.6.0-P1)

I have set up a zone that is signed.
It is an island of security zone for testing purposes.

I have set up a TSIG key and set the allow-update
to accept the key.

I have followed every step, afaict, in the various
how-tos on how to sign a zone.

But when I try to do an update, I get an error.

All the error says is
signer update.test.net approved
13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 
'test.net/IN': adding an RR at 'blah.test.net' A
13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 
'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
failure is all it says for a reason.

I looked at the bind source, and there are some more useful error messages 
about keys etc.
But all I am getting is failure.

If i do the same nsupdate without DNSSEC, it works.
It appears there is something wrong with my setup and the regeneration of the 
RRSIG/NSEC
keys is failing. (I have tried it with both NSEC and NSEC3 keys)

I will put together a (simpler) named.conf and zone file that causes this and 
post that info,
but I was hoping that maybe somebody has seen this and has an idea.

Thanks


--
Jack Tavares


RE: error while attempting to use nsupdate on a DNSSEC signed zone

2009-05-13 Thread Jack Tavares
I am running bind in a chroot jail, btw.

I had this working a while ago, and left it for a while
and then tried to set it up again, with no luck.

I am sure it is something simple...
--
Jack Tavares



From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On 
Behalf Of Jack Tavares [j.tava...@f5.com]
Sent: Wednesday, May 13, 2009 10:27
To: bind-users@lists.isc.org
Subject: error while attempting to use nsupdate on a DNSSEC signed zone


RE: error while attempting to use nsupdate on a DNSSEC signed zone

2009-05-13 Thread Jack Tavares
yes. 
And when I previously failed to specify the correct key-directory, I got an 
error
found no private keys, unable to generate any signatures

I corrected that error and now get the failure message

everything is owned by named.


options {
dnssec-enable yes;
dnssec-validation yes;
key-directory /config/namedb;

--
Jack Tavares

From: mark_andr...@isc.org [mark_andr...@isc.org]
Sent: Wednesday, May 13, 2009 10:38
To: Jack Tavares
Cc: bind-users@lists.isc.org
Subject: Re: error while attempting to use nsupdate on a DNSSEC signed zone

In message 4b18a8f75a6384449755bc7784073e93603b776...@exch11.olympus.f5net.com

Have you told named where the private keys are (key-directory)?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


RE: error while attempting to use nsupdate on a DNSSEC signed zone

2009-05-13 Thread Jack Tavares
Thanks, but that is not my problem.

the error message you are getting at least gives a hint:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign
failure

My error says:
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 
'test.net/IN': prerequisites are OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: signer 
update.test.net approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: update 
'test.net/IN' approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 
'test.net/IN': update section prescan OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 
'test.net/IN': adding an RR at 'blarney.test.net' A
13-May-2009 22:04:59.665 client 127.0.0.1#4638: view external: updating zone 
'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure


failure that's it.

I am still having this problem.
It is intermittent.

one update will work.
then another update for the very same zone, using the very same key, will fail.
It works fine if I remove the signed zone.
I have tried removing from the chroot jail, in case I had an error in the setup 
there and it
makes no difference.

the failure seems to be coming from dns_dnssec_sign, but it is just returning
ISC_R_FAILURE .

When I step through the code with the debugger, it seems to work every time 
(naturally)
I am really scratching my head.

--
Jack Tavares


From: Alexa Petrean [apetr...@bluecatnetworks.com]
Sent: Wednesday, May 13, 2009 17:50
To: Jack Tavares
Cc: bind-users@lists.isc.org
Subject: RE: error while attempting to use nsupdate on a DNSSEC signed zone

I've encountered a similar issue when using DSA keys with BIND 9.5.1-P1.
The dynamic records weren't added to a master zone signed with DSA keys
- the journal file doesn't get created at all, just similar messages
logged in syslog:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A
Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign
failure

The solution was to sign every dynamic zone with RSASHA1 keys only.

Alex


NS_NXT_BITS for NSEC records

2009-04-02 Thread Jack Tavares
Hello -

In libbind-6.0b1/includ/arpa/nameser.h
there are some convenience macros for parsing the type bits for NXT
records

/* How RR types are represented as bit-flags in NXT records */
#define NS_NXT_BITS 8
#define NS_NXT_BIT_SET(  n,p) (p[(n)/NS_NXT_BITS] |=  (0x80>>((n)%NS_NXT_BITS)))
#define NS_NXT_BIT_CLEAR(n,p) (p[(n)/NS_NXT_BITS] &= ~(0x80>>((n)%NS_NXT_BITS)))
#define NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] &  (0x80>>((n)%NS_NXT_BITS)))
#define NS_NXT_MAX 127
I don't see any macros for NSEC records.
I am pretty sure I can use the NS_NXT_xxx macros with some fudging for NSEC
records, but I was wondering if there is a plan for updating nameser.h?
Thanks


--
Jack Tavares
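The NS_NXT_* macros above address a single run of type bits; the NSEC type bitmap of RFC 4034 section 4.1.2 is a series of windows, each holding 256 types and prefixed by a window number and a length, with trailing zero octets dropped, which is the "fudging" needed to reuse them. The following is an added example, mine and not libbind code, that encodes and decodes that wire format with the same 0x80 >> (n % 8) bit layout; the RR type set it is exercised with (A, MX, RRSIG, NSEC, TYPE1234) is the one RFC 4034 uses to illustrate the format.

```python
from typing import Iterable, List

# NSEC/NSEC3 type bitmaps (RFC 4034 section 4.1.2) are a sequence of
#   window (1 byte) | length (1 byte, 1..32) | bitmap (length bytes)
# where window w covers types w*256 .. w*256+255 and, inside the bitmap,
# type t sets bit 0x80 >> (t % 8) of byte (t % 256) // 8, exactly what
# NS_NXT_BIT_SET does for one window.  Windows with no types are omitted,
# and so are trailing all-zero octets of each bitmap.
NXT_BITS = 8


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    windows = {}
    for t in sorted(set(types)):
        if not 0 <= t <= 65535:
            raise ValueError(f"bad RR type {t}")
        w, low = divmod(t, 256)
        bm = windows.setdefault(w, bytearray(32))
        bm[low // NXT_BITS] |= 0x80 >> (low % NXT_BITS)
    out = bytearray()
    for w in sorted(windows):
        bm = windows[w]
        length = len(bm.rstrip(b"\x00"))
        if length == 0:
            continue
        out += bytes([w, length]) + bm[:length]
    return bytes(out)


def decode_type_bitmap(data: bytes) -> List[int]:
    """Sorted list of RR types present; rejects the malformed encodings
    that RFC 4034 forbids (bad lengths, trailing zero octets)."""
    types = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        w, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError(f"bad window {w}: length {length}")
        bm = data[i + 2 : i + 2 + length]
        if bm[-1] == 0:
            raise ValueError(f"window {w} has trailing zero octets")
        for byte_idx, byte in enumerate(bm):
            for bit in range(NXT_BITS):
                if byte & (0x80 >> bit):
                    types.append(w * 256 + byte_idx * NXT_BITS + bit)
        i += 2 + length
    return types


def type_is_set(data: bytes, rrtype: int) -> bool:
    """NS_NXT_BIT_ISSET across windows: is `rrtype` present in the bitmap?"""
    return rrtype in decode_type_bitmap(data)
```

The decoder's rejection of trailing zero octets matters when validating: RFC 4034 requires the minimal encoding, so a signature over a non-minimal bitmap will not verify against the canonical form.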

RE: NS_NXT_BITS for NSEC records

2009-04-02 Thread Jack Tavares
Sorry. I still have libbind-6.0b1. I missed the
announcement that libbind6.0 had shipped.
What I need is in libbind6.0

Thank you



From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On 
Behalf Of Jack Tavares [j.tava...@f5.com]
Sent: Thursday, April 02, 2009 14:13
To: bind-users@lists.isc.org
Subject: NS_NXT_BITS for NSEC records


RE: ResendRE: ns_type question

2009-02-24 Thread Jack Tavares


  No, you're looking at the right place, and libbind isn't supposed to
  provide any new feature regarding the new DNSSEC spec.

 Ok. So is there a 'C' api for dealing with DNSSEC in this regard?

Hmm...I was wrong.  There's actually a planned patch to introduce
newer types in nameser.h, including DNSKEY.  If what you need as a
'C' api for dealing with DNSSEC is just new enum elements for these
RR types, a near future version of libbind will satisfy you.


Yes, all I wanted was the additions to the enum. I plan on patching it
when I build the library for my own uses until a new version of libbind
is available.

Thanks


RE: libbind 6.0b1 bug?

2009-02-24 Thread Jack Tavares
Thank you

 Actually, it is a compile time problem.

 Is there a place on the isc.org website to report a bug on libbind?

 I didn't see it anywhere.

libbind-b...@isc.org


--
jack


libbind 6.0b1 bug?

2009-02-23 Thread Jack Tavares

Actually, it is a compile time problem.

Is there a place on the isc.org website to report a bug on libbind?

I didn't see it anywhere.

Thanks


--
Jack Tavares

RE: ResendRE: ns_type question

2009-02-17 Thread Jack Tavares

From: JINMEI Tatuya / 神明達哉 [jinmei_tat...@isc.org]
 I have downloaded libbind6.0b1

 My question is;

 the arpa/nameser.h file included does not include
 type definitions for DNSKEY (or other dnssec rr types)
 in the ns_type enum.

 am I looking in the wrong place?

 No, you're looking at the right place, and libbind isn't supposed to
 provide any new feature regarding the new DNSSEC spec.

Ok. So is there a 'C' api for dealing with DNSSEC in this regard?
--
jack.


ResendRE: ns_type question

2009-02-15 Thread Jack Tavares
Hello -

Any suggestions on this?
Thank you


--
Jack Tavares



From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On 
Behalf Of Jack Tavares [j.tava...@f5.com]
Sent: Wednesday, February 11, 2009 15:00
To: bind-users@lists.isc.org
Subject: ns_type question


ns_type question

2009-02-11 Thread Jack Tavares
I have downloaded libbind6.0b1

My question is;

the arpa/nameser.h file included does not include
type definitions for DNSKEY (or other dnssec rr types)
in the ns_type enum.

am I looking in the wrong place?

Thanks

--
Jack Tavares


RE: is this a valid zone file?

2008-12-22 Thread Jack Tavares
Thanks to everybody so far. I am still confused trying to figure this out.

At the risk of looking stupid...

Given this zone file.

$TTL 500
$ORIGIN 168.192.in-addr.arpa.
@   IN  SOA d62.test.net. hostmaster.d62.test.net..  2008122201 
10800 3600 604800 86400
  NS  d62.test.net.
0/16NS  d88.test.net.


dig for a zone transfer returns
[r...@d62:Active] shared # dig axfr  @127.0.0.1 168.192.in-addr.arpa.
; <<>> DiG 9.5.0-P2 <<>> axfr @127.0.0.1 168.192.in-addr.arpa.
; (1 server found)
;; global options:  printcmd
168.192.in-addr.arpa.   500 IN  SOA d62.test.net. 
hostmaster.my.domain. 2008122201 10800 3600 604800 86400
168.192.in-addr.arpa.   500 IN  NS  d62.test.net.
0/16.168.192.in-addr.arpa. 500  IN  NS  d88.test.net.
168.192.in-addr.arpa.   500 IN  SOA d62.test.net. 
hostmaster.my.domain. 2008122201 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 22 03:16:38 2008
;; XFR size: 4 records (messages 1, bytes 179)


and a dig for the NS record returns:
[r...@d62:Active] shared # dig   -t ns @127.0.0.1 168.192.in-addr.arpa.
; <<>> DiG 9.5.0-P2 <<>> -t ns @127.0.0.1 168.192.in-addr.arpa.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3426
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;168.192.in-addr.arpa.  IN  NS
;; ANSWER SECTION:
168.192.in-addr.arpa.   500 IN  NS  d62.test.net.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 22 03:17:15 2008
;; MSG SIZE  rcvd: 64


while a dig for the 0/16 NS record returns 0 answers, but  1 AUTHORITY record.
[r...@d62:Active] shared # dig   -t ns @127.0.0.1 0/16.168.192.in-addr.arpa.
; <<>> DiG 9.5.0-P2 <<>> -t ns @127.0.0.1 0/16.168.192.in-addr.arpa.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29418
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;0/16.168.192.in-addr.arpa. IN  NS
;; AUTHORITY SECTION:
0/16.168.192.in-addr.arpa. 500  IN  NS  d88.test.net.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 22 03:17:53 2008
;; MSG SIZE  rcvd: 69


So I am trying to figure out, if named won't serve the 0/16 NS record from 
168.192 zone,
what is the purpose of putting it there?



--
Jack Tavares
AIM: jackatavares
SKYPE: jackandkaddee
Reminder: I am at GMT+2, 10 hours AHEAD of Seattle.
My workweek is Sunday-Thursday.
Email sent to me Thursday afternoon (PST) may not be viewed until Sunday 
morning (GMT+2).

From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On 
Behalf Of Matus UHLAR - fantomas [uh...@fantomas.sk]
Sent: Monday, December 22, 2008 11:14 AM
To: bind-users@lists.isc.org
Subject: Re: is this a valid zone file?

On 21.12.08 04:21, Jack Tavares wrote:
 as specified, wouldn't this zone then be non-authoritative

I believe BIND doesn't check NS Records when deciding if it should set the
AA flag and only takes care about the records being from zone
(master/slave) or authoritative source (for AA records) or cache.

  That has no NS server defined for the zone, just the ranges of the zone.
  Is that valid?

 it is, but may cause problems. NS records for the zone itself should be
 defined.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
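What the three dig runs above show is ordinary delegation behaviour: NS records at a zone cut are not authoritative data of the parent (RFC 2181 section 6.1), so a query for them gets a referral, with no aa flag and the NS set in the AUTHORITY section, while the NS set at the apex is answered authoritatively. They are there so a resolver chasing a PTR through the CNAME into the sub-zone can find that sub-zone's servers. The following is an added example, mine and not from the thread or from RFC 2317, that generates the RFC 2317 section 4 parent zone for a /24 as a whole: the apex NS set Matus says should be defined, then one NS set and a complete CNAME range per delegated block, with overlapping blocks rejected. Zone and server names are the RFC's placeholders.

```python
import ipaddress
from typing import Dict, Sequence


def reverse_origin(net: ipaddress.IPv4Network) -> str:
    """in-addr.arpa origin of an octet-aligned network:
    192.0.2.0/24 -> 2.0.192.in-addr.arpa."""
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("parent reverse zone must be on an octet boundary")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def rfc2317_zone(parent: str, zone_ns: Sequence[str], hostmaster: str, serial: int,
                 delegations: Dict[str, Sequence[str]], ttl: int = 86400) -> str:
    """Build the parent /24 reverse zone of RFC 2317 section 4.

    `delegations` maps a sub-/24 block such as "192.0.2.0/25" to the name
    servers of that block.  Each block gets NS records at the owner
    "<first>/<prefixlen>" and every address in it gets a CNAME into that
    sub-zone, so the parent never has to carry the PTRs itself."""
    net = ipaddress.ip_network(parent, strict=True)
    if net.prefixlen != 24:
        raise ValueError("RFC 2317 classless delegation applies below a /24")
    origin = reverse_origin(net)
    lines = [f"$TTL {ttl}", f"$ORIGIN {origin}",
             f"@  IN  SOA {zone_ns[0]} {hostmaster} {serial} 10800 3600 604800 86400"]
    # The zone's own NS set: queries for the apex are answered with these.
    lines += [f"   NS  {ns}" for ns in zone_ns]
    seen = set()   # host octets already delegated, to catch overlapping blocks
    for block, servers in sorted(delegations.items(),
                                 key=lambda kv: ipaddress.ip_network(kv[0])):
        sub = ipaddress.ip_network(block, strict=True)
        if not sub.subnet_of(net) or sub.prefixlen <= 24:
            raise ValueError(f"{block} is not a proper sub-block of {parent}")
        first = int(sub.network_address) & 0xFF
        label = f"{first}/{sub.prefixlen}"
        lines.append(f";  {first}-{first + sub.num_addresses - 1} /{sub.prefixlen}")
        # Delegation point: served as a referral, not an authoritative answer.
        lines += [f"{label}  NS  {ns}" for ns in servers]
        for addr in sub:
            host = int(addr) & 0xFF
            if host in seen:
                raise ValueError(f"{addr} is delegated twice")
            seen.add(host)
            lines.append(f"{host}  CNAME  {host}.{label}.{origin}")
    return "\n".join(lines) + "\n"
```

`named-checkzone 2.0.192.in-addr.arpa <file>` accepts the output; the "/" in the owner names is fine in in-addr.arpa zones, and the sub-zone itself (origin 0/25.2.0.192.in-addr.arpa) is an ordinary zone of PTR records on the delegated servers.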


RE: is this a valid zone file?

2008-12-21 Thread Jack Tavares
as specified, wouldn't this zone then be non-authoritative
--
Jack Tavares
AIM: jackatavares
SKYPE: jackandkaddee
Reminder: I am at GMT+2, 10 hours AHEAD of Seattle.
My workweek is Sunday-Thursday.
Email sent to me Thursday afternoon (PST) may not be viewed until Sunday 
morning (GMT+2).

From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On 
Behalf Of Matus UHLAR - fantomas [uh...@fantomas.sk]
Sent: Sunday, December 21, 2008 2:13 PM
To: bind-users@lists.isc.org
Subject: Re: is this a valid zone file?

On 21.12.08 03:54, Jack Tavares wrote:
 Looking at rfc2317
 $ORIGIN 2.0.192.in-addr.arpa.
@   IN  SOA my-ns.my.domain. hostmaster.my.domain. (...)
;...
;  0-127 /25
0/25NS  ns.A.domain.
0/25NS  some.other.name.server.
[...]

 That has no NS server defined for the zone, just the ranges of the zone.
 Is that valid?

it is, but may cause problems. NS records for the zone itself should be
defined.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95


is this a valid zone file?

2008-12-21 Thread Jack Tavares
Looking at rfc2317

I see the example zone file

$ORIGIN 2.0.192.in-addr.arpa.
   @   IN  SOA my-ns.my.domain. hostmaster.my.domain. (...)
   ;...
   ;  0-127 /25
   0/25NS  ns.A.domain.
   0/25NS  some.other.name.server.
   ;
   1   CNAME   1.0/25.2.0.192.in-addr.arpa.
   2   CNAME   2.0/25.2.0.192.in-addr.arpa.
   3   CNAME   3.0/25.2.0.192.in-addr.arpa.
   ;
   ;  128-191 /26
   128/26  NS  ns.B.domain.
   128/26  NS  some.other.name.server.too.
   ;
   129 CNAME   129.128/26.2.0.192.in-addr.arpa.
   130 CNAME   130.128/26.2.0.192.in-addr.arpa.
   131 CNAME   131.128/26.2.0.192.in-addr.arpa.
   ;
   ;  192-255 /26
   192/26  NS  ns.C.domain.
   192/26  NS  some.other.third.name.server.
   ;
   193 CNAME   193.192/26.2.0.192.in-addr.arpa.
   194 CNAME   194.192/26.2.0.192.in-addr.arpa.
   195 CNAME   195.192/26.2.0.192.in-addr.arpa.



That has no NS server defined for the zone, just the ranges of the zone.
Is that valid?

--
Jack Tavares

