Re: One Key File for Many Users
Have the system login scripts fire up rsync and sync the proper file over to the user's home directory. Why make it harder on yourself than it needs to be? Assuming you have a profile.d directory, create a nsupdate-sync.sh .csh

Good luck.

--
Jason Hellenthal
Voice: 95.30.17.6/616
JJH48-ARIN

On Apr 10, 2014, at 16:33, Martin G. McCormick mar...@server1.shellworld.net wrote:

> One way to allow account-holders on a system to be able to do nsupdates is to place the keys in each user's directory but this makes changing the keys later a laborious task. Is there a proper way to create links to one key that will produce the same effect? I seem to recall trying something like that some time ago and having the updates fail because the key referenced was a link.
>
> Thank you.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen
Nothing is ever set in stone that hard. Sorry they wrote scripts for it. All apologies they decided to use Elmer's glue instead of high tensile strength super carbon based cement. They will just have to amend those temp scripts with some test cases or you can write a compatibility shim with an expiration clause with an annoying warning message.

I recall spending a LOT of time with DNSSEC figuring out all the nonsense but like anything else stability and friendliness has to start somewhere. And development should not be impeded by adoption of bad practices. Fix the root cause not the symptom.

--
Jason Hellenthal
Voice: 95.30.17.6/616
JJH48-ARIN

On Mar 6, 2014, at 3:11, Evan Hunt e...@isc.org wrote:

> On Thu, Mar 06, 2014 at 08:55:28AM +0100, Carsten Strotmann wrote:
> > I agree that it might be nice to change dnssec-keygen to make the tool more user-friendly. The current state-of-things is because of historic developments in how DNSSEC came to birth.
>
> ...and lots of people dealing with dnssec-keygen's user-unfriendliness by writing shell scripts to run it, which will break if we change its interface now. A lot of old mistakes have gotten chiseled into stone by that.
>
> I've long wanted to write a replacement for the zone key functions of dnssec-keygen (or at least a sensible wrapper), so that DNSSEC keys could be generated according to a configured policy rather than command-line alphabet soup.
>
> For generating host keys, I suggest ddns-confgen rather than dnssec-keygen.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
Re: rndc addzone gets permission denied
I would suspect your chmod 777 was inappropriate as I believe you should have just chmod'd var/named/slaves. The chmod isn't inheritable like Windows.

--
Jason Hellenthal
Voice: 95.30.17.6/616
JJH48-ARIN

On Jan 11, 2014, at 19:11, Mikael Johansson mikael.johans...@addpro.se wrote:

> On 12 Jan 2014 00:14, Georgy Goshin georgy.gos...@gmail.com wrote:
> > Hi,
> >
> > CentOS, 6.5, default bind package bind-9.8.2-0.17.rc1.el6_4.6.x86_64.
> >
> > trying to add slave zone with command
> >
> > rndc addzone zone.local '{ type slave; file slaves/zone.local; masters { 172.31.199.154; }; };'
> >
> > but getting
> >
> > rndc: 'addzone' failed: permission denied
> >
> > nothing on the logs, only
> >
> > received control channel command 'addzone zone.local { type slave; file slaves/zone.local; masters { 172.31.199.154; }; };'
> >
> > even after rndc trace 99.
> >
> > allow-new-zones yes;
> >
> > tried with chmod 777 for /var/named, /etc/named, /usr/lib64/bind but nothing helps. please advise me a way to find why permission is denied. thanks in advance.
>
> Hi,
>
> Have you checked if this might be related to SELinux?
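Added example, not part of the thread: a small Python check for the point made in the reply above, that a mode set on a parent directory does not carry over to the directories beneath it. The temporary directory tree and the uid/gid values are constructed stand-ins for /var/named, /var/named/slaves and the named account.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic owner/group/other selection on one stat result.
    want is an rwx mask (4=r, 2=w, 1=x). The uid 0 bypass is not modelled,
    and SELinux policy and POSIX ACLs are not evaluated: mode bits only."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return ((bits & 7) & want) == want

def first_denial(base, relpath, uid, gids):
    """Walk base/relpath one component at a time.
    Each directory on the way needs search (x); the last one needs write and
    search (wx) so that a new file can be created in it.
    Returns (path, mode string) of the first component that refuses, else None."""
    chain = [base]
    for part in (p for p in relpath.split("/") if p):
        chain.append(os.path.join(chain[-1], part))
    for i, path in enumerate(chain):
        st = os.stat(path)
        want = 3 if i == len(chain) - 1 else 1
        if not allowed(st, uid, gids, want):
            return path, stat.filemode(st.st_mode)
    return None

if __name__ == "__main__":
    base = tempfile.mkdtemp()                 # constructed stand-in for /var/named
    slaves = os.path.join(base, "slaves")     # constructed stand-in for the slaves directory
    os.mkdir(slaves)
    os.chmod(base, 0o777)                     # chmod on the parent only
    os.chmod(slaves, 0o755)                   # the child keeps its own mode
    st = os.stat(slaves)
    uid, gid = st.st_uid + 1, st.st_gid + 1   # hypothetical account that owns nothing here
    print("parent 777, child 755:", first_denial(base, "slaves", uid, {gid}))
    os.chmod(slaves, 0o770)                   # group-writable child
    print("same user in the owning group:", first_denial(base, "slaves", uid, {st.st_gid}))
```

A result of None only means the mode bits allow the write; a mandatory access control layer such as SELinux, raised in the quoted reply, is a separate check.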
Re: Can anyone help me resolve this named failure report
There is a lot of information missing here. I'm sure someone could help you but I'm not sure this is the correct list for that as I assume BIND is not the cause of your errors.

--
Jason Hellenthal
Inbox: jhellent...@dataix.net
Voice: +1 (616) 953-0176
JJH48-ARIN

On Sep 17, 2013, at 11:00, Odimegwu David odimegwuda...@yahoo.fr wrote:

> named error report
>
> named.service - Berkeley Internet Name Domain (DNS)
>   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)
>   Active: failed (Result: exit-code) since Wed, 11 Sep 2013 20:17:05 +0100; 13min ago
>   Process: 1660 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=1/FAILURE)
>   Process: 1586 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
>   CGroup: name=systemd:/system/named.service
>
> The messages from /var/log/messages is thus:
>
> Sep 11 20:17:05 named: command channel listening on 127.0.0.1#953
> Sep 11 20:17:05 named: isc_stdio_open 'data/named.run' failed: permission denied
> Sep 11 20:17:05 named: configuring logging: permission denied
> Sep 11 20:17:05 named: loading configuration: permission denied
> Sep 11 20:17:05 named: exiting (due to fatal error)
Re: New warning message...
Basically a SPF record type in place that's new but you could carry both for new and older clients.

--
Jason Hellenthal
Inbox: jhellent...@dataix.net
Voice: +1 (616) 953-0176
JJH48-ARIN

On Jul 22, 2013, at 0:48, SH Development listacco...@starionline.com wrote:

> I just started noticing these in my log:
>
> 7/21/13 11:33:13 PM named[355] 21-Jul-2013 23:33:13.646 general: warning: zone domain.com/IN: 'domain.com' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
>
> The zone does have an SPF record. I'm not sure I understand what else I'm supposed to be doing.
>
> Jeff
Re: Reverse Lookups with Forwarders
Only thing I see to be missing here is actual Class B address space 172.16/12 but instead you are trying to forward from Class A public address space assigned to FACEBOOK. I don't quite think you will get that to work... That is unless you are the Facebook authoritative server...

range:     172.0.0.0 172.15.255.255
range b10: 2885681152 2886729727
range b16: 0xac00 0xac0f
hosts:     1048576
prefixlen: 12
mask:      255.240.0.0

Was this just an intentional obfuscation ?

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=173.252.110.0?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       173.252.64.0 - 173.252.127.255
CIDR:           173.252.64.0/18
OriginAS:       AS32934
NetName:        FACEBOOK-INC
NetHandle:      NET-173-252-64-0-1
Parent:         NET-173-0-0-0-0
NetType:        Direct Assignment
RegDate:        2011-02-28
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-173-252-64-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 Willow Rd.
City:           Menlo Park
StateProv:      CA
PostalCode:     94025
Country:        US
RegDate:        2004-08-11
Updated:        2012-04-17
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle:  OPERA82-ARIN
OrgTechName:    Operations
OrgTechPhone:   +1-650-543-4800
OrgTechEmail:   n...@fb.com
OrgTechRef:     http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  n...@fb.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

--
Jason Hellenthal
Inbox: jhellent...@dataix.net
Voice: +1 (616) 953-0176
JJH48-ARIN

On Jul 9, 2013, at 2:21, sumsum 2000 sum2h...@gmail.com wrote:

> 173.252.110.0
Re: Reverse Lookups with Forwarders
Oops mistype

range:     172.16.0.0 172.31.255.255
range b10: 2886729728 2887778303
range b16: 0xac10 0xac1f
hosts:     1048576
prefixlen: 12
mask:      255.240.0.0

--
Jason Hellenthal
Inbox: jhellent...@dataix.net
Voice: +1 (616) 953-0176
JJH48-ARIN

On Jul 9, 2013, at 2:38, Jason Hellenthal jhellent...@dataix.net wrote:

> Only thing I see to be missing here is actual Class B address space 172.16/12 but instead you are trying to forward from Class A public address space assigned to FACEBOOK. I don't quite think you will get that to work... That is unless you are the Facebook authoritative server...
>
> range:     172.0.0.0 172.15.255.255
> range b10: 2885681152 2886729727
> range b16: 0xac00 0xac0f
> hosts:     1048576
> prefixlen: 12
> mask:      255.240.0.0
>
> Was this just an intentional obfuscation ?
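Added example, not part of the thread: the range figures from the two messages above (the first one and its "Oops mistype" correction) recomputed with Python's standard ipaddress module, plus a membership test for the quoted 173.252.110.0. The reverse_zones helper goes a step beyond the messages and lists the octet-aligned in-addr.arpa zone names that cover a prefix, which is what reverse-lookup forwarding has to be configured for; all function names here are hypothetical.

```python
import ipaddress

def describe(cidr):
    """Return the fields the messages list for a network: range, decimal and
    hex bounds, address count, prefix length and mask."""
    net = ipaddress.ip_network(cidr)
    first, last = net.network_address, net.broadcast_address
    return {
        "range": (str(first), str(last)),
        "range_b10": (int(first), int(last)),
        "range_b16": (hex(int(first)), hex(int(last))),
        "hosts": net.num_addresses,
        "prefixlen": net.prefixlen,
        "mask": str(net.netmask),
    }

def reverse_zones(cidr):
    """in-addr.arpa zone names that together cover cidr.
    Reverse zones are delegated on octet boundaries, so a prefix that is not
    octet-aligned (such as a /12) is first split into the next longer aligned
    size (/16 here)."""
    net = ipaddress.ip_network(cidr)
    aligned = -(-net.prefixlen // 8) * 8 or 8      # round up to 8, 16, 24 or 32
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def in_private_172(addr):
    """True if addr falls inside 172.16.0.0/12."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network("172.16.0.0/12")

if __name__ == "__main__":
    for cidr in ("172.0.0.0/12", "172.16.0.0/12"):   # mistyped and corrected ranges
        print(cidr, describe(cidr))
    print("173.252.110.0 in 172.16.0.0/12:", in_private_172("173.252.110.0"))
    zones = reverse_zones("172.16.0.0/12")
    print(len(zones), "reverse zones:", zones[0], "...", zones[-1])
```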
Re: SPF record with include:
Really I can't see as it would hurt in either SPF/SPF or SPF/TXT. To me it looks to just be a referring URL for those that get a reject based on the SPF rule. Kinda like a comment judging by . I've not seen it in the wild thus far besides this case. Not even in the google for business app references.

Personally I would just drop the http URL and angles. Thus far I've only really had to use ip4 and 'a' and 'redirect' with no complaints.

--
Jason Hellenthal
Inbox: jhellent...@dataix.net
Voice: +1 (616) 953-0176
JJH48-ARIN

On Jun 18, 2013, at 1:56, Julie Xu j...@uws.edu.au wrote:

> Hi
>
> I have been asked to add:
>
> include:otheremailsrv.otherdomainhttp://otheremailsrv.otherdomain
>
> so the TXT records will look like:
>
> TXT v=spf1 mx include:otheremailsrv.otherdomainhttp://otheremailsrv.otherdomain ~all
>
> Question, from my limited research, I have not found any example to put http part into TXT records, and a little bit worried.
>
> Could anyone advise me if I can put http in spf record like above? If so, is my statement right?
>
> Any comments will be appreciated
>
> Thanks in advance
>
> julie
Serving up two domains
Clue bat needed... :-)

Poised with a deception of documentation hello list members.

Curious if someone has faced the following. I have a domain or two that I'm serving up and have traffic from some mobile devices and a few pieces of software that also try to resolve to the hostname.tld instead of what normally would be expected to be hostname.domain.tld. Not really concerned with why but rather would just like to allow them to resolve to the same address as the .domain.tld.

I've done this just simply copying over the zone file and serving up the tld as its own domain with the same information for just forwarding only. The reverse actually just maps back to the actual hostname.domain.tld.

Is there an easier way that I just seem to be missing the term for in the docs ? A PTR. to the right place and terms would be great if someone could. Or share if you have come across this and how you handle it.

Thanks for the tired reading eyes ...

--
Jason Hellenthal
Inbox: jhellent...@dataix.net
Voice: +1 (616) 953-0176
JJH48-ARIN