RE: [EXTERNAL] Re: Domain Control Validation

2020-10-30 Thread Khuu, Linh Contractor via bind-users
Thank you for verifying the function of CNAME. I just want to check if it can 
be done. I know we do "TXT" for domain control validation of the webserver.

Thanks,
Linh Khuu


From: Reindl Harald 
Sent: Friday, October 30, 2020 1:20 PM
To: Khuu, Linh Contractor ; bind-users@lists.isc.org
Subject: [EXTERNAL] Re: Domain Control Validation


What you are asking for makes no sense.
Why would you point your whole webserver at geocerts?

A CNAME is what it is, and it can't exist with other record types,
so you can't have a CNAME for www.example.com and at
the same time an A record or MX.
On 30.10.20 at 18:11, Khuu, Linh Contractor via bind-users wrote:
Hello,

I have a question. Does anyone know if a CNAME can be added for Domain Control
Validation? For example,

www.example.com. 3600 IN CNAME _8DA14D435F7042B71E212832EBFFD76B.www.geocerts.net.

Can this record be done in BIND?

Thanks,
Linh Khuu


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Domain Control Validation

2020-10-30 Thread Khuu, Linh Contractor via bind-users
Hello,

I have a question. Does anyone know if a CNAME can be added for Domain Control
Validation? For example,

www.example.com. 3600 IN CNAME _8DA14D435F7042B71E212832EBFFD76B.www.geocerts.net.

Can this record be done in BIND?

Thanks,
Linh Khuu
Network Security Specialist
Northrop Grumman IS | Civil Systems Division (CSD)
Social Security Administration
Office: 410-965-0746
Pager: 443-847-7551
Email: linh.k...@ssa.gov
Team's email: dnsfwad...@ssa.gov (#DNSFWADMIN)



DNS TXT record for verification with CNAME

2015-12-11 Thread Khuu, Linh Contractor
Hello,

We have a request to add a TXT record for verification for a subdomain. We
already have a CNAME record for that subdomain.

Currently, we have this:

oig.ssa.gov.    36000   IN  CNAME   dualstack.mc-1231-1799228220.us-east-1.elb.amazonaws.com.

Will there be an error or problem adding a TXT record for "oig.ssa.gov"? Or
will the TXT record for verification have to be added on both sides?

Thanks,
Linh Khuu


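Both questions above (the 2020 www CNAME for domain control validation and the 2015 TXT record beside an existing CNAME) run into the same rule: an owner name that has a CNAME may carry no other data (RFC 1034 section 3.6.2; in a signed zone only the RRSIG and NSEC/NSEC3 records may sit next to it). The lint below is an added example, not code from the thread or from BIND. It parses a small zone file and reports every owner name that breaks the rule. The zone text is constructed from the records in the two posts; the `_dcv.www` label is a hypothetical validation name, the CA specifies the real one.

```python
"""Lint a zone for owner names where a CNAME sits next to other data.

Added example; this is not code from the thread or from BIND. It reads a
simplified zone-file syntax (one record per line, optional TTL and class,
$ORIGIN honoured, ';' comments, no parenthesised multi-line records).
"""
from collections import defaultdict

# DNSSEC metadata may share an owner name with a CNAME (RFC 4035 s2.5); nothing else may.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC", "NSEC3"}


def _absolute(name, origin):
    """Turn '@' or a relative label into an absolute, lower-cased owner name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return a list of (owner, rtype, rdata) with absolute, lower-cased owners."""
    origin = origin.lower().rstrip(".") + "."
    records = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower().rstrip(".") + "."
            continue
        if fields[0].startswith("$"):      # $TTL, $INCLUDE: irrelevant for this check
            continue
        if line[0].isspace():               # leading blank = same owner as the previous record
            owner = last_owner
        else:
            owner = _absolute(fields.pop(0), origin)
            last_owner = owner
        # skip an optional TTL and/or class that may precede the type
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if fields:
            records.append((owner, fields.pop(0).upper(), " ".join(fields)))
    return records


def cname_conflicts(records):
    """Map each offending owner name to the sorted list of types present there."""
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)
    return {
        owner: sorted(types)
        for owner, types in types_at.items()
        if "CNAME" in types and not types <= ALLOWED_WITH_CNAME
    }


def find_cname_conflicts(zone_text, origin):
    return cname_conflicts(parse_zone(zone_text, origin))


# Constructed zone: the www CNAME and the oig CNAME/TXT pair mirror the two
# questions in the threads; _dcv.www is a hypothetical validation label.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@         IN SOA   ns1.example.com. hostmaster.example.com. (2020103001 3600 600 1209600 3600)
          IN NS    ns1.example.com.
www       IN A     192.0.2.10
www  3600 IN CNAME _8DA14D435F7042B71E212832EBFFD76B.www.geocerts.net.
_dcv.www  IN CNAME _8DA14D435F7042B71E212832EBFFD76B.www.geocerts.net.
oig 36000 IN CNAME dualstack.mc-1231-1799228220.us-east-1.elb.amazonaws.com.
oig       IN TXT   "verification-token"
"""

if __name__ == "__main__":
    for owner, types in sorted(find_cname_conflicts(SAMPLE_ZONE, "example.com").items()):
        print(f"{owner}: CNAME and other data ({', '.join(types)})")
```

named-checkzone rejects the same zone with a "CNAME and other data" error, which is the quickest check before a reload. The `_dcv.www` line shows the shape of a record that passes: the CNAME (or a TXT) lives on a dedicated validation label that carries nothing else, so it never competes with the address records of www itself.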

Does anyone have DNSSEC problem with uscg.mil

2013-11-14 Thread Khuu, Linh Contractor
Hi,

Does anyone have any DNSSEC problem with uscg.mil.

On our DNS servers, we have seen a broken trust chain error and the validation
failed.

14-Nov-2013 12:57:37.486 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.573 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.658 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.743 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53

14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil : in authvalidated
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil : authvalidated: got broken trust chain
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil : resuming nsecvalidate
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: starting
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: attempting positive response validation
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: in fetch_callback_validator
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: fetch_callback_validator: got failure
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: starting
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: attempting positive response validation
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: in fetch_callback_validator
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: fetch_callback_validator: got failure

Thanks,
Linh Khuu
Network Security Specialist
Northrop Grumman IS | Civil Systems Division (CSD)
Office: 410-965-0746
Pager: 443-847-7551
Email: linh.k...@ssa.gov


RE: Does anyone have DNSSEC problem with uscg.mil

2013-11-14 Thread Khuu, Linh Contractor
Hi Marc,

Yes, on my DNS server, if I do a dig @8.8.8.8, I got an answer (with the AD bit set).
I also did a dig @pac1.nipr.mil, and I got an answer (with the AA bit set).

However, when I do dig @localhost, that is where I don't get any result at all.

All the DNSSEC tools out there, like dnsviz.net, dnsstuff.com, dnscheck.iis.se,
all show a DNSSEC error for uscg.mil.

Linh Khuu
Network Security Specialist
Northrop Grumman IS | Civil Systems Division (CSD)
Office: 410-965-0746
Pager: 443-847-7551
Email: linh.k...@ssa.gov

From: Marc Lampo [mailto:marc.lampo.i...@gmail.com]
Sent: Thursday, November 14, 2013 1:16 PM
To: Khuu, Linh Contractor
Cc: Bind Users Mailing List
Subject: Re: Does anyone have DNSSEC problem with uscg.mil

Not at this moment :
$ dig @8.8.8.8 mx uscg.mil. +dnssec

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 mx uscg.mil. +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42506
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;uscg.mil.                      IN      MX

;; ANSWER SECTION:
uscg.mil.               8478    IN      MX      40 smtp-gateway-4.uscg.mil.
uscg.mil.               8478    IN      MX      40 smtp-gateway-4a.uscg.mil.
uscg.mil.               8478    IN      MX      10 smtp-gateway-2.uscg.mil.
uscg.mil.               8478    IN      MX      20 smtp-gateway-5a.uscg.mil.
uscg.mil.               8478    IN      MX      10 smtp-gateway-1.uscg.mil.
uscg.mil.               8478    IN      MX      20 smtp-gateway-5.uscg.mil.
uscg.mil.               8478    IN      MX      10 smtp-gateway-1a.uscg.mil.
uscg.mil.               8478    IN      MX      10 smtp-gateway-2a.uscg.mil.
uscg.mil.               8478    IN      RRSIG   MX 7 2 86400 20131118074336 20131113074105 53369 uscg.mil. F...
Observe : AD bit set.

Kind regards,

On Thu, Nov 14, 2013 at 7:00 PM, Khuu, Linh Contractor
linh.k...@ssa.gov wrote:
Hi,

Does anyone have any DNSSEC problem with uscg.mil.

On our DNS servers, we have seen a broken trust chain error and the validation
failed.

14-Nov-2013 12:57:37.486 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.573 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.658 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.743 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53

14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil : in authvalidated
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil : authvalidated: got broken trust chain
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil : resuming nsecvalidate
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: starting
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: attempting positive response validation
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: in fetch_callback_validator
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: fetch_callback_validator: got failure
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: starting
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: attempting positive response validation
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: in fetch_callback_validator
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: fetch_callback_validator: got failure

Thanks,
Linh Khuu
Network Security Specialist
Northrop Grumman IS | Civil Systems Division (CSD)
Office: 410-965-0746
Pager: 443-847-7551
Email: linh.k...@ssa.gov
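Marc's dig against 8.8.8.8 and Linh's own named disagree because each validating resolver builds the chain of trust on its own (root trust anchor, mil DS, uscg.mil DNSKEY, then the answer) from whatever it has cached or fetched, so one resolver can set AD while another reports a broken trust chain for the same name. The script below is an added example, not code from the thread or from ISC. It parses named's resolution-error lines and reports which zones failed validation on this resolver. The first four sample lines are the lame-servers lines posted above; the debug line shows what is ignored, and the last line is a constructed SERVFAIL for a second name so the grouping is visible.

```python
"""Summarise named resolution errors such as 'broken trust chain' per zone.

Added example, not code from the thread or from ISC. Format handled:
"<timestamp> <category>: <level> (<reason>) resolving '<name>/<type>/<class>': <server>#<port>"
"""
import re
from collections import defaultdict

RESOLVE_ERROR_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<level>\w+) \((?P<reason>[^)]*)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)


def parse_resolve_error(line):
    """Return the fields of one resolution-error line, or None for any other line."""
    m = RESOLVE_ERROR_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_resolve_errors(lines):
    """{qname: {reason: {"count", "qtypes", "servers"}}} over all matching lines."""
    summary = defaultdict(
        lambda: defaultdict(lambda: {"count": 0, "qtypes": set(), "servers": set()})
    )
    for line in lines:
        rec = parse_resolve_error(line)
        if rec is None:
            continue
        entry = summary[rec["qname"]][rec["reason"]]
        entry["count"] += 1
        entry["qtypes"].add(rec["qtype"])
        entry["servers"].add(f"{rec['server']}#{rec['port']}")
    # freeze the sets into sorted lists so the result is plain, comparable data
    return {
        qname: {
            reason: {"count": e["count"], "qtypes": sorted(e["qtypes"]), "servers": sorted(e["servers"])}
            for reason, e in reasons.items()
        }
        for qname, reasons in summary.items()
    }


def zones_with_broken_chain(summary):
    """Zones for which this resolver could not build a DNSSEC chain of trust."""
    return sorted(q for q, reasons in summary.items() if "broken trust chain" in reasons)


# Four lines from the post, one debug line that does not match, and one
# constructed SERVFAIL line for a second name.
SAMPLE_LOG = """\
14-Nov-2013 12:57:37.486 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.573 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.658 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.743 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil : authvalidated: got broken trust chain
14-Nov-2013 13:01:02.000 lame-servers: error (unexpected RCODE SERVFAIL) resolving 'example.net/A/IN': 192.0.2.1#53
"""

if __name__ == "__main__":
    summary = summarize_resolve_errors(SAMPLE_LOG.splitlines())
    for zone in zones_with_broken_chain(summary):
        e = summary[zone]["broken trust chain"]
        print(f"{zone}: {e['count']} failures for {e['qtypes']} via {e['servers']}")
```

To separate a validation failure from an unreachable authority on the same resolver, repeat the query with `dig @localhost uscg.mil A +dnssec +cd`: +cd tells named to skip validation, so an answer with +cd and SERVFAIL without it means the chain of trust, not the network path, is what fails.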

named crashed

2012-12-10 Thread Khuu, Linh Contractor
Hello,

Our named just crashed this morning. I looked into the log, and saw the
following errors in the log. What is dst_api.c? Why did it fail? Does anyone have
experience with this error? What do I do to prevent this error from happening
again? We're running BIND 9.8.3-P1.

10-Dec-2012 12:05:51.118 general: dst_api.c:1256: REQUIRE((&key->refs)->refs == 0) failed
10-Dec-2012 12:05:51.118 general: exiting (due to assertion failure)

Thanks for all your help,
Linh Khuu





DNSSEC for NS delegation record

2012-07-17 Thread Khuu, Linh Contractor
Hi,

I have questions about how to configure the DNS with an NS delegation record once
it's signed.

My DNS server is the parent zone, for example, testing.net, and is signed
with DNSSEC. My zone configuration is as follows:

$TTL 36000
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32934.key ; key signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+46725.key ; zone signing key
$INCLUDE /var/named9/dnssec-testing/Ktesting.net.+007+32367.key ; pre-published zone signing key
@ IN SOA dns1.testing.net. root.testing.net. (2011031200 3600 600 1209600 14400)

Testing.net. IN  NS  dns1.testing.net.
Testing.net. IN  NS  dns2.testing.net.
www   IN  A   168.168.168.168
access IN  NS   sub1.testing.net.

As of right now, sub1.testing.net isn't DNSSEC compliant yet. We want
sub1.testing.net to be DNSSEC aware.

My question is, do we (as parent of the testing.net zone) need to generate the key
signing key (KSK) and zone signing key (ZSK) for sub1.testing.net, or should the
sub1.testing.net server do that? If they generate the keys to sign all the
records on their server, do they need to send us their key files? How do we (as
parent) include those keys in our zone file?

Thanks,
Linh Khuu



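Added example for the question above; this is not code from the thread or from BIND. Signing the delegated zone is the child's job: it generates its own KSK and ZSK and signs its own records. The parent publishes only a DS record, a hash of the child's KSK DNSKEY, next to the NS records of the delegation, and re-signs its zone. The DS owner is the delegated zone name (access.testing.net in the zone file above), not the host name of the child's nameserver. The script derives that DS from a DNSKEY line in the format of a K<zone>.+007+<id>.key file; the public key here is a constructed three-byte blob, not a usable key. For a real key file, `dnssec-dsfromkey` produces the same record.

```python
"""Derive the DS record a parent publishes for a child's KSK (RFC 4034 s5 and App. B).

Added example, not code from the thread or from BIND. The DNSKEY below uses a
constructed public key (three bytes); algorithm 7 matches the key file names
in the thread.
"""
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg <base64 ...>' as written in K*.key files."""
    fields = line.split(";", 1)[0].split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for the DS of this DNSKEY.

    digest = H(canonical owner name || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_zone_line(dnskey_line, digest_type=2):
    """The line the parent adds next to the child's NS records."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey_line(dnskey_line)
    tag, alg, dt, digest = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type)
    return f"{owner.rstrip('.')}. IN DS {tag} {alg} {dt} {digest}"


# Constructed child KSK: flags 257 (KSK), protocol 3, algorithm 7. The owner is the
# delegated zone (access.testing.net), not the nameserver host sub1.testing.net.
CHILD_KSK_LINE = "access.testing.net. IN DNSKEY 257 3 7 AQID"

if __name__ == "__main__":
    print(ds_zone_line(CHILD_KSK_LINE))
```

The child hands over only the DNSKEY (or the DS it derived), never a private key. In the parent zone above the result sits under the existing delegation, `access IN NS sub1.testing.net.` followed by `access IN DS <tag> 7 2 <digest>`, and the DS has to be replaced whenever the child rolls its KSK.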

Format of the IPv6 reversed zone

2011-07-28 Thread Khuu, Linh Contractor
Hello,

I'm new to configuring IPv6 in BIND. I need help. The forward zone is simple
enough with an AAAA record, but the reversed zone is a bit confusing to me.

For example, I want to add a hostname of www.example.com for 2001:1930:c00::2.
This IPv6 address is in a /48.

How can I add this IPv6 address in a reversed format?

$ORIGIN 0.0.0.0.0.0.0.c.0.3.9.1.1.0.0.2.ip6.arpa. IN SOA ..

@ NS dnstemp1.example.com.

What should I put for the PTR???

Is the reversed for IPv6 in the ip6.arpa file or IP6.int file???

Thanks,
Linh Khuu


RE: Format of the IPv6 reversed zone

2011-07-28 Thread Khuu, Linh Contractor
Thanks Jay and Leonard for the pointers of IPv6 format.

Linh Khuu


-Original Message-
From: Jay Ford [mailto:jay-f...@uiowa.edu] 
Sent: Thursday, July 28, 2011 2:22 PM
To: Khuu, Linh Contractor
Cc: 'bind-users@lists.isc.org'
Subject: Re: Format of the IPv6 reversed zone

On Thu, 28 Jul 2011, Khuu, Linh Contractor wrote:
> I'm new to configuring IPv6 in BIND. I need help. The forward zone is
> simple enough with an AAAA record, but the reversed zone is a bit confusing to
> me.
>
> For example, I want to add a hostname of www.example.com for
> 2001:1930:c00::2. This IPv6 address is in a /48.
>
> How can I add this IPv6 address in a reversed format?
>
> $ORIGIN 0.0.0.0.0.0.0.c.0.3.9.1.1.0.0.2.ip6.arpa. IN SOA ..
>
> @ NS dnstemp1.example.com.
>
> What should I put for the PTR???
>
> Is the reversed for IPv6 in the ip6.arpa file or IP6.int file???

It's in ip6.arpa.  The whole name for 2001:1930:c00::2 should be:
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.C.0.0.3.9.1.1.0.0.2.IP6.ARPA

In your origin above you lost a 0 right of the c.  The :c00: chunk is
actually :0c00:, so the correct origin is:
0.0.0.0.0.0.c.0.0.3.9.1.1.0.0.2.ip6.arpa
in which the PTR RR would be:
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN  PTR www.example.com.


Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
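Jay's answer above does the conversion by hand. The script below is an added example, not code from the thread, that does it programmatically for the thread's address under both a /48 and a /64 origin. It also makes the slip in the original $ORIGIN visible: every one of the 32 hex digits of the expanded address has to appear, so the `:c00:` group contributes `0.0.c.0`, not `0.0.c`. The second host in the sample output is constructed.

```python
"""Build ip6.arpa names and reverse-zone PTR owners for IPv6 addresses (RFC 3596 s2.5).

Added example, not code from the thread. Uses the thread's address and prefix;
the second host in the sample is constructed.
"""
import ipaddress


def ip6_arpa_name(addr):
    """Full reverse name: all 32 nibbles, least significant first, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")   # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_origin(prefix):
    """$ORIGIN of the reverse zone for a prefix whose length is a multiple of 4."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("reverse zones cut at nibble boundaries: /48, /52, /56, /60, /64 ...")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_owner_relative(addr, prefix):
    """Owner name of the PTR record relative to the zone's $ORIGIN."""
    full, origin = ip6_arpa_name(addr), reverse_zone_origin(prefix)
    if not full.endswith("." + origin):
        raise ValueError(f"{addr} is not inside {prefix}")
    return full[: -len(origin) - 1]


def reverse_zone(prefix, hosts):
    """Render the $ORIGIN and PTR lines of a reverse zone; target names are made absolute."""
    lines = [f"$ORIGIN {reverse_zone_origin(prefix)}"]
    for addr, hostname in hosts:
        target = hostname if hostname.endswith(".") else hostname + "."
        lines.append(f"{ptr_owner_relative(addr, prefix)} IN PTR {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    # the thread's host plus one constructed neighbour in the same /48
    print(reverse_zone("2001:1930:c00::/48", [("2001:1930:c00::2", "www.example.com"),
                                              ("2001:1930:c00:1::25", "mail.example.com")]))
```

The trailing dot on the PTR target matters: without it, named expands `www.example.com` under the ip6.arpa origin. named-checkzone on the generated file catches that and any owner name that does not fit the origin.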


RE: IPv6 prefix length error

2011-04-29 Thread Khuu, Linh Contractor
Thanks Mark for your recommendation!!!

However, in the ifconfig -a output, I have:

lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 127.0.0.1 netmask 0xff00 broadcast 127.255.255.255
        inet6 ::1/128

But I still see the error in the log 28-Apr-2011 23:58:02.935 general: prefix 
length for ::1 is unknown (assume 128)

As for the prefix length of the IPv6 address of the interface, we have 
2001:1930:e03::e/48, but the log still show the error of (assume 128).

Will this error cause any problem with named to resolve IPv6 addresses?

Linh Khuu
Network Security Specialist
MicroTech ESS Contract
Office: 410-966-0798
Pager: 410-232-2350
Email: linh.k...@ssa.gov


-Original Message-
From: Mark Andrews [mailto:ma...@isc.org] 
Sent: Thursday, April 28, 2011 7:53 PM
To: Khuu, Linh Contractor
Cc: 'bind-users@lists.isc.org'
Subject: Re: IPv6 prefix length error


In message f80b214c2304c641b917b47051d743c407f0297...@hq-mb-08.ba.ad.ssa.gov,
 Khuu, Linh Contractor writes:
> Hello,
>
> We just added the IPv6 address on our DNS servers. When we started named, we
> see these errors in the log:
>
> prefix length for 2001:1930:e03::e is unknown (assume 128)
> prefix length for ::1 is unknown (assume 128)
>
> So far, named is still running fine... I can't find any information to correct
> these errors.
>
> Thanks,
> Linh Khuu

These are reported because named was unable to determine the prefix
length associated with the address.  Usually because no one has
documented the OS-specific method for doing this or it is write
only.

Please contact your OS vendor so they can address the issue.

The major implication of not having this information is that the builtin
localnets acl will not be complete.  Instead of 2001:1930:e03::/64,
assuming it is a /64, it will have 2001:1930:e03::e/128.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
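Mark's reply above says the only real consequence of the "assume 128" message is an incomplete builtin localnets ACL. That matters when localnets decides who may use the resolver. The fragment below is an added example, not from the thread: the first options block is the one that silently breaks on this host (the local prefix is missing from localnets, so only the server's own address matches), the second states the prefixes explicitly. The 2001:1930:e03::/48 prefix is the one Linh gave; the ACL name and the allow-query-cache line are assumptions, and a named.conf holds only one options block, so use one or the other.

```conf
// Added example, not from the thread.

// Before: relies on the builtin ACL. With "prefix length ... unknown (assume 128)"
// localnets holds 2001:1930:e03::e/128 instead of 2001:1930:e03::/48, so IPv6
// clients on the local prefix are refused recursion without any further log line.
options {
    allow-recursion   { localnets; localhost; };
};

// After: spell the prefixes out so the ACL does not depend on what named
// could learn from the OS.
acl "ourclients" {
    127.0.0.1;
    ::1;
    2001:1930:e03::/48;    // the prefix from the thread; adjust to the real one
};
options {
    allow-recursion   { ourclients; };
    allow-query-cache { ourclients; };
};
```

Check the effect with `rndc` reconfig and a query from an IPv6 client on the prefix: with the first block it gets REFUSED (or a non-recursive referral), with the second it gets an answer. The log message itself is harmless for resolution; it only describes what named could not learn.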


RE: IPv6 prefix length error

2011-04-29 Thread Khuu, Linh Contractor
We're running AIX 5.3

Linh Khuu


-Original Message-
From: bind-users-bounces+linh.khuu=ssa@lists.isc.org 
[mailto:bind-users-bounces+linh.khuu=ssa@lists.isc.org] On Behalf Of Phil 
Mayers
Sent: Friday, April 29, 2011 9:57 AM
To: bind-users@lists.isc.org
Subject: Re: IPv6 prefix length error

On 04/29/2011 02:17 PM, Khuu, Linh Contractor wrote:
> Thanks Mark for your recommendation!!!
>
> However, in the ifconfig -a output, I have:
>
> lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
>         inet 127.0.0.1 netmask 0xff00 broadcast 127.255.255.255
>         inet6 ::1/128

So?

As Mark said, the problem is that:

> no one has documented the OS-specific method for doing this or it is
> write only.

Sure, the OS tools know it. But named doesn't.

What OS & Version are you running?


IPv6 prefix length error

2011-04-28 Thread Khuu, Linh Contractor
Hello,

We just added the IPv6 address on our DNS servers. When we started named, we 
see these errors in the log:

prefix length for 2001:1930:e03::e is unknown (assume 128)
prefix length for ::1 is unknown (assume 128)

So far, named is still running fine... I can't find any information to correct 
these errors.

Thanks,
Linh Khuu


named crashed (mem.c:1099: INSIST(ctx-stats[i].gets == 0U) failed)

2011-04-12 Thread Khuu, Linh Contractor
Hi,

Last night, our named crashed with the following errors:

daemon:crit named[221184]: mem.c:1099: INSIST(ctx->stats[i].gets == 0U) failed
daemon:crit named[221184]: exiting (due to assertion failure)

named restarted fine and running without any problem. Does anyone have any idea 
why named crashed with these errors??? Is it a bug in bind?? We're running bind 
9.7.3.

Thanks,

Linh Khuu





Deny query to specific domain

2011-04-05 Thread Khuu, Linh Contractor
Hello,

Is there a way in BIND to deny or block queries to a specific domain? For
example, I don't want anyone within my organization to query
example.com. Is there any option in named.conf that allows that?

Thanks

Linh Khuu
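Two ways to do what the question above asks in named.conf, as an added example that is not from the thread. Both make the recursive server stop resolving example.com for its clients; the file paths and the rpz.local zone name are assumptions. Option 1 works on any BIND 9. Option 2, a response policy zone, exists from BIND 9.8 on and keeps the policy in a separate zone whose hits are logged.

```conf
// Added example, not from the thread. Use one of the two options.

// Option 1: serve an empty ("sinkhole") zone for the domain. The server now
// claims authority for example.com, so every name under it answers NXDOMAIN
// from local data and nothing is ever sent to the real example.com servers.
zone "example.com" {
    type master;
    file "/etc/namedb/empty.db";    // SOA and NS only; path is an assumption
};

// Option 2: response policy zone (BIND 9.8 and later). Clients never see the
// policy zone itself; the CNAME targets below are RPZ actions, not real names.
options {
    response-policy { zone "rpz.local"; };
};
zone "rpz.local" {
    type master;
    file "/etc/namedb/rpz.local.db"; // path is an assumption
    allow-query { none; };           // policy data is not for clients to read
};
```

Contents of the two zone files referenced above (constructed):

```conf
; empty.db (option 1): nothing but the apex records
$TTL 3600
@   IN SOA localhost. root.localhost. ( 1 3600 600 86400 3600 )
    IN NS  localhost.

; rpz.local.db (option 2): CNAME to "." means answer NXDOMAIN
$TTL 300
@               IN SOA   localhost. root.localhost. ( 1 3600 600 86400 300 )
                IN NS    localhost.
example.com     IN CNAME .     ; the domain itself
*.example.com   IN CNAME .     ; and everything below it
```

Either way, the block only covers clients that actually use this resolver; a host that points at another resolver, or that has the name in its hosts file, is unaffected, so the egress firewall, not named, is the place to make it stick.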