refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)
at my work cellphone had died, and work never thought to try contacting me by any other means, like my home phone(s), such as the one they had called me on when a replace-bad-mirror went south (two problems: the replacement disk wasn't partitioned the same way as the good disk, and it ran out of relocation sectors soon after resilvering was done). But, apparently they could only think to try work means during this time: voicemail (the SMS notification goes where?), office Jabber (the SMS notification goes where?). I did set up voicemail IMAP retrieval on my (personal) smartphone. The work cellphone is the only one out of 4 I have that wasn't plugged in; it's a KRZR K1, which has to use its special mini-USB charger... not a mini-USB cable from my charging station, so it's tangled into a big ball with various other cords on the floor by my desk. But, the phone had been sitting by the computer where I was working.

Ended up with a health check from the police, though the police didn't say why work had done that. Found other voicemails saying they heard back from the police that I'm alive, but still can't get a hold of me about the emergency.

So it was a few hours later before I happened to see cacti graphs of my DNS servers (and saw spikes from having been restarted a few times). In taking a peek at my email to see what's up... fixed it quick... after peeling out all the weird things that other admins were trying. After the dust settled, it was off to catch up on the backlog of DNS tickets that were somewhat dependent on this.

I have one split domain... which I had been doing as: master scp's the (signed) zone to the other servers, which all act as master for it.
Along with fixing the problem caused by upgrading to 9.9.7-P2, where we had all the zones using the same file between internal/external views. Which I had kluged a fix for by having CFEngine copy from internal to external, and "if repaired" do an 'rndc reload'. Surprised it held together for 3 months; had figured that it would do for a couple of weeks, but wanted it out of the way should I end up put out on disability.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: separation of authoritative and recursive functions on internal networks
On 2015-08-10 13:12, Mark Andrews wrote:
> Authoritative servers (listed in NS records) shouldn't be recursive.
> This prevents leakage of cache data. This provides consistent answers.
> The server also doesn't have to decide what type of answer to give
> (recursive vs authoritative). Glue doesn't get overridden by answers, etc.
>
> Recursive servers (honouring RD=1) however can be authoritative for zones.
> This provides robustness in the presence of link failures. Faster than
> TTL expiry of local zone changes (provided that notify messages are sent).
>
> Unfortunately this has become strict separation lore which really wasn't
> ever the intent.
>
> Mark

Though it didn't work out the one time we had an extended link blockage (due to a full log volume: no log, no pass). At first local resolution continued working, until all the recursion slots (10,000) filled up on my (4) recursive servers, which are authoritative slaves for the local domain... had them stop answering anything.

Otherwise, it's normally how we get local changes out quickly despite usually having a 1 day TTL. Though when it's a domain that we host that they want to see a quick local change to, we sometimes do nasty cache flushes to make that change appear. I have a script that takes care of that, which goes through all the servers without delays (I've debated on which is better, or if it doesn't matter). I've played around with flushname/flushtree, but they don't seem to always work.

So, I'm considering trying to separate things again.
Re: configuration error in lists.isc.org
On 2015-08-13 21:14, Mark Andrews wrote:
> In message 94ac3fe7e1948b9c0ce80a78f8a59...@lhaven.homeip.net, Lawrence K. Chen, P.Eng. writes:
>> Earlier today had a request to add another entry... didn't notice how close the string was to 255? characters.
>
> You just use multiple fields if there isn't space. The fields are concatenated together with no space to produce the full SPF entry.
>
> e.g. "ab" "cd" -> "abcd"
>
> Mark

I had thought that was the way... what I had forgotten were the parens... so ( "ab" "cd" ) -> "abcd"
Re: configuration error in lists.isc.org
On 2015-08-10 17:12, Reindl Harald wrote:
> truncated the long, hard to understand and unrelated stuff
>
> Am 10.08.2015 um 23:49 schrieb Lawrence K. Chen, P.Eng.:
>>> that above is pure nonsense - your DOMAIN has either a strict SPF policy (-) or a testing policy (~) and no mix of both
>>> ~ means testing, please don't reject if it doesn't pass and *nothing* with good or bad IPs - from the moment on you have a ~ you don't enforce SPF for *anybody*
>>> bad enough that this topic appeared at all but much more bad that so many people set up SPF without understanding it
>>
>> Except there are people that feel a strict black and white policy is too limiting.
>
> well, when you can't say from where you send mail you should refrain from setting up SPF at all

Except there are external forces that demand an SPF, and that it contain specific strings at all times. Namely Office365: the add-domain-to-tenant process can't be completed until things are just the way it wants. And, if you temporarily switch back and then back again, it's flagged that it wasn't right already and the extra bits don't match... so went through the whole verification and setup process again (I wouldn't have thought the verification stuff was needed again after the first time, but I may have skimmed the docs wrong, or the group that admins it and generates those DNS tickets did).

>> Especially when the IPs are a shared resource of the service provider where there's little to stop another customer from pretending to be us (just as there was nothing for us to pretend to be the shared resource
>
> don't enforce SMTP authentication?

Doesn't matter if there'll be at least one person among the group that'll fall victim to a spearphishing email, and they run a mail system where sending forged emails is permitted. Though Office365 seemed to be the first that I've encountered that only allows you to send from addresses that you're approved for. Our previous and in-house systems allowed anything once authenticated.

Some of these phishers can be weird... until recently we used to still provide an on-premise auth. SMTP server (a certain group has people in the field with an email client that only supported export ciphers). So, it's weak and exposed... but some people had responded to spearphishing emails, and the phishers used the credentials to connect to our VPN and then authenticate into SMTP to send their spearphishing emails. (Sad thing is our non-authenticated SMTP could also have been reached with VPN; now the ports are blocked from VPN. By default our VPN is split tunnel, so it's not needed to hit Office365.)

>> or permit a visiting researcher to continue to send with his email address but through our servers)
>
> this has *nothing* to do with *your* SPF policy

I had explained that; the only thing I didn't do was suggest they contact their own admins to get us added to their SPF. Though I wouldn't be surprised if there had been such requests.

>> When suddenly they set up an SPF and rejected mail from us, with lots of angry messages and calls that it's my job to fix it so it'll work again.
>
> in that case it has to be ruled out if you made a mistake by not including all your sending servers in your SPF

No, that's... was it my mistake to not include all my sending servers in your SPF... ummm, no.

>> As apparently lots of different universities have been originating mail this way for years and years. And, they need to continue to do so, as the application can't do any authentication for sending (since it had always worked)
>
> that's a lame excuse and finally means don't set up SPF/DMARC at all if you have no clue who is sending from where with what envelopes
>
> "since it has always worked" is a bad attitude - you enforce policies or just don't touch them at all

We don't do DMARC, though it has come up that we should do DKIM (plus everything we send should be signed, so they won't yield 100 passwords by sending a forged email that looked like it was from our CIO). Except we permit an overly diverse selection of email clients to be used, where most of them don't support S/MIME.

The DMARC issue is largely due to yahoo and aol. Not sure about aol, but there are a lot of faculty and students with yahoo or hotmail addresses (there's no restriction on forwarding a university email address to another, and it's not uncommon for students to do that. And, it turns out when we generate class mailing lists, the forwarded-to account is on the list directly; cuts down on the extra hop, and when it was our servers it helped cut the load). But, the DMARC issue hit our listserv. Don't know if there's a breakdown of what's forwarded... but we always had lots of problems with getting blocked by yahoo or hotmail in the past (since forward-all includes all the spam a user receives, and some places realize that we're just the messenger, while other places don't care who they shoot). But, aol came up again due to DMARC. I think
Re: configuration error in lists.isc.org
On 2015-08-13 18:47, Reindl Harald wrote:
> Am 13.08.2015 um 23:15 schrieb Lawrence K. Chen, P.Eng.:
>> On 2015-08-10 17:12, Reindl Harald wrote:
>>> well, when you can't say from where you send mail you should refrain from setting up SPF at all
>>
>> Except there are external forces that demand an SPF, and that it contain specific strings at all times. Namely Office365: the add-domain-to-tenant process can't be completed until things are just the way it wants.
>
> no, no and no again
>
> these are TXT records which have nothing to do with SPF and hence i am done with you talking about SPF

http://office365support.ca/adding-and-verifying-a-domain-for-the-new-office-365/ #17 has the SPF record they need to verify at #20 before you can finish.

Since we had done this so we could start migration, we switched things back. Though Microsoft had kept saying we start green, and maybe backfill later... since it was a little seamless with this switch (except that I run SSL proxies so users can continue to do IMAP and POP3 using the old names, and our old webmail domain redirects them to O365 so they can be redirected a few more times throughout our SSO process... for which is which now... but we do one type and Microsoft takes the other, so there's a hop where they get the Microsoft one from ours. There was a time that I was doing SSL proxy for webmail, but those were darker times...)

I strongly suspect that either the error that our required DNS fields were wrong was more of a warning, or that starting over at #1 wasn't necessary.

Namely, that our SPF is kind of bad now. I counted 16 include:'s. The mailhop one contains 8, + itself makes 9; O365 has 3 + 1; and qualtrics is an include to just a single include, to consume 2. Earlier today had a request to add another entry... didn't notice how close the string was to 255? characters.

Not sure how I could possibly get the lookups to 10 (or less), without risky behavior...
Re: configuration error in lists.isc.org
On 2015-08-10 16:49, Lawrence K. Chen, P.Eng. wrote:
> Though I realize my error in not recalling that there is a middle (neutral) level, and which is more appropriate, since softfail is somewhere between fail and neutral, which is not where I had intended the servers to be.

Went to fix it, only to discover that I had fixed it 1.5 years ago... maybe I am losing my mind. Did it while cleaning up SPF after an O365 verification, too.

Thought I read somewhere that the SPF RR has been discontinued. Should I, and is it safe to, remove those now?
Re: configuration error in lists.isc.org
On 2015-08-07 22:23, Reindl Harald wrote:
> Am 08.08.2015 um 05:13 schrieb Lawrence K. Chen, P.Eng.:
>> So, when we were with this provider, our SPF had the exclusive pool as good, but included the other pool prefixed with '~'
>
> can we stop that foolish discussion on the named list?

How about an unnamed one?

Plus this is passing the time while I'm waiting to see if I understood https://kb.isc.org/article/AA-00295/ and had adjusted it for BIND 9.9.0 or greater correctly... Not quite sure if use of external or internal in master vs notify is on the correct side. It links to https://kb.isc.org/article/AA-00851/0 (and says example 4), which gives an example where it's hard to tell if or how it matches... except it's a two-server example, and while it's better formatted than the previous article, it doesn't say what the server IPs are, so the IPs getting notified or being master could just as well be servers not shown, let alone whether it's the other server or itself. Plus it has master zones in one view, and then says loopback is the master for the slave zone in the second (should be the one in the first view, right?), but the only notify it does is to some unknown external IP that could be itself, the other server in the example, or one not shown, and not its master.

Which might seem an odd thing to do normally... except that on my system, in both views, both zones are slaves. So, the internal view does zone transfers with the master(s), and passes it to the external view so that its exposed slaves can get it. And, hopefully this solution will restore sending them notifications, which seemed to work as both sides sharing the file, but not as the outside being updated by unison (for reasons unknown). I have one internal server that updates the external view, though only 3 zones go to internal slaves... and originate from this server's master zone. Also the one exception in direction has multi-master set, as it receives notifications and transfers from AD servers (3)... with off-by-one serial numbers.

Presumably all the multi-master option does is shut off the noise (and the highest one always wins), since the alternative is probably the latest one wins. Not sure how one would handle it if it's the middle one or the youngest one, or a mix. Or maybe it's the one named ads1 that wins over ads2 and ads3, but what happens when they're impossible to type and differ only by a letter or two, like the ones that were names of Jedi masters (or so we were told...). Though I thought the boss said skywalker was part of his naming servers after bulldozers or something. Of servers from that time, only brutus and muskie live on: a Solaris 9 Sun Cluster, doing NFS from our 9990V (which had replaced our 9985). Needed to be retired a long time ago... but getting people to migrate to NAS has been a problem, especially one group that had made extensive use of Sun ACLs, and we don't yet have NFSv4 working anywhere... our ksuPerson schema makes LDAP integration difficult everywhere... though the new devs are making progress at getting some things back, like stripping it totally of any way to do or support groups. Though that group's use of Sun ACLs is on the decline since they're pushing the use of the central CMS for everything... so the CMS becomes the only user allowed to write, though it wiped out a secret 'intranet' directory... and the idea of getting it restored didn't occur until after the 90 day backup retention time. And, apparently not an area covered by any archive policy (some of which are subject to infinite retention). All future LTO drives will retain the ability to read LTO1 tapes, which leaves the problem of the period of time when they were NDMP backups from a NetApp filer.

> that above is pure nonsense - your DOMAIN has either a strict SPF policy (-) or a testing policy (~) and no mix of both
> ~ means testing, please don't reject if it doesn't pass and *nothing* with good or bad IPs - from the moment on you have a ~ you don't enforce SPF for *anybody*
> bad enough that this topic appeared at all but much more bad that so many people set up SPF without understanding it

Except there are people that feel a strict black and white policy is too limiting. Especially when the IPs are a shared resource of the service provider, where there's little to stop another customer from pretending to be us (just as there was nothing for us to pretend to be, or permit a visiting researcher to continue to send with his email address but through our servers). When suddenly they set up an SPF and rejected mail from us, with lots of angry messages and calls that it's my job to fix it so it'll work again. As apparently lots of different universities have been originating mail this way for years and years. And, they need to continue to do so, as the application can't do any authentication for sending (since it had always worked). Though I haven't gotten a smarttable hack that I found that should allow me to send through
Re: do not stupidly delete ZSK files
On 2015-08-07 09:50, Heiko Richter wrote:
> Am 07.08.2015 um 07:16 schrieb Lawrence K. Chen, P.Eng.:
>> On 2015-08-06 19:26, Heiko Richter wrote:
>>
>> Though back then I was still building bind 32-bit, and the hardware was much slower. A full signing was more than 10x longer than on our current hardware, which can get it done in just under a minute (usually). The need for speed is some people expect DNS changes to be near instantaneous.
>
> So either you have very slow servers, or a really big zone, if it takes a whole minute to sign it. Just use inline-signing and the changes will be instantaneous. As soon as nsupdate delivers a change to the master server, it will sign it automatically and send out notifies. Doesn't even take a second, as only the changes need to be signed, not the whole zone.

It's big and probably full of a lot of stuff that isn't needed anymore, etc. Though there's something weird about the zones too.

>> our ksu.edu zone will have more entries than the k-state.edu one, even though by policy they should be the same,
>
> Just one addition aside from the fact that your network seems to drown in chaos: If the two zones are mandated to be the same, just empty one of them, put a DNAME record in it that points to the other one and make all future changes there. That way you can be sure the two zones are always in sync.

But, there are cases where what is pointed to for a name differs. It has only been recently that we've had access to multi-name certificates, and so far nothing has migrated to the new F5 where SNI is available. There had only been one request for an SNI virtual server... but that was before I knew whether there was ever going to be a new F5 in the future. There had been a lot of talk that we'd stop... the F5 is the first thing that is blamed... when it's doing the best it can.

There are also specific exceptions where something is only on one side and not the other (though not all the reasons are clear or known to me, plus the ones that just make no sense at all. Like our central LDAP is ldap.k-state.edu, while there was a personal website on ldap.ksu.edu). Though it was a conscious decision that our RFC 1918 systems were only in 'campus.ksu.edu', so there's no campus.k-state.edu entry. Can't recall off the top of my head a case where something exists only in k-state.edu. But, I'm sure if I looked there'll be some.

Otherwise, we make pretty heavy use of $INCLUDE of sections that are common on both sides, especially after an incident where there was a significant mismatch (due to over-editing... have to be more careful when using global search and destroy ;) Hopefully the use of relative $ORIGIN's in include files remains valid. Though I had found some include files where they created two blocks of $ORIGIN. Which seems to have become extra noisy now, namely a giant log file (close to its 10M rotate point). Grep out those lines to see what other warnings there are; left with less than a screenful of lines. Stopping those, it was time to turn my attention back to fixing the shared slave zones...
Re: configuration error in lists.isc.org
On 2015-08-06 19:00, /dev/rob0 wrote:
>> My SPF record doesn't include lists.isc.org, of course, and it never will. Furthermore it ends with -all so all my messages to the list are being rejected by list members who have SPF-aware servers.
>
> No, GNU Mailman (which is the software behind lists.isc.org) does the right thing, setting a proper *envelope* sender address in the ISC domain. Proper filtering would go on the envelope sender.

Hmm, I had thought to look, but I see that now... which seemed that it should be the ideal way to go.

People here have gotten angry when something changes headers on them. Office 365 rewrites From lines... and it's not in a fixed way, as it breaks my mail filters every now and then. The rewriting had angered users here, since for some of us what we put with our email address in the From is important or consistent (it's what I set my From to when I first started here; not sure what people would think if I changed it. Though there'll be a point where I might want to stop paying for the right to use it...)

>> Just wanted to let you all know about it as I can imagine I'm not the only person who has outgoing SPF. And the worst thing: If you have a record ending with ~all your messages will be accepted but probably end up in a spam report container slowly eating away the good anti-spam reputation your server has.
>
> Unfortunately a lot of sites do silly things, so there may be a bit of truth in that. But it's not a reason to join in on doing silly things.

In looking through the received headers I see that there's no SPF for lists.isc.org.

We used to have ~all for our SPF, but eventually we went with -all, and that has caused some weird rejections for people. Like a researcher needs to email expenses to some .gov address, which is just a forwarder to the real person's address, but the mailer for that address doesn't see their forwarder as an allowed address for us, so it bounced the emails back. I don't see why I need to list the .gov as ours... when the people that run it don't trust it. But, various reasons didn't seem to calm the person down... went over our heads but never heard about the issue again.

OTOH, we have caved on adding systems that aren't 'ours'... though how much of Office365 is actually 'ours'? But I think we currently have a couple of includes for mass emailing solutions or our survey system (normally we push for them to use a subdomain; our old in-house survey system was on its own subdomain, which the new one can use, but it's more flexible on what users can use; it then comes down to whether there's an SPF rule in their way or not).

>> So ISC: please fix your list servers, let them rewrite the From headers!

Seems to me this is the Listserv way, though we haven't yet upgraded to that version of Listserv. Otherwise I had thought about using MIMEDefang to rewrite the envelope so that our old Listserv could continue... current is 16, ours is 14; really need to get it upgraded for other reasons... and though they were going to finally go live while I had been away, now it might not be until next year? Suspect there's something between our class-list-generating automation: while our mainframe is gone, the automation, a collection of nearly 150 ReXX scripts, lives on. And, it does things that Listserv is not supposed to allow... like prevent users from unsubscribing from a list... though that's basically processing the notification that somebody has unsubscribed, and sending commands to resubscribe them.

While MIMEDefang can also rewrite From/To/Subject, etc., I personally don't like such things. Especially the rewriting because it thinks the email is spam (or I am, and changes it so the email can't be replied to, etc.) Though the frequency of complaints over this seems to have dropped off here... though it's summer and most people haven't noticed yet that the new Listserv did not go live on June 1st.
tsig zone sharing between zones check + scream
Just noticed that about 12 hours ago, the business office person finally updated our KSK with the registrar (where the window was last month).

Well, apparently history must repeat. 3 years ago, we rolled over from RSASHA256 to RSASHA256... but the person that did all the interaction with registrars (where the criteria is that they be in a position to pay as needed, which did used to be dns administrator/department manager/etc., but when they left the new manager didn't want us to continue to have that responsibility... but would've taken it... anyhoo) selected the algorithm type as RSASHA1-NSEC3... Which caused a bit of an outage, especially since they went on vacation right after having left it to the last minute (we had a 60 day rollover window)... originally I had gone around end of fiscal year, but decided to shift it...

Well, this time, still going RSASHA256 to RSASHA256 (I had done the roll from RSASHA1-NSEC to RSASHA256 before it was possible to register such things with the registrar... so only DLV was involved, though I did run into a problem since I had a DS record in my zone, etc. The mismatch doing one then the other apparently was the wrong way to go... or something.) So this time... RSASHA1 (#5) got selected.

So about TSIG sharing a zone. Is something like this right? (ignoring any typos ;)

==
key external {
    algorithm hmac-sha1;
    secret "...";
};
key internal {
    algorithm hmac-sha1;
    secret "...";
};

options {
    notify explicit;
    allow-transfer { none; };
};

acl k-state { 129.130/16; 10.130/16; 10.131/16; 10.132/16; ... 10.139/16; 172.21/16; 192.168.x.0/24; 10.0.0.0/24; };
acl internal { !key external; key internal; k-state; };
acl external { !key internal; key external; any; };

view internal {
    match-clients { internal; };
    allow-transfer { key internal; };
    zone "ksu.edu" {
        type master;
        file "pri/ksu.campus.signed";
        allow-transfer { key internal; int-secs; };
        also-notify { 129.130.x.x; 129.130.x.y; 129.130.x.z; };
    };
    zone "ads.ksu.edu" {
        type slave;
        file "sec/zone.ads.ksu.edu";
        masters { 127.0.0.1 key external; 129.130.y.y; 129.130.y.z; };
        multi-master yes;
        also-notify { 127.0.0.1 key external; };
    };
};

view external {
    match-clients { external; };
    allow-transfer { key external; };
    zone "ksu.edu" {
        type master;
        file "pri/ksu.edu.signed";
        also-notify { 129.130.139.150 key external; 129.130.139.151 key external; 129.130.254.21 key external; };
    };
    zone "ads.ksu.edu" {
        type slave;
        file "ext/zone.ads.ksu.edu";
        masters { 127.0.0.1 key internal; };
        also-notify { 129.130.139.150 key external; 129.130.139.151 key external; 129.130.254.21 key external; };
    };
};
==

I think that's what I'm thinking, though it's been so long since I took a break from the monitor that I can barely see now.
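To check which view a request lands in under ACLs like the ones above, and why the `!key` negations sit first, here is an added Python example. It is mine, not code from the original post or from BIND, and it emulates BIND's address-match-list rules: elements are tested in order, the first match decides, and a negated element that matches rejects the whole list at once. The address ranges are a constructed subset of the poster's k-state ACL (the original elides part of the list with "..."); 127.0.0.1, the view order and the key names come from the config.

```python
import ipaddress

# Address-match-list elements, written the way they appear in named.conf:
# an IP prefix, "key <name>", "any", "none", or the name of another ACL.
# A leading "!" negates the element.  The k-state ranges are a constructed
# subset of the poster's ACL (the original elides part of it with "...").
ACLS = {
    "k-state": ["129.130.0.0/16", "10.130.0.0/16", "10.139.0.0/16",
                "172.21.0.0/16", "10.0.0.0/24"],
    "internal": ["!key external", "key internal", "k-state"],
    "external": ["!key internal", "key external", "any"],
}

# The internal ACL as it would read without the "!key external" guard.
NAIVE_ACLS = dict(ACLS, internal=["key internal", "k-state"])

# Views are tried in the order they appear in named.conf: (view, match-clients ACL).
VIEWS = [("internal", "internal"), ("external", "external")]


def _element_matches(elem, src, key, acls):
    """True if one un-negated element matches a request from src signed with key."""
    if elem == "any":
        return True
    if elem == "none":
        return False
    if elem.startswith("key "):
        return key == elem[4:].strip()
    if elem in acls:                      # nested ACL: only a positive match counts
        return acl_matches(elem, src, key, acls) is True
    return ipaddress.ip_address(src) in ipaddress.ip_network(elem, strict=False)


def acl_matches(name, src, key=None, acls=ACLS):
    """BIND address-match-list evaluation: the first matching element decides.

    Returns True for a positive match, False when a negated element matched
    (evaluation stops immediately), None when nothing matched at all.
    """
    for elem in acls[name]:
        negated = elem.startswith("!")
        if _element_matches(elem.lstrip("! "), src, key, acls):
            return not negated
    return None


def select_view(src, key=None, acls=ACLS):
    """Name of the first view whose match-clients accepts the request, or None."""
    for view, acl in VIEWS:
        if acl_matches(acl, src, key, acls) is True:
            return view
    return None  # named would refuse the query: no view matched


if __name__ == "__main__":
    cases = [("129.130.1.1", None), ("127.0.0.1", None),
             ("127.0.0.1", "internal"), ("127.0.0.1", "external"),
             ("129.130.139.150", "external")]
    for src, key in cases:
        print(f"{src:16} key={key!s:9} -> {select_view(src, key)} "
              f"(without the !key guard: {select_view(src, key, NAIVE_ACLS)})")
```

A loopback request signed with `key internal` lands in the internal view and one signed with `key external` in the external view, which is what the `127.0.0.1 key ...` entries in `masters` and `also-notify` rely on. The `NAIVE_ACLS` run shows why `!key external` is the first element of the internal ACL: the external secondaries (129.130.139.150 and friends) sit inside the k-state ranges, so without the negation their key-external transfer requests would match the internal view through the `k-state` element and they would be served the internal copy of the zone.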
Re: tsig zone sharing between zones check + scream
On 2015-08-07 10:08, Heiko Richter wrote:
> Am 07.08.2015 um 08:52 schrieb Lawrence K. Chen, P.Eng.:
>> Just noticed that about 12 hours ago, the business office person finally updated our KSK with the registrar (where the window was last month).
>>
>> Well, apparently history must repeat. 3 years ago, we rolled over from RSASHA256 to RSASHA256... but the person that did all the interaction with registrars (where the criteria is that they be in a position to pay as needed, which did used to be dns administrator/department manager/etc., but when they left the new manager didn't want us to continue to have that responsibility... but would've taken it... anyhoo) selected the algorithm type as RSASHA1-NSEC3... Which caused a bit of an outage, especially since they went on vacation right after having left it to the last minute (we had a 60 day rollover window)... originally I had gone around end of fiscal year, but decided to shift it...
>>
>> Well, this time, still going RSASHA256 to RSASHA256 (I had done the roll from RSASHA1-NSEC to RSASHA256 before it was possible to register such things with the registrar... so only DLV was involved, though I did run into a problem since I had a DS record in my zone, etc. The mismatch doing one then the other apparently was the wrong way to go... or something.) So this time... RSASHA1 (#5) got selected.
>
> If you change the algorithm of your KSK it shouldn't be necessary to change your server's configuration. Neither is it necessary to change the TSIG keys. Just dump the keys into your domain's key-directory and bind will eventually import and use them. If you're in a hurry, you can force the import by running "rndc loadkeys".
>
> Of course you will also need to retire your old key and remove them from the zone by running "dnssec-keygen -D now -I now".
>
> And you should (should, not must!) generate new ZSKs, using the same algorithm, so change your ZSK-rollover-script to generate RSASHA1 from now on.
>
> But looking at your algorithm you will have a slight problem, which you need to take care of, BEFORE you publish your new key: RSASHA1 is not NSEC3-aware. So if you decide to run with that key, you have to remove the NSEC3-parameters from your zone (if you have any).

The TSIG stuff is related to a separate issue I'm trying to resolve caused by upgrading to 9.9.7-P2.

While for the KSK, I have no intention of changing my algorithm, in violation of previous rulings by the Chief Info Security Officer, just because the business office staff person had changed the algorithm we use when putting up the new DS I had forwarded up to get set with our registrar. No error was made when the DS was added for our other domain done at the same time.

I sure wish there was an automated way to do our KSK rollovers, especially if they want to do DNSSEC for the 100's of other domains we serve.

But, on the second try today, it got fixed (though I suspect the first was valid, but differed from how k-state.edu got done. Also not sure what the implications are). That I sent two DS records (per domain) up, and only the SHA-1 one has been entered. Today in fixing the RSASHA1 + SHA1 entry, it was first replaced as RSASHA256 + SHA256, but then replaced with the SHA-1 digest version (though the SHA256 attempt might have been a real error? Nope... the last 4 digits match the SHA256 DS).

What's odd is that in all cases, the confirmation email says DNSKEY was Verified. I'd expect that with the two tries today, but how was that possible when they had selected the wrong algorithm? Hmmm, wonder if all they're 'verifying' is the key id?
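On the closing question (whether the registrar only checks the key id), here is an added Python example; it is mine, not anything from the poster, ISC or the registrar. It computes the RFC 4034 key tag and the SHA-1/SHA-256 DS digests for a DNSKEY, then compares a registrar-style check that only looks at the key tag with the full check a validator performs under RFC 4035 section 5.2. The DNSKEY is a constructed dummy (KSK flags, RSASHA256, and a four-byte stand-in for the public key) so the key-tag arithmetic can be followed by hand; `ksu.edu.` is used as the owner name only because that is the zone the thread is about.

```python
import hashlib
import struct

OWNER = "ksu.edu."
# Constructed DNSKEY, not a real key: KSK flags (257), protocol 3, RSASHA256 (8),
# with a four-byte stand-in for the public key so the key tag is checkable by hand.
DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 8, "pubkey": bytes([1, 2, 3, 4])}

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types SHA-1, SHA-256


def dnskey_rdata(key):
    """DNSKEY RDATA: flags, protocol, algorithm, public key (RFC 4034 s2.1)."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(key):
    """Key tag from RFC 4034 Appendix B, computed over the whole RDATA."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_wire(name):
    """Canonical wire form of an owner name: lower-case labels, no compression."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def make_ds(owner, key, digest_type):
    """DS fields per RFC 4034 s5.1.4: the digest covers owner name + DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](name_wire(owner) + dnskey_rdata(key)).hexdigest().upper()
    return {"key_tag": key_tag(key), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": digest}


def weak_check(ds, keys):
    """A 'DNSKEY verified' that only asks: does some key in the zone have this key id?"""
    return any(key_tag(k) == ds["key_tag"] for k in keys)


def strict_check(ds, owner, keys):
    """What a validator requires (RFC 4035 s5.2): key tag, algorithm and digest all match."""
    for k in keys:
        if key_tag(k) == ds["key_tag"] and k["algorithm"] == ds["algorithm"]:
            if make_ds(owner, k, ds["digest_type"])["digest"] == ds["digest"].upper():
                return True
    return False


def with_algorithm(ds, algorithm):
    """The submitted DS with the algorithm field set to what the registrar form selected."""
    return dict(ds, algorithm=algorithm)


if __name__ == "__main__":
    good = make_ds(OWNER, DNSKEY, 2)
    mistyped = with_algorithm(good, 5)          # RSASHA1 (#5) picked at the registrar
    for label, ds in (("correct", good), ("alg=5", mistyped)):
        print(f"{label:8} tag={ds['key_tag']} alg={ds['algorithm']} "
              f"weak={weak_check(ds, [DNSKEY])} strict={strict_check(ds, OWNER, [DNSKEY])}")
```

With the real key tag and digest but the algorithm field changed to 5, `weak_check` still passes, since a DNSKEY with that key id does exist in the zone, while `strict_check` fails: a validator requires the DS algorithm to equal the DNSKEY algorithm, so the published DS matches no key and the zone goes bogus, which is the outage described above. Note that the DS digest covers the DNSKEY RDATA (including its own algorithm byte), so a DS entered with the wrong algorithm number can still carry a correct digest; only comparing all three fields catches the mistake.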
Re: configuration error in lists.isc.org
On 2015-08-07 07:34, wbr...@e1b.org wrote:

>> From: Lawrence K. Chen, P.Eng. lkc...@ksu.edu
>>
>> OTOH, we have caved on adding systems that aren't 'ours'... though how much of Office365 is actually 'ours'? But I think we currently have a couple of includes for mass emailing solutions or our survey system (normally we push for them to use a subdomain; our old in-house survey system was on its own subdomain, which the new one can use, but it's more flexible on what users can use; it then comes down to whether there's an SPF rule in their way or not).
>
> SPF has nothing to do with who owns the servers. It states who is allowed to send email on behalf of the domain. If you are using O365 for your mail, you add their SPF records. If you use a mail service provider for your marketing emails, be sure to add them.
>
> Just make sure you don't exceed the limits on how many DNS queries are required to fully resolve the SPF record. I'm starting to see more records overloaded with includes, MX, and other types that require further queries.
>
> We now return you to our regularly scheduled program.

But, the point of 'ours' is trusting that the system is only generating mail as us that we expect it to generate. Generally we expect servers we operate to be trustworthy (which has somewhat improved now that our general SMTP server is usable from, say, guest wireless).

Before we moved to Office365, our email provider had configured that our outgoing mail was processed to come out from one of two pools: one pool for spam/virus-checked good mail, for our exclusive use, and the everything-else pool that is shared with all the other tenants, with no guarantee that another tenant's account doesn't get hijacked and start sending forged emails with our domain. So, when we were with this provider, our SPF had the exclusive pool as good, but included the other pool prefixed with '~'.

Meanwhile, Office365 claims to employ a similar system, where there are pools used only for sending tested good emails, and other pools that they send everything else through, and if IPs get blocked they don't care. Where we have one include:spf, which in turn has another include:spfa, which in turn has another include:spfb, for over 50,000 IPs + an ip6:/48 to be all trusted.

Then there's the include that the survey company provides, which just contains a single include for who actually sends their mails? Which seems strangely familiar... also noticed that they're using Dyn for NS. Probably because it seems to be a subset of what the mass marketing mailer has in their chain of SPF includes.

And, we include:outbound.mailhop.org for people that go abroad and want to get around places that block port 25, which is like everywhere now, though the number of alternatives has probably reduced the need for this. Though I still have my mailhop account, even though it's now DuoCircle that owns it. But, I still have one domain with Dyn, along with some dyndns names, like for my ec2 instances -- a dyndns domain so I can find them easier, and they use mailhop to send me alerts.

But, given how Office365 operates, it's unlikely that a rogue tenant would be able to impersonate us and ... we can't speak for anybody else, but I have trusted Dyn with email for many years now; trying to recall when I got the account... think it was sometime after I stopped using PocketMail.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- SafeZone Ally
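The "don't exceed the limits" warning above is RFC 7208's rule that evaluating an SPF record may trigger at most 10 lookup terms (include, a, mx, ptr, exists, redirect) counted across the whole include tree; past that, receivers return permerror and the record protects nothing. The walker below is an added example, not code from this thread: it evaluates the include/redirect tree against an in-memory TXT table constructed to mirror the chain the message describes (an include that pulls in a second that pulls in a third, a survey vendor that merely includes its bulk mailer, and an outbound relay). Every name and address in the table is made up, and no real DNS is queried.

```python
"""Count the DNS lookups an SPF record needs, the way an RFC 7208 evaluator does.

Added example for the bind-users thread, not code from it.  The TXT table is
constructed to mirror the chain the message describes; the names and
addresses are made up (not the real Office365 or vendor SPF data).
"""

LOOKUP_LIMIT = 10                       # RFC 7208 s4.6.4: more than 10 lookup terms is a permerror
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

FAKE_TXT = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:spf.mailcloud.example "
                   "include:spf.survey.example include:outbound.mailhop.example ~all",
    "spf.mailcloud.example":    "v=spf1 include:spfa.mailcloud.example -all",
    "spfa.mailcloud.example":   "v=spf1 include:spfb.mailcloud.example -all",
    "spfb.mailcloud.example":   "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/48 -all",
    "spf.survey.example":       "v=spf1 include:spf.bulkmailer.example -all",
    "spf.bulkmailer.example":   "v=spf1 ip4:203.0.113.0/24 mx -all",
    "outbound.mailhop.example": "v=spf1 a mx -all",
}


def parse_spf(record):
    """Split a 'v=spf1 ...' string into (qualifier, term, argument) triples."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for word in words[1:]:
        if "=" in word:                          # modifier: redirect=, exp=
            name, _, value = word.partition("=")
            parsed.append(("", name.lower(), value))
            continue
        qualifier = "+"
        if word[0] in "+-~?":
            qualifier, word = word[0], word[1:]
        term, _, arg = word.partition(":")
        parsed.append((qualifier, term.lower(), arg))
    return parsed


def count_lookups(domain, txt=FAKE_TXT, _path=()):
    """Walk include/redirect recursively.  Returns the total lookup count, the
    qualifier on the top-level 'all', the names visited, and an over-limit flag."""
    if domain in _path:
        raise ValueError(f"include loop via {domain}")
    record = txt.get(domain)
    if record is None:                           # a missing include is a permerror too
        raise ValueError(f"no SPF record for {domain}")
    result = {"lookups": 0, "all": None, "chain": [domain]}
    for qualifier, term, arg in parse_spf(record):
        if term in LOOKUP_TERMS:
            result["lookups"] += 1
        if term in ("include", "redirect"):
            sub = count_lookups(arg, txt, _path + (domain,))
            result["lookups"] += sub["lookups"]
            result["chain"] += sub["chain"]
        elif term == "all":
            result["all"] = qualifier
    result["over_limit"] = result["lookups"] > LOOKUP_LIMIT
    return result


def overloaded_variant():
    """Same domain with 'a mx' added at the top level: two more lookups tip it past 10."""
    txt = dict(FAKE_TXT)
    txt["example.edu"] = FAKE_TXT["example.edu"].replace("~all", "a mx ~all")
    return count_lookups("example.edu", txt)


if __name__ == "__main__":
    r = count_lookups("example.edu")
    print("example.edu:", r["lookups"], "lookups, all=" + r["all"], "over limit:", r["over_limit"])
    print("with 'a mx' added:", overloaded_variant()["lookups"], "lookups")
```

The constructed record sits at 9 of the 10 allowed lookups before anyone adds a single "a mx"; that is the shape of the overload the reply warns about, and it is the number to recheck every time a vendor's include chain changes underneath you. The top-level qualifier is reported separately because a trailing "~all" (softfail) still lets forged mail through to most receivers; the shared-pool concern in the message is exactly the case where "-all" plus a tight IP list is the safer end state.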
Re: bind 9.8 named_stats parser
Hmm, wonder if I should upgrade my stats collector for cacti. It had been a while since I looked at my cacti, as I know there were a bunch of graphs not working on it. But, bind stats is still working, against the latest 9.9, despite the graph titles of "Bind 9.6". Before this script, I used to use one that fed off of the querylog; that was horribly unreliable, though the service collector is still being monitored and kept running on my servers. Possibly because our production cacti server (running on RHEL3) is still trying to keep up (pretty sure I'm not using it on newer servers; should make a note to check).

Interesting that for some reason after the 1st of the month the time on two computers has been wandering back and forth, while my ntp servers have been stable. At first I thought it might be related to the big power outage then, but that was the weekend before. So, I wonder what I changed (though I'm still looking for the thing I changed on August 3rd that is filling logs on a couple of servers. Plus I need to unbreak my email search.)

On 2015-08-07 17:55, Leandro wrote:
> Wow, you gave me a very nice tip Rob. Now I'm really interested in getting json format. I will begin by updating to 9.10
> Regards.
> LEo.
>
> On 04/08/15 16:38, /dev/rob0 wrote:
>> On Tue, Aug 04, 2015 at 04:01:56PM -0300, Leandro wrote:
>>> Hello, guys, I'm thinking about getting my bind statistics on cacti. I'm looking for some parser script but so far I can not get any for my version, which is 9.8.
>>
>> I guess by "named_stats", you mean the file which is written for "rndc stats". (By default that's called named.stats and found inside the directory specified in your named.conf(5) options.)
>
> Exactly
>
>> I'd recommend against that. It's a relic of the past. Consider instead the statistics-channels statement:
>> http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#statschannels
>>
>> Consider also moving to a supported BIND version. In particular, BIND 9.10 might be of interest, with upgraded statistics-channels functionality:
>> https://kb.isc.org/article/AA-01123/
>>
>>> Is something around there? If not I will need to deploy it by myself... then of course will share it.
>>
>> There too, if you're doing things the old way on abandoned old software versions, I wouldn't expect to find much interest.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- SafeZone Ally
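The statistics-channels statement Rob points to is an unauthenticated HTTP listener that hands out zone names, query counters and the server version to anyone who can reach it, so the part worth getting right is where it listens and who it answers. The fragment below is an added example, not configuration from the thread or from ISC; the address and port are assumptions. BIND 9.9 serves XML (schema version 2) at the root path of that listener; BIND 9.10 adds XML v3 under /xml/v3 and, when named was built with --with-libjson, JSON under /json/v1, which is the format the reply mentions.

```conf
// Added example, not the poster's named.conf.  127.0.0.1:8053 is an assumption.
options {
    // Needed for per-zone counters to appear in the channel output.
    zone-statistics yes;
};

statistics-channels {
    // Loopback only, and an explicit allow list on top of that: the channel
    // has no authentication, so a routable listener is an information leak
    // to anyone who can reach the port.  A collector on another host should
    // come in through an SSH tunnel or a local proxy, not a wider ACL.
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
```

After "rndc reconfig", "curl -s http://127.0.0.1:8053/" on 9.9 returns the XML document, and on 9.10 "curl -s http://127.0.0.1:8053/json/v1/server" returns the server-level counters as JSON; a cacti or other collector then parses that instead of the named.stats dump, and nothing has to run "rndc stats" on a schedule or scrape a querylog.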
Re: do not stupidly delete ZSK files
> IXFR-Transfers, the slaves will only transfer the records that have changes; there's no need to transfer the whole zone. Combined with inline-signing your updates will propagate to all servers within a second.

Well, we do have our caching servers acting as slaves for some zones, but frequently it's not reliable for getting our busiest server (the server that's listed first on our DNS configuration page, and is what DHCP gives out as first) to not continue with its cached answer... I've made suggestions to try to get them to spread things out; there's 6 servers, not just two... as some areas now get the second server first. Resulting in the second listed server being my second busiest. After that it's a split between the 3 and 5 ones. We used to list our datacenter DNS as 'backup', though we had an outage of our student information system due to the datacenter DNS getting swamped by a few computers across campus (that were getting hammered by a DDoS attack). Number 3 used to be 3rd busiest, but its popularity has gone down... since it only has a 100M connection, while the others have gigabit. All the campus servers used to be only 100M. But, people that know say it matters... But, it's in the powerplant and has one leg on inverter power... the batteries for the old phone system are there, next to a large empty room.

Though at the moment, no incremental capabilities, so I can hit a slave a few times before the transfer finishes the info updates. (Just as I can hit the master server a few times after it does 'rndc reload' after the signing, before it reflects the change...)

But, it was actually hard getting to the amount of automation that I have now, but on occasion people fight the automation. (Some more than others.)

>> Now if only I could figure out how to do that to the rest of the world to satisfy those other requests.
>
> It's just a matter of lowering your ttl. Resolvers all over the world will cache your records according to your ttl. If you really have 86400 set as ttl, any given record will be queried only once per day. Just lower the default ttl to a reasonable number and your updates will propagate faster to the resolvers. It's just a question of how much bandwidth and resources are you willing/able to give to DNS? Lower it step-by-step until you either hit the limit in your bandwidth or the system-resources of your servers.

Recently saw an incident: a department that has full control of their subdomain made a typo on an entry with TTL 86400. They had fixed the typo, but the world still wasn't seeing the correction. Asked us if we could lower the TTL for it, to maybe 300.

> Hmmm... no. If they have full control of their subdomain, why don't they just change the ttl themselves?

That's basically what my co-worker said in responding to the ticket. But, what they're asking is that we lower the TTL of the already cached value.

> Setting a ttl of 1 day seems a bit high, but of course it always depends on your zone. If the data is static, 1 day is fine, but for dynamic zones this is a bit high.

There are lots that seem to feel that 1 day is what things need to be at, except for temporary reasons, though people often forget to have it lowered in advance of a server upgrade or something. And, in this case they had made a typo on where the new server was... so instead of traffic shifting from old to new as their update spread out, it all disappeared.

All my domains are static, and I just have forwarding set to the servers that have dynamic subdomains (though I'm slave to them... which this new bind has me a bit stumped on what the correct way to go is).

> When you use inline-signing, your updates will be signed on-the-fly, as they come in, so you can lower the ttl to a few minutes without any problems. This helps much in keeping outdated data out of any resolver's cache.

Hopefully a solution will suddenly appear that can replace the scripts I've mashed together over the years to do what we do now. I had thought I'd have a solution to our current DNS problem in place by now.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- SafeZone Ally
expired KSK, other domains failed to resolve?
I wish I had the foresight to save the dig traces. But, on Tuesday we had a strange DNS outage.

I have 3 outside-facing authoritative-only nameservers named ns-1.ksu.edu, ns-2.ksu.edu, ns-3.ksu.edu, which are all slaves off our hidden master server, that in addition to being the authority for ksu.edu, is the authority for many other zones, such as kstatesports.com.

Our KSK rollover was the month of July, but the business office person that has access to our registrars didn't update to our new KSK by the 31st. (The actual inactivation was August 2nd at 1am... should've been August 1st, but the script had failed to run automatically for the previous KSK rollover, and I got it to run the following day... though it again didn't work for this KSK rollover...)

However, I noticed that the zone file on my slaves had a July 28th timestamp, which is odd, because the routine resigning had run in the morning of the 31st (Friday mornings by cron).

So, in running some tests, I found that "dig +trace kstatesports.com" would get to ns-1.ksu.edu, show a couple of NSEC3 records and stop. I then tried "dig +trace +nodnssec kstatesports.com" and it resolved.

Oh, wonder why I hadn't tried doing dig after I got things temporarily working again. I see now that I got two NSEC3 records, and their corresponding RRSIG records.

So, what's the reason for needing those NSEC3's in getting to kstatesports.com? And, what was the cause for no RRSIG's? Is the timing part of the signing, or was it past its half life to stop these other domains, but not resolutions from the ksu.edu zone?

-- Only our .edu domains are signed. Though in the future we might start signing everything, except our reverse IP space. Who knew that ARIN was going to disallow role accounts from making changes, where we only have role accounts as contacts for our IP space (was probably before I knew of such things, like their take over of things...). Like while I'm the only individual contact for a former employer's IP space, but they require proof of the company's existence and that I'm part of the company before they can process my request to release the IP space. But the company went out of business in early 2001. Some company in Japan seems to be squatting on our old domain (I recall our business manager suddenly finding that we had to pay to keep our domain). But, it seems to me I didn't hear about ARIN wanting money for IP space until just before my first LISA (2007), where I found a person from ARIN surrounded by admins discussing, asking, screaming, etc. about them wanting to suddenly charge lots of money for their (pre-ARIN) assignments, etc. Or perhaps it was my second LISA in 2008... Hmm, probably 2007, when there was lots of news that ipv4 was about to run out, where we finally did last month? Wonder how long before I'll get around to doing IPv6... at home...

I actually tried to release it twice; somehow I forgot why they wouldn't let me the first time. They also won't let me remove the company info without some kind of impossible proof... from the company to allow it. Wasn't until their request for proof of the company's existence that I remembered that I had run into the problem before.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- SafeZone Ally
Re: ERROR : - writeable file 'data/udalgurijudiciarygov.hosts': already in use: /etc/nicnet2007.govdomain:15424 - loading configuration: failure
This unfortunately looks like the thread for me to jump on to.

I missed installing the last two 9.9...-P# patches; the first time I had built everything and was pretty much ready to do it, and then forgot all about it due to health issues. The more recent one... I had got it built for Solaris x64 and was about to work on building it for Solaris SPARC when the most recent one appeared. This one carried a much stronger "get things patched" (to me at first, then higher ups started jumping around...).

But, it turned out to be a huge mess to upgrade. The first time I ran into this error, it was some really old mistakes where the admin had copied and pasted a bunch of similar zones... and missed adjusting some of the files. Since on the master side they all come from the same file, it probably didn't cause any noticeable problems for the slaves or clients.

However, installing the upgrade on our master server... knocked it out, so I'm here looking to see what the proper fix for my situation is. Looking for a valid easy fix here ;) Partly because coming soon they're going to demolish the DNS infrastructure that I got saddled with and feel like I've done a pretty good job at re-engineering it to meet all the demands of it. But, I'm the last legacy unix systems administrator here.

Anyways... the problem is because we had turned our existing master server into doing split/stealth (started out stealth...) DNS, while having it continue to serve as slave to delegated subdomains. So that those subdomains are propagated to our external-facing slave servers.

So that's where the problem comes in: the internal authoritative+ nameservers having the master collect secondary zone data from them... on the internal view. But, then having to send that information to nameservers that hit the external view of the master. So, until a few hours ago, it was include a file containing all the delegated (sub)domains into both views, causing both sides to be working off of the same file. Which seemed to work fine. As only one side is getting updates, the other side is just to feed our outside-facing slaves.

Well, this update wouldn't go for that. So, cloning the file and doing a global search and destroy: the external view is looking for zone files in a directory that is empty, while the internal side continues as is. To have something for the external nameservers to transfer (hopefully), I'm doing a regular sync of the files from 'sec' to 'ext'. Not totally sure that's working, but nothing filling up logs about it.

So, is what I did something that'll hold... or is there an easy proper solution to this? To hold us/me over until they decide if it's going to be BlueCat or Infoblox that replaces everything. Sadly, I missed both presentations due to other issues; more sad because I found my named.iner shirt, which I was going to wear to the second presentation ;)

There were a couple of other interruptions in my upgrading my 20 servers, but I don't recall what the issue was with those now.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- SafeZone Ally

On 2015-08-03 10:06, Reindl Harald wrote:
> Am 03.08.2015 um 16:59 schrieb Anand Buddhdev:
>> On 03/08/15 16:50, Heiko Richter wrote:
>>
>> Hi Heiko,
>>
>>> Why use the file option at all on a slave?
>>
>> If you don't use the file option on a slave, then BIND does not write the zone to disk. This is okay for a small number of small zones. But if you have many zones, or they are large, then you usually want to save a copy of the zone to disk, so that at restart, BIND can load the zones in quickly
>
> and load them at all in an acceptable timeframe. If it does not save them to disk as you said and you have some hundred zones you likely exceed transfer ratelimits and it takes unacceptably long until your slave responds while clients already ask him.
>
> The next problem with not having them on disk is: god beware if your master is down and, due to analysis or before you recognize the problem, you restart your slave named or the server.
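The "writeable file ... already in use" error in the subject is named refusing to let two zone objects (here, the same slave zone in two views) write the same file, which is what the shared include in the message above produced. Copying files from 'sec' to 'ext' on a schedule hands the external slaves whatever happened to be on disk at copy time, with no transfer semantics. The fragment below is an added example of a layout that avoids both problems on BIND 9.9, not the poster's named.conf: zone name, addresses, paths and the key are assumptions. Each view keeps its own file, and the external view re-slaves the zone from the internal view over loopback, with a TSIG key selecting the view so that one named can be both ends of the transfer; that key-based view selection is the mechanism the BIND ARM documents for match-clients. From BIND 9.10 on, the in-view zone option shares one zone object between views and makes the second copy unnecessary.

```conf
// Added example, not the poster's configuration.  Names, addresses, paths and
// the key are made up; generate a real secret with tsig-keygen / dnssec-keygen.
key "internal-xfer" {
    algorithm hmac-sha256;
    secret "replace-with-output-of-tsig-keygen";   // placeholder, not a real secret
};

view "internal" {
    // Requests signed with the key land here; plain 127.0.0.1 traffic
    // deliberately does not, so the NOTIFY sent below falls through to the
    // external view.  (Assumes nothing on the host relies on an unsigned
    // loopback query reaching the internal view.)
    match-clients { key internal-xfer; 10.0.0.0/8; };
    recursion no;

    zone "dept.example.edu" {
        type slave;
        masters { 10.1.2.3; };                   // the department's own master
        file "sec/dept.example.edu";             // internal copy
        allow-transfer { key internal-xfer; 10.0.0.0/8; };
        notify explicit;                         // do not notify the department's NS set
        also-notify { 127.0.0.1; };              // wake the external view's copy
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "dept.example.edu" {
        type slave;
        masters { 127.0.0.1 key internal-xfer; };   // re-slave from the internal view
        file "ext/dept.example.edu";                // distinct path: no "already in use"
        allow-transfer { 192.0.2.11; 192.0.2.12; 192.0.2.13; };   // the public slaves only
    };
};
```

Run "named-checkconf" before reloading; it catches the duplicate-file case without restarting the server, which is the check that would have caught the shared include on the test box rather than on the master. The allow-transfer ACL on the internal view is the other point of this layout: once the external side no longer needs a copied file, nothing but the key holder and the internal networks can pull the internal copy of the zone.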
Pros/Cons for staying with 9.9 or going to 9.10
Currently running 9.9.4-P2, been trying to decide if I want to go to 9.10 or stay within 9.9.x? Since 9.9.x is ESV, I could stay with this version for a long time, plus it's more likely, if we go with an appliance, if it's using bind, it's probably more likely to be this version (have only looked at one that is bind based, and it was 9.6-ESV though).

Not sure management realizes these days appliances tend to just be custom PCs; they still need to get software updates over time (or not... just as our DHCP servers are still running the same level of Solaris 9 and version 3.x DHCP as when it was configured back in 2006. They want to replace it with an appliance because it's been getting less and less stable). Though usually an appliance has a (relatively) simple way to get updated. Compared to having to open a ticket to get me to update a system that I didn't set up or configure... so can't estimate how long that would take, but after the first update, I would think future updates would be pretty quick.

I usually have our bind servers updated to the latest security patch before our IT security group tells me that I need to update them (unless I determine that the patch isn't relevant now... ever since I rushed to a patch... that only applied had I upgraded to the preceding feature release... which I was going slow with, because it involved needing to make configuration changes... with more empty zones defaulting to on).

Someday I should dig through and clean up our entire config file, not just search for the "ADD NEW ZONES HERE" line and do only that. Like why (until I changed the IPs of my servers) I kept getting notifies for domains I didn't know if I was supposed to be secondary for; I had made contact with the admin before me, and he said we probably were secondary for them, but you'll have to ask the person before me on details like who to contact about it... or at least a monitored email account ... or non-domain dependent.

Had another case where the servers we had listed for them either didn't respond or said they weren't authoritative for the domain. Couldn't send email to their domain... which had come to my attention because another administrator had mail piling up for that domain. After a few years, I finally got an email from their admin asking why their domain wasn't working off our servers, but my reply bounced. Someday it might get fixed ;)

OTOH, management has also been looking at non-bind based appliances... so my days of using bind on anything might be numbered (my other site is using FreeBSD 9.2 for its DNS; eventually they might upgrade to 10.x. Though I'm running 9.9.5 out of ports on these servers, so it's possible I could continue to stay with bind on 10.x... though I would lose the replace-base option (though starting to wish I hadn't selected that option). The main reason for using ports bind was to enable the 'filter-aaaa-on-v4' option. Though someday they^H^H^H^H^H I might get ipv6 working.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
Re: Point domain name of my zone to name in somebody else's zone?
On 05/07/14 23:32, Barry Margolin wrote:
> In article mailman.160.1399503258.26362.bind-us...@lists.isc.org, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
>
>> Oh... I misread the question; guess DNAME isn't what's wanted, just the apex to somewhere else.
>>
>> Yeah... I currently just look up the name and enter A records. But, I've wondered if there was another record type that allowed it to detect address changes of the requested 'CNAME', so I wouldn't have to. Especially, if the requested 'CNAME' is a name that is known to change its IP...
>
> Have the apex point to your own webserver, and have it send an HTTP redirect to www.domain.com, which is CNAMEd to the third party domain.

I mentioned that option... but it doesn't work so well for https://example.com (except maybe if they gave me their cert, though I have limited IPs - though the new appliance supposedly does SNI...)

>> Either that... or come up with a way to script it.
>
> That's what we did when I was at Akamai. Their custom DNS servers have an option to resolve the domain apex by looking up another name and returning its IP.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
Re: Point domain name of my zone to name in somebody else's zone?
On 05/08/14 02:01, Dave Warren wrote:
> On 2014-05-07 15:54, Lawrence K. Chen, P.Eng. wrote:
>> Though it was just a minor delay for them to revert back to the old site, until they migrated their email accounts to the CNAME site as well.
>
> You still can't CNAME the APEX of a zone even if you do migrate your email accounts to the CNAME site as you can't have a CNAME and SOA/NS records at the same level.

You're quoting out of context. I wasn't talking about CNAME for my APEX, but CNAME for somebody's host... they used to do their own website, while using our central email service. But asking to change their hostname to be a CNAME to an outside web hosting provider... kind of broke their email until they moved to using the web hosting's email service. Don't know if they moved their accounts there, or just defined aliases up there to send it back to our system; on our side I had virtusertable entries to map the store email addresses to their real accounts, though we switched email providers recently... and I recently heard rumblings that some subdomains are wanting to use google apps to solve the problems they're having with our email provider. Which is easier for those that have their subdomains delegated to them, though I haven't been told that I need to stop fulfilling requests to add verification strings for other department subdomains.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
Re: Multi-master (HA)
On 05/06/14 13:39, Evan Hunt wrote:
> On Tue, May 06, 2014 at 06:20:11PM +, Baird, Josh wrote:
>> Hi,
>>
>> For those of you who operate at multiple sites or datacenters, are you doing any HA for your BIND masters? Ideally, we would have a master in each datacenter; maybe not an active one, but one that is standing by in case your primary master becomes unavailable. Do you have multiple active masters and list them as master in each of your slave's zone definitions? This seems like it could get rather messy.
>>
>> One thought is to use a technology like VMWare SRM which will spin up a master/virtual machine automatically in a second datacenter if your primary master goes down. This coupled with Layer2 connectivity between your sites could make things fairly simple. The standby/secondary master would retain the same IP address as your primary, so everything should just *work*.
>>
>> What are others doing? Any thoughts, ideas or advice is much appreciated.
>
> Thank you for bringing this up. As it happens, high-availability/multi-master support in BIND is something we've been seriously considering for a future release. There's been a lot of internal discussion of use cases, requirements, and possible design approaches.
>
> I don't want to influence the conversation here by saying too much about the ideas we've had so far, but I wanted to say: if anyone has specific thoughts on how to make this sort of thing easier in BIND -- even just at the level of "boy, it irritates me that I can't make BIND do X" -- such comments will fall on welcoming ears.

I hadn't thought of doing multi-master... but the issue of promoting a slave to master for DR had come up. At the time the problem was DNSSEC. It's one thing for the slave to become master; it's another when it needs to change entries in the zone file to redirect key web-services to DR instances. (At the time, it was create two signed zone files each time... and secure-transfer the second one out of band, but no DR web servers were ever set up, so both were identical files and eventually got scrapped.)

The issue of raw vs text on secondaries came up after abandonment. But, DR comes up now and then... recently it's using DNS appliances and cloud...

OTOH, the idea of multi-master is intriguing. The only downside I see is that I have one really powerful server for my current master (Sun Fire X4170) and my other servers are weak leftovers, just passed EOL last year. And, having all the servers doing full DNSSEC signing could be interesting. It also raises the question of how does the outside world cope with all the servers having identical zones... signed at slightly different times, etc. (Especially since I'm using a unix timestamp for the zone serial; avoids issues of multiple admins incrementing the serial without noticing others and/or collisions with DNSSEC's incrementing of serials.)

But, it shouldn't be too hard to implement since our nameservers are managed by CFEngine. And, it makes it possible for all my name servers to have both internal and external views, instead of having to have separate external slaves and internal slaves. (And other issues that I'm still working through with having this, namely my recursive caching servers hitting external slaves instead of internal slaves...)

Things have gotten more complicated since we started allowing vanity internal names; before it was one subdomain that only existed on internal, and everybody had to put their host in there, as dept-host.subdomain.ksu.edu, but then certain VIPs wanted host.dept.ksu.edu to work even though it's a 10.x.x.x address.

It would also mean one of our satellite campuses that refuses to use our caching servers (and even sent back our server that was providing the service for their campus, which they had firewalled their users from using while it was there)... can have their own caching servers work without needing to understand that our whois record doesn't list our stealth/internal nameservers... which is why they can't resolve any internal services and need to track down somebody to give them the 10.x.x.x IP and have their users use that, etc. Wonder if they know about the change in forwarding on my caching resolvers to AD?

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
Re: Point domain name of my zone to name in somebody else's zone?
DNAME ?

On 05/06/14 11:44, Rom, Gloria wrote:
> Yup, that's what I was asking. Thanks.
>
> Gloria Rom
> UCLA Library Digital Initiatives and Information Technology
> glor...@library.ucla.edu
> 310-206-9784
>
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
> Sent: Tuesday, May 06, 2014 9:39 AM
> To: bind-users@lists.isc.org
> Subject: Re: Point domain name of my zone to name in somebody else's zone?
>
> The apex name of a zone can't own a CNAME, if that's what you're asking. E.g. the name example.com can't be a CNAME pointing at otherexample.com. But, of course, you can certainly put A and/or AAAA records at the apex, that resolve to one or more addresses in one or more ranges you don't own/control.
>
> - Kevin
>
> On 5/6/2014 12:31 PM, Rom, Gloria wrote:
>> Hello All,
>>
>> Here's an easy one. I administer a zone that consists of a few names, each of which points to a name in a zone that I do not administer. Now my project manager wants to resolve the domain name of my zone to another name in that foreign zone. Can I tell him that it can't be done, or have I overlooked a clever workaround? I'm running an oldish version of BIND 9.
>>
>> Thanks,
>> Glo
>>
>> Gloria Rom
>> UCLA Library Digital Initiatives and Information Technology
>> glor...@library.ucla.edu
>> 310-206-9784

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
Re: Point domain name of my zone to name in somebody else's zone?
Oh...I misread the question - guess DNAME isn't what's wanted, just the apex to somewhere else.

Yeah...I currently just look up the name and enter A records. But, I've wondered if there was another record type that allowed it to detect address changes of the requested 'CNAME' so I wouldn't have to. Especially, if the requested 'CNAME' is a name that is known to change its IP...

Either that...or come up with a way to script it.

This is also handy when somesite.ksu.edu decides to outsource its web content to a CNAME...but wonder why they've stopped receiving mail as someaddress@somesite.ksu.edu. Though it was just a minor delay for them to revert back to the old site, until they migrated their email accounts to the CNAME site as well. But, there have been others where that doesn't work for them.

Meanwhile users keep thinking I can also create aliases to: https://someCNAME/some/path

I can do http, by bouncing them off a redirector, https is harder (and requires me to pass it over to a WSE.)

On 05/07/14 17:10, Lawrence K. Chen, P.Eng. wrote:
> DNAME ?
>
> On 05/06/14 11:44, Rom, Gloria wrote:
>> Yup, that's what I was asking. Thanks.
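Scripting the apex-A approach discussed above (resolve the foreign name, keep the apex A records in step with it, bump the serial) as an added example; this is not code from the thread or from BIND. It assumes a one-line SOA with a YYYYMMDDnn serial, numeric TTLs and IPv4 only; `resolve_target` uses the system resolver, everything else runs offline on the constructed sample zone.

```python
"""Keep a zone's apex A records in step with a name in a foreign zone.

Added example for the thread above; not code from the list. The apex cannot
be a CNAME, so the alternative is to resolve the foreign name and rewrite
the apex A records (and bump the SOA serial) whenever its addresses change.
Assumptions: one-line SOA with a YYYYMMDDnn serial, numeric TTLs, IPv4 only.
"""
import re
import socket
from datetime import date

# Constructed sample zone (not from the thread); the apex has one stale A record.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
$TTL 3600
@    IN SOA ns1.example.edu. hostmaster.example.edu. ( 2014050601 7200 900 1209600 300 )
@    IN NS  ns1.example.edu.
@    IN A   192.0.2.10
www  IN CNAME web.hosting-provider.example.
"""
DEMO_DATE = date(2014, 5, 7)  # fixed "today" so the demo is reproducible

# Captures "SOA <mname> <rname> (" so that only the serial number is rewritten.
SOA_SERIAL_RE = re.compile(r"(\bSOA\b\s+\S+\s+\S+\s+\(?\s*)(\d+)")


def resolve_target(name):
    """Current IPv4 addresses of the foreign name via the system resolver (needs network)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def next_serial(serial, today):
    """Next SOA serial: today's YYYYMMDD01 if that is larger, otherwise serial + 1."""
    return max(serial + 1, int(today.strftime("%Y%m%d") + "01"))


def _is_apex_a(fields, origin):
    """True if the record fields describe an A record owned by the zone apex."""
    if fields[0] not in ("@", origin.rstrip(".") + "."):
        return False
    # Drop optional TTL and class tokens so the type is the first token left.
    rest = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]
    return bool(rest) and rest[0].upper() == "A"


def sync_apex_a(zone_text, origin, addrs, today=None):
    """Return (new_zone_text, changed) with the apex A records set to addrs."""
    today = today or date.today()
    lines = zone_text.splitlines()
    current, apex_rows, soa_row = set(), [], None
    for i, line in enumerate(lines):
        fields = line.split(";", 1)[0].split()
        if not fields or fields[0].startswith("$"):
            continue
        if soa_row is None and SOA_SERIAL_RE.search(line):
            soa_row = i
        if _is_apex_a(fields, origin):
            current.add(fields[-1])
            apex_rows.append(i)
    if current == set(addrs):
        return zone_text, False  # nothing changed, serial stays put
    if soa_row is None:
        raise ValueError("no single-line SOA record found")
    # New apex records go where the old ones were, or right after the SOA.
    insert_at = apex_rows[0] if apex_rows else soa_row + 1
    new_soa_row = soa_row - sum(1 for r in apex_rows if r < soa_row)
    new_lines = [l for i, l in enumerate(lines) if i not in apex_rows]
    new_lines[insert_at:insert_at] = ["@    IN A   %s" % a for a in sorted(addrs)]
    new_lines[new_soa_row] = SOA_SERIAL_RE.sub(
        lambda m: m.group(1) + str(next_serial(int(m.group(2)), today)),
        new_lines[new_soa_row], count=1)
    return "\n".join(new_lines) + "\n", True


if __name__ == "__main__":
    # Offline demo with constructed addresses; a real run would pass
    # resolve_target("web.hosting-provider.example") instead.
    updated, changed = sync_apex_a(SAMPLE_ZONE, "example.edu.",
                                   ["198.51.100.7", "192.0.2.20"], DEMO_DATE)
    print(updated if changed else "apex A records already current")
```

Run it from cron against the zone file and reload only when `changed` is true, so the serial bumps only on a real address change.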
Re: RRL active by default?
Can't seem to figure out how to work something like that into my configuration.

It doesn't like that I have allow-recursion { k-state; }; set in options - then something about when using 'view' statements, all zones must be in views.

So, I uncommented the view ksu { lines in my config (there used to be a separate view for a JOIN K-STATE SSID, which basically sent you to a special website regardless of what you wanted to connect to. It was scrapped, because users using computers running an OS that starts with W would still be stuck going to the site when they switched to normal wireless. (even though the TTL for the zone was only 5 seconds...)

And, then it finally crashed complaining that there was no root hints for the view _ksu_bind, and making class IN view _ksu_bind with all the same zones, including the hint zone - it still complained that there was no root hints for view _ksu_bind and crashed.

daemon.notice] starting BIND 9.9.4-P2 -c /var/chroot/named/etc/named/named.conf -4
daemon.notice] built with '--prefix=/usr/local' '--sysconfdir=/etc/named' '--localstatedir=/var' '--with-openssl' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-ipv6' '--enable-newstats' '--enable-filter-' '--enable-rrl' 'CFLAGS=-m64 -O2' 'LDFLAGS=-Wl,-R/usr/local/ssl/lib/64 -L/usr/local/ssl/lib/64 -Wl,-R/usr/local/lib/amd64 -L/usr/local/lib/amd64 -Wl,-R/usr/local/lib -L/usr/local/lib'
daemon.notice]
daemon.notice] BIND 9 is maintained by Internet Systems Consortium,
daemon.notice] Inc. (ISC), a non-profit 501(c)(3) public-benefit
daemon.notice] corporation. Support and training for BIND 9 are
daemon.notice] available at https://www.isc.org/support
daemon.notice]
daemon.warning] no root hints for view '_ksu_bind'
daemon.notice] command channel listening on 127.0.0.1#953
daemon.crit] db.c:795: REQUIRE(rdataset->rdclass == db->rdclass) failed, back trace
daemon.crit] exiting (due to assertion failure)

On 05/02/14 23:34, Jeremy C. Reed wrote:
> On Fri, 2 May 2014, Lawrence K. Chen, P.Eng. wrote:
>> On 05/02/14 09:23, Jeremy C. Reed wrote:
>>> Only for the built-in Chaos _bind view (for id.server, authors.bind, hostname.bind, and version.bind).
>>
>> Awww...I found messages about version.bind.
>
> My workaround I use is like:
>
>     # for builtin tests do not rate-limit
>     # redefine chaos builtin zones
>     # can't redefine builtin view '_bind'
>     view "_dnsbench_bind" chaos {
>         recursion no;
>         notify no;
>         allow-new-zones no;
>         rate-limit { responses-per-second 0; };
>         zone "version.bind" chaos { type master; database "_builtin version"; };
>         zone "hostname.bind" chaos { type master; database "_builtin hostname"; };
>         zone "authors.bind" chaos { type master; database "_builtin authors"; };
>         zone "id.server" chaos { type master; database "_builtin id"; };
>     };
>
> Or edit bin/named/config.c (you will quickly find the configuration) and make and install.
Re: RRL active by default?
Awww...I found messages about version.bind.

On 05/02/14 09:23, Jeremy C. Reed wrote:
> On Thu, 1 May 2014, Lawrence K. Chen, P.Eng. wrote:
>> Does compiling in RRL mean its active, even without a rate-limit {} control block?
>
> Only for the built-in Chaos _bind view (for id.server, authors.bind, hostname.bind, and version.bind).
RRL active by default?
Does compiling in RRL mean its active, even without a rate-limit {} control block?

The other day, I got reports some service is getting intermittent lookup failures for our ldap server. Why these appliances have to query DNS servers many times per second to get the address of a record with a TTL of 1 day

In looking at the logs, I saw messages about rate-limit of various subnets. (but, only for the busiest 2 of 8 caching servers) Starting when I first updated to 9.9.4-P1. Though both had said they had stopped limiting responses by the time I looked.

Just in case, I threw in a rate-limit { exempt-clients { k-state; }; }; where k-state is the same acl used with allow-query {} and allow-recursion {}.
Re: can't validate existing negative responses (no DS)
On 04/01/14 19:49, Lawrence K. Chen, P.Eng. wrote:
> Having problems with a particular insecure delegation (most are) from our zone file, that is only not working for local users (our caching resolvers running BIND 9.9.4-P2 or 9.9.5)
>
> But, everybody else reports its working - its working from my other location (FWIW, is the base bind for FreeBSD 9.2 - 9.8.4-P2?) Can't think of an easy way to tell if its BIND or geography
>
> In dnssec.log, I'm seeing messages of:
>
> validating @0x8063a2700: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)
> validating @0x8089d9800: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)
> validating @0x80abc9500: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)
> validating @0x8063a2700: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)
> validating @0x8089d9800: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)
>
> flushing the cache or restarting doesn't help.

So, digging into things - I turned up trace.

On my 9.9.4-P2 server: http://pastebin.com/sQKHe15p

On my FreeBSD 9.2 system at home: http://pastebin.com/JjQMG9CQ
can't validate existing negative responses (no DS)
Having problems with a particular insecure delegation (most are) from our zone file, that is only not working for local users (our caching resolvers running BIND 9.9.4-P2 or 9.9.5)

But, everybody else reports its working - its working from my other location (FWIW, is the base bind for FreeBSD 9.2 - 9.8.4-P2?) Can't think of an easy way to tell if its BIND or geography

In dnssec.log, I'm seeing messages of:

validating @0x8063a2700: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)
validating @0x8089d9800: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)
validating @0x80abc9500: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)
validating @0x8063a2700: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)
validating @0x8089d9800: click.mail.nacada.ksu.edu A: can't validate existing negative responses (no DS)

flushing the cache or restarting doesn't help.
Re: High recursive client counts
On 03/26/14 04:02, Sam Wilson wrote:
> In article mailman.2530.1395774135.20661.bind-us...@lists.isc.org, Jason Brandt jbra...@fsmail.bradley.edu wrote:
>> For now, I've disabled DNS inspection on our firewall, as it is an ancient Cisco firewall services module, and that seems to have stabilized things, but it's only been 30 minutes or so. Until I get a few days in, I'll keep researching.
>
> We used to run DNS inspection on our FWSMs. We didn't notice any issues with DNS resolution per se, but we did find that turning it off dropped the FWSM CPU from ~70% to less than 30%. We're not aware of any issues that using DNS inspection might have caused.
>
> Sam

I had to get our DNS servers exempted from our Procera, as it was interfering with DNSSEC. The security analyst said it considered some of the large encrypted UDPs as P2P.

So, every few days (less during busy times), a recursive caching query server would stop answering - where restarting it would make it work again. It was to the point where I had our monitoring system restart bind as needed.

Eventually, my manager asked about all the strange notifications. Where he then pushed it up to the CISO to get the analyst to make the change to stop interfering with DNS. They had done a test a few months earlier, and said we didn't complain then. I went back through the logs, and found that it had been interfering then...but the weekend test wasn't enough to cause any servers to stop responding.

I didn't think to see what the client counts were. Though another time when the Procera had stopped passing any traffic, the counts did get really high before they stopped working. Need to work on figuring out how to have it resolve local domains when the Internet connection is down.
Re: Bind 9.9.1 forward zone local
What happens if you remove the . after local?

On 03/25/14 12:57, Андрей Ветров wrote:
> Hello. I have a problem with forwarding zone local to ISP resolvers. My config is:
>
>     options {
>         directory "/tmp";
>         disable-empty-zone ".";
>     };
>     zone "." {
>         type slave;
>         masters { 192.0.32.132; 193.0.14.129; };
>         masterfile-format text;
>         file "/etc/bind/db.root";
>         allow-query { any; };
>     };
>     zone "local." IN {
>         type forward;
>         forwarders { DNS_IP_ISP; };
>         forward only;
>     };
>     zone "opendns.com" IN {
>         type forward;
>         forwarders { 208.67.222.222; 208.67.222.220; 208.67.220.220; 208.67.220.222; };
>         forward only;
>     };
>
> Forwarding to opendns works, dig +short myip.opendns.com returns the ip address correctly.
> Forwarding to local doesn't work, dig returns nxdomain.
> Commenting out zone "." leads to correct work of zone local.
Re: How to create a fake root server?
> of the reserved TLDs in RFC 6761.
>
> I'm not sure what your question is, exactly. Set up the root zone, slave it, publish 2 or more of the master/slaves in the NS records, delegate whatever TLD you're going to use, set up *that* zone, lather, rinse, repeat, for the entire hierarchy.
>
> Anyone who reads _DNS_and_BIND_ should be able to set up an internal-root infrastructure, IMO (although, sadly, the later editions don't seem as aligned to internal-root as they used to be).
>
> - Kevin
>
> On 3/12/2014 11:07 AM, Peter wrote:
>> Hi guys,
>>
>> I'm doing a virtual internet (internal net) for several VPS's. My goal is to simulate the Internet root servers and the ISP:s domain servers, which are hosting the actual domains.
>>
>> I want to create several DNS nameservers that will contain the specific domain under the xxx.loc, yyy.loc, zzz.loc.
>>
>> 1 server for the .loc root
>> 3 servers for xxx.loc (server1), yyy.loc (server2), zzz.loc (server3)
>>
>> Running BIND 9 at every server.
>>
>> Any suggestions or good links are highly appreciated.
>>
>> Best regards,
>> Peter
Re: Internal clients' queries for myhostname. get sent to forwarders. Why?
On 03/12/14 06:50, Tony Finch wrote:
> Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
>> If you have FQDN for machines, the problem might be that the domain isn't set in resolv.conf?
>
> The machines are configured with a bare hostname. If there isn't a search or domain directive in /etc/resolv.conf and there isn't an entry for the machine in /etc/hosts then `hostname -f` will fail.
>
> It is probably a bug that `hostname -f` does not have any ndots logic. See also RFC 1535.
>
> Tony.

Around here, the users insist on being able to only use hostname to reach everything - so our resolv.conf's have search max'd...though some systems seem to work when 7 subdomains are listed for search.

Though most of the time, we'll find that we have to ask them which subdomain they can live without to add a new one to search. One time, they removed the first one...because the department doesn't exist anymore and they don't (think they) have anything in it they need. Except that the backup jobs they run all stopped working. Yeah, the backup server is in that subdomain (and the fqdn is baked into the library catalog's Oracle DB backend, so we can never change it...though every few years they look at switching us to another vendor's product rather than upgrading...and we end up upgrading.)

Also we still have a large number of Solaris systems around...where typing 'hostname -f' would change the hostname of the system to '-f'. (or an error if not root.)

And, virtually every system here uses just hostname - since lots of people call `hostname` in their prompts, and don't like the added length of getting an fqdn. (or figuring out what they need to do to make it right.)

Though I did discover that search appends to all lookups, not just bare hostnames. Could not understand why the new SA was saying machines could be reached with hostname.campus (years ago when we started having systems with RFC1918 IPs...they decided to make up a TLD. The DNS administrator said that it wasn't possible to do split DNS, yet he didn't ask what I meant when I had asked him about it. After he quit, DNS got thrown in my lap. and .campus.ksu.edu was born, which was good, because we had a policy at the time requiring user facing sites to use Thawte certificates...which were hard to get for .campus fqdn's...but we can get for .campus.ksu.edu fqdn's, which can't be resolved from off campus (well, not fully...)

Several years ago, another admin tried to force everybody to stop using the .campus TLD. (I've joked that its only a matter of time that some one goes and registers it - or perhaps one of the other fake TLDs we used, like .wireless ;) Problem was there was a big move of Oracle DBs into the TLD...and with the name baked into the installation - renaming isn't going to happen until those systems are abandoned (though a big hardware refresh is near on the horizon...along with a network reorg for data classification.)

Though everything that was .campus is in .campus.ksu.edu (except that we had functional subdomains in .campus and functional hostnames in .campus.ksu.edu) But, a host in .campus.ksu.edu is often not in .campus (since its deprecated) And, there's a mix on which domain the reverses are pointed to - which is important for the particular system he was setting up at the time. (Some old systems have had their reverses updated, but not all users have switched to using the new forward in service requests to him)

Oh, there have been cases where we've added hostnames to /etc/hosts so that they could use bare hostnames to reach things in other subdomains - other times its to ensure the desired hostname is reached when the name exists in more than one subdomain. Some also have names that are not in DNS (not sure if they thought of CNAMEs) so they can find the application. Which was especially important before we forced a consistent functional naming scheme across our datacenter.

They were using Sith Lords to name their machines, some were very similar in spelling but significantly different functions or classifications. Probably ran out of Sith lords with names starting with p, t, d, a or b (prod, test, dev, alpha or beta). It was a whole bunch of very similar names starting with 's' that made my manager snap.
Re: Internal clients' queries for myhostname. get sent to forwarders. Why?
If you have FQDN for machines, the problem might be that the domain isn't set in resolv.conf?

from resolv.conf(5):

    domain Local domain name.
        Most queries for names within this domain can use short names relative to the local domain. If no domain entry is present, the domain is determined from the local host name returned by gethostname(3); the domain part is taken to be everything after the first `.'. Finally, if the host name does not contain a domain part, the root domain is assumed.

On 03/11/14 06:28, Tony Finch wrote:
> Andreas Ntaflos d...@pseudoterminal.org wrote:
>> Using Bind 9 on Ubuntu 12.04 for internal DNS (master for zones dc01.example.at., 7.1.10.in-addr.arpa., ...) with forwarders (ISP's nameservers) for everything outside of internal zones.
>>
>> The Problem: Clients, when running hostname -f or hostname -i, create queries for myhostname. which are sent to the forwarders which respond with NXDomain. This generates load on the forwarders and exposes our internally used hostnames, both of which seems unnecessary and possibly dangerous.
>>
>> This doesn't seem like normal or healthy behaviour. What can we do to stop it?
>
> Option 1: put the FQDN in /etc/hostname on each machine.
> Option 2: populate /etc/hosts on each machine.
> Option 3: slave the root zone on your name servers.
>
> Tony.
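Why a bare hostname ends up at the forwarders as "myhostname.", and why (as the reply above notes) the search list is appended to dotted names as well, as an added example that is not code from the thread or from glibc. It models the glibc stub-resolver search behaviour from a constructed resolv.conf (assumption: a name with at least `ndots` dots is tried as-is first and then with each search suffix, any other name the other way round, so the root-level name is the last fallback) and flags the candidates that no internal zone covers.

```python
"""Which names a stub resolver actually asks for, given resolv.conf.

Added example for the hostname -f thread; not code from the list. It models
the glibc search-list behaviour (assumption: RES_DEFNAMES/RES_DNSRCH on): a
name with fewer than `ndots` dots is tried with each search suffix first and
as an absolute name last; a name with at least `ndots` dots is tried absolute
first, then with each suffix. The last fallback for a bare hostname is the
root-level name "myhostname.", which no internal zone covers, so a resolver
with forwarders sends it to them.
"""

# Constructed resolv.conf, modelled on the internal-zone setup in the thread.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real file
nameserver 10.1.7.53
domain dc01.example.at
options ndots:1 timeout:2
"""

# Zones the internal BIND is authoritative for (from the thread).
INTERNAL_ZONES = ["dc01.example.at.", "7.1.10.in-addr.arpa."]


def parse_resolv_conf(text):
    """Return (search_list, ndots); 'domain' and 'search' override each other, last wins."""
    search, ndots = [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        args = parts[1].split() if len(parts) > 1 else []
        if key == "domain":
            search = args[:1]
        elif key == "search":
            search = args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt[len("ndots:"):])
    return search, ndots


def query_candidates(name, search, ndots=1):
    """Fully qualified names tried, in order, for a user-supplied name."""
    if name.endswith("."):
        return [name]                       # already absolute: no search list
    absolute = name + "."
    via_search = ["%s.%s." % (name, d.rstrip(".")) for d in search]
    if name.count(".") >= ndots:
        return [absolute] + via_search      # dotted enough: as-is first
    return via_search + [absolute]          # bare name: suffixes first, root last


def leaves_internal_zones(candidates, internal_zones=INTERNAL_ZONES):
    """Candidates no internal zone is authoritative for; these reach the forwarders."""
    def inside(fqdn):
        return any(fqdn == z or fqdn.endswith("." + z) for z in internal_zones)
    return [c for c in candidates if not inside(c)]


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for name in ("myhostname", "host.campus", "db.dc01.example.at."):
        cands = query_candidates(name, search, ndots)
        print("%-22s tries %s; forwarded: %s"
              % (name, cands, leaves_internal_zones(cands)))
```

Tony's three options all work by making an earlier candidate answer (an /etc/hosts or FQDN hit) or by answering the root-level candidate locally (a slaved root zone), so the last entry never reaches the forwarders.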
Re: disabling stateful firewalls for DNS traffic
This is March, right?

I probably should've tried this on one DNS server, instead of all of them.

I removed state tracking on outbound to port 53 traffic - and nothing could be resolved. And, couldn't fix without manual intervention, as cfagent (cfengine) couldn't resolve its policy server. And, as soon as I fixed one system - I started getting the flood of pages from our nagios :)

Hmmm, I guess in order to have no state tracking on outbound...I would need to open the inbound wide, because it can't use state tracking to decide if something coming back to a random port is supposed to be coming back.

I guess I was kind of hoping that this might be the answer on why two of my resolvers get inconsistent results on reply size testing. It either says somewhere around 3830+/-10 or it'll say only 1086 bytes. run a watch on the command every 61 seconds. Its probably something else that's causing the issue...the main obvious difference is that these two servers are behind our F5.

On 03/01/14 08:30, Chuck Anderson wrote:
> In the following two Best Practices documents, it is recommended to disable stateful firewalls for DNS traffic (outbound on recursive servers, and inbound on authoritative servers). Can people share their Linux iptables configurations for how they have accomplished this?
>
> https://deepthought.isc.org/article/AA-00874/0/Best-Practices-for-those-running-Recursive-Servers.html
>
> Disable the use of stateful firewalls/packet filters on your servers for outbound query traffic (iterative queries made by a recursive server to authoritative Internet servers). Administrators often consider the impact of stateful firewalls and load balancers on inbound client queries, but then fail to consider their impact on resolver query traffic.
>
> https://deepthought.isc.org/article/AA-00892/0/Best-Practices-for-those-running-Authoritative-Servers.html
>
> In most instances we would not recommend the use of inbound packet filtering for authoritative nameservers, Response Rate Limiting is the recommended solution. However there are some circumstances where filtering at very high inbound packet rates can be helpful - please contact ISC if you think you might benefit from our operational experience in this area.
>
> The typical vendor defaults I've seen don't follow this advice. For example, on Red Hat-like servers, stateful rules like the following are often implemented with rules added to non-open recursive servers to allow only your internal network to connect to port 53:
>
>     *filter
>     :INPUT DROP
>     :FORWARD DROP
>     :OUTPUT ACCEPT
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -m icmp -p icmp --icmp-type any -j ACCEPT
>     -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -s $INTERNALNET -j ACCEPT
>     -A INPUT -m state --state NEW -m udp -p udp --dport 53 -s $INTERNALNET -j ACCEPT
>     -A INPUT -j LOG
>     -A INPUT -j REJECT --reject-with icmp-host-prohibited
>     -A FORWARD -j LOG
>     COMMIT
>
> and for authoritative-only servers allowing any sources to connect to port 53:
>
>     *filter
>     :INPUT DROP
>     :FORWARD DROP
>     :OUTPUT ACCEPT
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -m icmp -p icmp --icmp-type any -j ACCEPT
>     -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
>     -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
>     -A INPUT -j LOG
>     -A INPUT -j REJECT --reject-with icmp-host-prohibited
>     -A FORWARD -j LOG
>     COMMIT
>
> How should these rules be changed to adhere to the Best Practices while not breaking anything and still allowing the servers to do their own DNS lookups? I know theoretically how I would do this, but I'm looking for others' experiences.
>
> Thanks.
retransfer zone from stealth master
Noticed some zones weren't transferring, so I tried to see what was up.

The logs show its polling the published master (one of my secondaries), which fails since it doesn't have the zone yet. None of my secondaries have it yet.

I was on vacation when the domains were set up, though I had provided instructions on how to do this very task before I left, along with other instructions, since the request was how do I setup a new secondary...in the context of DDoS...which I first read as another secondary authoritative nameserver (which didn't make sense to me...since there are other things outside of our group's control that are needed.) I later decided the real request was how to make our secondaries slave to a departmental nameserver, so that there will still be accessible authorities for their (sub)domains after their port 53 gets blocked at the border. Which was that its the same as the last part of our adding a new domain to our DNS wiki document, except that instead of slaving from our master nameserver, its slaving from the departmental master.

Anyhoo...

How can I get an initial transfer of the zone from a stealth master? Or do I have to wait to get the administrator of the master to give it another kick?

masters {}; contains the IPs for both departmental nameservers, plus the IP for ns-1.ksu.edu, but logs show its only trying to transfer from ns-1.ksu.edu. Often, due to historical reasons, some departments only notify ns-1.ksu.edu, leaving me to also-notify my other secondaries, etc.

masters {} also used to contain every server that could act as an authoritative source...even if the instance was host-only (the admin wanted a local recursive caching resolver instance, created a full blown authoritative with recursive caching query resolver that only responds to localhost) I think there are 8 of these still in existence. They were to be refreshed or eliminated in the near future ~5 years ago (I did remove one or two from my pseudo-script to update bind everywhere, last year...)
Re: retransfer zone from stealth master
Guess I had something wrong in my named.conf, just now 'rndc retransfer' worked, because after some change at 2:04pm it tried more IPs - including the actual master.

I suppose I should've expected to see it continue to attempt to refresh the zone, as it started doing for another zone I had setup at the same time, where the refresh from departmental servers is failing with "non-authoritative answer from master ..." Instead of just a single poll of my ns-1.ksu.edu when an 'rndc reload' was done.

Probably because for some reason, yesterday I was typing out the added zone entries completely by hand, instead of the normal copy-paste-modify way I normally do things.

On 02/26/14 09:42, Phil Mayers wrote:
> On 26/02/14 14:57, Lawrence K. Chen, P.Eng. wrote:
>> How can I get an initial transfer of the zone from a stealth master? Or do I have to wait to get the administrator of the master to give it another kick?
>
> rndc retransfer?
Re: BIND 9.10.0b1 has been released.
On 02/26/14 10:01, Evan Hunt wrote:
> On Wed, Feb 26, 2014 at 12:44:37PM +, G.W. Haywood wrote:
>> Many of us seek no excitement at all in our working day.
>
> We're here for you, too. BIND 9.9 is an extended support version, it won't reach end-of-life until at least 2017, and we won't add new features to it unless there's a darned good reason. (Even then, we'll generally put them behind #ifdef's, as with --enable-rrl, so you can build without them.)
>
> Gotta put new stuff somewhere, though, or we'd all still be using BIND 4. :)

Except that security patches haven't been going into BIND 4 for some time (though I vaguely recall hand patching security patches into bind on RedHat 7.3 in response to the Kaminsky DNS Vulnerability.)

Which was after I had upgraded servers at work from Bind 9.3.x, because upgrading from openssl 0.9.7 on those systems wasn't possible as it would break other packages on there. Though the former admin said there was probably a new flag I needed to use to make it build against that ancient version of openssl. I looked to see what package was the problem - pre-Solaris 10 we deployed systems with our own build of sshd, and trying to remove and add openssl/sshd while ssh'd into the box is hard. So, I upgraded those systems from the console...later those machines were replaced with Solaris 10 systems, where we stayed with the system sshd. So, upgrading openssl is less scary.

It also helps that with Solaris 10, we went from bind in a chroot to bind in a DNS only Solaris container (the only two packages that depend on openssl are bind and nrpe.)

I recall there was some reason to upgrade from 9.6 to 9.7...so that we didn't go to 9.6-ESV. Possibly DNSSEC related.

Of course, I'm looking at some of the new features in 9.10 and I'm thinking that they might be something we'll want when its stable.

OTOH, our DHCP servers are still running v3.0.4. (since a month before I started in 2006...) I had offered to upgrade them to something newer at various times (and bring them under our configuration management system -- like I'm doing for a smaller site. They already have all the common configuration, pools/reservations, in separate files, but currently they make edits by hand on each server separately - we've had outages due to mismatches.), but they keep saying some year (since summer 2011) they'll come up with money to replace them with appliances.
Re: changing NSEC3 salt
On 02/06/14 15:07, Timothe Litt wrote:
> On 06-Feb-14 09:14, Klaus Darilion wrote:
>> On 06.02.2014 14:58, Cathy Almond wrote:
>>> On 06/02/2014 12:58, Timothe Litt wrote:
>>>> On 06-Feb-14 05:56, Cathy Almond wrote:
>>>>> On 05/02/2014 18:54, David Newman wrote:
>>>>>> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone's ZSK changes. Is this just a matter of a new 'rndc signing' command, or is some action needed to remove the old salt?
>>>>>>
>>>>>> thanks
>>>>>> dn
>>>>>
>>>>> rndc signing -nsec3param ...
>>>>>
>>>>> I would expect the old NSEC3 chain and old NSEC3PARAM record to be removed, once the new chain is in place. (Similarly, the new NSEC3PARAM record will not appear in the zone until the new NSEC3 chain has been completely generated).
>>>>>
>>>>> Cathy
>>>>
>>>> This seems silly. Why should a person have to select a salt at all? It's just a random number, and people are really bad at picking random numbers. Seems like a miss in 'DNSSEC for humans' :-)
>>>>
>>>> There should be a mechanism to tell named to pick a random number and use it for the salt. (I suggest '*' - '-' already means 'none'.) named already has to know how to get random numbers, so this should not be difficult. It should work for records supplied in UPDATE transactions as well as rndc signing. A bit more work to have it function when loaded from a zone file, though that doesn't seem unreasonable. (E.g. if read from a zone file, pick a salt, treat the record as if loaded with that value, and do all the requisite (re-)signing.)
>>>>
>>>> I'm copying bind9-bugs so this doesn't get lost. Please don't copy that list if you comment on this. (Careful with that 'reply all'!)
>>>>
>>>> Timothe Litt
>>>> ACM Distinguished Engineer
>>>
>>> Sounds like a good idea - thanks.
>>
>> Indeed. It would also solve the theoretical problem of NSEC3 hash collisions (see my email from 3. Feb 2014)
>>
>> regards
>> Klaus
>
> Not quite. It would enable a solution, but it doesn't solve it unless named also checks for a collision, picking a new salt and re-trying in that case. That would be a good idea (though creating a test case would be a good student challenge). [If it isn't tested, it doesn't work...]
>
> Note also the RFC 5155 recommendation:
>
> The salt SHOULD be at least 64 bits long and unpredictable, so that an attacker cannot anticipate the value of the salt and compute the next set of dictionaries before the zone is published.
>
> In case it wasn't obvious, I should have noted that the length would be a config file entry.
>
> Timothe Litt
> ACM Distinguished Engineer

Interesting; I guess I need to keep up more on these things. I haven't changed my NSEC3 salt since I initially set up DNSSEC here, and it seemed to me that the document I was working off of back then said 4 hex characters. Which probably made it extra hard for me to come up with a random number. So, it's totally non-random... all I did was take the hex for two (well-known) letters for my salt.

Since the salt is 'public', I'll say it: my salt is KS, or 4b53.

So now to think of how to add NSEC3 salt changing to my current automation scripts.
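As an added example (not code from the thread), a small POSIX shell helper that does from a script what Timothe asks named to do itself: draw a salt of a configurable length from /dev/urandom and build the `rndc signing -nsec3param` command that installs it, refusing any salt shorter than the 64 bits RFC 5155 recommends (the 16-bit `4b53` above would be rejected). The zone name, the iteration count and the `roll_salt` wrapper are placeholders of mine.

```sh
#!/bin/sh
# Added example: generate a random NSEC3 salt and build the rndc command that
# rolls the zone to it. Not code from the thread; zone and iterations are placeholders.

# Minimum salt size recommended by RFC 5155 section 3.1.1 (64 bits = 8 bytes).
MIN_SALT_BITS=64

# Print the bit length of a hex salt, or 0 for '-' (NSEC3's "no salt").
# Fails for anything that is not an even-length hex string.
salt_bits() {
    salt=$1
    if [ "$salt" = "-" ]; then
        echo 0
        return 0
    fi
    case "$salt" in
        *[!0-9a-fA-F]*|"") echo "salt_bits: '$salt' is not hex" >&2; return 1 ;;
    esac
    [ $(( ${#salt} % 2 )) -eq 0 ] || { echo "salt_bits: odd hex length" >&2; return 1; }
    echo $(( ${#salt} * 4 ))
}

# Return 0 when the salt meets the RFC 5155 minimum length, 1 otherwise.
salt_ok() {
    bits=$(salt_bits "$1") || return 1
    [ "$bits" -ge "$MIN_SALT_BITS" ]
}

# Generate N random bytes as lowercase hex (default 8 bytes = 64 bits).
gen_salt() {
    nbytes=${1:-8}
    # od prints each byte as two hex digits; tr strips the spaces and newlines.
    head -c "$nbytes" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Build (but do not run) the rndc command that re-chains the zone with a new salt.
# Arguments: zone, iterations, salt, optional NSEC3 flags (0 = no opt-out).
# Hash algorithm 1 (SHA-1) is the only one defined for NSEC3.
nsec3_rndc_cmd() {
    zone=$1; iters=$2; salt=$3; flags=${4:-0}
    salt_ok "$salt" || {
        echo "refusing salt '$salt': shorter than $MIN_SALT_BITS bits" >&2
        return 1
    }
    echo "rndc signing -nsec3param 1 $flags $iters $salt $zone"
}

# Placeholder wrapper: print the command for a fresh 64-bit salt on ZONE.
# Usage: roll_salt example.test 10
roll_salt() {
    zone=$1; iters=${2:-10}
    nsec3_rndc_cmd "$zone" "$iters" "$(gen_salt 8)"
}
```

Pipe the printed command to `sh` only once the zone is under `auto-dnssec maintain`, so named can build the new chain before dropping the old NSEC3PARAM as Cathy describes.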
Re: I may be confused regarding sub delegated zone
> .example.com and then from there ns record of subdom.example.com will be given? Or will it directly be forwarded to n2.example.com?
Re: Upgrading from 9.8.3 to 9.9.4
On 01/16/14 16:39, Mike Hoskins (michoski) wrote:
> -----Original Message-----
> From: Mike Bernhardt <bernha...@bart.gov>
> Date: Thursday, January 16, 2014 4:09 PM
> To: bind-users@lists.isc.org <bind-users@lists.isc.org>
> Subject: RE: Upgrading from 9.8.3 to 9.9.4
>
>> Sorry for the double post, but I forgot to ask this: And if it is indeed enabled regardless of my RFC1918 ranges, I would imagine that for my internal servers which have those ranges, I would want to add disable-empty-zone .; to my global options? And for my external-facing server which of course has no RFC1918, I would leave it to the default setting?
>
> You don't have to do this. BIND won't enable the empty zone if you already have it defined.

The problem I was referring to is mentioned in the feedback to this KB article:

https://kb.isc.org/article/AA-00803/0/Why-are-queries-for-some-PTR-records-no-longer-forwarded-since-upgrading-to-BIND-9.9.0.html

Though, from the 9.9.4 Release Notes, that's probably addressed by this bug fix:

    Fix forwarding for forward only zones beneath automatic empty zones. [RT #34583]
Re: Upgrading from 9.8.3 to 9.9.4
IIRC, the main change I ran into when I upgraded to 9.9.2-P1 (from 9.7.6-P4) was the change in default for empty-zones. All are enabled by default, including RFC1918 ranges, whether you have any defined or not.

On 01/14/14 12:16, Mike Bernhardt wrote:
> Is there anything I need to know regarding changes in default operation when upgrading from 9.8.3 to 9.9.4? I'm specifically looking for changes that must be addressed in named.conf options in order to keep an upgrade as transparent as possible.
>
> Thanks,
> Mike
Re: Sites that points their A Record to localhost
On 01/13/14 03:43, Barry Margolin wrote:
> In article <mailman.2022.1389603219.20661.bind-us...@lists.isc.org>, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>>> On Jan 11 2014, Joseph S D Yao wrote:
>>>> (2) There is no requirement that a domain name refer to the Web site for that domain. I personally don't like that (for no special reason), and neither apparently does the owner of this domain, who forces people to go to the trouble of typing in www.p3net.net to get to his or her Web site.
>>
>> On 12.01.14 15:04, Chris Thompson wrote:
>>> That would be more plausible if www.p3net.net actually resolved to something, rather than giving NXDOMAIN ...
>>
>> why? If it's not supposed to work, it should give NXDOMAIN instead of fake record (including localhost).
>
> That's his point: they're not forcing people to go to the trouble of typing in www.p3net.net, because there is no such record.

OTOH, some of us think the notion that all websites have to begin with www. is dated. I want the site to work without the 'www.' I find it annoying that I keep running into sites where only www.domain.name works; worse are the ones where the domain name alone does something else...

Though there used to be an enforced policy here: when you requested a website name to be added to DNS, you got both with and without www forms auto-magically. As well as being in both our domains.

Can cause problems with sites that do SSL; they've always been known only by one name, but since the other forms exist and somebody out of the blue tries one... and they typed https:// first, well, now it's somebody's problem that it resulted in an SSL error. Including the person that was just following policy.

Seemed to me that there are mailservers that reject mail from domains that claim to be localhost (or perhaps it's sites like these that result in some sites rejecting such domains?)

What's p3net.net?
Re: A Few Additional Words About CVE-2014-0591
Hmmm, what I vaguely recall from my software engineering days was that memcpy() didn't ever handle overlapped memory buffers and that you should consider memmove() in such cases. Doesn't really make sense that it should, though I think I first learned about this during a code review. Don't recall if I had lazily used it once or if it was something an intern had done, but it was a co-worker that had caught it.

On 01/13/14 13:13, Michael McNally wrote:
> Hello, Bind-Users Readers --
>
> Since you are all subscribers to bind-announce as well [You are, aren't you? It's where we make announcements about security vulnerabilities and about new versions of BIND] you are probably already aware that ISC has announced CVE-2014-0591, a vulnerability which can cause BIND to crash while servicing certain queries against an NSEC3-signed zone.
>
> The official announcements can be found in bind-announce or at: https://kb.isc.org/article/AA-01078
>
> and new versions of BIND which patch the vulnerability can be found at http://www.isc.org/downloads
>
> But we'd like to point out a few additional facts about this advisory which you might find relevant.
>
> 1) Security Patches Are Ending for the BIND 9.6-ESV Branch
>
> Back in 2012 we announced our intention to retire the 9.6-ESV branch in 2013. We previously extended the EOL (End of Life) date for 9.6-ESV by six months but those six months are almost over and the rescheduled EOL date for 9.6-ESV is upon us. Unless there are extraordinary circumstances justifying it, 9.6-ESV will not receive future security patches and 9.6-ESV-R11 is the last version planned in the 9.6-ESV sequence.
>
> BIND 9.9 was designated an ESV version of BIND in May 2013. Users who require long-term support for their version of BIND should migrate to BIND 9.9.
>
> 2) Vulnerability to CVE-2014-0591 is OS and libc Dependent
>
> We have issued a general warning for the bug that causes CVE-2014-0591, because with security it is better to be safe than sorry, but per our developer's analysis, the bug (which causes an INSIST crash in name.c) can only be triggered on servers using a memcpy call that behaves in a certain fashion. This bug went undiscovered until recently because under most memcpy implementations the software behaves safely. However, recent optimizations to glibc's memcpy have exposed the underlying bug on systems using newer versions of glibc.
>
> To date our reports of CVE-2014-0591 crashes have all been from Linux users using glibc version 2.18, but because of the multiplicity of Unix-like operating systems and C library variants we cannot represent all others as safe. The safest course of action is to patch the underlying bug and ensure that your server is not vulnerable regardless of memcpy optimizations, but we do believe that users are unlikely to encounter this crash on older glibc versions or on non-Linux operating systems that do not use glibc.
>
> Slightly more information about this is available in our CVE-2014-0591 FAQ and Supplemental Information article in the ISC Knowledge Base: https://kb.isc.org/article/AA-01085
Re: which end does the problem exist?
On 2013-12-19 14:54, /dev/rob0 wrote:
> On Thu, Dec 19, 2013 at 02:48:59PM -0600, Lawrence K. Chen, P.Eng. wrote:
>> Got reports that users are unable to send mail to usda.gov sites using our campus SMTP server (where we have usda.gov sites on campus.) The users have said they were able to send using other servers like Google and Microsoft.
>>
>> When I look at my system, it's unable to resolve the domain name.
>>
>> Dec 19 14:51:43 chestnut named[11604]: validating @0x7f17880be380: usda.gov DNSKEY: no valid signature found (DS)
>
> DNSSEC failure on their end.

I had checked my dnssec.log, but nothing for usda.gov in it... but now that I look closer, the file hasn't updated since Jan 29th; seems somebody changed the resolv.conf on my smtp servers... so I've been looking at the wrong caching servers.

Guess this latest problem with usda.gov started around 10:16 CST... though there are errors logged going back to Nov 19 (the first log line is Nov 17 00:16, and the 10M file before has nothing for usda.gov, from Nov 14 18:46... wonder if I dare keep more dnssec logs.)
Re: BIND9-ARM (HTML) feature request: better hyperlinking in/of chapter 6
So does this mean there could be a Kindle edition of it?

Having impulsively snapped up a new Kindle Paperwhite (2nd Gen) for $19 (WiFi only), when I originally had no plans to do so... since I had only jumped in on using the first gen Kindle Paperwhite 3G a few months ago (before that I had a Kindle 2.)

I sent the PDF to my Kindle once... don't even want to think about it even if I'm in a bind. Though I had at one time thought about trying to read it cover to cover.

On 2013-11-21 09:14, /dev/rob0 wrote:
> On Wed, Nov 20, 2013 at 09:43:40PM, Evan Hunt wrote:
>> On Wed, Nov 20, 2013 at 03:27:59PM -0600, /dev/rob0 wrote:
>>> Looking at the HTML source for the Table of Contents, it seems like someone had this idea before but didn't follow through. There are numerous links to plain-language anchors amidst mostly the id25x anchor names. (These probably had something to do with the DocBook XSL Stylesheets V1.71.1 generator.)
>>
>> Note that the HTML isn't the source, it's generated from doc/arm/Bv9ARM-book.xml and from the various .docbook files throughout the source tree.
>
> Right, I figured. It seems that I might add id tag modifiers to various sectX and command and optional tags, and that would at least create the anchors. The daunting part is that I'm not sure what this will do:
>
>     <command id="some-named.conf-setting">some-named.conf-setting</command>
>     ...
>     See <xref linkend="some-named.conf-setting"/>
>     ...
>
> because at this point, it looks like the only anchors are in section headers. Perhaps more code will have to be added to properly deal with these links? Or is there some other xref modifier which would do it? (I suppose I can try it and see what happens.)
>
>>> I might try to work on this myself, but I thought I should toss the idea out for comments and suggestions first. Specifically, I suppose that whatever work that is done should be compatible with the DocBook source and other BIND9-ARM formats.
>>
>> We'd certainly be glad to have help with it.
>
> hehe, oops, I guess I'm committed now :)
Re: Listen queue overflow
On 2013-11-18 17:57, Lawrence K. Chen, P.Eng. wrote:
> On 2013-11-14 17:04, Mark Andrews wrote:
>> In message <fd9b2cb2b33e394fae3b7466954760571d666...@dfwx10hmptc01.amer.dell.com>, vinny_abe...@dell.com writes:
>>> Hi Everyone,
>>>
>>> I recently had a recursive server running BIND 9.9.4 on FreeBSD 9.2 appear to wedge and stop responding to clients. I had a flurry of these errors on the console:
>>>
>>> sonewconn: pcb 0xfe007211d930: Listen queue overflow: 16 already in queue awaiting acceptance
>>
>> You can tune tcp-listen-queue in named.conf. The current default is 10.
>>
>>> Thanks!
>>> -Vinny
>
> My logs have been filling up with
>
> sonewconn: pcb 0xfe02bb7187a8: Listen queue overflow: 10 already in queue awaiting acceptance
>
> Which seems to have started since upgrading to FreeBSD 9.2 (though there have been other changes, but on the email front... so looking at BIND hadn't crossed my mind at all until I spotted this thread), though it's only on one server, so I had been hunting around trying to figure out where it's been coming from.

So, digging around further: 16 is QLEN, and the message is shown when QLEN is 3 * QLIM / 2. So, QLEN = 16 for QLIM = 10 is right.

So, I need to find something with QLIM = 6 in my case? Hmm, my proxy server. Which seemed to be the only thing busy at the same time as when these messages appear in my logs.

Meanwhile... I had this happen today...

    sonewconn: pcb 0xfe00a7367930: Listen queue overflow: 5 already in queue awaiting acceptance

Which does correspond with QLIM=3, where tcp-listen-queue's minimum and default was 3... until 9.9, where its minimum and default became 10.
Re: Listen queue overflow
On 2013-11-14 17:04, Mark Andrews wrote:
> In message <fd9b2cb2b33e394fae3b7466954760571d666...@dfwx10hmptc01.amer.dell.com>, vinny_abe...@dell.com writes:
>> Hi Everyone,
>>
>> I recently had a recursive server running BIND 9.9.4 on FreeBSD 9.2 appear to wedge and stop responding to clients. I had a flurry of these errors on the console:
>>
>> sonewconn: pcb 0xfe007211d930: Listen queue overflow: 16 already in queue awaiting acceptance
>>
>> I couldn't trace that directly back to the named process by the time I looked at it, but I suspect that's what it was since it's really the only thing this machine is used for and it stopped working. It seems to have oddly become unstuck when I logged into the machine and started looking around. I never restarted named. Everything else on the server was running normally from what I could tell and no other errors existed that I could find. Unfortunately my logs rolled over too fast to check if named had logged anything else interesting.
>>
>> From what I've found in googling, this is an OS level error stating the process isn't accepting new TCP connections and it's an application fault. I've only ever seen this on this particular machine, and just this once. My other recursive servers are running older versions of FreeBSD.
>
> Or it's just a plain DoS attack. For any service it is possible to send tcp connection requests faster than the service can handle it.
>
>> Has anyone come across this before and know how to prevent or correct this properly?
>
> You can tune tcp-listen-queue in named.conf. The current default is 10.
>
>> Thanks!
>> -Vinny

My logs have been filling up with

    sonewconn: pcb 0xfe02bb7187a8: Listen queue overflow: 10 already in queue awaiting acceptance

Which seems to have started since upgrading to FreeBSD 9.2 (though there have been other changes, but on the email front... so looking at BIND hadn't crossed my mind at all until I spotted this thread), though it's only on one server, so I had been hunting around trying to figure out where it's been coming from.

The hex number doesn't correspond to any socket that shows up with lsof, though the sockets that lsof shows bear some resemblance. Doing lsof -i -T fqs and looking at QLIM=, I had thought sendmail was the culprit since its default listen queue is 10. But bumping it to 128 didn't stop the messages. And, I couldn't find any other sockets this way with QLIM=10.

The sockets associated with named... the tcp domain sockets have QLIM=3 and the rndc socket has a QLIM=128. For these systems, they're all running the system BIND (9.8.4-P2).

    named 1276 bind 20u IPv4 0xfe00a73697a0 0t0 TCP zen:domain (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=3,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)
    named 1276 bind 21u IPv4 0xfe00a73693d0 0t0 TCP zen2:domain (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=3,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)
    named 1276 bind 22u IPv4 0xfe00a738b3d0 0t0 TCP localhost:domain (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=3,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)
    named 1276 bind 23u IPv4 0xfe00a75223d0 0t0 TCP localhost:rndc (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=128,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)

FWIW, the only socket with QLIM=16 on my system is upsd (nut).
filter-aaaa-on-v4
I finally turned this feature on when I built bind-9.9.3-P2.

Had only gotten the occasional user complaint that some browser/client tries to connect to IPv6 and fails. Because our IT Security group doesn't allow IPv6 and is/was blocking tunneling protocols on campus.

As a side effect, my NTP servers are happier, since all #.pool.ntp.org (where # is 0-3) now resolve to usable addresses.

Why 4? If you only have one NTP server, you know what the time is, but you don't know if it is correct. If you have two servers, you won't know what time it is. With 3, you can have a pretty good idea of the correct time, until one breaks. So, 4 gives you a good idea of what the correct time is, even if one breaks. Though I had seen another article suggesting sets of 3's (3,6,9,12). Only 0-3 are defined with the pools, so that's what I go with.

Problem is that they have been putting all the IPv6 NTP servers in pool 2, along with some IPv4 ones. And, most of the time when I start ntpd, it picks an IPv6 one from 2. Had a server where one of the others was intermittent, so it was going between 2 or 3 servers (and, of course, I put my NTP servers in Nagios... so I get alerted when this happens, which had been fine for months, until the system got rebooted for OS updates.)

Just restarted it again, and saw it found 4 servers... wish I had thought of this sooner.

Wonder if I should do this at home? Guessing it's not enabled in the system bind, so I'll have to switch to using ports.
Re: filter-aaaa-on-v4
Well, drifting away from bind now...

----- Original Message -----
> FWIW, you could also add -4 to ntpd args or use -4 prefix in ntpd.conf.

I was positive that I had that set, but I see now that somebody had made our cfengine system force different options on ntpd, which doesn't include -4... evidently about 2 years ago... and not as part of our ntp promise. And, I had changed the order of some of our cfengine promises recently.

Oh well, our cfengine's days are numbered. Ran into another oddity in a different cfengine promise today... where I fixed something for a few servers, and it broke a dozen other production servers. (Last year this same collection of hacks copied 0-length passwd files everywhere; that was no fun recovering from.) Maybe the planned forklift upgrade of our entire enterprise servers will be a good thing, providing we get time to do the same to our processes.

Some of the problems with our cfengine are that it was a rushed replacement for the old way of doing things, because the old forgotten server that did it had died (~6 years ago.) So, there were a lot of quick and dirty things being done, and new stuff often mirrors that approach.

When I set up cfengine at home, I had started around the idea of following how things were done at work to get it started, but quickly decided to not do it that way. Of course, it's taken far longer than I had expected to get to where I'm at with the setup at home, and probably still miles away from getting to where I at least want it to be. Though it probably still doesn't quite follow what the designers expect. Some of how I do things at home is trickling back into the system at work, but it's clearly too fragile now to be making any more changes to it.

As for at home, it's strange that the manpage for ntpd on FreeBSD doesn't have -4 (or -6)... but ntpd -h shows it. In fact I see lots of switches the manpage didn't mention; makes me wonder if I could've solved some other issues I had with it on a gov server we support, without resorting to building openntpd from ports (though the google searches had also pointed to using that to resolve the issue.) Guess the ntp.conf manpage mentions -4, but I hadn't thought to look at it before.

I'm kind of a newbie on running ntp servers. There used to be 4 hardware NTP sources, but then it became 3, and then 2. We'd have machines that differed enough in time between each other to cause problems... but those were things that happened to provide NTP, so it didn't seem important that we needed more (when they're moving to reduce to fewer systems of greater densities.) I remember now that there was a poster at last year's LISA that talked about NTP servers in 3's.

I have toyed with trying to find a cheap Stratum-1 server for home.

Off to update my ntp configs at home; at least I have a better feel on how cfengine will behave, though I only have two servers, because I only have 2 broadband connections... though maybe a new router for one or both is in the works. The router had been rock solid for months; think it claimed 240 days uptime (the old router I had cron reboot once a week, and sometimes it would get to where cron fails... so it goes until I have to reboot it... other times the watchdog kicks in and reboots it... until it reached a point where watchdog reboots were more frequent than 7 days. Approached daily. My other broadband connection is still using the same old router [years ago I had purchased a pair of new routers... left them on a shelf for a year before finally switching both over]) Anyways... a couple weeks ago I decided to update the firmware, even though it even said if things are working fine there's no reason to update. Now I can't log into it; though it's still running fine, I just can't make any configuration changes.

Though doing IPv6 at home might be a bit more work than I have free time for. Though recalling picking up a router last year, doesn't sound like it does IPv6.
Re: ZSK rollover weirdness
- Original Message - On Fri, Sep 6, 2013 at 1:32 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote: So, can I just remove the Revoke line (is there an option in dnssec-settime to do this?) and have things fixed... guess dnssec-settime -A none -R none will remove itbut guessing there's more to fixing my current mess? Adding the revoke bit was not useful, but wasn't in and of itself harmful. The harmful part, and what likely was the cause of validation errors, was that you began exclusively signing your zone contents before it had been pre-published long enough for versions of the DNSKEY RRset without the key to expire in cache. Here's what I see: 2013-09-04 19:15 UTC only ZSK with id 14565 exists and is signing zone http://dnsviz.net/d/ksu.edu/UieG7w/dnssec/ 2013-09-05 01:38 UTC new ZSK with id 44538 is signing, as is now revoked key 14565 (now with id 14693) http://dnsviz.net/d/ksu.edu/UifggA/dnssec/ Somewhere between that roughly six-hour period, the new ZSK was introduced and the RRSIGs made by the new ZSK became the only useful ones since the old key had been marked as revoked. Now consider a validating resolver that retrieved the DNSKEY RRset at 2013-09-04 19:15 UTC. The TTL suggests it can be cached for 24 hours--that is, 18 hours after DNSViz first notes the presence of the new ZSK and RRSIGs that can only be validated by that new ZSK. This example validating resolver will now have issues validating names in ksu.edu until the cache expires 24 hours after new ZSK was introduced. Such is the window for failure. Regards, Casey Yeah, there were two problems at play here...I mentioned that the activation of the new new key and revocation of the old key ended up on the same day (made worse because -A was also added, fortunately the 'd' was omitted, or it would've been a more widespread and noticeable disruption)...and that it got introduced in a quick mod in late Marchwith no testing. 
This is not the first problem I've had to fix (though my fix also broke something else, which I didn't notice because it didn't break until I deployed the script into production. Probably could've been avoided if the PHONY targets in the Makefile had been declared as .PHONY). And, that the '-R' was subtracting what I had for '-I', with some adjustments. This was back when the idea was that I shouldn't be the only person that knows everything about our DNS; that was before I found myself to be the only one left. They used to joke that if I left, they'd have to close the University because I'm the only one who knows about the obscure stuff that others dislike... like nagios, cacti, cfengine, NTP, DNS, email. Guess they were right, we're still open now that it's just me.

I had rather arbitrarily set -D to +120d, subtracted 15 days to get -I of +105d, even though I knew 3 months is usually greater than 90d. But there would still be over a week, since -I comes after the new ZSK. Though it did occur that 90d was bad for -R... (there were many commits to subversion as it was tweaked...)

The second problem was that last October/November was when we started feeling the pain of DDoS attacks on our nameservers. Guess it was my fault that I had upgraded the servers to faster hardware, and gigabit NICs. At that time, due to licensing for a security appliance, our 10gig pipe was capped to 2gig. Though our F5 is only capable of 1gig and two of my authoritative-only nameservers are in the datacenter behind it (which wasn't too bad, as until recently the datacenter was only on a 2gig link to our 10gig core). So the maximum traffic that could hit my nameservers is 2gig... which was also the maximum for our campus. By spring this was happening quite regularly... and starting to cause noticeable problems. They have since upgraded the license to allow up to 4gig in and out of campus...

No word on whether a new F5 will happen; twice I was asked to get quotes but then meetings were cancelled. Also don't know what had become of the datacenter network audit, which was to reorganize vlans in the datacenter (there's 41 vlans tagged to the F5, and probably more than that in additional vlans, though some seem kind of silly, like cluster interconnects). Current F5 can do up to 2gig, though would have to switch from fiber links to bonded copper... and not sure if the packet capture box in front of the F5 can handle that.

So, during the summer, the IT Security group decided to block port 53 at the border, and then allow only known (outside facing) authoritative servers to get connections on port 53 (at least they seem to have understood that DNS is both tcp and udp). However, they didn't know about the unknown authoritative-only nameserver, the one that our off campus secondaries receive notifies from and are supposed to do zone transfers with. Was one of the first things I noticed when the comcast DNS problem was reported in the evening.
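Added example (not code from the thread or from BIND): a check that reads the timing metadata dnssec-keygen/dnssec-settime write at the top of a K*.key file and applies the rule Casey and Tony describe above. A ZSK has to sit in the DNSKEY RRset for at least one DNSKEY TTL before it starts signing, a Revoke date has no business on a ZSK, Revoke must not come before Inactive (otherwise the key keeps signing while flagged revoked), and the key must stay published for a TTL after it stops signing. The 86400-second DNSKEY TTL is the value quoted in the thread; the metadata for key 44538 is copied from the thread, and the "fixed" variant is constructed to show what "-A +7d" would have produced.

```python
"""Check dnssec-keygen timing metadata against the pre-publish ZSK rollover rule.

Added example; not code from the bind-users thread or from BIND. Reads the
"; Publish: ..." style comment lines of K<zone>.+<alg>+<tag>.key files.
Usage: python rollcheck.py [--ttl SECONDS] K*.key   (no arguments: self-demo)
"""
import re
import sys
from datetime import datetime, timedelta

TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
FIELD_RE = re.compile(r"^;\s*(\w+):\s*(\d{8,14})")
TAG_RE = re.compile(r"keyid (\d+)")

# Copied from the thread: the ksu.edu ZSK that went active 7 seconds after publish.
KEY_44538 = """\
; This is a zone-signing key, keyid 44538, for ksu.edu.
; Created: 2013090109 (Sun Sep 1 04:00:00 2013)
; Publish: 20130901090007 (Sun Sep 1 04:00:07 2013)
; Activate: 20130901090007 (Sun Sep 1 04:00:07 2013)
; Revoke: 2013120209 (Mon Dec 2 03:00:00 2013)
; Inactive: 2013121609 (Mon Dec 16 03:00:00 2013)
; Delete: 2013123009 (Mon Dec 30 03:00:00 2013)
"""

# Constructed: the same key with a 7-day pre-publish interval and no Revoke date.
KEY_FIXED = """\
; This is a zone-signing key, keyid 44538, for ksu.edu.
; Created: 2013090109 (Sun Sep 1 04:00:00 2013)
; Publish: 20130901090007 (Sun Sep 1 04:00:07 2013)
; Activate: 20130908090007 (Sun Sep 8 04:00:07 2013)
; Inactive: 2013121609 (Mon Dec 16 03:00:00 2013)
; Delete: 2013123009 (Mon Dec 30 03:00:00 2013)
"""


def parse_ts(s):
    """dnssec-keygen writes YYYYMMDD, YYYYMMDDHH or YYYYMMDDHHMMSS, all UTC."""
    return datetime.strptime(s.ljust(14, "0"), "%Y%m%d%H%M%S")


def parse_key_metadata(text):
    """Return {'tag': int|None, 'zsk': bool, 'times': {field: datetime}}."""
    meta = {"tag": None, "zsk": "zone-signing key" in text, "times": {}}
    for line in text.splitlines():
        m = TAG_RE.search(line)
        if m:
            meta["tag"] = int(m.group(1))
        m = FIELD_RE.match(line)
        if m and m.group(1) in TIMING_FIELDS:
            meta["times"][m.group(1)] = parse_ts(m.group(2))
    return meta


def check_rollover(meta, dnskey_ttl=86400):
    """Return a list of problem strings; an empty list means the timing is safe."""
    t = meta["times"]
    ttl = timedelta(seconds=dnskey_ttl)
    problems = []
    if "Publish" in t and "Activate" in t and t["Activate"] - t["Publish"] < ttl:
        problems.append("pre-publish interval %s is shorter than the DNSKEY TTL (%s)"
                        % (t["Activate"] - t["Publish"], ttl))
    if "Revoke" in t:
        if meta.get("zsk", True):
            problems.append("Revoke date set on a ZSK; REVOKE is only for RFC 5011 trust anchors")
        if "Inactive" in t and t["Revoke"] < t["Inactive"]:
            problems.append("Revoke (%s) precedes Inactive (%s): key signs while flagged revoked"
                            % (t["Revoke"], t["Inactive"]))
    if "Inactive" in t and "Delete" in t and t["Delete"] - t["Inactive"] < ttl:
        problems.append("post-publish interval %s is shorter than the DNSKEY TTL"
                        % (t["Delete"] - t["Inactive"]))
    return problems


def main(argv):
    ttl = 86400
    if argv[:1] == ["--ttl"]:
        ttl, argv = int(argv[1]), argv[2:]
    inputs = [(p, open(p).read()) for p in argv] or [("KEY_44538", KEY_44538), ("KEY_FIXED", KEY_FIXED)]
    for name, text in inputs:
        meta = parse_key_metadata(text)
        problems = check_rollover(meta, ttl)
        print("%s (keyid %s): %s" % (name, meta["tag"], "OK" if not problems else ""))
        for p in problems:
            print("  - " + p)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it over the whole key repository before the next rollover date; the old key 14565 trips the same three checks as 44538 (zero pre-publish interval, a Revoke date on a ZSK, Revoke two weeks ahead of Inactive).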
ZSK rollover weirdness
Getting reports of people with certain ISPs (like comcast) can't resolve my domains now.

Did a dnsviz on my domain and the error is:

    RRSIG ksu.edu/A by ksu.edu/DNSKEY alg 8, key 14693: The RRSIG was made by a revoked key.

Which makes no sense, because I have no key with that id in my key repository. The files in my repository are:

    Kksu.edu.+008+09339.key
    Kksu.edu.+008+09339.private
    Kksu.edu.+008+14565.key
    Kksu.edu.+008+14565.private
    Kksu.edu.+008+29826.key
    Kksu.edu.+008+29826.private
    Kksu.edu.+008+31279.key
    Kksu.edu.+008+31279.private
    Kksu.edu.+008+44538.key
    Kksu.edu.+008+44538.private
    Kksu.edu.+008+51720.key
    Kksu.edu.+008+51720.private
    Kksu.edu.+008+51909.key
    Kksu.edu.+008+51909.private

Which represents all the Alg 8 keys since we switched to it from 7 on Jun 1st. Haven't decided on adding to current automation to clean up the old keys, or find different automation. The old 7 keys weren't deleted, I just moved them aside (my record says that we went signed on Jul 28, 2010, and the first delegated subdomain was signed Nov 3, 2011, even though it didn't work correctly until last December, when I upgraded from 9.7.6-P4 to 9.9.2-P1, since the main feature of the subdomain is a wildcard record, NSEC3... the mailer is supposed to masquerade everything in the subdomain as the subdomain, but sometimes host names leak out... :)

But, dnssec-signzone says this:

    Fetching KSK 31279/RSASHA256 from key repository.
    Fetching ZSK 14693/RSASHA256 from key repository.
    Fetching ZSK 44538/RSASHA256 from key repository.
    Verifying the zone using the following algorithms: RSASHA256.
    Zone fully signed:
    Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                          ZSKs: 1 active, 0 stand-by, 1 revoked
    ksu.edu.signed

The current ZSK is 44538:

    ; This is a zone-signing key, keyid 44538, for ksu.edu.
    ; Created: 2013090109 (Sun Sep 1 04:00:00 2013)
    ; Publish: 20130901090007 (Sun Sep 1 04:00:07 2013)
    ; Activate: 20130901090007 (Sun Sep 1 04:00:07 2013)
    ; Revoke: 2013120209 (Mon Dec 2 03:00:00 2013)
    ; Inactive: 2013121609 (Mon Dec 16 03:00:00 2013)
    ; Delete: 2013123009 (Mon Dec 30 03:00:00 2013)
    ksu.edu. IN DNSKEY 256 3 8 AwEAAet97mpbg2GBaA5EhJxPbygYOFIrrjLSV/dAvyEDRSdcyqMjfZXtqQNj9lw0GY9Hc9s8vi3W2NApa2z3Ky+OO6SEMhsubN0bLnE76SAL01kWKZ8yrs/tu6/Rr7+NEB4Wa978pyosLIHtzF9WYlrY8bcPhQT21bgYonZJR8r+6EXF

And, the prior ZSK was 14565:

    ; This is a zone-signing key, keyid 14565, for ksu.edu.
    ; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
    ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
    ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)
    ; Revoke: 2013090109 (Sun Sep 1 04:00:00 2013)
    ; Inactive: 2013091509 (Sun Sep 15 04:00:00 2013)
    ; Delete: 2013092909 (Sun Sep 29 04:00:00 2013)
    ksu.edu. IN DNSKEY 256 3 8 AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hvq2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1t3rQaznB

I'm running bind-9.9.3-P2.

Where is 14693 coming from? And, how do I get it to work right?

This problem also affects my other signed domains.

    Fetching ZSK 38373/RSASHA256 from key repository.
    Fetching ZSK 43247/RSASHA256 from key repository.
    Fetching KSK 52261/RSASHA256 from key repository.
    Verifying the zone using the following algorithms: RSASHA256.
    Zone fully signed:
    Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                          ZSKs: 1 active, 0 stand-by, 1 revoked
    k-state.edu.signed

There is no 43247:

    Kk-state.edu.+008+06129.key
    Kk-state.edu.+008+06129.private
    Kk-state.edu.+008+22785.key
    Kk-state.edu.+008+22785.private
    Kk-state.edu.+008+23166.key
    Kk-state.edu.+008+23166.private
    Kk-state.edu.+008+38373.key
    Kk-state.edu.+008+38373.private
    Kk-state.edu.+008+41019.key
    Kk-state.edu.+008+41019.private
    Kk-state.edu.+008+43119.key
    Kk-state.edu.+008+43119.private
    Kk-state.edu.+008+52261.key
    Kk-state.edu.+008+52261.private

The prior ZSK was 43119. None of the Alg 7 keys have these IDs as well.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: ZSK rollover weirdness
- Original Message -
Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

And, the prior ZSK was 14565:

    ; This is a zone-signing key, keyid 14565, for ksu.edu.
    ; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
    ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
    ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)
    ; Revoke: 2013090109 (Sun Sep 1 04:00:00 2013)
    ; Inactive: 2013091509 (Sun Sep 15 04:00:00 2013)

I think your problem here is that the inactive date is after the revoke date, so the key will still be used to sign the zone after it has been revoked.

    ; Delete: 2013092909 (Sun Sep 29 04:00:00 2013)
    ksu.edu. IN DNSKEY 256 3 8 AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hvq2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1t3rQaznB

Where is 14693 coming from?

It is the same key as 14565 but the addition of the revoke bit has changed the tag.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.

Okay, I found where it says 128 is added.

As for the timing, the documentation says:

    Publish: date key is to be published. After this date, the key will be included in the zone but not used to sign it. default is now.
    Activate: date key is to be activated. After this date, the key will be included in the zone and used to sign it. default is now.
    Revoked: date key is to be revoked. After this date, the key will be flagged as revoked. It will be included in the zone and used to sign it.
    Inactive: date key is to be retired. After this date, the key will still be included in the zone, but it will not be used to sign it.
    Delete: date key is to be deleted. After this date, the key will no longer be included in the zone.

That makes it sound like Revoke comes before Inactive, so the dates are right.

IIRC, the 2 week spacing comes from the zone TTL being 4 weeks.

So what could be causing other ISPs like comcast to not work now?
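Added example (not code from the thread or from BIND) showing where the "128 is added" comes from. key_tag() is the RFC 4034 Appendix B algorithm over the DNSKEY RDATA (flags, protocol, algorithm, public key). The RFC 5011 REVOKE flag has value 128 (0x0080); it lives in the second byte of the RDATA, which the tag algorithm adds in unshifted, so the tag moves by 128 (plus an occasional carry). The two DNSKEY records are copied from the ksu.edu key files quoted in this thread; explain_tag() answers "where is 14693 coming from?" against that repository. Running the block reproduces the 14565 / 14693 pair.

```python
"""Why key 14565 shows up as 14693: the DNSKEY key tag and the REVOKE bit.

Added example; not code from the thread or from BIND.
"""
import base64
import struct

REVOKE = 0x0080     # RFC 5011 section 7
ZONE_KEY = 0x0100   # RFC 4034 section 2.1.1
SEP = 0x0001

# Copied from the thread: Kksu.edu.+008+14565.key and Kksu.edu.+008+44538.key.
ZSK_14565 = ("ksu.edu. IN DNSKEY 256 3 8 "
             "AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe"
             "52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv"
             "q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1"
             "t3rQaznB")
ZSK_44538 = ("ksu.edu. IN DNSKEY 256 3 8 "
             "AwEAAet97mpbg2GBaA5EhJxPbygYOFIrrjLSV/dAvyEDRSdcyqMjfZXt"
             "qQNj9lw0GY9Hc9s8vi3W2NApa2z3Ky+OO6SEMhsubN0bLnE76SAL01kW"
             "KZ8yrs/tu6/Rr7+NEB4Wa978pyosLIHtzF9WYlrY8bcPhQT21bgYonZJ"
             "R8r+6EXF")


def parse_dnskey(presentation):
    """'owner [ttl] [class] DNSKEY flags protocol algorithm base64...' -> wire RDATA."""
    fields = presentation.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: even bytes are added shifted left 8, odd bytes as-is."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def flags_of(rdata):
    return struct.unpack("!H", rdata[:2])[0]


def with_revoke_bit(rdata):
    """The RDATA named/dnssec-signzone publish once the key's Revoke date passes."""
    return struct.pack("!H", flags_of(rdata) | REVOKE) + rdata[2:]


def explain_tag(repository, seen_tag):
    """Map a tag seen in an RRSIG or signer output back to a key in the repository."""
    for rdata in repository:
        plain = key_tag(rdata)
        if plain == seen_tag:
            return "tag %d is key %d as stored in the repository" % (seen_tag, plain)
        if key_tag(with_revoke_bit(rdata)) == seen_tag:
            return "tag %d is key %d with the REVOKE bit set (flags %d -> %d)" % (
                seen_tag, plain, flags_of(rdata), flags_of(rdata) | REVOKE)
    return "tag %d matches no key in the repository" % seen_tag


if __name__ == "__main__":
    repo = [parse_dnskey(ZSK_14565), parse_dnskey(ZSK_44538)]
    for rdata in repo:
        print("keyid %5d  revoked form -> %5d" % (key_tag(rdata), key_tag(with_revoke_bit(rdata))))
    print(explain_tag(repo, 14693))
```

The same lookup works for the k-state.edu case (43119 versus 43247): feed explain_tag() the DNSKEY lines of the repository and the unfamiliar tag from the dnssec-signzone output.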
Re: ZSK rollover weirdness
- Original Message -
On Fri, Sep 6, 2013 at 10:22 AM, Evan Hunt e...@isc.org wrote:

The revoke bit has no defined meaning for a ZSK.

While it's true the revoke bit really has no use for a true ZSK (i.e., a key where there's another key, a KSK, that is used to authenticate it), RFC 5011 doesn't distinguish based on either signing roles (ZSK/KSK) or presence of the SEP bit [1]:

    A key is considered revoked when the resolver sees the key in a self-signed RRSet and the key has the REVOKE bit (see Section 7 below) set to '1'. Once the resolver sees the REVOKE bit, it MUST NOT use this key as a trust anchor or for any other purpose except to validate the RRSIG it signed over the DNSKEY RRSet specifically for the purpose of validating the revocation.

In other words, if the revoke bit is set, that key is no good for signing anything other than itself, which is why DNSViz complains about it. And just to clarify, the use of the SEP bit is purely an administrative/user convention or hint, but is not considered during validation [2,3]. Thus whether a key is acting as a ZSK or a KSK really depends on how they are used.

Casey

[1] http://tools.ietf.org/html/rfc5011#section-2.1
[2] http://tools.ietf.org/html/rfc6840#section-6.2
[3] http://tools.ietf.org/html/rfc4034#section-2.1.1

It's used for updating trust anchors via RFC 5011. The code allows you to set it (just as it allows you to use a ZSK as a KSK), but I don't recommend it. Unless there are resolvers that have managed-key trust anchors configured for ksu.edu, you shouldn't bother with the revoke bit for your KSK either.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

So, is the problem that everything is still being signed by the revoked key, along with the current key? Or that due to the 7 second delay in the publish/activate and there being 31 days in july and august... the old key was revoked 7 seconds before the new key became active?

Which didn't happen because I did the alg 7 to 8 transition, so the June/July/August ZSK started later, so ended a bit into September.

Hmmm, this is interesting: Revoke doesn't exist in my older keys... Revoke only appears with the old key and current keys. Wonder what caused it to appear.

Looks like when I suggested we change from annual KSK rollover to every 3 years (which was good, because the sysadmin in another department that interacts with our registrar... left, and now those interactions are done through our business office, because registrars also need to get paid every year, and that former sysadmin was the last to have direct spending ability, left over from when she used to be a manager. Hopefully in 2015 when we do our KSK rollover, they understand all the aspects of interacting with a registrar, beyond buying and renewing domains. And, perhaps someday fix the missing NS for some domains, or the incorrect glue for others.)... the dnssec-keygen calls acquired -A and -R switches. And, the intent was for -A to be +7d, but the d got missed, so that's why it's 7 seconds after creation.

So, can I just remove the Revoke line (is there an option in dnssec-settime to do this?) and have things fixed... or do I need to do some kind of emergency ZSK rollover to get things sane again?

Though why is this only a problem with Comcast? The other report named Xfinity as the ISP, which is Comcast.
Re: ZSK rollover weirdness
- Original Message -
So, can I just remove the Revoke line (is there an option in dnssec-settime to do this?) and have things fixed...

guess dnssec-settime -A none -R none will remove it, but guessing there's more to fixing my current mess?
Re: Internal view is answering to external ping
- Original Message -
On 1 August 2013 18:58, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

Did I miss something... what does ICMP ping have anything to do with bind?

Yes, you missed the actual question. The use of the word 'ping' is a misnomer; what he really meant to say is that from a host on the internet he is receiving an internal 192.168.x.x IP address as the response (he pinged a FQDN which in turn does a lookup to obtain the IP). Without seeing the full config (which has been asked for) it's pointless speculating on possible reasons for this as there are quite a few.

Steve

So totally a red herring yet... the thing that is weird is that if he's pinging from the Internet side and getting the internal IP, how does ping succeed in sending and receiving 3 packets? VPN?

Anyways, at this point... I would speculate the problem is this:

    acl internal { localhost; 200.57.66.77/28; 192.168.0.0/23; };

since a typical example of doing this kind of thing might be:

    view "internal" {
        match-clients { internal; };
        // view statements
        zone "mydomain.com" {
            type master;
            // private zone file including 192.168.x.x hosts
            file "mydomain.com.hosts.lan";
        };
        // additional zone clauses
    };
    view "external" {
        match-clients { any; };
        // view statements
        zone "mydomain.com" {
            type master;
            // public only hosts
            file "mydomain.com.hosts";
        };
        // additional zone clauses
    };

And, that he's only testing from another IP in 200.57.66.64/28. Since ping times are really short too.

Lawrence
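Added example (not code from the thread or from BIND): a small model of how named picks a view, using the acl and view definitions quoted above, so a tester can check which view a given client address lands in before reading zone data. Views are tried in named.conf order and the first whose match-clients list matches wins; within an address match list the first matching element decides, a "!" element denies, and a negated match inside a referenced ACL counts as no match (named does this so a negated reference cannot become a positive match by double negation). Assumptions: the built-in "localhost" ACL is approximated as loopback (named actually uses the host's own interface addresses) and "any" as 0.0.0.0/0 plus ::/0. The quoted 200.57.66.77/28 has host bits set; named uses the prefix 200.57.66.64/28, which ip_network(..., strict=False) reproduces.

```python
"""Which BIND view answers a client? A model of named's match-clients evaluation.

Added example; not code from the thread or from BIND. ACL contents are the ones
quoted in the message above; "localhost" and "any" are approximations.
"""
import ipaddress

ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128"],                          # approximation
    "any": ["0.0.0.0/0", "::/0"],
    "internal": ["localhost", "200.57.66.77/28", "192.168.0.0/23"],  # from the thread
}

# Views in named.conf order; the first view whose match-clients matches answers.
VIEWS = [
    ("internal", ["internal"]),
    ("external", ["any"]),
]


def acl_eval(entries, addr):
    """First match wins. Returns 1 (match), -1 (negated match, '!x') or 0 (no match)."""
    for entry in entries:
        negate = entry.startswith("!")
        name = entry.lstrip("!")
        if name in ACLS:
            # A negated match inside a referenced ACL is treated as "no match",
            # so the outer list keeps going instead of flipping it to a match.
            if acl_eval(ACLS[name], addr) <= 0:
                continue
        else:
            net = ipaddress.ip_network(name, strict=False)
            if addr.version != net.version or addr not in net:
                continue
        return -1 if negate else 1
    return 0


def acl_allows(entries, client):
    """True if the address-match list admits the client address (string form)."""
    return acl_eval(entries, ipaddress.ip_address(client)) > 0


def select_view(client):
    """Name of the view that would answer `client`, or None (named answers REFUSED)."""
    addr = ipaddress.ip_address(client)
    for name, match_clients in VIEWS:
        if acl_eval(match_clients, addr) > 0:
            return name
    return None


if __name__ == "__main__":
    for c in ("200.57.66.70", "200.57.66.90", "192.168.1.5", "127.0.0.1", "8.8.8.8"):
        print("%-14s -> %s" % (c, select_view(c)))
```

A client at 200.57.66.70 lands in the internal view and gets the 192.168.x.x answer; the same query from 200.57.66.90, just outside the /28, gets the external view.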
Re: Internal view is answering to external ping
- Original Message -
Post your *full* config not half of it. How the hell do you expect people to identify problems unless you give them the necessary details. Do you give your car mechanic only access to the boot when you have an engine problem? You said you created views yet you didn't send anything that described how the views were configured.

Mark

Also, be sure to change any secret authentication string so that it is not archived for the world to see.
--Barry Finkel

Did I miss something... what does ICMP ping have anything to do with bind? You can even ping computers when the system is otherwise completely unresponsive. And, bind doesn't do anything that would affect how network interfaces behave (a host based firewall would though).

This sounds more like a network configuration problem. My guess is it's a dual homed server, and the internal IP is its primary interface and it's responding with the primary rather than the same IP. Alternatively, it's a NAT situation... and the NAT isn't doing translations of the ICMP correctly?

Lawrence
Re: BIND slave stops updating from master after 1-3 days
- Original Message -
I think that's what you asked for. In case I misunderstood, here's a zone entry from the slave's named.conf (this immediately follows the options block in my first email):

    zone "example.com" {
        type slave;
        file "/var/named/slaves/example.com.db";
        masters { 10.0.1.1; 10.0.2.1; 10.0.3.1; 10.0.4.1; 10.0.5.1; };
    };

Should probably have the 10.10.10.1 master here, rather than the slave nameservers that are configured not to allow transfers.

L
Re: BIND slave stops updating from master after 1-3 days
Oh, guess I got it mixed up because the slave is saying it got non-authoritative answers from 10.0.x.1... where I think the master should at least be authoritative for its domain.

- Original Message -
Hey Lawrence, this is the zone entry as seen on the 10.10.10.1 slave. The 10.0.x.1 IPs are the addresses of the masters.

On Tue, Jul 30, 2013 at 4:43 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

I think that's what you asked for. In case I misunderstood, here's a zone entry from the slave's named.conf (this immediately follows the options block in my first email):

    zone "example.com" {
        type slave;
        file "/var/named/slaves/example.com.db";
        masters { 10.0.1.1; 10.0.2.1; 10.0.3.1; 10.0.4.1; 10.0.5.1; };
    };

Should probably have the 10.10.10.1 master here, rather than the slave nameservers that are configured not to allow transfers.

L

-- 
Best Regards,
Brandon W.
Tier 3 System Administrator
InMotion Hosting Inc.
888-321-4678
757-416-6575 (Int'l)
NEW: 24x7 EMAIL and PHONE Technical Support
Answers to commonly asked questions, as well as other useful tools, can be found at http://support.inmotionhosting.com
Updated to bind 9.9.3-P2
From 9.9.2-P2... I had built 9.9.3, but just as I was about to deploy came the announcement to either go to 9.9.3-P1 or stay with 9.9.2-P2.

All the picky messages of this version. There were the "no SPF/SPF records for SPF/TXT" ones, but I thought I already had SPF everywhere... but it turned out there was one zone file where the main SPF record had both types, but the rest were only of the TXT kind. Not sure if I just missed it when I was adding SPF types long ago, or somebody had hacked them out on me. And, I hadn't noticed because I hadn't had need to make changes to those SPF records, whereas I have had to tweak the top level SPF record now and then, such as adding new mailservers or switching to ironport or changing ~all to -all.

But, it also complained about the formerly delegated subdomains that have now become include files. All I had done was remove the SOA and NS records.

    dnssec-signzone: warning: ol$$$.ksu.edu:12: record with inherited owner (u$$$.n$$$.k-state.edu) immediately after $ORIGIN (ol$$$.k-state.edu)
    dnssec-signzone: warning: oe$$$.ksu.edu:9: record with inherited owner (u$$$.n$$$.k-state.edu) immediately after $ORIGIN (oe$$$.k-state.edu)

Not sure how it came up with the message, but these files (not including the extensive comments) were of the form:

        TXT "who we are"
    @   A   a.b.c.d
    www A   a.b.c.d
    ...

While there were plenty of other such files where it didn't complain... but the TXT line was commented out. Elsewhere we publish a template of what a zone file should look like... with SOA, NS, and the commented out TXT line, should the department/unit want something there. Putting an @ in front made the warnings go away.

And, then also after all the "found SPF/TXT record but no SPF/SPF record" messages, there was also the message:

    Jul 30 15:07:00 ns-1 named[29380]: [ID 873579 daemon.warning] pri/$$.$$$.ksu.edu.signed:10: signature has expired

The file timestamp was Feb 13, 2013. Yeah, I guess the signature had expired. The zone file hadn't been changed since December 5, 2012.

But, the system is supposed to do periodic refresh signings. It used to do it on the 1st and 15th of every month... but it was then changed to do it every two weeks, or it was supposed to. But, I guess I neglected to confirm that the convoluted command sequence I had come up with under bash would work under cron and /bin/sh.

December 5 being when I thought I needed to jump from 9.7.6-P4 to 9.9.2-P1, before taking some time off before leaving for LISA. And, knowing that 9.9 was a desired upgrade given that this is a DNSSEC NSEC3 signed zone file where a wildcard record was desired, so it had been taken out until I did upgrade.

Which is odd, because as I type this... I realize that another unit (library/ezproxy) has a wildcard DNS record, also DNSSEC NSEC3 signed, and they hadn't mentioned any problems to me. Though they hadn't been using a wildcard certificate for the service for some time (ipsCA certs not being widely recognized anymore being the reason; it wasn't enough to stay with free for .edu certs... which they had found included wildcard certs). So they had probably had a workaround for the one external resource that was SSL; they were working on a wildcard cert now as there are now more than two external resources requiring SSL. And, that somebody that knows the cost of incommon certs has started working for them.

9.9.3 also marks the switch to compiling it 64-bit instead of 32-bit for Solaris.
Re: Can I change the zone file from command line?
Re: Question about cache reload
- Original Message -
I have just set up DNSSEC on bind 9.9.3. I had set up the zone and put a DS record out at the registrar. Several days later I found that I had set up the keys incorrectly using only NSEC versus NSEC3 so I changed the keys. I deleted the old keys and DS record, and had bind resign everything and put out the new DS record. I used some testing sites and things looked good. I then got a message from an administrator at a remote site running bind in strict mode stating my DNSSEC was broken. It turns out he had cached the old info and it had not updated. From this I am guessing that bind does not flush cache if there is a problem like this, it just fails to resolve.

The other question I am attempting to research is what is the best way to do the yearly rekeying and updating of the DS records at the registrar to avoid this in the future.

Maybe in preparation for the change, lower the validity period to reduce cache lifetimes. Not sure if the full procedure for Emergency Key Rollover would work in this case. Since there's something about mixing algorithms? Because I had problems when I was switching from RSASHA1-NSEC3-SHA1 to RSASHA256... which is odd, because the registrar had apparently done it, or maybe they had problems that they didn't pass along... though I didn't follow their scheme as closely (partly because I lack the ability to instantly update my DS records).

    EDUCAUSE is in the process of transitioning the DNSSEC signature for the .edu zone from RSA-NSEC3-SHA1 (algorithm 7) to RSA/SHA-256 (algorithm 8). Here are the steps that will occur:

    The algorithm rollover will begin with pre-signing records with new ZSK key, using the RSA/SHA-256 algorithm. This period is expected to begin on November 19, 2011 and will last for nine days.

    The pre-signing period will be immediately followed by the publication of the DNSKEY records for the new KSK and ZSK keys in the .edu zone. Once resolvers have the new KSK's DNSKEY record cached, the DS record for the new KSK will be published in the root zone and the previous DS record will be removed.

    The records in the .edu zone will be signed with both old and new algorithms with both ZSK and KSK keys for a period of 14 days. After this period, the old ZSK and the old KSK will have their DNSKEY records removed from the .edu zone. The old ZSK will continue signing for three more days to allow time for all caching resolvers to have purged the old ZSK's DNSKEY record from their caches.

    Immediately following this three-day period, the rollover will conclude with a period when the signatures with the old ZSK will be systematically and gradually removed from the .edu zone. This period is expected to last between four and seven days.

Lawrence
Re: Question about cache reload
- Original Message -
Firstly you should not use NSEC3 unless you NEED to use NSEC3. NSEC is more than sufficient for most zones. NSEC3 is more expensive for both servers and clients. 99.999% of zones (forward and reverse) DO NOT need to use NSEC3. They derive NO benefit from NSEC3 compared to using NSEC. In most cases NSEC3 is actually a negative as not only is it more computationally expensive, it is harder to debug.

NSEC3 is pointless for IP6.ARPA, IN-ADDR.ARPA and any other similarly structured zones. The structure defeats any attempt to prevent zone walking.

For most forward zones preventing zone walking does NOTHING except give warm fuzzy feelings. It does NOT make your machines any safer. Yes I know that this is against all the advice you have received in the past but really it doesn't appreciably help and you are deluding yourself if you think it does.

Mark

I remember when I first started working on DNSSEC... on whether NSEC3 should be done or not. Signing the zone was taking either forever or forever-plus. Moving my master server from a V240 to a T2000 helped.

But, we then got some outside secondaries. And, initially they didn't support NSEC3. That would have to wait until they upgraded their server hardware/OS before they would build bind with that support? So, I thought that answered whether we would do NSEC3 or not. But, then our IT Security group weighed in, so we're doing NSEC3. We'll just hold off on having outside secondaries. Though since then, we've only had one major interruption of our connectivity... and it was due to the packet inspection appliance that IT Security runs. The log volume in it had filled up, so it stopped passing traffic. It did expose some problems with local DNS resolution, that someday I should do something about.

T2000 was still taking what was considered to be too long; people around here expect that when I complete their dns change request, they can immediately look up the host and see the new IP. Ignoring that they queried all the caching servers on campus before the request was done, so the old info will be there for up to 1 day. Some people will request that the TTL be lowered in advance of the change, though they don't necessarily allow a day between the two.

Later I had the choice of moving to a T5120 or an X4100, where I found that the X4100 was faster than the T5120. My master server is currently an X4170. And, later our automation included flushing our zones from the caching servers. Also have a script to flush other zones when needed, but that process can't tell what zones were updated... so it can't tell what zone to flush. (One is: see if files associated with our signed zones changed, do signing, call rndc reload and then over time flush caching servers in some order... the other is: if any file has changed, do rndc reload.)

Wonder what I'll have when we scrap some 400+ Solaris servers... by year end?
Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov
- Original Message -
On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote:
On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:

Hello;

Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version -- bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving ic.fbi.gov that seems to be DNSSEC related. Am fairly certain of this because if I set dnssec-enable and dnssec-validation to no (have them at 'yes' normally), resolution succeeds.

If I run a dig @nameserver ic.fbi.gov from a client machine, dig just hangs for a bit then eventually times out. dig @nameserver fbi.gov works fine.

This is one of the weirder ones I've seen... there are TXT and MX records for ic.fbi.gov, both correctly signed:

    ;; ANSWER SECTION:
    ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMkmYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdROknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7CJw=
    ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
    ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhLz2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpXnxY=
    ic.fbi.gov. 261 IN TXT "v=spf1 a mx ptr:mail.leo.gov mx:mail.ic.fbi.gov ip4:153.31.119.132 a:mail.leo.gov include:mail.leo.gov mx:mail.leo.gov ?all"

There's also an NSEC3 record for ic.fbi.gov, asserting that there are only MX, TXT and RRSIG records for it:

    7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG

However, that NSEC3 record is not signed. If you ask for ic.fbi.gov with checking disabled but also request DNSSEC records, you'll get it. If you ask with checking enabled, you won't, because it can't be validated. This seems to be true for the whole fbi.gov zone, at least the records I checked. So any query to fbi.gov that returns a record will be okay; anything that doesn't will end up with a SERVFAIL.

Bill.

Thanks for the replies, all. Am trying to find a hostmaster contact at fbi.gov to make them aware. In the meantime, I'll convince Sendmail to not try to look up this domain during sender verification. :)

Ray

Try contacting dotgov.gov: regist...@dotgov.gov or 877-734-4688 or 703-948-0723. They'll have phone numbers for the people they need to contact for fbi.gov to get things fixed.
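Added example (not code from the thread or from BIND) that catches both signature problems seen in this archive: the fbi.gov NSEC3 records published without an RRSIG, which makes every negative answer fail validation while positive answers still work, and the "signature has expired" warning in the "Updated to bind 9.9.3-P2" post above, where a signed zone file sat un-resigned for months because the re-signing cron job never ran. It reads presentation-format records (the output of dig AXFR, or a *.signed file) and reports RRsets with no covering RRSIG, RRsets whose signatures have all expired or are not yet valid, and RRsets whose last valid signature expires within a warning window. The example.com zone embedded below is constructed for the demo; the NSEC3 hash labels and signature fields are invented. BIND's own dnssec-verify does the full cryptographic check; this is the cheap cron-side monitor.

```python
"""Find RRsets a validator will reject: unsigned ones, and ones with only expired RRSIGs.

Added example; not code from the thread or from BIND.
Usage: python sigcheck.py [zonefile [YYYYMMDDHHMMSS]]   (no arguments: demo on SAMPLE_ZONE)
"""
import datetime as dt
import sys

SAMPLE_ZONE = """\
; constructed sample zone in presentation format (as dig or dnssec-signzone print it)
example.com.       3600 IN SOA   ns1.example.com. hostmaster.example.com. 2013090101 7200 3600 1209600 3600
example.com.       3600 IN RRSIG SOA 8 2 3600 20130901120000 20130802120000 14565 example.com. c2lnMQ==
example.com.       3600 IN NS    ns1.example.com.
example.com.       3600 IN RRSIG NS 8 2 3600 20131014154120 20130716154120 14565 example.com. c2lnMg==
mail.example.com.   600 IN A     192.0.2.25
mail.example.com.   600 IN RRSIG A 8 3 600 20131014154120 20130716154120 14565 example.com. c2lnMw==
mail.example.com.   600 IN MX    10 mail.example.com.
mail.example.com.   600 IN RRSIG MX 8 3 600 20131014154120 20130716154120 14565 example.com. c2lnNA==
8G3RL6JTH3PFQ9H6NVM7VJ6J6GJ6S2B1.example.com. 370 IN NSEC3 1 0 10 BBAB A9B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6 A MX RRSIG
"""


def parse_presentation(line):
    """Split 'owner [ttl] [class] type rdata...' into (owner, type, rdata f
ields)."""
    f = line.split()
    i = 1
    if f[i].isdigit():          # optional TTL
        i += 1
    if f[i].upper() in ("IN", "CH", "HS"):   # optional class
        i += 1
    return f[0], f[i].upper(), f[i + 1:]


def parse_time(s):
    """RRSIG expiration/inception as dig prints them: YYYYMMDDHHMMSS in UTC."""
    return dt.datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)


def check_signatures(zone_text, now, warn=dt.timedelta(days=7)):
    """Return findings: UNSIGNED / EXPIRED / NOT_YET_VALID / EXPIRING, one per bad RRset."""
    rrsets = set()   # (owner, type) of every non-RRSIG RRset seen
    rrsigs = {}      # (owner, covered type) -> [(inception, expiration, keytag), ...]
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";$":
            continue
        owner, rtype, rdata = parse_presentation(line)
        if rtype == "RRSIG":
            # RRSIG RDATA: covered alg labels origttl expiration inception keytag signer sig
            sig = (parse_time(rdata[5]), parse_time(rdata[4]), int(rdata[6]))
            rrsigs.setdefault((owner, rdata[0].upper()), []).append(sig)
        else:
            rrsets.add((owner, rtype))
    findings = []
    for owner, rtype in sorted(rrsets):
        sigs = rrsigs.get((owner, rtype), [])
        if not sigs:
            findings.append("UNSIGNED %s %s" % (owner, rtype))
            continue
        # A validator needs at least one signature whose validity window contains now.
        valid = [s for s in sigs if s[0] <= now < s[1]]
        if not valid:
            kind = "NOT_YET_VALID" if min(s[0] for s in sigs) > now else "EXPIRED"
            newest = max(s[1] for s in sigs)
            findings.append("%s %s %s (latest expiration %s)"
                            % (kind, owner, rtype, newest.strftime("%Y%m%d%H%M%S")))
        elif max(s[1] for s in valid) - now < warn:
            findings.append("EXPIRING %s %s within %d days" % (owner, rtype, warn.days))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    if len(sys.argv) > 2:
        when = parse_time(sys.argv[2])
    else:
        when = dt.datetime.now(dt.timezone.utc) if len(sys.argv) > 1 else parse_time("20130906000000")
    for finding in check_signatures(text, when):
        print(finding)
```

Against the sample at 2013-09-06 it reports the unsigned NSEC3 RRset and the expired SOA signature; run a month later it also flags the NS, A and MX signatures that expire on 2013-10-14, which is the point at which a re-signing job should already have replaced them.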
Re: DNS and Remote Host over VPN
You probably have a split-tunnel VPN, so using local DNS is only resolving what external users can see. Change your client to use the internal DNS server to have it resolve internal view hosts.

- Original Message -
> Hi Steve this is the output commands:
>
> dig pc12.mydomain.com
>
> ; <<>> DiG 9.6-ESV-R4 <<>> pc12.mydomain.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28662
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;pc12.mydomain.com IN A
>
> ;; AUTHORITY SECTION:
> mydomain.com 1800 IN SOA server.pc12.mydomain.com. hostmaster.pc12.mydomain.com. 2013070968 10800 3600 604800 3600
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Jul 10 11:41:05 2013
> ;; MSG SIZE rcvd: 113
>
> nslookup pc12.mydomain.com
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> ** server can't find pc12.mydomain.com: NXDOMAIN
>
> Thanks for the advice, I got both commands for testing dns
>
> On 10/07/2013 11:39 AM, Steven Carr wrote:
> > On 10 July 2013 17:34, IT Support it.compilat...@gmail.com wrote:
> > > I already added an address record on my internal view for that remote host, if I ping this host by IP address I get an answer, but if I ping the same host by name I get this message: ping: unknown host
> >
> > In future please copy/paste the commands you have run and the output so we can see the exact responses.
> >
> > What response do you get when you run a `dig` or `nslookup` for the hostname? (Ping does not test DNS, it may attempt a DNS query but it does not fully test DNS).
> >
> > Did you try the FQDN of the host?
> >
> > Steve
Re: ipv4-mapped reverse lookups
Well, it seems to work testing it... But, the systems that are having trouble are still having trouble.

Though taking a closer look at the logs of one of the systems, the problem started in April 2009 (and the system was rebooted shortly after that point, and the problem continued...) Since it was only brought to my attention yesterday, and the admins that were regularly using it after the problem started aren't here anymore... just another thing left for us to find later. And, I guess I haven't used it that much... probably since I stopped updating bind for servers of that OS version. Something about bind not liking openssl-0.9.7d anymore.

- Original Message -
> In message 9efac3c5-c5be-43f8-b7f4-2be8ba30d...@isc.org, Mark Andrews writes:
> > One could also look at the dns64 reverse code to do this. It synthesises cname records on the fly.
> >
> > Mark
>
> e.g.
>
> zone "f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
>         type master;
>         database "_dns64 dns64 . .";
> };
>
> One can also specify the MNAME and RNAME fields of the SOA record along with the NS name by replacing the last two fields of the database description.
>
>         database "_dns64 dns64 ns.example.net. hostmaster.example.net.";
>
> Mark
>
> ; <<>> DiG 9.10.0pre-alpha <<>> +norec -p -x :::1.2.3.4
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48724
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;4.0.3.0.2.0.1.0.f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 4.0.3.0.2.0.1.0.f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 600 IN CNAME 4.3.2.1.in-addr.arpa.
>
> ;; AUTHORITY SECTION:
> . 518400 IN NS A.ROOT-SERVERS.NET.
> . 518400 IN NS B.ROOT-SERVERS.NET.
> . 518400 IN NS L.ROOT-SERVERS.NET.
> . 518400 IN NS D.ROOT-SERVERS.NET.
> . 518400 IN NS C.ROOT-SERVERS.NET.
> . 518400 IN NS K.ROOT-SERVERS.NET.
> . 518400 IN NS H.ROOT-SERVERS.NET.
> . 518400 IN NS M.ROOT-SERVERS.NET.
> . 518400 IN NS I.ROOT-SERVERS.NET.
> . 518400 IN NS E.ROOT-SERVERS.NET.
> . 518400 IN NS G.ROOT-SERVERS.NET.
> . 518400 IN NS F.ROOT-SERVERS.NET.
> . 518400 IN NS J.ROOT-SERVERS.NET.
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#(127.0.0.1)
> ;; WHEN: Tue Jul 09 12:21:46 EST 2013
> ;; MSG SIZE rcvd: 342
>
> On 09/07/2013, at 8:27, Mark Andrews ma...@isc.org wrote:
> > Getnameinfo and gethostbyaddr are supposed to lookup the in-addr.arpa records instead of ip6.arpa records for mapped addresses. If you only have a limited range of addresses one could use $generate to add cname records which map from ip6.arpa to in-addr.arpa.
> >
> > Mark
> >
> > On 09/07/2013, at 8:12, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
> > > For reasons unknown, some old Solaris servers are suddenly seeing connections to them as ipv4-mapped ipv6 (ie: :::10.20.30.40 ) Which is causing problems because it needs the reverse lookup to be right.
> > >
> > > So while we struggle between spending time to investigate why or continue to try to get people to upgrade from these old forgotten servers. Is there an easy way for me to provide reverse lookups for those?
>
> -- 
> Mark Andrews
ipv4-mapped reverse lookups
For reasons unknown, some old Solaris servers are suddenly seeing connections to them as ipv4-mapped ipv6 (ie: :::10.20.30.40 ) Which is causing problems because it needs the reverse lookup to be right.

So while we struggle between spending time to investigate why or continue to try to get people to upgrade from these old forgotten servers. Is there an easy way for me to provide reverse lookups for those?
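Both answers in this thread (the $GENERATE CNAMEs for a small range, and the dns64 database that synthesises the same CNAMEs on the fly) rest on one arithmetic step: the eight nibbles in front of the ::ffff:0:0/96 reverse zone apex, reversed, are the IPv4 address in hex, and the answer is a CNAME to the ordinary in-addr.arpa name. The following added example (not from the thread, not BIND's dns64 code) implements that mapping in both directions and emits the static records you would otherwise generate with $GENERATE; the 10.20.30.40 range used in the test is taken from the question above.

```python
"""IPv4-mapped reverse lookups: ip6.arpa names under ::ffff:0:0/96 -> in-addr.arpa.

Added example, not from the thread.  Computes the CNAME a dns64-style
database would synthesise on the fly, and emits the static CNAME records
you would otherwise produce with $GENERATE for a small range.
"""
import ipaddress

# Reverse zone for the IPv4-mapped prefix ::ffff:0:0/96 (24 nibbles).
MAPPED_ZONE = "f.f.f.f." + "0." * 20 + "ip6.arpa."
HEX = set("0123456789abcdef")


def mapped_reverse_name(ipv4: str) -> str:
    """ip6.arpa name a resolver asks for when reversing ::ffff:<ipv4>."""
    return ipaddress.IPv6Address("::ffff:" + ipv4).reverse_pointer + "."


def in_addr_target(ipv4: str) -> str:
    """The in-addr.arpa name the CNAME should point at."""
    return ipaddress.IPv4Address(ipv4).reverse_pointer + "."


def cname_for_mapped(ip6_arpa_name: str) -> str:
    """Synthesise the in-addr.arpa CNAME target for a name under MAPPED_ZONE.

    The name carries 8 nibbles (least significant first) in front of the
    zone apex; reversed, they spell the IPv4 address in hex.
    """
    name = ip6_arpa_name.lower()
    if not name.endswith("."):
        name += "."
    suffix = "." + MAPPED_ZONE
    if not name.endswith(suffix):
        raise ValueError("name is not under the IPv4-mapped reverse zone")
    nibbles = name[: -len(suffix)].split(".")
    if len(nibbles) != 8 or any(len(n) != 1 or n not in HEX for n in nibbles):
        raise ValueError("expected exactly 8 hex nibbles before the zone apex")
    ipv4 = ipaddress.IPv4Address(int("".join(reversed(nibbles)), 16))
    return ipv4.reverse_pointer + "."


def zone_records(network: str, ttl: int = 600):
    """Static CNAME lines for every address in `network` (the $GENERATE alternative)."""
    return [
        f"{mapped_reverse_name(str(a))} {ttl} IN CNAME {in_addr_target(str(a))}"
        for a in ipaddress.IPv4Network(network)
    ]


if __name__ == "__main__":
    for line in zone_records("10.20.30.40/30"):
        print(line)
```

The static form only scales to small ranges (a /16 is 65536 records), which is why the on-the-fly synthesis is the better fit for a whole campus; either way the in-addr.arpa PTR still has to be right, since the CNAME only redirects the question. Note that getnameinfo and gethostbyaddr are supposed to do this translation themselves for mapped addresses, so a client that asks ip6.arpa directly is already behaving oddly.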
Re: Secondary DNS question...
Oops, images were too big... here's links.

- Original Message -
> All very interesting, but I'm afraid at my level of expertise on DNS, I'm not following. If I'm broken, how do I attempt to fix? Someone mentioned that our ns1.starionhost.net was not authoritative. How does one even decide that? As far as I know I haven't had any issues until now...
>
> On Jun 26, 2013, at 12:38 AM, Frank Bulk frnk...@iname.com wrote:
> > Do you have a box such as a firewall or load-balancer sitting in front of ns1?
>
> On 26.06.13 01:46, SH Development wrote:
> > No, the box is hanging right off the internet on a static IP.
>
> there's apparently something wrong about your server or its firewall. The DNS responses (at least for the SOA) come out broken (at least they get invalid here), however I have no idea in which way they are broken.
>
> Maybe someone with better DNS knowledge could look at output I have posted before. Available at https://lists.isc.org/pipermail/bind-users/2013-June/090970.html or pcap format at http://test.fantomas.sk/74.87.108.83.dns.pcap

I had poked around with some of the online DNS checking tools, and found one (dnsvis.net) that reported a response from ns1.starionhost.net, but apparently I never hit send and I cleaned out my drafts folder this morning.

Below is what I saw for responses... though not sure if it's right or wrong for an authoritative nameserver to have 0 authority records in the response.

http://tardisi.com/u/7

Since I also linked the result for my own domain... which shows ns-1.ksu.edu and ns-3.ksu.edu are also doing that (which I attribute to having minimal-responses set.)

http://tardisi.com/u/6

Might require deeper analysis

I recall a problem with a delegated subdomain where the NS we were pointed at were answering but non-authoritatively. (which I suppose I could kluge them in as a forward zone, as I'm doing for another group's AD... though there is now talk of whether that AD should have me be secondaries to them, which I suppose I should find out what's involved in that.)

> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (Slovak): I do NOT want to receive any advertising mail at this address.
> I'm not interested in your website anymore. If you need cookies, bake them yourself.
Re: Loopback configuration
It doesn't change the statement if the mailserver is requiring its forward and reverses to match. Our DNS at work provides reverses for portions of 10/18, 172.16/12 and 192.168/16 for various reasons, including that our backup system requires forwards and reverses to match.

- Original Message -
> 192.168.0.101 is in the non-routeable address block
> https://en.wikipedia.org/wiki/Private_network
>
> On Sat, Jun 22, 2013 at 2:00 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
> > None of what you've described seems to have anything to do with bind
> >
> > But, if you are running bind... there are a number of ways that you could have bind return the internal IP to internal users, and return the external IP to everybody else. Can even do this if your internal DNS server is not connected to the external DNS servers in any way (
> >
> > Hard to say why your mail server was killed by the host file override... perhaps it's using the external names to know what its external IP is, and it suddenly ceased to be an external. Or perhaps it requires forward and reverse lookups to be correct, and you don't have your DNS configured to return the correct fqdn for 192.168.0.101. Probably not, because there's no reverse for 184.70.190.126... hmmm, maybe it doesn't like that there's no longer an MX record for any of the domains now... where MX points to a different IP (184.70.190.122).
> >
> > - Original Message -
> > > Hello,
> > >
> > > I have a new router that is apparently making it impossible for me to view my personal sites from behind the router by domain name, a function that is necessary. I can see the sites by local 192.168 ip address and port number and others have confirmed they are available on the www, so the server is running and named is resolving properly outside the LAN. This is the hosts.conf, where I think my error might lie:
> > >
> > > ##
> > > # Host Database
> > > #
> > > # localhost is used to configure the loopback interface
> > > # when the system is booting. Do not change this entry.
> > > ##
> > > 127.0.0.1       localhost web2
> > > 255.255.255.255 broadcasthost
> > > ::1             localhost
> > > fe80::1%lo0     localhost
> > > 184.70.190.122  mail.normanfournier.com mail web1-ext
> > > 184.70.190.126  web2.normanfournier.com www web2-ext
> > > 192.168.0.1     nf-telus-gw-int
> > > 192.168.0.100   norman-desktop
> > > 192.168.0.101   ns2
> > > 184.70.190.122  ns1
> > >
> > > I *added* these lines to the bottom of hosts.conf
> > >
> > > 192.168.0.101 creativeprocess.biz
> > > 192.168.0.101 thecocoapod.com
> > > 192.168.0.101 rogueagent.ca
> > > 192.168.0.101 e4edmonton.com
> > > 192.168.0.101 brandasset.net
> > > 192.168.0.101 greaterthanhtml.com
> > > 192.168.0.101 kawacatoose.com
> > >
> > > I rebooted and something killed my mailserver when I did this, and I still could not view the sites by domain name behind the router, so I reverted to the old file. Is there another place I should add the domain names, is there an error in my syntax (this has worked perfectly before) or is this the entirely wrong place to be looking to solve this problem?
> > >
> > > Thank you.
> > >
> > > Norman
Re: Secondary DNS question...
> IN SOA ns1.starionhost.net. info.starionhost.net. 2008 3600
>
> ;; AUTHORITY SECTION:
> starionline.com. 86400 IN NS ns1.starionhost.net.
> starionline.com. 86400 IN NS ns2.starionhost.net.
>
> ;; ADDITIONAL SECTION:
> ns1.starionhost.net. 86400 IN A 74.87.108.83
> ns2.starionhost.net. 86400 IN A 64.136.200.138
>
> ;; Query time: 74 msec
> ;; SERVER: 64.136.200.138#53(64.136.200.138)
> ;; WHEN: Sat Jun 22 20:51:12 2013
> ;; MSG SIZE rcvd: 157
>
> C:\
>
> And confirmed here: http://dns.squish.net/traverses/79b8efe4a31e6ddfce28f6abac444601
>
> Frank
>
> -Original Message-
> From: bind-users-bounces+frnkblk=iname@lists.isc.org [mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of SH Development
> Sent: Thursday, June 20, 2013 10:03 PM
> To: bind-users@lists.isc.org
> Subject: Secondary DNS question...
>
> Our secondary DNS machine went down (and unnoticed for 24 hours). Today, we had multiple people calling about email that hadn't come in, and trouble with outgoing emails not going out. Our primary DNS was up the whole time.
>
> So my question is, why would my secondary being down, and only my primary being up cause so many problems? I thought the whole idea behind having two DNS servers on different networks was to never have a failure like this. My understanding was that when DNS is queried, the one that responds fastest is the information that is used. If the secondary is down, then the primary would by default always be fastest (and only).
>
> I think I reasonably understand basic DNS and the setup, but this has me thinking that something isn't set up right. Can anyone shed any light on what might have happened here? Could my primary not be responding as it should? All the tests I have run on it show that it is responding normally.
>
> Jeff
Re: bind 2.1a3 on centos 6.4
> that I'm getting no errors, but it as some of the errors are correctable, I would expect them to still exist (vs errors that perhaps a newer nslint might better understand and have eliminated from the report).
>
> I know nslint but work, so it has got to be something I'm doing, but I just don't see it.
>
> Any suggestions would be appreciated.
>
> thank you,
> Brian
>
> ---
> Brian R Cuttler                 brian.cutt...@wadsworth.org
> Computer Systems Support        (v) 518 486-1697
> Wadsworth Center                (f) 518 473-6384
> NYS Department of Health        Help Desk 518 473-0773
Re: DDoS or Hijacking? Some tips for you delete poisoned cache
- Original Message -
> https://www.isc.org/blogs/hijacking-dns-error-ddos-what-happened-and-what-you-can-do/
>
> From ISC Support Engineering staff

Yeah... yesterday I did an 'rndc flush' on all my caching servers. I have a script to do 'rndc flushname domain' on all our servers, but at the time it seemed flush was the way to go.

The flushname script exists to speed up our caches picking up changes to our zones, even though a lot of our caching nameservers are also authoritative for a subset of our domains... when I took over DNS, everything was authoritative and recursive caching, and open to the world... rerolling servers has been a slow process. I still haven't gotten all the 'new' servers deployed to where they need to be, and the hardware will be EOL early next year. Plus there's the move to where Solaris will only be used for specific applications rather than for everything coming
Re: How to suppress ADDITIONAL SECTION per zone
I thought I had read somewhere (which I can't locate), that additional-from-auth can be used in global or view scope.

- Original Message -
> On 21.06.13 02:00, blrmaani wrote:
> > The "additional-from-auth yes_or_no ;" option is a global option. I would like to know if there is a per-zone configuration to do the same in BIND9 configuration? I couldn't find it in BIND9 ARM.
>
> What is the point of your question?
>
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> On the other hand, you have different fingers.
Re: long SPF txt record
3.1.3. Multiple Strings in a Single DNS record

   As defined in RFC 1035 sections 3.3.14 and 3.3, a single text DNS record (either TXT or SPF RR types) can be composed of more than one string. If a published record contains multiple strings, then the record MUST be treated as if those strings are concatenated together without adding spaces. For example:

      IN TXT "v=spf1 .... first" "second string..."

   MUST be treated as equivalent to

      IN TXT "v=spf1 .... firstsecond string..."

   SPF or TXT records containing multiple strings are useful in constructing records that would exceed the 255-byte maximum length of a string within a single TXT or SPF RR record.

- Original Message -
> Our email group wants to change the current SPF txt record and replace it with one that is 274 characters. How can I put it in so that it works correctly?
>
> Thanks
>
> --cwk
> ==
> Charles Koehler
> Network Operations - IT Infrastructure
> UCSF
> 500 Parnassus Ave P7-14
> San Francisco, CA 94143
> Email: charles.koeh...@ucsf.edu
> Office: 415.476-8767
> Mobile: 650-204-0499
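The practical trap in the RFC text quoted above is the "without adding spaces" clause: if you word-wrap the 274-character value and let the wrap eat the space, the resolver glues two SPF terms together and the record silently stops matching. The following added example (not from the thread; the SPF value is constructed to be longer than 255 characters, like the one in the question) splits a value into 255-byte character-strings while keeping the separating space inside a chunk, shows the word-wrap mistake beside it, and emits the quoted zone-file line.

```python
"""Split a long SPF/TXT value into 255-byte character-strings (RFC 4408 3.1.3).

Added example, not from the thread.  SAMPLE_SPF is constructed to be
longer than 255 bytes, like the 274-character record in the question.
"""

MAX_CHARACTER_STRING = 255


def split_txt_strings(value: str, limit: int = MAX_CHARACTER_STRING) -> list:
    """Cut at a space where possible, keeping the space inside the chunk.

    Resolvers concatenate the strings WITHOUT adding spaces, so the space
    must survive in one of the chunks or two SPF terms will fuse.
    """
    if not value.isascii():
        raise ValueError("SPF records are ASCII; multibyte text is not handled here")
    chunks = []
    while len(value) > limit:
        idx = value.rfind(" ", 0, limit)   # last space that still fits
        cut = idx + 1 if idx >= 0 else limit
        chunks.append(value[:cut])
        value = value[cut:]
    chunks.append(value)
    return chunks


def naive_split(value: str, limit: int = MAX_CHARACTER_STRING) -> list:
    """The common mistake: break on spaces and drop them (word-wrap style)."""
    chunks, current = [], ""
    for word in value.split(" "):
        if current and len(current) + 1 + len(word) > limit:
            chunks.append(current)
            current = word
        else:
            current = word if not current else current + " " + word
    chunks.append(current)
    return chunks


def join_txt_strings(chunks) -> str:
    """What the SPF checker sees: plain concatenation, no separator."""
    return "".join(chunks)


def check_split(chunks, original: str) -> bool:
    """True when every chunk fits a character-string and they reassemble exactly."""
    fits = all(len(c) <= MAX_CHARACTER_STRING for c in chunks)
    return fits and join_txt_strings(chunks) == original


def zone_line(owner: str, value: str, ttl: int = 3600) -> str:
    """Zone-file line with the value quoted as several character-strings."""
    quoted = " ".join(
        '"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"'
        for c in split_txt_strings(value)
    )
    return f"{owner} {ttl} IN TXT {quoted}"


# Constructed SPF value, well over 255 characters (RFC 5737 test addresses).
SAMPLE_SPF = ("v=spf1 " + " ".join(f"ip4:198.51.100.{i}" for i in range(18))
              + " include:_spf.example.net -all")

if __name__ == "__main__":
    print(zone_line("example.net.", SAMPLE_SPF))
    print("correct split reassembles:", check_split(split_txt_strings(SAMPLE_SPF), SAMPLE_SPF))
    print("word-wrap split reassembles:", check_split(naive_split(SAMPLE_SPF), SAMPLE_SPF))
```

After publishing, `dig TXT` shows the separate quoted strings; the check that matters is that joining them with nothing in between gives back the intended record, which is what `check_split` does for the two strategies.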
Re: Health Check feature in BIND ?
- Original Message -
> Dear All,
>
> I was just thinking whether it is possible to have some type of health checking of servers through BIND DNS Server and DNS Server should reply to clients based on that only.
>
> i.e., Suppose I have two entries of www record for domain xyz.in having ip address 10.1.1.10 and 10.2.2.10. Now I want that my DNS Server should check whether the server is up or not before replying to clients. If one is down, then DNS server should reply the IP address of the second one.
>
> Although this is not a DNS Job and we should use Load-Balancer for this. But I just wanna check whether this feature is available in Bind or in any Open-Source Program which in turn can be combined with BIND to achieve the desired result.

Well, doesn't DNS kind of already do this... if the first DNS server isn't up, then the user's resolver will timeout and try the next resolver

OTOH, for Load-Balancer we use a BigIP LTM, where I have a pool with two DNS servers and use the DNS_Monitor script from F5 (which basically does a 'dig @node lookup-name | grep expected-response > /dev/null')

Works pretty well, one of the nodes is usually the first one I do when there's a bind update.

Additionally I hit all my DNS servers from nagios with the check_dns plugin.
Re: What happens when one out of three NSs are down?
- Original Message -
> > Any comments and best practice solution info very welcome.
>
> Folks with significant requirements with regard to high availability are likely to put a hardware loadbalancer running a VIP which receives DNS requests and balances it onto a pool of reals (aka the boxes running nameservers), including liveness checks so the LB will transparently migrate around a nameserver which is down.

Speaking of using a load balancer... I have wondered about putting our BigIP in front of our authoritative only nameservers, hadn't thought about doing it for HA.

But whether it would help against DDoS? I know there's a DNSFloodProtection iRule, and wonder if the BigIP does any protection of its own (or is it just the SYN flood DDoS that it does). Though I recall that they had published that GTM v11 has DNS DDoS protections, but our current platform is limited to 10.2.4 and we only have LTM.

Though if I did put the BigIP in front, would the DDoS traffic towards the nameserver VIPs impact other services on the BigIP?
Re: Build BIND 9.9.3-P1 on Solaris 10 with 'cc', using OpenSSL built with 'gcc'?
That seems odd... though I haven't tried building 9.9.3-P1 yet. But, all the previous releases built with gcc.

Our Solaris package build/management system only has gcc.

BIND 9.9.3 was the first BIND that got built 64-bit, which did take a little extra work in getting it to find our 64-bit builds of openssl and zlib. Which was basically to have it look in /usr/local/lib/(amd64|sparcv9) instead of just /usr/local/lib (had found in config.log that it was complaining about architecture mismatch.)

- Original Message -
> Is there any way to build BIND 9.9.3-P1 on Solaris 10 with 'cc', using OpenSSL built with 'gcc'?
>
> There are many other packages that use OpenSSL that only build with 'gcc', but BIND 9.9.3-P1 won't compile on Solaris 10 with 'gcc' (I think it did previously, as my notes have 'CC=gcc' set in the 'configure' statement, but the 'README' says building with gcc is not supported unless gcc is the vendor's usual compiler).
>
> Building with 'gcc' fails when trying to test whether 'openssl' works, and has other complaints before that.
>
> It appears to build with 'cc' if OpenSSL is disabled, which disables DNSSEC (OK for now as we don't use it, yet).
>
> Thanks,
> Mike
Re: architecture question
Years ago we decided to create a private TLD of .campus

What we did was make all our caching nameservers also be authoritative for this private TLD. And, this works... except for delegated subdomains, which are handled through using forwarding zones.

later, when we needed to be able to get real certificates for the systems, we went to split DNS -- for a number of subdomains, with .campus becoming campus.ksu.edu -- which has caused all sorts of problems...

When we went split, all the names in .campus were copied over (minus their subdomain). And, it was decided that no more new hosts in .campus (except for the subdomains delegated to ADS - ads.campus users.campus - and the subdomain for network devices - net.campus)

Used to be iso systems were in the as.ksu.edu subdomain, so later they got hosts in the as.campus subdomain... but shortly after the creation of .campus, we went to functional hostnaming... servers used to have theme names, like hawkeye, radar, klinger... or eagle, hawk, falcon... this switched to iso-xxx type names. So iso-xxx.as.campus became iso-xxx.campus.ksu.edu

We tried to make .campus go away, (which would've helped the search problem, since as.campus, cc.campus, foo.campus would compress into just campus.ksu.edu), but there are systems that would require the application to be reinstalled from scratch to make the change. Just like there's no more cns department, but our netbackup server was installed with a cns subdomain name.

And, just about every resolv.conf has 6 entries in its search. Something about Oracle stuff needs search to have all the subdomains in it. So, along will come a request to add another entry to search (the big reason is the upgrades from Oracle 10 to 11 and needing those CRS ips... which can't be in the same .campus domain as the rest of the system so need to add new subdomain to the list. Somebody will see cns.ksu.edu and say that hasn't been around for years... remove that.

And, then suddenly Oracle RMAN backups start failing

- Original Message -
> I am building a lab environment where there are several separate domains, all of them ending in .local
>
> I've setup a server for the .local TLD, but I'm undecided (or perhaps ignorant) as to the best way to have the individual domains (domain1.local, domain2.local, etc) refer to the local zone on my TLD server.
>
> Currently I've also created a root server and set the root hints on domain1.local's dns server to refer to it. This works for local resolution, but this means that domain1.local can't perform Internet lookups.
>
> Thanks for any help,
>
> Jeremy
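The RMAN failure in the story above is a property of how a stub resolver walks the `search` list in resolv.conf: a short name is tried under each search domain in order (the absolute name first only when it already has at least `ndots` dots), and a host that is only reachable through one entry vanishes the moment that entry is pruned. The following added example (not from the thread; the search list and the set of existing names are constructed, not the real K-State configuration) simulates that expansion and counts the lookups each name costs.

```python
"""Stub-resolver search-list expansion (resolv.conf 'search' and 'ndots').

Added example, not from the thread.  SEARCH and KNOWN are constructed to
mirror the situation described above: a host that is only reachable
through one entry of a long search list.
"""


def expand_search(name: str, search, ndots: int = 1):
    """Candidate FQDNs in the order a glibc/BIND-style stub resolver tries them.

    A trailing dot means 'already absolute', no search applied.  With at
    least `ndots` dots the absolute name is tried first, then the search
    domains; with fewer, the search domains come first.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    via_search = [f"{name}.{d.strip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + via_search
    return via_search + [absolute]


def resolve(name: str, search, known, ndots: int = 1):
    """Walk the candidates against `known` (a set of existing FQDNs).

    Returns (fqdn or None, number of queries sent).  Each miss is a real
    NXDOMAIN round trip in production, so a six-entry search list costs
    up to seven lookups for a name that does not exist anywhere.
    """
    sent = 0
    for cand in expand_search(name, search, ndots):
        sent += 1
        if cand in known:
            return cand, sent
    return None, sent


# Constructed search list and zone contents (not the real K-State config).
SEARCH = ["campus.ksu.edu", "as.campus", "cc.campus", "cns.ksu.edu", "ksu.edu", "ads.campus"]
KNOWN = {
    "iso-01.campus.ksu.edu.",
    "nbu.cns.ksu.edu.",    # backup server installed under the long-gone cns subdomain
    "ns-1.ksu.edu.",
}

if __name__ == "__main__":
    pruned = [d for d in SEARCH if d != "cns.ksu.edu"]
    print("with cns.ksu.edu:   ", resolve("nbu", SEARCH, KNOWN))
    print("without cns.ksu.edu:", resolve("nbu", pruned, KNOWN))
```

Two things follow from the simulation: every entry is a domain whose operator effectively answers your short-name lookups, so a long list is both slow and a place where a stray or hijacked zone can answer first, and an application configured with a bare hostname depends on the order of that list staying exactly as it was when it was installed. Configuring the FQDN in the application removes both dependencies.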
Re: BIND Configuration
That's kind of how we do our DR... I have things scripted so that every update to our zone results in two versions of the zone file... the master server signs the first one and does its usual notifies, then the master signs the second and it's scp'd to secondaries in another network. In the event we lose our connectivity, we can direct the remote slave to take over with the alternate signed zone file. So that our main web presence will resolve to servers at our DR site... which we don't yet have :)

- Original Message -
> You will need to have some form of automation in place to update the DNS zone to change the IP address which should now be accessed when one of the links goes down. You will also need to ensure you have a low TTL value on the records you want to update on link change so that the records are refreshed quickly.
>
> On 8 May 2013 20:40, Ward, Mike S mw...@ssfcu.org wrote:
>> Hello all, I was wondering if someone could help me out. I am using Bind 9.2 on a Redhat Linux server. We have two ISPs on separate networks. Let's call them A and B. My Linux Server can listen on A's Network as well as B's network. I'm using fictitious IPs and names:
>>
>>     A            111.111.111.1
>>     B            555.555.555.1
>>     Secondary A  111.111.222.1  Redhat Bind
>>
>> Bind is listening on both IP addresses and we have a secondary server at 111.111.222.1. If A the ISP has a backbone router problem how can I get people trying to get to our web servers to use B's network? I have been thinking of different ways to do this, but have come up empty. Our network is really simple. I just want to be able to use diverse ISPs in case we lose one we still have the other. Can anyone help me out. Any help appreciated. Thanks.
Re: DDOS attack Bind 9.9 - P2
- Original Message -
> From: Lawrence K. Chen, P.Eng. lkc...@ksu.edu
>> So does rate limiting cover when the attacker walks my DNS zone to attack an IP?
>
> That depends on what is meant by "rate limiting" and "walking a DNS zone". Simple rate limiting that counts all requests ostensibly from a single IP address regardless of (qname,qtype) differs from response rate limiting (RRL) which counts distinct responses. Walking a zone can differ from walking a zone's valid names (perhaps based on NSEC RRs or arithmetic as in a reverse zone).

Well, if you had left the context of my reply in, it would be clear that I was referring to the RRL patch. And, I said in my message that I don't know the details of the walking; the person relaying the incident to me didn't specify the kind of walking, which is why I said I'm curious what kind of walking it was doing. Because I wondered whether all/mostly NXDOMAIN/NSEC3 responses would get limited.

I've played around with simple rate limiting before... on some caching servers... what a mess that turned out. Since it was one host that was mainly being bad, it was easier to just block it.

From what I was told of the incident... queries coming in were from all over (from valid ranges), but the responses were all going to one IP. So, IT Security didn't think they could do anything about it... except to ask why do we have DNS servers that are accessible from the Internet, and can they be blocked. ;-o
Re: DDOS attack Bind 9.9 - P2
- Original Message -
>> Patch BIND to include the RRL (Response Rate Limiting) patches (http://www.redbarn.org/dns/ratelimits), blackhole/ignore those clients requesting.
>
> The fact that Response Rate Limiting (RRL) does not blackhole/ignore clients is a feature and why it is a better mitigation for DNS Reflection DoS attacks than mechanisms that do blackhole/ignore clients. The apparent DNS clients in DNS reflection attacks are usually not the source of the evil requests, but forged by bad guys trying to attack the nominal clients. Because RRL limits the rate of any particular response sent to any particular client address block, the client is generally able to get responses for its legitimate requests and often will not notice the attack. Naively blackholing/ignoring the forged client as with common firewall rules does stop attacks, but lets the bad guy deny name service to the client. Breaking host name resolution has been a part of many security attacks over the years.

...

So does rate limiting cover when the attacker walks my DNS zone to attack an IP? According to IT Security, two of my on-campus authoritative-only nameservers were used where they seemed to be walking our DNS zone with the target an IP in Sprint's network. I'm curious what kind of walking it was doing: did they harvest what names exist or did they just try names in sequence... and not care if a lot of the responses are DNSSEC assured denial of existence? Suppose the latter would qualify as a type of response that can be limited?

...

>> ] Many people will not compromise critical daemons by using third party
>> ] *unofficial* patches.
>
> I don't know the status of the CZ-NIC Knot DNS or the NLNetLabs NSD RRL code. Perhaps that either of those is third party or unofficial, although I have the impression that is at least partly wrong. The BIND RRL patch on http://www.redbarn.org/dns/ratelimits is unofficial, and so it is reasonable to be skeptical and wait for an official release.
>
> However, for obvious reasons it is not really accurate to label the BIND RRL patch as third party. Pre-pre-release is a more accurate characterization of the BIND RRL. Please note that users of the FreeBSD bind98 and bind99 ports can get the RRL code without messing with the patch command. See https://www.google.com/search?q=site%3Afreebsd.org+bind+rrl

Currently the official position that I'm working under is to wait for official inclusion of the feature. On the other hand, I've been wanting to do a refresh of DNS infrastructure (2 Solaris10-SPARC and 16 Solaris10-x64; hardware is a couple of V240's, a couple of X4170's and the rest are X4100's) to something all FreeBSD based.

In the meantime, I'm debating the impact of setting minimal responses on my authoritative-only nameservers. 4 of the Solaris10-x64 servers are my authoritative-only nameservers... and one is my stealth master.
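The distinction Vernon draws above (per-source counting versus limiting identical responses per client address block), and the question in the message about whether sequential-name probing that produces mostly NXDOMAIN answers would be limited, can be illustrated with a small model. The following is an added example, not BIND code and not from the list; the class names `PerSourceLimiter`, `ResponseRateLimiter` and `simulate`, the traffic mix and the limits are all constructed. The NXDOMAIN handling follows BIND RRL's documented behaviour, where all NXDOMAIN responses for a zone share one counter per client block (the nxdomains-per-second limit); RRL's slip/truncation mechanism, which lets a legitimate client retry over TCP, is left out for brevity.

```python
"""Toy model of two rate-limiting strategies for an authoritative
nameserver under a reflection flood: naive per-source counting versus
BIND-style Response Rate Limiting (RRL). Constructed example; it is not
BIND code and the traffic below is made up."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


class PerSourceLimiter:
    """Counts every query from a source address. Once the limit is hit,
    nothing further is answered for that address in the window, so a
    victim whose address is being forged loses service entirely."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, src, qname, rcode, zone):
        self.counts[src] += 1
        return self.counts[src] <= self.limit


class ResponseRateLimiter:
    """Approximation of RRL as documented for BIND: the counter key is
    (client address block, response identity). Identical answers sent
    to one block share a counter, and all NXDOMAIN responses for a zone
    share one counter per block regardless of the name asked for.
    Different legitimate answers to the same block are counted
    separately, so they keep flowing during a flood."""

    def __init__(self, responses_per_second, nxdomains_per_second):
        self.limits = {"answer": responses_per_second,
                       "nxdomain": nxdomains_per_second}
        self.counts = defaultdict(int)

    @staticmethod
    def client_block(src):
        # BIND RRL defaults: /24 for IPv4 clients, /56 for IPv6 clients
        prefix = 24 if ip_address(src).version == 4 else 56
        return ip_network(f"{src}/{prefix}", strict=False)

    @staticmethod
    def identity(qname, rcode, zone):
        if rcode == "NXDOMAIN":
            return ("nxdomain", zone)        # one bucket for the whole zone
        return ("answer", qname.lower())     # one bucket per distinct answer

    def allow(self, src, qname, rcode, zone):
        ident = self.identity(qname, rcode, zone)
        key = (self.client_block(src), ident)
        self.counts[key] += 1
        return self.counts[key] <= self.limits[ident[0]]


def simulate(limiter, victim="192.0.2.10", zone="example.com"):
    """One window of traffic whose source address is forged to the victim.
    Returns how many queries of each kind were answered."""
    flood = [("big." + zone, "NOERROR")] * 100                    # same big answer
    walk = [(f"host{i}.{zone}", "NXDOMAIN") for i in range(100)]  # sequential names
    legit = [("www." + zone, "NOERROR")]                           # the victim's own lookup
    answered = {}
    for label, queries in (("reflection_flood", flood),
                           ("zone_walk", walk),
                           ("legitimate", legit)):
        answered[label] = sum(limiter.allow(victim, q, rc, zone) for q, rc in queries)
    return answered


if __name__ == "__main__":
    print("per-source:", simulate(PerSourceLimiter(limit=10)))
    print("rrl:       ", simulate(ResponseRateLimiter(10, 5)))
```

With the per-source limiter the forged flood exhausts the victim's budget and its own `www` lookup goes unanswered; with the RRL-style limiter the repeated big answer and the run of NXDOMAINs are each capped, while the distinct legitimate answer still gets through.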
Re: This didn't work....
    ads.foo.example.com. 3600 IN NS dc3.ads.foo.example.com.
    ads.foo.example.com. 3600 IN SOA dc3.ads.foo.example.com. hostmaster. 1334667 900 600 86400 3600

If I ask dc3.ads.foo.example.com what dc3.ads.foo.example.com is, it answers a.b.c.f.
If I ask dc3.ads.foo.example.com what dc2.ads.foo.example.com is, it answers a.b.c.d and a.b.c.e.
If I ask dc3.ads.foo.example.com what dc1.ads.foo.example.com is, it answers a.b.c.g.

Another department on campus had ns-1.bar.example.com listed as their NS (with us as secondaries for them), but then they said that their primary NS was failing on bond, so they wanted to switch to bund. But, neither name was known to my predecessor. And, their MX was apparently the same as their NS... so poof, they disappeared in a puff of magic smoke; well, at least their website still worked, or rather their old one. I couldn't email them to ask what they were talking about. And, nobody seemed to know anything about this department. Would see the occasional admin asking how they were supposed to deliver mail to the domain. Apparently some kind of tech transfer group that has changed names a bunch of times, but still keeps all their old domains around.

It was only recently they finally asked why their subdomain had vanished completely... before it just seemed stale. Well, I upgraded from 9.7 to 9.9, and it nuked all the old secondary zone files. :)

Though it does appear that if they say ns-1.bar.example.com is their NS, it should exist on their NS... while I can resolve bar.example.com, I can't resolve ns-1.bar.example.com, even though it worked because the subdomain resolved. ns-2.bar.example.com is not listed as NS and I have no glue record for it, but it resolves to the IP that was given to me as ns-1.bar.example.com. Only came across this fact when I was using named-compilezone to view secondary files, and it complained that ns-1.bar.example.com has no A or AAAA record.

And, it is certainly permissible for them to have provided IPs for dc2.ads.foo.example.com dc2.ads.foo.example.com to have the glue records.

There are a number of subdomains that already exist and apparently work:

    $ORIGIN net.example.com.
    @     NS    net1
    @     NS    net2
    net1  A     a.b.c.g
    net2  A     a.b.c.h

Though named-compilezone complained:

    zone example.com/IN: net.example.com/NS 'net1.net.example.com' (out of zone) has no addresses records (A or AAAA)
    zone example.com/IN: net.example.com/NS 'net2.net.example.com' (out of zone) has no addresses records (A or AAAA)

But, it turns out this seems to be the only non-central AD in our main zone file that seems to work fine from my window-less and Windows-less cubicle (in the basement of the library). I know the college of engineering has a bunch of AD servers, possibly in each of their departments, but the college has their own pair of authoritative nameservers for most of their departments, and various other domains. Mechanical and Nuclear Engineering was an exception; they used to do it themselves but then they had us take their subdomain back a couple years ago... and recently they stopped doing their own email.

And, it appears that it's a similar case here again: the names net1/net2 don't exist in net.example.com, but net1v/net2v exist and those are what point to the IPs provided.

Interesting about the messages named-compilezone emitted; wonder why they hadn't come up before. Suppose it's something that 9.9.2-P2 does now that 9.9.2-P1 didn't? Though checkzone is something we have turned off and don't do regularly, because there's a lot of stuff in our zone file it doesn't like... like underscores in host names. Or no glue records for nameservers that claim to have them. We don't allow IPv6 across the border; IT security blocks the tunneling protocols.

John

So, I then tried:

    $ORIGIN ads.foo.example.com
    @     NS    dc2
          NS    dc3
    dc2   A     a.b.c.e
    dc3   A     a.b.c.f

Which didn't help anything. Anyways... I guess at this point the problem lies with the ADS setup.
This didn't work....
Had a strange problem where our servers couldn't resolve hosts in an AD subdomain. This was in the zone file:

    $ORIGIN foo.example.com.
    ...
    ads    NS    ads.foo.example.com
    ...
    ...
    ...
    ads    A     a.b.c.d
    ...
    ...
    ...

They said if you used their ADS for lookups, things worked... except they can't resolve anything else using it. (There appears to be a problem with DNS interference from their firewall.) Plus, if it worked... they wouldn't be able to resolve hosts in our internal view. But, they can't resolve hosts in their ADS domain using our DNS.

It's not clear where the users are w.r.t. this firewall. But, since we can reproduce the issue... guessing outside; it's probably a datacenter firewall rather than the department.

So, got the NS changed... though they said the way it was done is how Microsoft says they're supposed to do it. Evidently... on their side it resolves: ads.foo.example.com resolves to a.b.c.d; a.b.c.e - dc2; a.b.c.f - dc3. So changing to:

    $ORIGIN foo.example.com
    ...
    ads    NS    dc2.foo.example.com.
           NS    dc3.foo.example.com.
    dc2    A     a.b.c.e
    dc3    A     a.b.c.f
    ...

Still doesn't work. 'dig +trace ads.foo.example.com' worked, but 'dig ads.foo.example.com' doesn't, and 'dig +trace host.ads.foo.example.com' appears to work, but 'dig host.ads.foo.example.com' doesn't.

Meanwhile somebody else happened to be doing a network capture, and they see dc2.foo.example.com replying to our caching DNS servers, but the DNS servers aren't answering. I then notice that the dig responses aren't authoritative. How do you have an AD domain where your AD servers aren't authoritative for itself? I assume that's the problem now... or is there something else on my end that I should be looking at?

Meanwhile, if things do start working, the 'host.foo.example.com' that started this problem will resolve to a 10.b.c.d address. Which is another problem I've been trying to quash...
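Both messages in this thread come down to delegation records and the glue (or ordinary in-zone A/AAAA records) their NS targets need, which is exactly what the named-compilezone complaints quoted in the reply are about. The following is an added example, not BIND or named-compilezone code and not something the poster wrote: a small master-file parser plus a check that reports each delegation NS whose target is in this zone or in the delegated child but has no address record. The helper names (`qualify`, `parse_zone`, `check_delegations`) and the sample zone are constructed; the sample uses RFC 5737 documentation addresses and only handles the record shapes shown in the thread ($ORIGIN, blank-owner continuation lines, optional TTL/class).

```python
"""Delegation sanity check for a parent zone file: flags NS records in a
delegation whose target name lives in this zone (or in the delegated
child) but has no A/AAAA record, the condition named-compilezone reports
as "has no address records". Constructed example, not BIND code; the
sample zone below is made up."""


def qualify(name, origin):
    """Absolute form of a zone-file name relative to origin (origin ends in '.')."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, zone):
    """Minimal master-file parser: honours $ORIGIN, blank-owner continuation
    lines, optional TTL/class and ';' comments. Returns (owner, type,
    rdata-fields) triples with absolute, lower-cased owner names."""
    origin = zone.rstrip(".").lower() + "."
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1].lower(), origin)
            continue
        if fields[0] == "$TTL":
            continue
        if line[0].isspace():            # blank owner: repeat the previous one
            owner = last_owner
        else:
            owner = qualify(fields.pop(0).lower(), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "NS":
            rdata = [qualify(rdata[0].lower(), origin)]
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def check_delegations(records, zone):
    """Report delegation NS targets that need an A/AAAA record in this file."""
    apex = zone.rstrip(".").lower() + "."
    has_address = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    problems = []
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner == apex:
            continue                     # apex NS records are not delegations
        target = rdata[0]
        if not target.endswith("." + apex):
            continue                     # served from another zone: nothing to verify here
        if target in has_address:
            continue
        if target == owner or target.endswith("." + owner):
            problems.append(f"{owner} NS {target}: inside the delegated child, needs a glue A/AAAA record")
        else:
            problems.append(f"{owner} NS {target}: in this zone but has no A/AAAA record")
    return problems


# Constructed sample parent zone (RFC 5737 addresses), mirroring the cases in the thread.
SAMPLE_ZONE = """\
$ORIGIN foo.example.com.
@       IN SOA  ns1 hostmaster 2013040101 3600 900 604800 3600
        NS      ns1
        NS      ns2
ns1     A       192.0.2.1
ns2     A       192.0.2.2
; delegation whose NS is the delegation name itself, with glue: fine
ads     NS      ads
ads     A       192.0.2.10
; delegation whose in-child NS names have no glue (only net1v/net2v do)
net     NS      net1.net
        NS      net2.net
net1v.net  A    192.0.2.21
net2v.net  A    192.0.2.22
; delegation to a name in this zone that was never given an address
users   NS      dc-users
; delegation to a server in another zone: not checked here
lab     NS      ns.lab.example.net.
"""

if __name__ == "__main__":
    for problem in check_delegations(parse_zone(SAMPLE_ZONE, "foo.example.com"), "foo.example.com"):
        print(problem)
```

Run against the sample it reports the two `net` delegation names and `dc-users`, and stays quiet about `ads` (glue present) and `lab` (out of zone, so the parent has nothing to supply).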
Re: Simple question about zone and CNAME
- Original Message -
> In our case it would be impossible for the University's public web presence and the AD domain controllers to be the same machines. It is conceivable that we could do some magic in load balancers to divide traffic appropriately, but I'd rather not do that if I don't have to.
>
> Sam
>
> --
> The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

But, assuming that your web presence is on the load balancer... there wouldn't be any trick to putting AD controller(s) on the same IP... since AD controllers listen to ports other than 80/443.

At our university (www.)ksu.edu is 129.130.8.49 and (www.)k-state.edu is 129.130.8.50; on this IP, the load balancer has port 80 mapped to a pool of webservers handling http, and port 443 is mapped to a different pool of webservers handling https (they should be the same servers now, but there was a time when the webteam was switching webserver apps, that SSL continued to be handled by the old servers since the private keys were internal to that application). The instability of our web presence was attributed to the high activity content that was largely http. Until about 2.5 years ago, we were still using Netscape Enterprise Server v4.1! And, there were things specific to that version that precluded moving to newer NES/iPlanet/SunOneWS; finally went to apache when a mod was written to recreate those features... and bugs.

Though our AD controllers are not behind our load balancer, someday the windows group might be, now that they want to be considered an enterprise server tech group, and cause all sorts of confusion with the already existing enterprise server tech group (unix/linux)... and shed their old name of lantech, from when they were the netware group. What we do have on this IP is ports 5222 and 5223 being sent to another pool.

OTOH, I am doing some magic on the load balancers... because different URI paths are going to different pools, because some important section was mocked up using technology that is not our standard webserver but then is announced to the world as a path under our main web site. The web team has been talking about replacing our main web presence with varnish caches, which would give them the ability to do this themselves... rather than needing me to maintain the TCL file that makes the magic. But, it's been taking them a long time for some reason (years). I have a personal setup, which is a pair of nginx servers reverse proxying to various other servers, that's working pretty slick.

The use of separate IPs for ksu.edu / k-state.edu is a leftover from how things used to be done, but the site now uses a multiname cert with those 4 names and others... since it was cheaper to cram as many different names into a single cert (and we're doing SSL proxy on our load balancer -- so the load balancer can work its magic...)
Re: Simple question about zone and CNAME
- Original Message -
> On Apr 5, 2013, at 3:48 PM, wbr...@e1b.org wrote:
>>> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around.
>>
>> Yes, sadly I've lost that technical battle with marketing several places now. And then there's these folks: http://no-www.org/
>
> Oh wow! Gee, thanks for that…
>
> Sad panda,
> W

Wow... didn't know that site existed. I've thought for a long time that all websites having to start with 'www.' was pretty antiquated. And, as such, most of the sites I have set up aren't that way. Especially the domain I got for my url shortener.

OTOH, our old webmaster is now working in marketing... when it was mandated that all DNS requests would automatically have the www. version created or vice versa, depending on what was requested; also they automatically get both ksu.edu and k-state.edu forms, even if they only asked for one. And, it just happens automatically with their request and isn't indicated that it happened.

So, up until a couple years ago... our webmail address had always been, and only, webmail.ksu.edu. But, under the new direction it has to work as webmail.ksu.edu, www.webmail.ksu.edu, webmail.k-state.edu, www.webmail.k-state.edu, and SSL certs have to work for all those. And, then somebody mentioned that m. was the prefix for mobile websites. So, now we support m.webmail x2, www.m.webmail x2, and m.www.webmail x2... and SSL for all.

In fact the whole "everything has to have multiple names" is causing problems, because now we need SSL certs to work for multiple names, because people aren't typing just the name and getting redirected to the one https:// form that exists. They'll https to one of the variants and complain they got a cert error and demand it be fixed. Rather than use the one form that has always been used to get to the site, and the one form that is published.

Of course, sometimes getting both the ksu.edu and k-state.edu forms is automatic, because their subdomain is an include file that is included in both files. Though there are others, where the information had been entered by hand into both zones. And, occasionally typos have gone undetected for years, because they never asked for the k-state.edu form... and it never worked because of a typo... until suddenly it does. Of course, there are also places in the files where the ksu.edu form has a different IP address than the k-state.edu form (by one).

The use of multiname certs to address this problem has only been a recent thing here, and it doesn't seem to be widely known. Though apparently, my hosting provider doesn't support these, requiring me to buy unique IPs for each cert, unless I happen to buy my cert from them... in which case theirs will work both with and without the 'www.' Though I have 3 domains pointed to the same site. Also it seems that if I sign up for cloudflare and move my NS to them, I can use just my domain name. Except that my hosting provider has partnered with them, so that NS can stay with them, but then I can no longer use just my domain name (because they'll then use the CNAME method that cloudflare offers, which can't be done for the apex of my domain), so I can't use cloudflare.

Though DoS'ing of my site was dropping off sharply a few days ago. My site was seeing about 30x more traffic than usual. I meant to see if there was anything piling on things at work... but guess I was busy enough not to look, and nobody has asked me about the systems I take care of.

In November our authoritative-only nameservers were getting DoS'd; they saw 1 gigabit of traffic coming in for each of the IPs of our nameservers. Only thing I could see in the logs was the nameserver couldn't reply to queries during the times. I knew our pipe was big, but didn't realize it was big enough to have a sustained and solid 1 gigabit of junk at my nameservers. Hopefully they'll continue to exempt my DNS vlan (which has both the authoritative-only nameservers and the recursive caching servers) from the packet inspection device that they say might've helped. Because it was hard enough trying to explain the DNS interference it was causing (and does cause to DNS servers elsewhere on campus). P2P isn't the only thing on the Internet that is large UDP packets that look encrypted (which is the main purpose of the device -- like, they only update the signature file on the device when they see an uptick in DMCA notices 8-)

The main thing was there would be messages for managed-keys-zone and then after a day or so, bind would stop resolving queries completely. Restarting it would make it work again until it stops again, and so on. So, I decided the workaround was to
Re: Blocking private addresses with a optionq
- Original Message -
> From: Lawrence K. Chen, P.Eng. lkc...@ksu.edu
>
> ...
>
>> So, being able to filter out these 'bad' things when responding to queries against that data might be a good thing.
>
> RPZ might be used for such things. However, by design RPZ rewrites entire responses. It is triggered by individual records in a response, but changes the entire response and not just individual records within the response. To use RPZ for such filtering, you would probably use views with a response-policy{} statement in the external view to be filtered. The RPZ rules could be triggered by rpz-ip records for 10.0.0.0/8 or similar. The rules might rewrite responses to a CNAME or to sets of A and AAAA records suitable for outsiders. That sounds a lot more fragile and error prone than distinct zones for insiders and outsiders specified in the view statements. However, RPZ might be good as a failsafe against leaks (perhaps rewriting to NXDOMAIN).
>
> Vernon Schryver v...@rhyolite.com

Since this problem has started increasing again, I went to look to see how to use RPZ. First thing that got my attention was that "The rules encoded in a response policy zone (RPZ) are applied only to responses to queries that ask for recursion." But, these are authoritative-only nameservers. So, would RPZ work in this case?
Re: Precautions for upgrading from 9.7.7 to 9.9.2-P2
- Original Message -
> In message 22783305.318587.1364508740276.javamail.r...@k-state.edu, Lawrence K. Chen, P.Eng. writes:
>> Hmmm, I forget just what all I muttered when I upgraded from 9.7 to 9.9.2-P1. I think the main beef I had was doing it the day before I left for LISA'12. ... guess I didn't join this list until around that time.
>>
>> As I recall... the main thing that tripped me up was the change in empty-zones behavior. It needs to be explicitly disabled (either totally or just for the zones you use). Which is only an issue if you have a forward zone below an empty zone without an intervening master/slave/stub zone.
>
> As I have stated before, forward zones were designed for two purposes:
> * performance increases by accessing a centralised cache
> * work around firewall issues
>
> Forward zones were not designed to graft on internal namespaces. That they sometimes succeed at doing this is down to good luck. Forward zones work by redirecting where a recursing request is sent. They do not create a delegation in zones loaded onto the nameserver. Basic zone management (master/slave zones) is capable of grafting on namespaces, and if you don't want to have a full zone transferred to slaves then stub zones were designed to allow you to graft on a namespace.

But, before 9.9, the default behavior was all empty zones except RFC1918. In 9.9, the default behavior became all empty zones including RFC1918.

Plus the forward zones that I have are only for forward DNS lookups. The (windows) servers are in a tightly firewalled vlan... so that insecure processes can continue until somebody gets around to securing them. Seems the admin assigned to fix that either gets fired or quits. But, the hosts in those subdomains aren't confined to defined subnet(s)... so there are just master/slave zone definitions for our IP spaces.

Though there's a subset of caching servers that have forwards to direct zen.spamhaus.org/dbl.spamhaus.org lookups to our rbldnsd server. And, the forward zone definitions are at the end of my configuration file, so after all the master and slave zone blocks. All the RFC1918 addresses are covered by master/slave zone definitions on my DNS servers.

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Forward First on Master Zone (bypass SOA)
- Original Message -
> On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
>> I've spent hours researching a way to accomplish this without any luck. Is there any way to accomplish what I'm trying to do?
>
> No, not unless you want to monkey around with static zones and $INCLUDE directives -- something like this:
>
> Internal zone file:
>
>     $INCLUDE internal.zone.apex
>     $INCLUDE example.com.common-records
>     $TTL 86400
>     some.internal.host    A    192.0.2.1
>     [...]
>
> External zone file:
>
>     $INCLUDE external.zone.apex
>     $INCLUDE example.com.common-records
>     $TTL 86400
>     some.external.host    A    192.0.2.254
>     [...]
>
> where the *.zone.apex files look something like this:
>
>     $TTL 86400
>     @    SOA    [... 7 data fields ...]
>          NS     ns1.example.com.
>          NS     ns2.example.com.
>          MX 10  mx1.example.com.
>
> This way, you mostly maintain 3 files of DNS records for the zone -- external, internal, and common. Note that this is not compatible with dynamic zones. If you need to support dynamic zones (and who doesn't, these days?), you're out of luck.
>
> Chris Buxton
> BlueCat Networks

I/we maintain a 'single' zone file (with help of subversion/cfengine) which is then processed into 4 different zone files through a Makefile on my master nameserver.

Basically, the as-is zone file is the external view state. All the internal (campus) view lines/$includes are prefixed with:

    ;CAMPUS;

where sed removes those comments to generate the 'campus' view zone file.

Then there are lines that will have different comments after the line. One is ;GUEST_NETWORK and another is ;DISASTER_RECOVERY. The sed script will replace the IP part of ;GUEST_NETWORK lines with the IP of a static page informing the user that the resource is available from the guest network. (This is for services where we couldn't have the service owner do this within their application.) And, ;DISASTER_RECOVERY replaces the IP with the IP of the server at our DR site. With the intent that the result is sent by alternate means to our off-campus secondaries, where they can switch to using this file, etc.

Due to DNSSEC, we have to generate a DR version of our zone file (instead of having the secondary edit the transfer file and present that). These are also based off the external view (since internal services aren't exposed to the guest network, and DR is an alternate external). All the different zone files are signed using dnssec-signzone with the '-N unixtime' option, to avoid serial number issues (especially now that I'm not the only one handling DNS requests).

Before split-DNS, we had created our own TLD... but the problem with that was we couldn't buy SSL certificates for these services, and there was no interest in having our users accept self-signed certs or to add a private CA to everything. So the TLD became a subdomain that was only in the internal view (originally)... though later added a stub in the external view to publish an MX record so that users/apps sending mail without setting a correct from address would still work. (Sure I've told people they need to do this lots of times... but then an important app was upgraded and the setting lost, but it needed to work anyways.) Though there were some issues with the stub, that were helped by upgrading to bind 9.9: wildcards and DNSSEC :)

Fortunately, I don't have to support dynamic zones on the central server; it's a delegated subdomain.
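The single-source scheme described above (one annotated master file, with ;CAMPUS; prefixes uncommented for the internal view and ;GUEST_NETWORK / ;DISASTER_RECOVERY tags driving address substitution for the other views) can be reproduced in a few lines. The following is an added example, not the poster's Makefile or sed script: it implements the same transformation in Python so the four outputs can be checked against each other before signing. The function names `retarget` and `build_views`, the sample master file and all addresses are constructed (RFC 5737 documentation ranges); the tag names and the ;CAMPUS; prefix are the ones the message describes.

```python
"""Generate per-view zone files from one annotated master file, the way
the scheme described above does with sed: lines prefixed ';CAMPUS;' are
uncommented only for the campus view, and A records tagged
';GUEST_NETWORK' or ';DISASTER_RECOVERY' have their address swapped for
the guest and DR views. Constructed example, not the poster's Makefile;
the sample zone and addresses are made up."""
import re

CAMPUS_PREFIX = ";CAMPUS;"
TAG_RE = re.compile(r"\s;(GUEST_NETWORK|DISASTER_RECOVERY)\s*$")


def retarget(line, tag, new_ip):
    """If the line carries the given tag and is an A record, replace its
    address with new_ip; otherwise return the line unchanged."""
    m = TAG_RE.search(line)
    if not m or m.group(1) != tag:
        return line
    record, comment = line[:m.start()], line[m.start():]
    fields = record.split()
    if "A" not in fields or fields.index("A") + 1 >= len(fields):
        return line                      # only well-formed A records are rewritten
    fields[fields.index("A") + 1] = new_ip
    return "\t".join(fields) + comment


def build_views(master, guest_ip, dr_ip):
    """Return {view: [lines]} for the external, campus, guest and DR views.
    The external view is the master file as-is (the tags are ordinary
    comments to named); guest and DR are derived from it, so campus-only
    lines never reach them."""
    views = {"external": [], "campus": [], "guest": [], "dr": []}
    for line in master.splitlines():
        if line.startswith(CAMPUS_PREFIX):
            views["campus"].append(line[len(CAMPUS_PREFIX):])
            continue
        views["external"].append(line)
        views["campus"].append(line)
        views["guest"].append(retarget(line, "GUEST_NETWORK", guest_ip))
        views["dr"].append(retarget(line, "DISASTER_RECOVERY", dr_ip))
    return views


# Constructed sample master file; tabs separate the fields as in a real zone file.
SAMPLE_MASTER = "\n".join([
    "$ORIGIN example.edu.",
    "@\tIN\tSOA\tns1 hostmaster 0 3600 900 604800 3600",
    "\tNS\tns1",
    "\tNS\tns2",
    "ns1\tA\t192.0.2.1",
    "ns2\tA\t192.0.2.2",
    "www\tA\t192.0.2.80\t;DISASTER_RECOVERY",
    "portal\tA\t192.0.2.81\t;GUEST_NETWORK",
    ";CAMPUS;intranet\tA\t10.0.0.5",
    ";CAMPUS;$INCLUDE\tcampus-only.zone",
    "mail\tA\t192.0.2.25",
])

if __name__ == "__main__":
    # guest_ip: the static "not available from the guest network" page; dr_ip: the DR site
    for view, lines in build_views(SAMPLE_MASTER, "198.51.100.1", "203.0.113.80").items():
        print(f"--- {view} ---")
        print("\n".join(lines))
```

The SOA serial is deliberately left at 0 in the sample: as the message notes, each variant is signed separately with dnssec-signzone -N unixtime, so the serial comes from the signing step rather than from the source file.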
Re: How to optimize dns requests
Think you can only get aa if the the server is an authority I've been playing around with a local forward first caching server so I tried it. First run: % dig mail.com ; DiG 9.9.2-rpz.066.22-P1 mail.com ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 20016 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;mail.com. IN A ;; ANSWER SECTION: mail.com. 86400 IN A 213.165.66.221 ;; Query time: 183 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Mar 15 13:16:06 2013 ;; MSG SIZE rcvd: 53 Second run: % dig mail.com ; DiG 9.9.2-rpz.066.22-P1 mail.com ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 51884 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;mail.com. IN A ;; ANSWER SECTION: mail.com. 86395 IN A 213.165.66.221 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Mar 15 13:16:11 2013 ;; MSG SIZE rcvd: 53 And, when I tried some of our normal caching servers...the results were similar, with Query times of up to 3 ms. Until I found one that hadn't cached yet it. ; DiG 9.6-ESV-R4-P1 mail.com @dns-6 ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 61026 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;mail.com. IN A ;; ANSWER SECTION: mail.com. 86400 IN A 213.165.66.221 ;; AUTHORITY SECTION: mail.com. 86400 IN NS dns.gmx.net. mail.com. 86400 IN NS ns.gmx.net. ;; Query time: 377 msec ;; SERVER: 129.130.139.154#53(129.130.139.154) ;; WHEN: Fri Mar 15 13:17:49 2013 ;; MSG SIZE rcvd: 84 Subsequent dig took 0ms. 
Tried adding +aaonly:

; <<>> DiG 9.9.2-rpz.066.22-P1 <<>> +aaonly mail.com @dns-6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44400
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.com.                      IN      A

;; ANSWER SECTION:
mail.com.               86215   IN      A       213.165.66.221

;; AUTHORITY SECTION:
mail.com.               86215   IN      NS      dns.gmx.net.
mail.com.               86215   IN      NS      ns.gmx.net.

;; Query time: 0 msec
;; SERVER: 129.130.139.154#53(129.130.139.154)
;; WHEN: Fri Mar 15 13:20:54 2013
;; MSG SIZE  rcvd: 95

but dig against one of the authority section servers:

; <<>> DiG 9.9.2-rpz.066.22-P1 <<>> mail.com @ns.gmx.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2703
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.com.                      IN      A

;; ANSWER SECTION:
mail.com.               86400   IN      A       213.165.66.221

;; Query time: 120 msec
;; SERVER: 213.165.64.2#53(213.165.64.2)
;; WHEN: Fri Mar 15 13:21:05 2013
;; MSG SIZE  rcvd: 53

- Original Message -
> On 15.03.13 15:25, Abdellatif ... wrote:
>> I want to optimize the call to the remote DNS server to resolve domain names each time needed. What I want to do is that if the hostname is requested for the first time, then call the remote DNS (for example 8.8.8.8) to resolve it; once called, then record it for later use, in such a way that when next time the same domain name is requested for resolve, the cached IP is grabbed without need to call the remote DNS, to maximize speed and optimize network traffic.
>
> This is how BIND normally works.
>
>> It doesn't seem to use the cache, here is the call of dig mail.com:
>>
>> ; <<>> DiG 9.8.1-P1 <<>> mail.com
>> [...]
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> This is clearly a cached answer (aa flag is missing).
> How did you come to the conclusion that caching does not work?
>
> -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Save the whales. Collect the whole set.
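The point of the dig exchange above is that "aa" tells you who answered, not whether the answer came from a cache: an authority sets aa, a recursive resolver never does for data it learned by recursion, and the cache's TTL counts down from what the authority gave. The following is an added example, not code from the thread or from BIND; it parses the header flags and the first answer's TTL from raw DNS messages. Both messages are constructed by hand to mirror the mail.com answers shown above (they are not captured packets).

```python
"""Parse header flags and first-answer TTL from a raw DNS response.

Added example (not from the bind-users thread). The two messages at the
bottom are constructed to mimic the mail.com answers in the thread:
one as an authority returns it (aa set), one as a cache returns it a
few seconds later (aa clear, ra set, TTL counting down).
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1).
_QR, _AA, _TC, _RD, _RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return flags, section counts and the TTL of the first answer RR."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {
        "id": ident,
        "qr": bool(flags & _QR), "aa": bool(flags & _AA),
        "tc": bool(flags & _TC), "rd": bool(flags & _RD),
        "ra": bool(flags & _RA), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "ttl": None,
    }
    off = 12
    for _ in range(qd):                 # question: name, qtype, qclass
        off = _skip_name(msg, off) + 4
    if an:                              # first answer: name, type, class, ttl, rdlen
        off = _skip_name(msg, off)
        _, _, ttl = struct.unpack("!HHI", msg[off:off + 8])
        info["ttl"] = ttl
    return info


def looks_cached(info: dict) -> bool:
    """Resolver-style answer: recursion available and no authority flag."""
    return info["qr"] and info["ra"] and not info["aa"]


def build_a_response(ident: int, flags: int, name: str, ip: str, ttl: int) -> bytes:
    """Build a minimal one-question, one-answer A response (constructed data)."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    header = struct.pack("!6H", ident, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # A, IN
    rdata = bytes(int(o) for o in ip.split("."))
    # Owner name as a pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


# Constructed samples: qr|aa|rd = 0x8500 (authority), qr|rd|ra = 0x8180 (cache).
AUTHORITATIVE = build_a_response(0x0A8F, _QR | _AA | _RD, "mail.com", "213.165.66.221", 86400)
CACHED = build_a_response(0xCAAC, _QR | _RD | _RA, "mail.com", "213.165.66.221", 86395)

if __name__ == "__main__":
    for label, msg in (("authority", AUTHORITATIVE), ("cache", CACHED)):
        info = parse_response(msg)
        print(label, "aa=%s ra=%s ttl=%s cached=%s"
              % (info["aa"], info["ra"], info["ttl"], looks_cached(info)))
```

Run it and the authority message reports aa set with the full TTL, while the cache message reports aa clear, ra set and a TTL that has already ticked down, which is exactly the pattern the two dig runs above show.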
forwarding query-source (was Re: name caching and forwarding)
This reminds me of a problem that I've been having, which came up again recently. I thought I had read somewhere that the query-source default is to try making queries from all the IPs on my system. And, my DNS servers have two IPs on them; using policy based routing, the first IP routes out on my fast though less reliable internet connection and the second IP routes out on my slower but reliable (though the router is acting up on this link now) internet connection. Currently all my caching DNS servers are set up this way. Though things might change when I get reorg'd into new IP space (and going from a.b.c.0/24 to x.y.z.0/25).

The problem I found was that when my fast internet connection goes down, queries stop working. I had to explicitly set query-source to use the second IP. A while back, I discovered that my two DNS servers were both using the slower connection.

But, I've been testing a DNS server on my dev system. (The prod servers are Ubuntu 10.04 LTS... rndc status says 9.7.0-P1; the dev system is FreeBSD-9.1R so its BIND is 9.8.3-P4.) I will start building new prod servers as FreeBSD-9.1R soon.

So, I thought I could trick my caching servers into handling the dual routing that I wanted, by setting the two prod servers to 'forward first' to my dev server, which sends its queries out on the fast connection, and assume that they would query out over the slow connection if the 'forward first' doesn't yield an answer.

But, then the other day, my dev server went down hard and it took a long time to re-import all its zpools before booting all the way back up. (I was in the process of destroying a 1TB dataset on a 5TB raidz w/dedup.) There were some problems with Chrome lookups timing out on my laptop (since the dev server was first in the resolv.conf) but retrying the page would work, so I didn't think much further about it... and hoped things would be recovered in the morning; well, it took a bit longer than that to recover. And, then I was surprised by a flood of email.
My mailservers weren't able to resolve addresses because the forwarder wasn't responding. I suppose it's because it's UDP that it isn't quick about deciding that there's no service to answer.

Does this timeout problem also impact 'forward only' and a list of forwarders? I have a set of servers with 10.x.x.x IPs with local caching DNS servers configured to 'forward only' to a pair of caching DNS servers with public IPs.

So, how would I make forwarding not prevent resolution? Or can I get BIND to try both IPs when doing queries?
Re: question about dns query distribution
Are these authoritative nameservers or resolving DNS servers? If the latter, it's probably because everybody has resolv.conf's listing ns1.tbd.com first and ns2.tbd.com second.

We used to have 3 recursive/caching servers: x.x.x.2, x.x.x.3, x.x.x.4. x.x.x.2 would get heavily used, with the other two practically being idle. Later the networking group changed DHCP to hand out x.x.x.3 as the first nameserver. So '2' mainly sees queries from most systems not using DHCP and '3' mainly sees queries from systems using DHCP. And, most of my systems use '4' :)

They had talked about having DHCP use 3 first or 4 first for different parts of campus, but... they probably don't want to touch it, since it hasn't been updated since it was turned on 6+ years ago (it's running ISC dhcpd v3.0.4). Though '4' is out in our powerplant where it only has 100BaseT. '2' and '3' are in our datacenter with gigabit. They all used to live out in the powerplant originally. But, as the old hardware started failing, I scrounged up some old servers in the datacenter to replace them, but didn't get very far on doing the physical replacement process. Perhaps I'll do better as the current hardware nears EOL.

- Original Message -
> Recently noticed that for 2 nameservers ns1.tbd.com and ns2.tbd.com (names are changed to protect the innocent) the first nameserver consistently receives twice as many queries as the 2nd nameserver. Who can tell me why queries are distributed this way? Any ideas? I assume it's something relatively simple. Thank you.
>
> Marty
Re: high volume from outside our networks question
I think this is one of those reasons why mixing caching/recursion with authoritative is bad. I think the option needed is 'additional-from-cache no;', but it's only effective if 'recursion no' is done in global options ... or in a view? Hmm, wonder if a view is the answer; perhaps try something like:

view trusted {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    # allow-query-cache then defaults to the same match as allow-recursion
};

view untrusted {
    match-clients { any; };
    recursion no;
    additional-from-cache no;
};

- Original Message -
> acl trusted {
>     xxx.xxx.xxx.0/20;
>     xxx.xxx.xxx.0/23;
>     xxx.xxx.xxx.0/22;
>     xx.xxx.xxx.0/23;
>     xx.xxx.xxx.0/23;
>     xx.xxx.xxx.0/23;
>     x.xx.xxx.0/21;
>     x.xx.xx.0/24;
>     xxx.xxx.xxx.0/24;
>     localhost;
>     localnets;
> };
>
> options {
>     // Relative to the chroot directory, if any
>     directory "/etc/namedb";
>     pid-file "/var/run/named/pid";
>     dump-file "/var/dump/named_dump.db";
>     statistics-file "/var/stats/named.stats";
>     allow-recursion { trusted; };
>     allow-query { any; };
>     allow-query-cache { trusted; };
>
> It's the standard conf with the default stuff in it, as well as 24 zones or so in it.
>
> On Wed, Jan 30, 2013 at 3:30 PM, Steven Carr sjc...@gmail.com wrote:
>> So the response you received wasn't recursed (;; WARNING: recursion requested but not available), so at least that ACL is holding up, but it could be that the response you got is still being served from your DNS server's cache. Can you share the exact configuration statements you have implemented for allow-recursion and allow-query-cache, and are these options in the view stanza or in the global options? Best practice is that authoritative and recursive DNS servers should be completely separate.
>>
>> Steve
>
> -- Richard Carroll richcarr...@gmail.com 785-288-1144
Re: How to measure the impact of enabling DNSSEC?
On 01/28/2013 18:10, Brian Kroth wrote:
>> I've had a very similar experience where I'm at. At least from the NIST presentation, I got information on how to contact somebody about these problems since it's usually hard to send email to the listed RNAME.
>
> Can you share? It's true that usually it's some sort of email at that same domain, but if resolving the domain isn't working, how are you going to get email there?

Q: Is there a contact for people on the outside to contact these operators when their domain disappears, because they can't send email to the listed POC because their domain isn't resolving?

Scott Rose @ NIST: Yes, there is. It is one of those things that most people outside of the government don't know about, which is sad. The registrar for the government has a helpdesk, that is 'regist...@dotgov.gov'. They have the database for all the current POCs, and the current operator is Verisign so it is a 24/7 helpdesk. And, they can contact/call the operator and explain what kind of problems people are seeing with their domain and what the solutions are. There is also a phone number for them on their website, so you could call them. Which is 877-REG-GOVT (734-4688).
Re: key rollover with BIND 9.9
- Original Message -
> What are other people using to automate key rollovers with 9.9?

I use cron to generate new ZSKs at regular intervals (1st of every 3rd month, with a 10 day window) and do periodic resigns (every payday), and rely on the tools to handle the rollover correctly. (Though my crontab formula breaks in 2016, because 2015 will have 53 weeks.)

The only time the tools balked was when I switched from NSEC to NSEC3. But, that was back with 9.7 and before I knew about the problem with wildcards and NSEC3, where upgrading to 9.9 was needed. Instead we got rid of the wildcard. The wildcard exists only in the external view, because we didn't want the names of internal hosts exposed... but users kept sending mail with the internal host name, so we put a wildcard MX in the external view. But, now we don't allow them to send mail out with an internal host name.

Which reminds me, I'm not getting emails from our F5 anymore, because I'm guessing the postfix settings got reset after the upgrade so it's not using its outside name anymore. Yup, /etc/postfix/canonical isn't saved in the ucs. Plus it doesn't autostart after an upgrade either :)
Re: How to measure the impact of enabling DNSSEC?
- Original Message -
> On Wed, Jan 23, 2013 at 11:38 AM, Augie Schwer augie.sch...@gmail.com wrote:
>> On Tue, Jan 22, 2013 at 2:32 PM, Mark Andrews ma...@isc.org wrote:
>>> In message ca+fq9b-ym5w+ndxzzndzwnnqk-v29s19enb_myjbk-jrgbj...@mail.gmail.com, Augie Schwer writes:
>>>> Would measuring the number of SERVFAIL entries in the query-errors category be a good indicator of what impact enabling DNSSEC has?
>>>
>>> DNSSEC is like wearing a seatbelt. 99.99% of the time it has no impact. And like a seatbelt it can save you (reject spoofed answers) or hinder you (lookups fail due to the zone not being re-signed) on rare occasions.
>>
>> That makes sense to me; I was looking for a way to quantify the effect of enabling DNSSEC validation in a BIND server. Measuring SERVFAILs seems to be a good proxy to measure DNSSEC's impact. Thanks for the reply.
>
> SERVFAILs are not rare and come from many things. Looking at the delta after enabling validation might be interesting, but in my experience you are unlikely to see any difference beyond the jitter that will always be there. Except for a couple of major goofs early on by a few large orgs (e.g. NASA), the impact of validation is about zip.
>
> -- R. Kevin Oberman, Network Engineer E-mail: kob6...@gmail.com

I heard a presentation from NIST on the .gov DNSSEC deployment last month... which was quite interesting on the kind of DNSSEC errors they've been having.

For me, users will frequently show up complaining at certain times of the year that they can't get to a .gov site from campus, but the site works fine on their home computer. Usually, when I dig through the logs, I will see it's either that they've stopped signing their zone or they got the rollover wrong. Of course, the users blame me for having DNSSEC validation on for our DNS servers and not the .gov site for making an error. Especially since they've waited until the last minute to submit a grant proposal to some .gov, and waiting for the .gov site to fix the problem would probably take too long.

At least from the NIST presentation, I got information on how to contact somebody about these problems since it's usually hard to send email to the listed RNAME.

OTOH, our domain went dark on August first of this year, because a non-DNS administrator takes care of all the registry accounts (because we don't have the authority to pay for registrations). And, even though the DS line I sent her had the number for RSASHA256... she picked the wrong number on the registry's site. Not entirely sure... but I got the impression that the website form said "8 - RSASHA256", so it should've been obvious. But, I've never seen that page. This was the first year that we have published our DS with our registry.

Though things didn't break completely, because I maintain our record on ISC's DLV. And, resolvers set to use DLV could validate our domain. Things from my home were kind of weird, because I found out that one of my broadband connections uses DLV while the other doesn't.

What was fun was that I had done a 2 month window for the KSK rollover, but the person that updates our registry record waited until the end of July to finally update it. I did the DLV update on July 1st. Mainly because the year before I had used a shorter window, and I forgot to update DLV, which I seem to recall required a bit of extra work to get it to validate my domain with them again. Plus I was doing a transition from RSASHA1 to RSASHA256. Not sure how I'm going to do the rollover next year; I'm debating going to a longer lifetime KSK.
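The outage described above came from a DS record whose algorithm field did not match the KSK it was meant to point at; a validator compares key tag, algorithm and digest, so a wrong algorithm number makes the DS useless even when the digest is right. The following is an added example, not code from the thread or from BIND's dnssec-dsfromkey: it derives a DS record from DNSKEY fields (RFC 4034 key tag, SHA-256 digest as in RFC 4509) and checks a registry-side DS against the key. The zone name example.edu. is hypothetical and the public key bytes are a constructed placeholder, not a real RSA key.

```python
"""Derive a DS record from a DNSKEY and check a published DS against it.

Added example (not from the bind-users thread, not BIND's own tool).
The owner name and key bytes below are constructed placeholders; the
key tag and digest computations are the real RFC 4034 / RFC 4509 ones.
"""
import hashlib
import struct

ALG_RSASHA1, ALG_RSASHA256 = 5, 8       # DNSKEY algorithm numbers
DIGEST_SHA256 = 2                        # DS digest type


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (lowercase labels, root-terminated)."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-algorithm-1 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = DIGEST_SHA256) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_key(ds: tuple, owner: str, flags: int, protocol: int,
                   algorithm: int, pubkey: bytes) -> bool:
    """Would a validator accept this DS for this DNSKEY?

    Key tag, algorithm and digest must all agree; a DS whose algorithm
    field was mistyped at the registry fails here even with a correct digest.
    """
    try:
        return tuple(ds) == make_ds(owner, flags, protocol, algorithm, pubkey, ds[2])
    except ValueError:                   # unsupported digest type: cannot match
        return False


def format_ds(owner: str, ds: tuple) -> str:
    """Presentation form, as you would paste into a registry web form."""
    tag, alg, dtype, digest = ds
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dtype, digest)


# Constructed placeholder KSK (flags 257 = KSK, protocol 3). Not a real RSA key:
# the bytes just give the tag/digest code something deterministic to chew on.
OWNER = "example.edu."                                   # hypothetical zone
KSK_FLAGS, KSK_PROTO = 257, 3
KSK_PUBKEY = b"\x03\x01\x00\x01" + b"\xab\xcd" * 4

# What the zone operator should publish for the RSASHA256 KSK...
PUBLISHED_DS = make_ds(OWNER, KSK_FLAGS, KSK_PROTO, ALG_RSASHA256, KSK_PUBKEY)
# ...and the same record with the algorithm number picked wrong on the
# registry's form (the mistake in the post): correct tag and digest, wrong algorithm.
WRONG_ALG_DS = (PUBLISHED_DS[0], ALG_RSASHA1, PUBLISHED_DS[2], PUBLISHED_DS[3])

if __name__ == "__main__":
    print(format_ds(OWNER, PUBLISHED_DS))
    for label, ds in (("published", PUBLISHED_DS), ("wrong algorithm", WRONG_ALG_DS)):
        ok = ds_matches_key(ds, OWNER, KSK_FLAGS, KSK_PROTO, ALG_RSASHA256, KSK_PUBKEY)
        print("%-16s validates: %s" % (label, ok))
```

A cheap safeguard this suggests: before handing a DS line to whoever holds the registry login, and again after they submit it, fetch the DS the parent actually publishes and run it through a check like ds_matches_key against the live DNSKEY, so a wrong algorithm or digest type is caught before the old key is retired.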
replysize problem
Anybody know anything about F5 Big-IPs?

I was doing the replysize test on various DNS servers that I maintain, and found two are reporting a replysize limit less than 3843 (the result that I get for all my other DNS servers). And, with those two, they will alternate between a limit that is a few bytes short of 3843 to only being 1086 bytes.

I have had the IT security people look over the firewalls and our Procera (which is known to consider DNSSEC to be encrypted UDP bittorrent, and block it) to see if there's something different that's affecting just those two servers. But, they say that there isn't anything different now in the configurations for these two DNS servers and the rest of my DNS servers.

So, the only other difference I can think of is that these two servers are in a pool behind our F5.
Re: Local Lookups Fail When the Net is down.