Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-19 Thread Nagesh Thati
Hi,
I am still not able to get named to reload the updated $INCLUDE file
content. Any help would be appreciated.
Thanks.

On Fri, Mar 17, 2023 at 12:43 PM Nagesh Thati  wrote:

> Hi,
> I tried the syntax, but it didn't work.
> Thanks.
>
> On Fri, Mar 17, 2023 at 11:41 AM Sachchidanand Upadhyay 
> wrote:
>
>> Hi,
>>
>>   Have you checked the syntax?
>>
>>   try this:
>>
>>   $INCLUDE "/var/named/zones/masters/rpz.local.data";
>>
>> Regards,
>> Sachchidanand
>>
>> --
>> From: tcpnag...@gmail.com
>> To: m3...@m3047.net
>> Cc: bind-users@lists.isc.org
>> Sent: Friday, March 17, 2023 9:18:32 AM
>> Subject: Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not
>> reloading content and dig not working
>>
>> Thanks for the reply Fred Morris,
>> Yes, even after incrementing the serial number and doing a reconfig and
>> reload, it is still not picking up the include file data.
>>
>>
>> On Fri, Mar 17, 2023 at 2:45 AM Fred Morris  wrote:
>>
>>> Hello
>>>
>>> On Thu, 16 Mar 2023, Nagesh Thati wrote:
>>> > [...]
>>> > When named is restarted using systemctl above rpz rules are working
>>> > fine, but when I add a new rule "nagesh3.com A 3.4.5.6" manually in
>>> > the include file and run "rndc reconfig and rndc reload", named is not
>>> > picking up the updated include file and the nagesh3.com rpz
>>> > rule is not working.
>>>
>>> Are you incrementing the SOA serial number?
>>>
>>> --
>>>
>>> Fred Morris, internet plumber
>
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-17 Thread Nagesh Thati
Hi,
I tried the syntax, but it didn't work.
Thanks.

On Fri, Mar 17, 2023 at 11:41 AM Sachchidanand Upadhyay 
wrote:

> Hi,
>
>   Have you checked the syntax?
>
>   try this:
>
>   $INCLUDE "/var/named/zones/masters/rpz.local.data";
>
> Regards,
> Sachchidanand
>
> --
> From: tcpnag...@gmail.com
> To: m3...@m3047.net
> Cc: bind-users@lists.isc.org
> Sent: Friday, March 17, 2023 9:18:32 AM
> Subject: Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not
> reloading content and dig not working
>
> Thanks for the reply Fred Morris,
> Yes, even after incrementing the serial number and doing a reconfig and
> reload, it is still not picking up the include file data.
>
>
> On Fri, Mar 17, 2023 at 2:45 AM Fred Morris  wrote:
>
>> Hello
>>
>> On Thu, 16 Mar 2023, Nagesh Thati wrote:
>> > [...]
>> > When named is restarted using systemctl above rpz rules are working
>> > fine, but when I add a new rule "nagesh3.com A 3.4.5.6" manually in
>> > the include file and run "rndc reconfig and rndc reload", named is not
>> > picking up the updated include file and the nagesh3.com rpz
>> > rule is not working.
>>
>> Are you incrementing the SOA serial number?
>>
>> --
>>
>> Fred Morris, internet plumber


Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-16 Thread Nagesh Thati
Thanks for the reply Fred Morris,
Yes, even after incrementing the serial number and doing a reconfig and
reload, it is still not picking up the include file data.


On Fri, Mar 17, 2023 at 2:45 AM Fred Morris  wrote:

> Hello
>
> On Thu, 16 Mar 2023, Nagesh Thati wrote:
> > [...]
> > When named is restarted using systemctl above rpz rules are working fine,
> > but when I add a new rule "nagesh3.com A 3.4.5.6" manually in
> > the include file and run "rndc reconfig and rndc reload", named is not
> > picking up the updated include file and the nagesh3.com rpz
> > rule is not working.
>
> Are you incrementing the SOA serial number?
>
> --
>
> Fred Morris, internet plumber


BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-16 Thread Nagesh Thati
Hi Team,
I have configured named with RPZ.

options section has:

    response-policy { zone "rpz.local"; } qname-wait-recurse no;

Zone section in named.conf:

    zone "rpz.local" {
        type master;
        file "/var/named/zones/masters/db.rpz.local";
    };

Zone file content:

    > cat db.rpz.local
    ;; rpz.local
    ;
    $TTL 2h ; default TTL
    $ORIGIN rpz.local.
    @ SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
    ; name server is never accessed but out-of-zone
      NS nonexistant.nodomain.none.
    $INCLUDE /var/named/zones/masters/rpz.local.data

Include file content:

    > cat rpz.local.data
    nagesh1.com  A 1.2.3.4
    nagesh2.com  A 2.3.4.5

When named is restarted using systemctl the above rpz rules are working fine,
but when I add a new rule "nagesh3.com A 3.4.5.6" manually in
the include file and run "rndc reconfig and rndc reload", named is not
picking up the updated include file and the nagesh3.com rpz
rule is not working.

Can someone please help me get named to reload the updated include
file without restarting the named service?

Thanks
Nagesh.
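As an added example (not code from the thread or from BIND), here is a small Python helper for a zone file laid out like the db.rpz.local above: it lists the files the zone pulls in with $INCLUDE and bumps the SOA serial in the zone text, which is the step Fred Morris asks about in the replies. The function names are hypothetical and the sample zone is constructed from the post.

```python
"""Added example, not code from the thread: helpers for an RPZ zone that
pulls its rules in through $INCLUDE. `included_files` lists the include
targets and `bump_serial` increments the SOA serial in the zone text, so a
rule change in the include file is accompanied by a serial change in the
zone file before `rndc reload`. Hypothetical helper names; the sample zone
is constructed from the db.rpz.local shown in the post."""
import re
from typing import List, Tuple

# $INCLUDE <file> [origin] [comment]; the file name may be quoted and ';' starts a comment.
_INCLUDE_RE = re.compile(r'^[ \t]*\$INCLUDE[ \t]+"?([^"\s;]+)"?', re.IGNORECASE | re.MULTILINE)

# owner [ttl] [class] SOA mname rname [(] serial ...   (one-line or parenthesised SOA)
_SOA_RE = re.compile(
    r"^[^\s;]*[ \t]+(?:\d+[a-zA-Z]*[ \t]+)?(?:IN[ \t]+)?SOA[ \t]+\S+[ \t]+\S+[ \t]*\(?\s*(?P<serial>\d+)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample, following the zone file shown in the post.
SAMPLE_ZONE = """\
;; rpz.local
$TTL 2h ; default TTL
$ORIGIN rpz.local.
@ SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
; name server is never accessed but out-of-zone
  NS nonexistant.nodomain.none.
$INCLUDE /var/named/zones/masters/rpz.local.data
"""


def included_files(zone_text: str) -> List[str]:
    """Paths named by $INCLUDE directives, in file order."""
    return _INCLUDE_RE.findall(zone_text)


def bump_serial(zone_text: str) -> Tuple[str, int, int]:
    """Return (new_zone_text, old_serial, new_serial) with the SOA serial incremented by one.

    Serial arithmetic is modulo 2^32 (RFC 1982), so 4294967295 rolls over to 0.
    """
    m = _SOA_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA record with a serial found in zone text")
    old = int(m.group("serial"))
    new = (old + 1) & 0xFFFFFFFF
    new_text = zone_text[: m.start("serial")] + str(new) + zone_text[m.end("serial"):]
    return new_text, old, new


if __name__ == "__main__":
    for path in included_files(SAMPLE_ZONE):
        print("includes:", path)
    text, old, new = bump_serial(SAMPLE_ZONE)
    print(f"serial {old} -> {new}")
    print(text)
```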


Classless reverse zones CNAME and PTR resolution issue

2022-10-31 Thread Nagesh Thati
Hello,
I am facing an issue with CNAME and PTR record resolution when
classless reverse zones are defined in BIND 9.16.* (without
recursion), but it used to work in the 9.11.* version (without recursion).
The example below shows which reverse zones are created and what the dig
output gives:

named.conf:
    recursion no;

    zone "22.10.13.in-addr.arpa" IN {
        type master;
        file "/var/named/zones/masters/db.22.10.13.in-addr.arpa";
        check-names ignore;
        zone-statistics yes;
    };

    zone "0-25.22.10.13.in-addr.arpa" IN {
        type master;
        file "/var/named/zones/masters/db.0-25.22.10.13.in-addr.arpa";
        check-names ignore;
        zone-statistics yes;
    };

db.22.10.13.in-addr.arpa:

    $TTL 1200
    $ORIGIN 22.10.13.in-addr.arpa.
    22.10.13.in-addr.arpa.  IN  SOA  remote1.india.com. admin.india.com. (
                                2022102807 ; serial
                                21600      ; refresh
                                3600       ; retry
                                604800     ; expire
                                86400      ; minimum
                            )
                            IN  NS   remote1.india.com.
    0-25.22.10.13.in-addr.arpa. IN  NS   remote1.india.com.
    2.22.10.13.in-addr.arpa.    1200  IN  CNAME  2.0-25.22.10.13.in-addr.arpa.

db.0-25.22.10.13.in-addr.arpa:

    $TTL 1200
    $ORIGIN 0-25.22.10.13.in-addr.arpa.
    0-25.22.10.13.in-addr.arpa. IN  SOA  remote1.india.com. admin.india.com. (
                                2022102808 ; serial
                                21600      ; refresh
                                3600       ; retry
                                604800     ; expire
                                86400      ; minimum
                            )
                            IN  NS   remote1.india.com.
    2.0-25.22.10.13.in-addr.arpa.  1200  IN  PTR  3G00051Phone.india.com.

DIG Output:

    [root@remote1]# dig @localhost -x 13.10.22.2

    ; <<>> DiG 9.16.30 <<>> @localhost -x 13.10.22.2
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32110
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: f29427e34cd79c010100635fe20b8accc09065ab6b33 (good)
    ;; QUESTION SECTION:
    ;2.22.10.13.in-addr.arpa.   IN  PTR

    ;; ANSWER SECTION:
    2.22.10.13.in-addr.arpa. 1200   IN  CNAME   2.0-25.22.10.13.in-addr.arpa.

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Oct 31 14:56:11 GMT 2022
    ;; MSG SIZE  rcvd: 122

I am getting only the CNAME as the answer, not the exact A record for
that IP address. This used to work in the BIND 9.11.* version; I recently
upgraded to the latest 9.16.* version and since then I have been facing this issue.


But when I enable recursion on BIND 9.16.*, I get the expected answer,
as below:

    [root@remote1]# dig @localhost -x 13.10.22.2

    ; <<>> DiG 9.16.30 <<>> @localhost -x 13.10.22.2
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40386
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: 8cee7aad934beda40100635fe32bf7ce38d08006dbd1 (good)
    ;; QUESTION SECTION:
    ;2.22.10.13.in-addr.arpa.   IN  PTR

    ;; ANSWER SECTION:
    2.22.10.13.in-addr.arpa. 1200   IN  CNAME   2.0-25.22.10.13.in-addr.arpa.
    2.0-25.22.10.13.in-addr.arpa. 1200 IN   PTR     3G00051Phone.india.com.

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Oct 31 15:00:59 GMT 2022
    ;; MSG SIZE  rcvd: 165

Can someone help me understand why this behaviour is seen on the BIND 9.16.* version?
Thanks,
Nagesh


Re: named failed to resolve forwarding queries(with global forwarders specified with "forward only") when "server section statement" has forwarder IP

2021-11-24 Thread Nagesh Thati
Thanks a lot for your quick response. Your answer is helpful.


On Wed, Nov 24, 2021 at 4:22 PM Tony Finch  wrote:

> Nagesh Thati  wrote:
> >
> > Can anyone tell me why I am getting tsig errors and SERVFAIL errors for
> > non managed zones? Why named using the "server statement" TSIG key in
> > forwarding queries instead of using this TSIG only for ixfr/axfr?
>
> TSIG is a bit confusing to set up because there are a bunch of options
> and the use-cases and pros and cons can be unclear.
>
> The `server` clause has a grab-bag of options that you can specify about
> other nameservers that your server might communicate with for whatever
> reason. If you configure a TSIG key in a `server` clause, it is used for
> all traffic with that server. (There will normally be a corresponding
> config on the other server for traffic in the opposite direction.) It's
> convenient to use for traffic between authoritative servers, because it
> gives you one place to secure refresh queries, notifies, and zone
> transfers. But in a more complicated configuration like yours it can have
> an unwanted effect on other traffic.
>
> Another approach is to configure TSIG for each kind of traffic separately.
> More explicit, but more verbose. The way I like to do this is to have
> `acl` clauses with helpful names, which can then be used in allow-notify
> and allow-transfer options to require TSIG for incoming requests; and
> corresponding top-level `primaries` clauses for use in per-zone
> `primaries` and/or `also-notify` clauses for outgoing requests. I can put
> all this access control stuff into a shared config file used on all my
> servers, and the authoritative TSIG stuff will not affect recursive
> queries.
>
> (For example, at Cambridge we have a mutual secondarying arrangement with
> Imperial College with TSIG and IPv6 and DNSSEC and all that good stuff;
> our recursive servers don't know anything special about the Imperial
> zones, and we don't need or want recursive queries between us to use TSIG.
> Our recursive servers still have the same shared access control config,
> but the Imperial parts are not used there, because none of the zone
> clauses refer to the Imperial acl/primaries names.)
>
> This kind of explicit TSIG configuration doesn't work in all cases: for
> instance, you can't specify TSIG keys in the `forwarders` clause, so you
> have to use a `server` clause to configure TSIG for forwarding.
>
> I haven't answered your specific questions because I'm not sure I
> understand the details of your setup properly, but I hope this more
> general answer is helpful.
>
> Tony.
> --
> f.anthony.n.finch  https://dotat.at/
> harness technological change to human advantage
>
>


named failed to resolve forwarding queries(with global forwarders specified with "forward only") when "server section statement" has forwarder IP

2021-11-23 Thread Nagesh Thati
Hi,

I have a BIND master server (10.1.10.110) and a slave server (recursive,
10.1.10.120), and also global forwarding to another server for non-managed
domains.
The forwarding server (10.1.10.25) is also a slave for example1.com and example2.com,
and gets zone transfers from the BIND slave server.

Below is my named.conf configuration. In the config, for secure zone
transfers I am using a "server statement" with a TSIG communication key. With
this configuration, when named is loaded on the BIND slave server,
I can only resolve example1.com and example2.com on the BIND slave server
(10.1.10.120); for other non-managed domains I see SERVFAIL errors.

Can anyone tell me why I am getting tsig errors and SERVFAIL errors for
non-managed zones? Why is named using the "server statement" TSIG key in
forwarding queries instead of using this TSIG only for ixfr/axfr?

BIND AUTH Master IP: 10.1.10.110
BIND AUTH Slave IP: 10.1.10.120
Forwarder IP: 10.1.10.25

named.conf:

#-
# ACLs
#-
acl "transfer-core-dns" { 10.1.10.25; };

#-
# Key Definition
#-
key "RNDC-KEY" {
    algorithm HMAC-SHA512;
    secret "ykLMNmAECOp4fcBMqIddG17Ubo4sTvm1zb5YSh7HvEjP8F2f+XU9uavOx4hoVBKANDY0tJIRlNOI8U8LaJunDg==";
};

#-
# Controls Definition
#-
acl "RNDC-USERS" {
    127.0.0.1;
    localhost;
};
controls {
    inet 127.0.0.1 port 953 allow { RNDC-USERS; } keys { "RNDC-KEY"; };
};

#-
# Logging Definition
#-
logging {
    channel named {
        file "/var/named/log/named.log" versions 10 size 100M;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default {
        named;
    };
};

#-
# Global Options
#-
options {
    directory "/";
    allow-query { any; };
    allow-transfer { none; };
    blackhole { none; };
    dnssec-enable yes;
    dnssec-validation no;
    listen-on-v6 { none; };
    check-srv-cname ignore;
    check-mx-cname ignore;
    check-mx ignore;
    check-names master ignore;
    check-names response ignore;
    dump-file "/var/named/log/named_dump.db";
    lame-ttl 600;
    max-ncache-ttl 10800;
    minimal-responses yes;
    pid-file "/var/run/named/named.pid";
    recursion yes;
    session-keyfile "/var/run/named/session.key";
    statistics-file "/var/named/log/named.stats";
    tcp-clients 1000;
    zone-statistics yes;
    empty-zones-enable no;
    rrset-order {
        order cyclic;
    };
    transfers-in 50;
    transfers-out 30;
    transfers-per-ns 30;
    no-case-compress { any; };
    allow-recursion { any; };
    recursive-clients 1;

    forward only;
    forwarders { 10.1.10.25; };
    flush-zones-on-shutdown yes;
};

#-
# Statistics Section
#-
statistics-channels {
    inet 127.0.0.1 port 8080 allow { 127.0.0.1; };
};

#-
# Server Definition
#-
key "COMMUNICATION-KEY" {
    algorithm HMAC-SHA512;
    secret "1HVF90bx+6ywx5Ovr1SOCcL2inTDc0gYRoG6BK/TU+g8tAr3j0ptJsZ6OjfNxEYcMGDRt5m5z/it1gPe7+jJqA==";
};

server 10.1.10.25 {
    keys "COMMUNICATION-KEY";
    provide-ixfr yes;
    request-ixfr yes;
};

#-
# Zone Section
#-
zone "." IN { type hint; file "/var/named/zones/masters/db.cache"; };
zone "example1.com" IN {
    type slave;
    file "/var/named/zones/slaves/db.example1.com";
    allow-transfer { transfer-core-dns; };
    allow-notify { 10.1.10.110; };
    notify yes;
    masters {
        10.1.10.110;
    };
    check-names ignore;
    zone-statistics yes;
    forwarders {};
};
zone "example2.com" IN {
    type slave;
    file "/var/named/zones/slaves/db.example2.com";
    allow-transfer { transfer-core-dns; };
    allow-notify { 10.1.10.110; };
    notify yes;
    masters {
        10.1.10.110;
    };
    check-names ignore;
    zone-statistics yes;
    forwarders {};
};

named.log:
client: error: query (google.com/NS): query_find: unexpected error after
resuming: tsig indicates error
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/NS at query.c:8678
client: error: query (google.com/MX): query_find: unexpected error after
resuming: tsig indicates error
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/MX at query.c:8678
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/A at query.c:7118
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/A at query.c:7118
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/NS at query.c:7118
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/MX at query.c:7118


Re: Secure Active Directory updates and allow-update-forwarding issues

2021-01-19 Thread Nagesh Thati
Thanks Mark.

On Tue, Jan 19, 2021 at 6:15 PM Mark Andrews  wrote:

> Forwarding is designed for TSIG and works for SIG(0).  It doesn’t work for
> GSS-TSIG.
>
> --
> Mark Andrews
>
> On 19 Jan 2021, at 22:23, Nagesh Thati  wrote:
>
> 
> Hi,
> I am getting "update failed" on the master DNS appliance when I am using
> allow-update-forwarding:
>     updating zone '_msdcs.example.com/IN': update failed: rejected by secure update (REFUSED)
>
> example.com is an Active Directory enabled zone which has one master and
> one slave. The master appliance is hidden, so Active Directory sends updates to
> the slave appliance using the MNAME specified in the zone's SOA section.
>
> master (10.1.10.203) named.conf:
>
> tkey-gssapi-keytab "/etc/krb5.keytab"; -> in the options section; the keytab
> file is in the /etc folder
>
> zone "_msdcs.example.com" IN {
>     type master;
>     file "/var/named/zones/masters/db._msdcs.example.com";
>     allow-transfer { 10.1.10.144; };
>     also-notify { 10.1.10.144; };
>     notify explicit;
>     update-policy { grant * subdomain _msdcs.example.com. ANY; };
>     check-names ignore;
>     zone-statistics yes;
> };
>
> slave (10.1.10.144) named.conf:
> zone "_msdcs.example.com" IN {
>     type slave;
>     file "/var/named/zones/slaves/db._msdcs.example.com";
>     allow-notify { 10.1.10.203; };
>     masters {
>         10.1.10.203;
>     };
>     check-names ignore;
>     zone-statistics yes;
>     allow-update-forwarding { 10.1.10.158; };
> };
>
> 10.1.10.158 - AD server


Secure Active Directory updates and allow-update-forwarding issues

2021-01-19 Thread Nagesh Thati
Hi,
I am getting "update failed" on the master DNS appliance when I am using
allow-update-forwarding:
    updating zone '_msdcs.example.com/IN': update failed: rejected by secure update (REFUSED)

example.com is an Active Directory enabled zone which has one master and one
slave. The master appliance is hidden, so Active Directory sends updates to
the slave appliance using the MNAME specified in the zone's SOA section.

master (10.1.10.203) named.conf:

tkey-gssapi-keytab "/etc/krb5.keytab"; -> in the options section; the keytab
file is in the /etc folder

zone "_msdcs.example.com" IN {
    type master;
    file "/var/named/zones/masters/db._msdcs.example.com";
    allow-transfer { 10.1.10.144; };
    also-notify { 10.1.10.144; };
    notify explicit;
    update-policy { grant * subdomain _msdcs.example.com. ANY; };
    check-names ignore;
    zone-statistics yes;
};

slave (10.1.10.144) named.conf:
zone "_msdcs.example.com" IN {
    type slave;
    file "/var/named/zones/slaves/db._msdcs.example.com";
    allow-notify { 10.1.10.203; };
    masters {
        10.1.10.203;
    };
    check-names ignore;
    zone-statistics yes;
    allow-update-forwarding { 10.1.10.158; };
};

10.1.10.158 - AD server


Classless Reverse Zones PTR Dig Format Issue

2019-02-06 Thread Nagesh Thati
Hello,
I have created a network with 199.192.0.0/11 and
created 4 subnets with a /13 mask in that network:
Network: 199.192.0.0/11 : 192.199.in-addr.arpa,
Subnet1: 199.192.0.0/13 : 0-13.192.199.in-addr.arpa,
Subnet2: 199.200.0.0/13 : 0-13.200.199.in-addr.arpa,
Subnet3: 199.208.0.0/13 : 0-13.208.199.in-addr.arpa,
Subnet4: 199.216.0.0/13 : 0-13.216.199.in-addr.arpa.
I followed RFC 2317 to create the CNAME and NS records in the parent zone,
which is 192.199.in-addr.arpa.
When I dig for a PTR for the object 199.192.0.2 in the dig format below,
    # dig @localhost -x 199.192.0.2 - GOT RESULT
I am getting the answer. But when I dig for the object 199.200.255.202 in
the format below, I am not getting the answer:
    # dig @localhost -x 199.200.255.202 - NO RESULT
But if I dig in the specific format,
    # dig @localhost 202.255.0-13.200.199.in-addr.arpa PTR - GOT RESULT

My question is:
Is it possible to dig the 199.200.255.202 object with -x using a dig
command? If yes, what changes need to be done in the parent and child
reverse zones?

Thanks in advance,
Nagesh.


Re: Reverse lookup for classless networks

2018-12-27 Thread Nagesh Thati
Thanks Mark,
But is there any other way without using any CNAMEs?

On Thu, Dec 27, 2018 at 4:45 PM Mark Andrews  wrote:

> Because it requires the parent zone with the CNAME records to also be set
> up which maps the well known query names to the alternate names.
>
>
> --
> Mark Andrews
>
> On 27 Dec 2018, at 21:01, Nagesh Thati  wrote:
>
> Hello,
> I have been trying to make the reverse zones for the classless networks. I
> was able to create such zones by following an online guide. The guide says
> to create a reverse zone for a classless network as follows:
> Network: 28.0.0.0/27
> Reverse Zone: 0-27.128.0.0.28.in-addr.arpa.
> Example PTR record: 130.0-27.128.0.0.28.in-addr.arpa. PTR test.example.com.
>
> Now the zone is up, but I have a problem looking up the IP address using
> the method below:
>     dig @localhost -x 28.0.0.130
>
> While the above lookup is not working, the method below is working:
>     > dig @localhost 130.0-27.128.0.0.28.in-addr.arpa. PTR +short
>     > 3G2Phone.adparent.com.
>
> Now can someone tell me why the first method is not working? Will my
> reverse zone work properly in the real world?
> Thanks for your help.


Reverse lookup for classless networks

2018-12-27 Thread Nagesh Thati
Hello,
I have been trying to make the reverse zones for the classless networks. I
was able to create such zones by following an online guide. The guide says
to create a reverse zone for a classless network as follows:
Network: 28.0.0.0/27
Reverse Zone: 0-27.128.0.0.28.in-addr.arpa.
Example PTR record: 130.0-27.128.0.0.28.in-addr.arpa. PTR test.example.com.

Now the zone is up, but I have a problem looking up the IP address using
the method below:
    dig @localhost -x 28.0.0.130

While the above lookup is not working, the method below is working:
    > dig @localhost 130.0-27.128.0.0.28.in-addr.arpa. PTR +short
    > 3G2Phone.adparent.com.

Now can someone tell me why the first method is not working? Will my
reverse zone work properly in the real world?
Thanks for your help.
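As an added example (not code from the thread or from BIND) covering the classless reverse-zone questions in this post, the /13 post and the 2022 post above (13.10.22.0/25 delegated as 0-25.22.10.13.in-addr.arpa): the Python below builds the NS and CNAME records the parent /24 zone needs under RFC 2317, computes the name `dig -x` asks for, and follows the CNAME into the child zone so the answer ends at the PTR, which is the chain Mark Andrews describes. It assumes the `first-prefixlen` child label used in the 2022 post (RFC 2317 leaves the label to the operator, so the guide's `0-27.128...` label is just a different convention) and that RFC 2317 applies to IPv4 prefixes longer than /24; the function names and sample data are constructed.

```python
"""Added example, not code from the thread: RFC 2317 classless reverse delegation.

Builds the records the parent /24 zone needs for a child zone covering a
prefix longer than /24, and follows the resulting CNAME chain the way a
resolver does, so the name `dig -x IP` asks for ends at the PTR.
Child label convention assumed: <first host octet>-<prefixlen>.<parent>,
as in 0-25.22.10.13.in-addr.arpa. from the thread. Hypothetical helper names."""
import ipaddress
from typing import Dict, List, Tuple

RR = Tuple[str, str]            # (rtype, rdata); owner names are the dict keys
Zone = Dict[str, List[RR]]


def reverse_name(ip: str) -> str:
    """The in-addr.arpa name that `dig -x IP` queries, e.g. 2.22.10.13.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parent_zone_name(cidr: str) -> str:
    """The /24 reverse zone that holds the delegation, e.g. 22.10.13.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa."


def child_zone_name(cidr: str) -> str:
    """Child zone: <first host octet>-<prefixlen>.<parent>, e.g. 0-25.22.10.13.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 delegation is for IPv4 prefixes longer than /24")
    first = int(net.network_address) & 0xFF
    return f"{first}-{net.prefixlen}.{parent_zone_name(cidr)}"


def rfc2317_parent_records(cidr: str, child_ns: str) -> Zone:
    """Records the parent /24 zone needs: one NS for the child, one CNAME per address."""
    net = ipaddress.ip_network(cidr, strict=True)
    child = child_zone_name(cidr)
    zone: Zone = {child: [("NS", child_ns)]}
    for addr in net:                       # every address in the block, incl. first and last
        last_octet = str(addr).split(".")[-1]
        zone[reverse_name(str(addr))] = [("CNAME", f"{last_octet}.{child}")]
    return zone


def lookup_ptr(ip: str, zones: List[Zone], max_hops: int = 8) -> List[Tuple[str, str, str]]:
    """Resolve the -x name across the given zones, following CNAMEs.

    Returns the answer section as (owner, rtype, rdata) triples: the CNAME(s)
    followed by the final PTR, which is what a recursing resolver hands back.
    An unknown name or a dangling CNAME ends the answer where it stands.
    """
    name = reverse_name(ip)
    answer: List[Tuple[str, str, str]] = []
    for _ in range(max_hops):
        rrs = next((z[name] for z in zones if name in z), None)
        if rrs is None:
            return answer
        ptrs = [r for r in rrs if r[0] == "PTR"]
        if ptrs:
            answer.extend((name, "PTR", rdata) for _, rdata in ptrs)
            return answer
        cnames = [r for r in rrs if r[0] == "CNAME"]
        if not cnames:
            return answer
        answer.append((name, "CNAME", cnames[0][1]))
        name = cnames[0][1]
    raise RuntimeError("CNAME chain too long")


if __name__ == "__main__":
    # Constructed from the 2022 post: 22.10.13.in-addr.arpa delegates 13.10.22.0/25.
    parent = rfc2317_parent_records("13.10.22.0/25", "remote1.india.com.")
    child: Zone = {"2.0-25.22.10.13.in-addr.arpa.": [("PTR", "3G00051Phone.india.com.")]}
    for owner, rtype, rdata in lookup_ptr("13.10.22.2", [parent, child]):
        print(f"{owner} IN {rtype} {rdata}")
```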


Re: servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

2018-03-04 Thread Nagesh Thati
Thanks Cathy.


From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Cathy Almond 
<cat...@isc.org>
Sent: Monday, March 5, 2018 11:53:44 AM
To: bind-users@lists.isc.org
Subject: Re: servfail-ttl 0; option in the named.conf global section is 
crashing the named (BIND 9.10.6)

On 05/03/2018 05:50, Nagesh Thati wrote:
> Hello,
>
> I have added a servfail-ttl 0; parameter in the named.conf file in the
> global section and restarted named, but named is not coming up and I
> don't see any errors printed in the named.log. When I do a
> named-checkconf on named.conf it gives the error UNKNOWN OPTION
> servfail-ttl. The version I am using is BIND 9.10.6 stable build. Can
> someone help me with this?
> Thanks.
>
> To fix this bug I have added the above parameter: CVE-2018-5734: A
> malformed request can trigger an assertion failure in badcache.c
> <https://kb.isc.org/article/AA-01562/0/CVE-2018-5734%3A-A-malformed-request-can-trigger-an-assertion-failure-in-badcache.c.html>

CVE-2018-5734 affects only the editions listed in the security advisory:

9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, and 9.10.6-S2

These are Supported Preview Editions of BIND provided to eligible ISC
Support customers, not the same as the ones available for download from
our website.

Servfail cache was added to BIND Open Source from BIND 9.11 (although it
was backported to some of the -S editions as a Supported Preview
feature) - see:
https://kb.isc.org/article/AA-01310/109/BIND9-Significant-Features-Matrix.html

This is why the servfail-ttl option is unknown in 9.10.6.

So you're not vulnerable to CVE-2018-5734 - although I see why you might
have thought that you are because the -S editions of BIND have a similar
version numbering scheme to the regular editions, but with -S appended
(it's not often that we have a security issue that affects only those,
but it is still necessary to issue an advisory).

Hope this clarifies (and also sets your mind at rest)?

Cathy


Re: servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

2018-03-04 Thread Nagesh Thati
Thanks Mark.


From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Mark Andrews 
<ma...@isc.org>
Sent: Monday, March 5, 2018 11:51:06 AM
To: Nagesh Thati
Cc: bind-users@lists.isc.org
Subject: Re: servfail-ttl 0; option in the named.conf global section is 
crashing the named (BIND 9.10.6)


> On 5 Mar 2018, at 4:50 pm, Nagesh Thati <tcpnag...@gmail.com> wrote:
>
> Hello,
>
> I have added a servfail-ttl 0; parameter in the named.conf file in the global 
> section and restarted named, but named is not coming up and I don't see 
> any errors printed in the named.log. When I do a named-checkconf on 
> named.conf it gives the error UNKNOWN OPTION servfail-ttl. The version I 
> am using is BIND 9.10.6 stable build. Can someone help me with this.
> Thanks.
>
> To fix this bug I have added the above parameter: CVE-2018-5734: A malformed 
> request can trigger an assertion failure in badcache.c

CVE-2018-5734 does not apply to BIND 9.10.6 (which doesn’t have a servfail-ttl 
option).

CVE-2018-5734 applies to BIND 9.10.5-S1 to 9.10.5-S4, BIND 9.10.6-S1, 9.10.6-S2 
(these versions have servfail-ttl as a option).

"named -v” will report which version of named you are running.

e.g
% named -v
BIND 9.10.6 
%

Parsing errors messages will be logged in the system log as named has not yet 
got far enough into the startup process to know to log the messages elsewhere.

Mark


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

2018-03-04 Thread Nagesh Thati
Hello,

I have added a servfail-ttl 0; parameter in the named.conf file in the
global section and restarted named, but named is not coming up and I
don't see any errors printed in the named.log. When I do a named-checkconf
on named.conf it gives the error UNKNOWN OPTION servfail-ttl. The
version I am using is BIND 9.10.6 stable build. Can someone help me with
this?
Thanks.

To fix this bug I have added the above parameter: CVE-2018-5734: A malformed
request can trigger an assertion failure in badcache.c



Re: Round-robin

2018-01-24 Thread Nagesh Thati
You can use BIND's RRSET Order for this,
http://www.zytrax.com/books/dns/ch7/queries.html#rrset-order

On Wed, Jan 24, 2018 at 4:37 PM, gsi  wrote:

> Hello,
>
> I have 2 A records like this:
>     www  A  10.1.1.1
>     www  A  10.1.1.2
>
> When I request www, I got random answers (10.1.1.1 or 10.1.1.2)
> If I use the sortlist option, I always got the same answer.
>
> My question : how can I have cyclic answers :
> request www --> reply 10.1.1.1
> request www --> reply 10.1.1.2
> request www --> reply 10.1.1.1
> request www --> reply 10.1.1.2
> ...
>
> Thanks,
>
> Guillaume.
>
>
>

Master/Slave communication not working if I use HMAC-SHA* algorithms when views are implemented

2016-10-13 Thread Nagesh Thati

Hi,

Has anybody implemented master/slave communication with views and the
HMAC-SHA* algorithms? I tried all the HMAC-SHA* algorithms and they
didn't work for me; only the HMAC-MD5 algorithm worked for
communication. If anybody has any idea, please help me.

Thanks.


--
Thanks,
Nagesh Thati
