Re: Dig 9.7 DNSSEC output

2010-05-09 Thread R Dicaire
On Sun, May 9, 2010 at 11:24 AM, Peter Janssen peter.jans...@eurid.eu wrote:

 ;; ADDITIONAL SECTION:
 ns.nic.se.  3600 IN  A   212.247.7.228
 ns.nic.se.  3600 IN  AAAA    2a00:801:f0:53::53
 ns2.nic.se. 3600 IN  A   194.17.45.54
 ns3.nic.se. 60   IN  A   212.247.3.83
 ns.nic.se.  3600 IN  RRSIG   A 5 3 3600 20100517132001
 20100507132001 20273 nic.se.
 TLTnkqESLN7DdoC2urF14ox1JolvUSCySe4oqYfof4ER/ZNNl8DO1P46
 mSKpNxf3kNUJWoMkjBjtUgZgiMcVSuD7V6qTHLA2A8tEhnM4pXCeo/yj
 kirCEzo3YQzcW56BZVXgVe41K3QT4GpIm0rmTyEy+8ZCe7oeMKFem5PL Ibw=
 ns.nic.se.  3600 IN  RRSIG   AAAA 5 3 3600
 20100517132001
 20100507132001 20273 nic.se.
 HcUbk9y1aR9zeHOwNsqTtPL97P+ftyoQVAyTZbuPpr6GEzIsKL8MyQoP
 h4qyAkOHFWC2lgZ4xroHemR9OXa3JCLn1UtYE0UbgszUJWSJcQW+2ho3
 GIsfEzVfJwMEomhvPuEyVfNxdaP87ITFTfNJcUvEApHCnYHO0RNgeEL0 l/Y=
 ns2.nic.se. 3600 IN  RRSIG   A 5 3 3600 20100517132001
 20100507132001 20273 nic.se.
 fGqc3OIwmaYPFJoRrULGaUIRxGV+i6FJkcSZ4HRJL0x+siwVcTrIb+5t
 ER9woGl9sabyXH9H4aHc90ARABer0RodbnQSZDT7SPamDb97UP1ESBs2
 Av9N43nr54M/ctLk8EZc1q7GblBK7inf7iY/AQsHTsFv1BWJOAYw+n4N YaM=
 ns3.nic.se. 60   IN  RRSIG   A 5 3 60 20100517132001
 20100507132001 20273 nic.se.
 vTil1+1r3dOyV3zHdd53p2O5qnBHfexdwJVjx2E+G5z5FTqa50YRQYfH
 JwVHHertJcMo2wek/y2g0GBQJdkFTKwpJZv3IWWp9TYqJ3lCIYzoWxWV
 pzc7i+m2Ha3HupVY0e/tOJPKsiJu+LnyH3LJ66WV/xCRDjhZ8N6RONl5 xQU=


I count 8 RRs: 3 A, 1 AAAA, 4 RRSIG.

Where are you seeing 9?

-- 
aRDy Music/Rick Dicaire

http://www.ardynet.com
http://linux.ardynet.com
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Dig 9.7 DNSSEC output

2010-05-09 Thread R Dicaire
On Sun, May 9, 2010 at 11:48 AM, Peter Janssen peter.jans...@eurid.eu wrote:

 as per the header of Dig output…
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9


Curious, I too get 9 but only 8 RRs are shown:

; <<>> DiG 9.7.0-P1 <<>> +dnssec @rdb.ardynet.com ardynet.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19752
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ardynet.com. IN NS

;; ANSWER SECTION:
ardynet.com. 10800 IN NS rdb.ardynet.com.
ardynet.com. 10800 IN NS dev.ardynet.com.
ardynet.com. 10800 IN RRSIG NS 5 2 10800 2010051512 2010050912 60794
ardynet.com. uEABRGErPScK6zTn8V2aZwWXdC7sc1wh7eFsyGHkwcfGrugsLdFPVSfZ
vetCUVXoOj1OnUNPeO5/cMB8Os0NGg==

;; ADDITIONAL SECTION:
dev.ardynet.com. 10800 IN A 74.93.245.186
dev.ardynet.com. 10800 IN AAAA 2001:470:8:12:def::1000
rdb.ardynet.com. 10800 IN A 74.93.245.185
rdb.ardynet.com. 10800 IN AAAA 2001:470:e006::1000
dev.ardynet.com. 10800 IN RRSIG A 5 3 10800 2010051512 2010050912
60794 ardynet.com. OdH4FDSkj8daSKw0ooNX2ZJpjQVtTXI0ev5pblGM0+M/IYccu1fW9Tkk
h9N0PPI7/4C2fpitdBbFGCq14hxocg==
dev.ardynet.com. 10800 IN RRSIG AAAA 5 3 10800 2010051512 2010050912
60794 ardynet.com. ou2/+po9rUY1l8TYy4u23z0GWBuasEib5U1E1f//MJCQ1XRqOKX9h8y2
Gk6R3+lxXlDdoLtww8E2GpVpEK+U1A==
rdb.ardynet.com. 10800 IN RRSIG A 5 3 10800 2010051512 2010050912
60794 ardynet.com. jUJ/1Miq+Y3RwFW8AyfCs6vJ+alynM/gzVIBFdn3SoIFzg3AiV4R8zHl
sOX5xzP2eVEuQwtq6cDWhFqma3cr/A==
rdb.ardynet.com. 10800 IN RRSIG AAAA 5 3 10800 2010051512 2010050912
60794 ardynet.com. M9NcSwlhg50H5zRXeB8iKZLFdm1dGmwEg/PIHYgTn9gyoXOcLUWRjK5Q
RnPlqRyHoVdkkHyCFumEkMZVyneu1g==


-- 
aRDy Music/Rick Dicaire

http://www.ardynet.com
http://linux.ardynet.com
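
The header count of 9 against 8 listed RRs in the two responses above is not a dig bug: the EDNS OPT pseudo-RR is carried in the additional section and counted in ARCOUNT, but dig prints it separately under ";; OPT PSEUDOSECTION:" rather than under ";; ADDITIONAL SECTION:". The following is an added example, not code from the thread or from ISC; it constructs a small authoritative response in wire format (made-up zone name and addresses), parses it the way a resolver would, and splits ARCOUNT into what dig shows as the pseudosection and what it shows as additional records.

```python
"""Count the records in a DNS response the way dig's header does.

Added example, not from the original thread. The header ARCOUNT includes
the EDNS OPT pseudo-RR (type 41), which dig prints as an OPT PSEUDOSECTION
instead of listing it under ADDITIONAL, so the header can say ADDITIONAL: 9
while only 8 RRs are printed. The response below is constructed here for
illustration; the names and addresses are made up.
"""
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG = 1, 2, 28, 41, 46
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels ('.' -> a single zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(owner, rtype, rclass, ttl, rdata):
    """One resource record in wire format."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_rr(udp_size=4096, do=True):
    """EDNS OPT pseudo-RR (RFC 6891): owner is the root, the CLASS field carries
    the UDP payload size, the TTL field carries ext-RCODE, version and flags;
    DO is the top bit of the flags half."""
    return rr(".", TYPE_OPT, udp_size, (1 << 15) if do else 0, b"")


def build_response(zone):
    """Constructed authoritative NS answer: 1 NS, 2 glue records, 1 OPT (ARCOUNT=3)."""
    ns_name = "ns1." + zone
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 3)  # flags: qr aa
    question = encode_name(zone) + struct.pack("!HH", TYPE_NS, CLASS_IN)
    answer = rr(zone, TYPE_NS, CLASS_IN, 3600, encode_name(ns_name))
    additional = (
        rr(ns_name, TYPE_A, CLASS_IN, 3600, bytes([192, 0, 2, 1]))
        + rr(ns_name, TYPE_AAAA, CLASS_IN, 3600, bytes.fromhex("20010db8" + "00" * 11 + "01"))
        + opt_rr()
    )
    return header + question + answer + additional


def skip_name(msg, off):
    """Offset just past the name starting at off; a compression pointer ends a name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_sections(msg):
    """Header counts plus the RR types actually present in each section."""
    _ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections[section] = types
    return {"counts": {"answer": an, "authority": ns, "additional": ar}, "sections": sections}


def dig_style_counts(msg):
    """Split ARCOUNT the way dig displays it: OPT goes to the OPT PSEUDOSECTION,
    everything else is printed under ADDITIONAL SECTION."""
    parsed = parse_sections(msg)
    additional = parsed["sections"]["additional"]
    opt = additional.count(TYPE_OPT)
    return {"header_additional": parsed["counts"]["additional"],
            "opt_pseudosection": opt,
            "additional_shown": len(additional) - opt}


if __name__ == "__main__":
    print(dig_style_counts(build_response("example.net.")))
```

Run against a real response (for example bytes captured with tcpdump) the same split applies: when the query carried an OPT record, expect the printed ADDITIONAL SECTION to have one fewer RR than the header's ADDITIONAL count.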

Re: problem with bind stop

2009-07-01 Thread R Dicaire
2009/7/1 Joan Marc Riera marc.ri...@barcelonamedia.org:
 we have some troubles with restart and stop.

 bind does not stop and I think it's because of a wrong kill argument on the
 stop) case.

This isn't a BIND problem per se; have you talked to the Debian
maintainer, or filed a bug report with Debian?

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


control channel logging

2009-06-21 Thread R Dicaire
Hi folks, BIND 9.6.1... I'm looking in the ARM but I don't see a logging
category specific to control channel communications.
In syslog I have (generated by an mrtg script):

named[7837]: received control channel command 'stats'

What category does this fall under?

Thanks
-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


bind 9.6.1 stats dump

2009-06-18 Thread R Dicaire
Hi folks, while looking at a stats dump from bind 9.6.1 I see:
++ Per Zone Query Statistics ++
but there are no stats showing for this, how is this enabled (if at all)?

Thanks
-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


nsec and nsec3 records

2009-06-13 Thread R Dicaire
Hi folks,
Can both nsec and nsec3 records be used simultaneously in a zone file,
or is it an either/or?

Thanks
-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


Re: nsec and nsec3 records

2009-06-13 Thread R Dicaire
On Sat, Jun 13, 2009 at 10:03 PM, Evan Hunte...@isc.org wrote:
 Why would you want them both?  If you don't mind the drawbacks of NSEC,
 why take on the operational and computational burdens of NSEC3?

I don't know why; I'm simply not knowledgeable enough in DNSSEC deployment.
Currently I'm using BIND 9.4.x with NSEC records, but I'm looking to move
to 9.6.1; in fact my slaves are already 9.6.1, but my master isn't
yet. I've recently read that .org has been signed, and is using NSEC3. I
thought it might be a good idea to re-sign my zones using NSEC3, but
was unaware whether both NSEC and NSEC3 were acceptable.

Is it too soon to go NSEC3? No doubt a good portion of DNSSEC-aware
resolvers aren't NSEC3 capable yet; is this something I need to take
into account?

I use ISC's DLV; is NSEC3 an issue for that?

I don't grasp what's going to be involved in a move from NSEC to NSEC3.

Thanks
-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


Re: [DNSSEC] SERVFAIL when resolving .gov through DLV

2009-05-05 Thread R Dicaire
On Tue, May 5, 2009 at 2:34 PM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
 I get a SERVFAIL when trying to resolve .gov:

I get:

; <<>> DiG 9.4.3-P2 <<>> +dnssec SOA gov.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32204
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.   IN  SOA

;; ANSWER SECTION:
gov.259200  IN  SOA A.GOV.ZONEEDIT.COM.
govcontact.ZONEEDIT.COM. 1241524864 3600 900 1814400 86400
gov.259200  IN  RRSIG   SOA 7 1 259200
20090510110105 20090505110105 31802 gov.
WR3awt6m9j1C3o72BRR/SdFp5RrSOPLxSGV90DpQ0s+I2d9jp6RvR1vg
YFRuPtu2L8r+9/NSwEzOAVvXivEJJYTZYM3olNaO7j+EZHy81vCFW5Wl
iwyuo5pl1ITWdam//+m6wd67legEeYJOu4Xn929YQ6AHyNVUT/T7+XxK
Cwyp+8IrLb4AhVjWFCKROwfhyIGkmv+uMPe1p3zyT7zcSFB5oYVAYoK1
hBUUEmzYDSi5DHvctA+3tFu/PzVLM3Fz88sB+gDYoMO79dCbMgXegwA7
hKuwhk9SJzu3DylNdZpy4jQOtrtNRUFrCAgBY0bCwmNdfZBe2RSZvBKF O69QUw==

;; Query time: 231 msec
;; SERVER: 192.168.1.6#53(192.168.1.6)
;; WHEN: Tue May  5 14:41:28 2009
;; MSG SIZE  rcvd: 388

What's missing is the RA flag...




-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


Re: Postgres v MySQL v Berkely backend for BIND

2009-05-04 Thread R Dicaire
On Mon, May 4, 2009 at 3:16 PM, Stephen Carville
stephen.carvi...@gmail.com wrote:
 Anyone here have experience or an informed opinion in using a database
 backend to BIND?

I've been using the pgsql sdb backend for 5+ years, and wrote my own PHP
front end to it.
It's been solid.

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


ISC DLV dnssec

2009-04-05 Thread R Dicaire
Hi folks, last night the ISC server responsible for responding to DLV
lookups was apparently down. Since all lookups were failing due to a
lack of response from this server, BIND couldn't resolve anything at
all. I had to comment out a couple of lines in named.conf to restore
function.

bind-9.4.3-P2

Here's the dnssec configuration lines used in named.conf:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv.isc.org.;

trusted-keys {
dlv.isc.org. 257 3 5
BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeN
D4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf
8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF
1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh;
};

I'm not sure, but if a lookup fails dnssec auth, shouldn't bind treat
the answer as insecure, and return said answer?

In the scenario described above, I wasn't even able to get answers,
let alone whether said answers could be authenticated.
Bv9ARM.pdf is unclear regarding how BIND should behave with respect to the
dnssec-validation directive.

Shouldn't the behaviour for DLV lookups be such that if the query
can't be answered by the DLV server, then it falls back to a non-DNSSEC
lookup?

Perhaps there's a configuration issue in my setup that caused the
unexpected behaviour I describe?

Thanks

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


Re: ISC DLV dnssec

2009-04-05 Thread R Dicaire
On Sun, Apr 5, 2009 at 5:40 PM, Mark Andrews mark_andr...@isc.org wrote:
 Shouldn't the behaviour for DLV lookups be such that if the query
 can't be answered by the DLV server, then fall back to a non-dnssec
 lookup?

        No.

May I ask why?
I'm sure something was learned from whatever caused the DLV server to
malfunction, but was that kind of malfunction something we can look
forward to when . and TLDs are signed?
If that kind of breakage in lookups can occur, should there not be a
contingency to be able to continue to use the Internet when such
breakage occurs?
I could see online businesses panicking when something like this happens.

        There was a fault which caused RRSIG of the key signing key
        to be missing.  The key signing key is the one listed in
        the trusted-keys clause above.  This caused a break in the
        chain of trust as the DNSKEY RRset could not be validated
        which meant named could not determine if the answers to the
        DLV queries were valid or not and in turn the answers to
        all other queries.

Could you provide more details as to what specifically caused the fault?
Perhaps then other dns admins may learn something new to look for when
having to troubleshoot a similar problem. I know it would help me
further understand.

Thanks

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
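
Mark Andrews's explanation quoted above is that the DNSKEY RRset at the trust anchor was published without the RRSIG made by the key-signing key, so a validator holding that KSK as its trust anchor could not validate the RRset and every answer chained through it became bogus. The following is an added example, not code from the thread or from ISC, of the pre-publication check that catches that condition: it computes key tags per RFC 4034 Appendix B, marks which DNSKEYs are KSKs (flags 257, i.e. zone key plus SEP), and reports any KSK for which no RRSIG DNSKEY carries its key tag. The records it runs on are constructed (dummy key bytes, placeholder signatures, a made-up zone name); it checks presence of the KSK's signature by key tag only, not the signature's cryptographic validity, and a key tag collision between two keys would let a missing signature slip past it.

```python
"""Check that a DNSKEY RRset carries an RRSIG made by each of its KSKs.

Added example, not from the original thread. Models the failure described
in the reply above: the RRSIG over the DNSKEY RRset made by the key-signing
key was missing, so validators anchored on that KSK could not validate the
RRset. Keys and signatures below are dummy data constructed for the check.
"""
import base64
import struct

SEP_FLAG, ZONE_KEY_FLAG = 0x0001, 0x0100   # flags 257 = zone key + SEP, i.e. a KSK
KSK_FLAGS = SEP_FLAG | ZONE_KEY_FLAG


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY, RFC 4034 Appendix B (the non-RSAMD5 algorithm)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """'owner TTL IN DNSKEY flags proto alg base64...' -> dict including its key tag."""
    f = line.split()
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    pubkey = base64.b64decode("".join(f[7:]))
    return {"owner": f[0], "flags": flags, "algorithm": alg,
            "tag": key_tag(flags, proto, alg, pubkey),
            "is_ksk": flags & KSK_FLAGS == KSK_FLAGS}


def parse_rrsig(line):
    """'owner TTL IN RRSIG covered alg labels origttl expire incep keytag signer sig...'."""
    f = line.split()
    return {"covered": f[4], "tag": int(f[10]), "signer": f[11]}


def missing_ksk_signatures(dnskey_lines, rrsig_lines):
    """Key tags of KSKs in the DNSKEY RRset with no RRSIG DNSKEY made by that key."""
    signer_tags = {s["tag"] for s in map(parse_rrsig, rrsig_lines) if s["covered"] == "DNSKEY"}
    keys = [parse_dnskey(line) for line in dnskey_lines]
    return sorted(k["tag"] for k in keys if k["is_ksk"] and k["tag"] not in signer_tags)


def sample_zone(ksk_signs_dnskey):
    """Constructed records for a zone 'dlv.example.' with one KSK and one ZSK.
    Key material is dummy bytes and the signature field is a placeholder;
    only the flags and key tags matter for this check."""
    def b64(raw):
        return base64.b64encode(raw).decode("ascii")

    ksk_pub, zsk_pub = bytes(range(1, 65)), bytes(range(64, 128))
    ksk_tag, zsk_tag = key_tag(257, 3, 5, ksk_pub), key_tag(256, 3, 5, zsk_pub)
    dnskeys = [
        "dlv.example. 3600 IN DNSKEY 257 3 5 " + b64(ksk_pub),
        "dlv.example. 3600 IN DNSKEY 256 3 5 " + b64(zsk_pub),
    ]
    sig = "dlv.example. 3600 IN RRSIG DNSKEY 5 2 3600 20090412000000 20090405000000 {} dlv.example. c2lnbmF0dXJl"
    rrsigs = [sig.format(zsk_tag)]            # ZSK signature over DNSKEY is present
    if ksk_signs_dnskey:
        rrsigs.append(sig.format(ksk_tag))    # the signature that was missing in the outage
    return dnskeys, rrsigs


if __name__ == "__main__":
    for healthy in (True, False):
        keys, sigs = sample_zone(healthy)
        print("KSK tags lacking an RRSIG DNSKEY:", missing_ksk_signatures(keys, sigs))
```

The same function can be fed the output of `dig +dnssec DNSKEY <zone>` split into DNSKEY and RRSIG lines; an empty result means every KSK in the RRset has a signature published over it.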


Re: ISC DLV dnssec

2009-04-05 Thread R Dicaire
On Sun, Apr 5, 2009 at 7:02 PM, Evan Hunt evan_h...@isc.org wrote:

 vigilant; this particular failure won't occur again.  And we were already
 in the process of making dlv.isc.org substantially more robust, so
 hopefully any similar breakages that might have come along in the future
 will be stopped before they happen.

Excellent.
But what about contingencies for continued dns resolution when an
unintended break in the chain of trust occurs?

 I expect this to influence future BIND development too (for example,
 dnssec-signzone will probably be learning to print a few more warning
 messages when it sees legal-but-weird input.)

This too is excellent, and I'd hope fixes be backported to 9.4 and 9.5
releases as well.

Thanks Paul for the response, very helpful and informative!
And kudos to the DLV folks for the service!

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


Re: ISC DLV dnssec

2009-04-05 Thread R Dicaire
On Sun, Apr 5, 2009 at 8:48 PM, Mark Andrews mark_andr...@isc.org wrote:
        Named is still able to return answers if you tell it not to
        validate the answers by setting CD=1 in the query.  This flag
        is usually used when you have a validating resolver using another
        validating resolver to get its answers.

        When the lookups were failing answers like this were returned.

The one thing I didn't do was a direct dig itself. I was tailing
dnssec.log and watching the DLV lookups failing, and my web browser
was failing to load any site, reporting the hostname couldn't be
resolved.

Above, you mention setting CD=1 in the query. How is this done by
applications trying to resolve hostnames when there's a problem like
last night's? Would setting the named.conf directive dnssec-validation no;
do this? (As I mentioned previously, I had to comment out
dnssec-validation and the trust anchor directive that points to ISC so
I could resolve queries.)

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
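
The CD=1 query Mark Andrews refers to above is a per-query header bit, not a named.conf setting: CD (checking disabled) is bit 4 of the 16-bit flags word (RFC 4035), and `dig +cd` is the usual way to send it. The DO bit that requests DNSSEC records is elsewhere, in the high bit of the EDNS OPT pseudo-RR's TTL field (RFC 6891). The following is an added example, not code from the thread or from ISC, that builds such a query in wire format and decodes the bits back; the query name is made up. Because CD is set by the client, it helps a tool like dig but not an application whose stub resolver never sets it, which is why the workaround in the posts above was to turn validation off in named.conf.

```python
"""Build a DNS query with the CD (checking disabled) bit set, and read it back.

Added example, not from the original thread. A validating resolver that
fails validation answers SERVFAIL; a query with CD=1 asks it to hand back
the answer without validating (what `dig +cd` sends). CD is bit 4 of the
header flags (RFC 4035); DO lives in the top bit of the OPT RR's TTL field
(RFC 6891). The query name below is made up.
"""
import struct

TYPE_A, TYPE_OPT = 1, 41
CLASS_IN = 1
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, ident=0x2A2A, cd=True, do=True, udp_size=4096):
    """Wire-format query; rd is always set, cd optionally, and with do=True an
    OPT pseudo-RR is appended (so ARCOUNT=1) carrying the DO bit."""
    flags = 1 << FLAG_BITS["rd"]
    if cd:
        flags |= 1 << FLAG_BITS["cd"]
    arcount = 1 if do else 0
    msg = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if do:
        # OPT: owner "." (one zero byte), type 41, CLASS = UDP payload size,
        # TTL = ext-RCODE | version | flags, DO being the top flag bit, no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 1 << 15, 0)
    return msg


def header_flags(msg):
    """Decode the header flag word into the names dig prints (qr aa tc rd ra ad cd)."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return sorted(name for name, bit in FLAG_BITS.items() if flags & (1 << bit))


def edns_do(msg):
    """True if the message carries an OPT RR with the DO bit set."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                 # skip QNAME, QTYPE, QCLASS
        while msg[off] != 0:
            off += 1 + msg[off]
        off += 1 + 4
    for _ in range(an + ns + ar):       # uncompressed names only, which is all build_query emits
        while msg[off] != 0:
            off += 1 + msg[off]
        off += 1
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & (1 << 15))
    return False


if __name__ == "__main__":
    q = build_query("www.example.net.")
    print("flags:", " ".join(header_flags(q)), "do:", edns_do(q), "bytes:", len(q))
```

Sending the bytes from `build_query` over UDP to a validating resolver during a trust-chain failure returns the unvalidated answer; the same query with cd=False gets SERVFAIL, which matches the behaviour reported in this thread.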


Re: name server zone list

2009-04-03 Thread R Dicaire
On Fri, Apr 3, 2009 at 10:55 AM, Chris Thompson c...@cam.ac.uk wrote:
 This one is hardy perennial, of course, but I've been working on an
 index zone in a certain local DNS context recently, and thinking
 how convenient it would have been if BIND had provided one for me
 (under class CHAOS, name zones.bind or something along those lines).
 I wonder whether this is on ISC's wish-list, and if so, how far down ...

The issue with something like this is that it apparently requires
configuring views in order to be able to load zone(s) of a class other
than the default IN. Configuring views isn't always desired. Perhaps an
option to rndc, though...

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


Re: name server zone list

2009-04-03 Thread R Dicaire
On Fri, Apr 3, 2009 at 2:08 PM, Alan Clegg alan_cl...@isc.org wrote:
 The entire list of zones is available in XML format in the statistics
 channel in 9.5

 Yep, you need to parse for it, but it's there...

Hah, beautiful; why reinvent the wheel :)
I've not yet moved to 9.5 simply because I haven't had the time to
modify perl scripts I use that read data from a 9.4 stats file and
input into mrtg/rrdtool, but with the featureset in 9.5 regarding
logging and stats, I'm going to have to make time.

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


Re: SERVFAIL debugging

2009-03-13 Thread R Dicaire
On Fri, Mar 13, 2009 at 4:59 PM, JINMEI Tatuya / 神明達哉
jinmei_tat...@isc.org wrote:
 Please try 9.6.1b1, which we expect to be released next week.  It has a
 new experimental feature just for that purpose:


Is this feature going to be back ported to 9.4 and 9.5 releases as well?


-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


Re: Two outgoing queries for each incoming query

2009-03-12 Thread R Dicaire
On Thu, Mar 12, 2009 at 7:43 AM, My Name mylistuser1...@gmail.com wrote:
 I want to setup a forwarder and each incoming query (in fact only A or AAAA)
 should be sent to two different upstream servers.

Why?


Re: automatic resigning in 9.6.x

2009-03-07 Thread R Dicaire
On Fri, Mar 6, 2009 at 11:46 PM, Evan Hunt evan_h...@isc.org wrote:

 BIND 9 has, I believe, always had some support for automatic signing in the
 case of zone updates--at least as far back as 9.3, and I haven't looked at
 anything earlier.  Basically, if you have a signed zone and you insert a
 new record, that record will automatically have an RRSIG generated for it.

Ok... so to implement this in BIND 9.4.2-P2: I see the directive
sig-validity-interval in the ARM. If I set this to 1, edit
zone.db.signed, add a new entry, increment the serial and rndc
reload, what tells BIND to re-sign the zone, and when?


dnssec and sdb/dlz

2009-03-07 Thread R Dicaire
I haven't found any documentation on this, but is it possible to
implement dnssec/signed zones if the zone data exists in an sql db
instead of a zone file?

I know I can modify an sql table for a zone to have additional fields
(for sdb use) for the additional RR types, but will the sdb interface
recognize these?


Re: connection timed out; no servers could be reached

2009-03-07 Thread R Dicaire
On Sat, Mar 7, 2009 at 8:44 PM, Bill Landry b...@inetmsg.com wrote:
 I have to admit that I am a bit baffled by this one.  I can query
 against my bandwidth providers name servers (Comcast) and get name
 resolution just fine for the hostname www.malware.com.br:

Check firewall settings. "Connection timed out" is typically a firewall issue.

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u


arbitrary key names in named.conf

2009-03-07 Thread R Dicaire
I've been using the key file name as key name in named.conf for
simplicity, but I find that distros tend to use a default filename for
a host key, so can I just use the key contents and assign it an
arbitrary name in named.conf?

-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u