Re: paypal.com DNSKEY no valid signature found
On 18/03/2022 14:36, Daniel Stirnimann wrote:
> You might use an operating system / crypto library which does not support SHA1 anymore. paypal.com is signed with RSASHA1. See warnings on https://dnsviz.net/d/paypal.com/YjSWxg/dnssec/
>
> Just curious, what answer do you get from your resolver? SERVFAIL or a missing AD bit?
>
> Daniel
>
> On 18.03.22 15:25, lejeczek via bind-users wrote:
>> Hi guys,
>> how to troubleshoot that?
>> ...
>> 18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed (verify failure)
>> 18-Mar-2022 14:17:41.725 info: error:0398:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
>> 18-Mar-2022 14:17:41.725 info: validating paypal.com/DNSKEY: no valid signature found
>> ...
>> I'd imagine there must be some up-the-chain servers doing something there - my local 'bind' does not point to/use any specific forwarders.
>> many thanks, L.

It is SERVFAIL. 9.16.23-RH on CentOS 9.
many thanks, L

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
paypal.com DNSKEY no valid signature found
Hi guys,
how to troubleshoot that?
...
18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed (verify failure)
18-Mar-2022 14:17:41.725 info: error:0398:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
18-Mar-2022 14:17:41.725 info: validating paypal.com/DNSKEY: no valid signature found
...
I'd imagine there must be some up-the-chain servers doing something there - my local 'bind' does not point to/use any specific forwarders.
many thanks, L.
Re: host your subdomain on your own ?
On 13/11/2021 07:16, Erich Eckner wrote:
> On Sat, 13 Nov 2021, Reindl Harald wrote:
>> Am 12.11.21 um 18:55 schrieb lejeczek via bind-users:
>>> On 12/11/2021 17:14, Reindl Harald wrote:
>>>> wouldn't it be easier to set up two different subdomains, in which case you don't need delegation at all - your local named would host the internal subdomain and do recursion for everything else
>>>>
>>>> i mean when it's private and not www why does the world need to know about the subdomain?
>>>>
>>> Because I might not be able to control nor have input into local-private bind(s) and thus...
>>> clients/nodes on private networks would query the www/public bind and only then would learn of 'priv.zone.top' and then, via that delegation to my own binds, 'priv.zone.top' would be served to local-private networks.
>>> - here is where 'views' come to mind, on my binds...
>> don't get me wrong, but when you a) control a local bind where b) a public resolver delegates a subzone, you should also be able to control that clients in this network use your named via dhcp
>
> The problem arises as soon as you have some clients *outside* of this local net (inside some other local net) which should also resolve the internal IPs - this is what I have, and why I use a public zone for my private addresses: Most hosts are within my LAN behind my own DNS server, but some are "outside", but reachable via VPN - but I do not want to route all DNS traffic for those through the VPN, neither do I want to deploy DNS servers for each of those machines.

@Erich
So that's allowed (& will work?) by bind protocols? On my own bind facing www & serving my subdomain (delegated from public registrar) I resolve to & serve private IPs?
That's the easiest way out I was hoping for, in my tricky situation (being a part of a large org it's often bureaucracy which defeats everybody).
I too employ VPN and for similar reasons I'd prefer my www-facing bind to resolve my private IPs for... who should give a toss but me only?
To me it's very basic logic - if a user cannot get to a site - URLs of which only informed regular users should know in the first place - that is my business, right? (and precisely what I want)
many thanks, L
Re: host your subdomain on your own ?
On 12/11/2021 17:14, Reindl Harald wrote:
> Am 12.11.21 um 17:48 schrieb lejeczek via bind-users:
>> Hi guys.
>> I'm looking to set up my subdomain in-house and I'm hoping for some wise advice from experts; it's my first foray into this, thus go easy on me please.
>> zone.top - is hosted by a public registrar
>> priv.zone.top - I want to delegate to my own bind
>> I'd hope for some generic recipe and pointer to docs, thanks.
>
> needs to be done in the parent zone by whoever hosts it
>
>> Now what I think might be the tricky part, though I get that an expert might say - trivial.
>> I am thinking of 'views' or split-horizon or whatever other nomenclature applies, though I hear that that/those are discouraged by experts?
>> Or! might that above be unnecessary(?) if it's possible and allowed that such public bind of mine will resolve to IPs which are 'private' - all that so my 'priv.zone.top' will resolve to the whole www but resources of the zone/domain will be available, as they are, only in/via private networks.
>> Does that make sense?
>
> wouldn't it be easier to set up two different subdomains, in which case you don't need delegation at all - your local named would host the internal subdomain and do recursion for everything else
>
> i mean when it's private and not www why does the world need to know about the subdomain?

Because I might not be able to control nor have input into local-private bind(s) and thus...
clients/nodes on private networks would query the www/public bind and only then would learn of 'priv.zone.top' and then, via that delegation to my own binds, 'priv.zone.top' would be served to local-private networks.
- here is where 'views' come to mind, on my binds... but to make it even more tricky - but some expert may still say, trivial - currently deployed binds of mine do not support "split-horizon"
So.. the easiest way out of which I can think would be to have my binds simply point to those private/local IPs - here I wonder, as a newbie has to, if that would make DNS protocols unhappy or perhaps I get kicked in the teeth right at the start.
thanks, L.
host your subdomain on your own ?
Hi guys.
I'm looking to set up my subdomain in-house and I'm hoping for some wise advice from experts; it's my first foray into this, thus go easy on me please.
zone.top - is hosted by a public registrar
priv.zone.top - I want to delegate to my own bind
I'd hope for some generic recipe and pointer to docs, thanks.
Now what I think might be the tricky part, though I get that an expert might say - trivial.
I am thinking of 'views' or split-horizon or whatever other nomenclature applies, though I hear that that/those are discouraged by experts?
Or! might that above be unnecessary(?) if it's possible and allowed that such public bind of mine will resolve to IPs which are 'private' - all that so my 'priv.zone.top' will resolve to the whole www but resources of the zone/domain will be available, as they are, only in/via private networks.
Does that make sense?
many thanks for all the help.
L
sub-zone on the same server but in different backend - how?
Hi guys.
To experts that most likely will be silly easy, but my brain got tangled up and cannot get around it now (also being a novice).
Have a zone on a server, say:
- the.zone
with "flat" files being the backend for it.
Now wanting to have:
- sub.the.zone
served by the same BIND server, but stored in.. "SQL" backend.
How... well, how to make that work, if at all possible? I'd hope it can be done with some "trickery" in config/zone files if it is not 'easy-peasy'.
many thanks, L.
zone forward to pseudo domain(*.local) does not work
hi guys
I'm quite sure I must be missing something trivial, yet my logic here might be failing too...
I have a boxA which for local clients resolves mydom.local just fine.
And I've a boxB which has:

zone "mydom.local." IN {
    forward first;
    type forward;
    forwarders port 53 { 10.3.1.100; };
};

and here is where I cannot resolve that mydom.local domain.
On boxB logs these show:

named[20124]: broken trust chain resolving 'mydom.local/A/IN': 10.3.1.100#53
named[20124]: no valid RRSIG resolving 'mydom.local/DNSKEY/IN': 10.3.1.100#53

I checked responses from boxA with +dnssec and as expected these are secure(d).
boxA does allow-transfer boxB.
What is the problem, what did I get wrong there?
many thanks, L.
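The post has no reply on this page; as an added example (not the poster's config), the usual reason for these two log lines is that boxB validates DNSSEC but has no trust-anchor path to a privately signed zone that it only reaches through a forwarder, so the signed DNSKEY answer from 10.3.1.100 is treated as bogus. The stanza below shows the two standard remedies side by side; the key data is a placeholder, and `trust-anchors`/`validate-except` assume BIND 9.16-era syntax (older servers use `trusted-keys`).

```conf
// Added example for boxB, not the thread's own config. It assumes the
// private zone "mydom.local" is signed on boxA with a KSK that is not
// published anywhere a validator could find it (no DS in a parent).
options {
    dnssec-validation auto;   // root trust anchor only: cannot validate mydom.local

    // Remedy 2 (weaker): stop validating at and below the private name.
    // Assumes BIND 9.14 or later. Leave commented out if remedy 1 is used.
    // validate-except { "mydom.local"; };
};

// Remedy 1 (preferred): anchor boxA's KSK directly, so answers for
// mydom.local are still validated, just against a local anchor.
// Take flags/protocol/algorithm/key from boxA's DNSKEY RRset
// (e.g. "dig @10.3.1.100 mydom.local. DNSKEY"); the key below is a placeholder.
// On BIND older than 9.15 the equivalent block is:
//   trusted-keys { "mydom.local." 257 3 13 "<base64 KSK>"; };
trust-anchors {
    "mydom.local." static-key 257 3 13 "PLACEHOLDER-BASE64-KSK-FROM-BOXA";
};

// The forward zone exactly as in the post; it is not the part that is wrong.
zone "mydom.local." IN {
    forward first;
    type forward;
    forwarders port 53 { 10.3.1.100; };
};
```

After either change, "dig @boxB mydom.local. A +dnssec" should return the records with the AD flag (remedy 1) or without it (remedy 2), instead of SERVFAIL.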
Re: how to dynamically change/update (own private) domain record
On 22/09/18 21:58, Mark Andrews wrote:
> The update policy rules you have don’t allow the apex to be updated. Change the rule types to “subdomain” and the name fields to “dom.local”.

Fantastic! Many, many thanks.
May I also ask why CNAME does not work in my setup?

client @0x7f4d84094190 10.3.1.100#12046/key nsupdate_key: updating zone 'dom.local/IN': attempt to add CNAME alongside non-CNAME ignored
Re: how to dynamically change/update (own private) domain record
On 22/09/18 17:04, Reindl Harald wrote:
> Am 22.09.18 um 17:53 schrieb lejeczek via bind-users:
>> is it possible to update domain (not hosts of/in the domain) records?
>
> there is nothing like "not hosts of/in the domain"
>
>> Something like
>> domain.local A 10.1.1.100
>
> which is simply an A record and not "not hosts of/in the domain"
>
>> simple, right?
>> I'm trying nsupdate but it refuses to do the above
>
> what about providing information like the state of the zone file and unaltered input/output of "nsupdate", given that crystal balls are out of order?

from my previous post (different subject):
.. I do:

    > update delete ddd.dom.local. 86400 in a 10.3.1.100
    > send

and that works, but when I try:

    > update add dom.local. 86400 in a 10.3.1.100
    > send
    update failed: REFUSED

..and in logs:

client @0x7fd7a40f2e40 127.0.0.1#9489/key nsupdate_key: updating zone 'dom.local/IN': update failed: rejected by secure update (REFUSED)

..and zone:

zone "dom.local" IN {
    auto-dnssec maintain;
    key-directory "myZones";
    allow-query { localhost; dom.local; };
    #allow-update { key dhcpd; key nsupdate_key; };
    update-policy {
        grant dhcpd wildcard *.dom.local. A CNAME TXT;
        grant nsupdate_key wildcard *.dom.local. A CNAME TXT;
    };
    # below line would be for a slave/stub secondary server
    #allow-transfer { localbox; 172.25.12.203; };
    type master;
    file "myZones/dom.local.signed";
};

thanks, L
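As an added illustration (not the poster's or Mark Andrews' own file), the zone stanza above with the original grants kept in comments beside the `subdomain` form Mark suggests, and a note on why the CNAME update in the follow-up is still ignored. Zone, key and file names are the thread's; the nsupdate lines in the comments are constructed.

```conf
// Added example, not the thread's own config: the update-policy from the
// post beside the form Mark Andrews suggests. The nsupdate lines quoted
// in comments are illustrative.
zone "dom.local" IN {
    type master;
    file "myZones/dom.local.signed";
    auto-dnssec maintain;
    key-directory "myZones";

    update-policy {
        // Original rules. "wildcard *.dom.local." matches only names that
        // are expansions of the wildcard, i.e. names BELOW the apex, so
        //     > update add dom.local. 86400 IN A 10.3.1.100
        // matches no rule and is "rejected by secure update (REFUSED)".
        // grant dhcpd        wildcard *.dom.local. A CNAME TXT;
        // grant nsupdate_key wildcard *.dom.local. A CNAME TXT;

        // Fixed rules. "subdomain dom.local." matches dom.local. itself
        // and every name under it, so the apex A/TXT update now succeeds.
        // Each grant is still limited to the listed types: SOA, NS and
        // DNSKEY at the apex remain off-limits to these keys.
        grant dhcpd        subdomain dom.local. A CNAME TXT;
        grant nsupdate_key subdomain dom.local. A CNAME TXT;
    };
};

// Why a CNAME update at the apex is still "ignored": a CNAME may not
// coexist with any other record at the same owner name (RFC 1034), and the
// apex always holds at least SOA and NS, so
//     > update add dom.local. 86400 IN CNAME www.dom.local.
// logs "attempt to add CNAME alongside non-CNAME ignored". The CNAME
// grant only takes effect at names that hold no other records, e.g.
//     > update add alias.dom.local. 86400 IN CNAME www.dom.local.
```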
how to dynamically change/update (own private) domain record
hi guys
is it possible to update domain (not hosts of/in the domain) records?
Something like
domain.local A 10.1.1.100
simple, right?
I'm trying nsupdate but it refuses to do the above.
many thanks, L.
domain's own a record(s)
hi everyone
I have a quick question on a possibly trivial issue.
I do:

    > update delete ddd.dom.local. 86400 in a 10.3.1.100
    > send

and that works, but when I try:

    > update add dom.local. 86400 in a 10.3.1.100
    > send
    update failed: REFUSED

..and in logs:

client @0x7fd7a40f2e40 127.0.0.1#9489/key nsupdate_key: updating zone 'dom.local/IN': update failed: rejected by secure update (REFUSED)

I'm hoping that I can add another A record to dom.local.
What is the problem here? It must be something obvious, right?
many thanks, L.