Re: named and use of resolv.conf? - how to "learn" this

2016-08-09 Thread Cathy Almond
On 03/08/2016 14:59, Matthew Pounsett wrote:
> 
> 
> On 2 August 2016 at 19:50, Evan Hunt wrote:
> 
> On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote:
> > Yes it will.  But, as far as I understand, it uses the recursive code 
> paths
> > to do that, and won't consult resolv.conf.  Yes?
> 
> Correct. However, an option to use the system resolver for this instead
> is a feature request we've been considering.
> 
> The reason: Whenever we find a security bug that affects recursive
> operation only, someone who runs an auth-only server inevitably asks
> whether their system is affected, and we always have to say, "well,
> *probably* not, but recursive code *is* sometimes used in authoritative
> servers in order to blah blah etc" and it might be nice to just say no.
> 
> 
> I'd suggest another reason:  the auth server should be subject to the
> same resolution path/rules as other software in the network.  If, for
> example, I've got some resolution exception configured in my local
> recursive servers (such as a per-zone forwarding rule) it seems likely
> I'd want the authoritative server to follow that without having to also
> configure it into the authoritative server.

Per Tony Finch's later suggestion - you can achieve the equivalent by
setting up global forwarding to your recursive servers from your
authoritative-only server (it'll do it slightly differently than most
resolver stubs though, because it will learn which recursive servers are
most responsive and use those in preference to the order in which they
appear in resolv.conf, and you don't get to set the domain or the
searchlist - but really, those are irrelevant...).

One caveat if we implement this: by making named use the local
resolver libs instead of doing its own recursion, yes, you're
avoiding issues that affect recursive-only behaviour of named, but
instead you're replacing those with any vulnerabilities or weaknesses
in the libs that the system-provided resolver stub is using.  So it
would likely be a 'use with care and knowledge' type of configurable
option.

(The grass looks greener, but when you come closer...)

Cathy
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: named and use of resolv.conf? - how to "learn" this

2016-08-03 Thread Matthew Pounsett
On 2 August 2016 at 19:50, Evan Hunt wrote:

> On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote:
> > Yes it will.  But, as far as I understand, it uses the recursive code
> paths
> > to do that, and won't consult resolv.conf.  Yes?
>
> Correct. However, an option to use the system resolver for this instead
> is a feature request we've been considering.
>
> The reason: Whenever we find a security bug that affects recursive
> operation only, someone who runs an auth-only server inevitably asks
> whether their system is affected, and we always have to say, "well,
> *probably* not, but recursive code *is* sometimes used in authoritative
> servers in order to blah blah etc" and it might be nice to just say no.
>

I'd suggest another reason:  the auth server should be subject to the same
resolution path/rules as other software in the network.  If, for example,
I've got some resolution exception configured in my local recursive servers
(such as a per-zone forwarding rule) it seems likely I'd want the
authoritative server to follow that without having to also configure it
into the authoritative server.

Re: named and use of resolv.conf? - how to "learn" this

2016-08-03 Thread Tony Finch
Spumonti Spumonti wrote:
>
> We have an authoritative server and it has a zone with secondary name
> servers owned by another organization.
>
> This authoritative name server needs to send a NOTIFY to these other
> name servers.
>
> I thought it was enough for BIND to use the operating system's mechanism
> for resolving names.

It should be sufficient to configure forwarding in named.conf to match the
system resolver.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Fitzroy: Northwesterly at first in far southeast, otherwise, southwesterly 4
or 5, increasing 6 at times. Moderate, occasionally rough in north. Occasional
rain. Moderate or good.
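As a worked example of what Tony suggests here and Cathy spells out in her reply (global forwarding from the authoritative-only named to the same recursive servers the host's stub uses), the following Python script is added to this archive page; it is not code from any of the posts or from ISC. It parses the nameserver lines of a resolv.conf and emits the matching named.conf options stanza. The sample resolv.conf is constructed for the example. The three-nameserver cap is glibc's stub limit; the decision to drop loopback entries (forwarding named to a resolv.conf entry of 127.0.0.1 that points back at named itself just loops) and link-local entries (named.conf cannot carry a scope id) is the script's own, as is the choice of `forward only`, which keeps named from falling back to iterative resolution via the root hints when the forwarders are unreachable and so matches an egress policy that only allows DNS to the local recursive servers.

```python
"""Build a BIND named.conf forwarding stanza from the host's resolv.conf.

Added example for this bind-users thread; not code from the posts or from
ISC. It reads the nameserver lines the system stub resolver would use and
emits the global forwarding stanza described in the thread, so that an
authoritative-only named resolves hostnames for its own purposes (e.g.
NOTIFY targets) through the same recursive servers as the rest of the host.
"""
import ipaddress

# glibc's stub resolver honours at most three nameserver lines (MAXNS).
GLIBC_MAXNS = 3

# Constructed sample for this example; not taken from any real host.
SAMPLE_RESOLV_CONF = """\
# constructed for this example
search example.net corp.example.net
nameserver 192.0.2.53
nameserver 127.0.0.1         ; named on this box: forwarding here would loop
nameserver 2001:db8::53      # trailing text is ignored by the stub
nameserver 192.0.2.53        ; fourth nameserver line: beyond the glibc cap
nameserver not-an-address
options timeout:2 attempts:2
"""


def parse_nameservers(text, limit=GLIBC_MAXNS):
    """Return (forwarders, skipped).

    forwarders: distinct addresses usable as named.conf forwarders, in file
    order. skipped: (entry, reason) pairs for every nameserver line dropped,
    so the operator can see why the stanza differs from resolv.conf.
    """
    forwarders, skipped = [], []
    used = 0  # nameserver lines the stub would have accepted so far
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        # glibc takes only the first token after the keyword.
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        entry = parts[1]
        if used >= limit:
            skipped.append((entry, "beyond the stub's %d-nameserver cap" % limit))
            continue
        addr, _, scope = entry.partition("%")
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            skipped.append((entry, "not an IP address"))
            continue
        used += 1
        if ip.is_loopback:
            # 127.0.0.1 in resolv.conf on a name server usually means "this
            # named"; 127.0.0.53 (systemd-resolved's stub) is caught here too.
            skipped.append((entry, "loopback: named would forward to itself"))
            continue
        if scope or ip.is_link_local:
            skipped.append((entry, "link-local: forwarders cannot carry a scope id"))
            continue
        text_addr = str(ip)
        if text_addr not in forwarders:
            forwarders.append(text_addr)
    return forwarders, skipped


def render_forwarding(forwarders, forward_only=True):
    """Render the global forwarding stanza as named.conf text.

    'forward only' stops named falling back to iterative resolution from the
    root hints when no forwarder answers. 'recursion no' keeps the server
    authoritative-only towards clients; named still uses the forwarders for
    lookups it makes on its own behalf.
    """
    if not forwarders:
        raise ValueError("no usable nameserver entries to forward to")
    lines = ["options {", "    recursion no;", "    forwarders {"]
    lines += ["        %s;" % a for a in forwarders]
    lines += ["    };",
              "    forward %s;" % ("only" if forward_only else "first"),
              "};"]
    return "\n".join(lines) + "\n"


def stanza_from_resolv_conf(text):
    """Convenience wrapper: resolv.conf text in, named.conf fragment out."""
    forwarders, _skipped = parse_nameservers(text)
    return render_forwarding(forwarders)


if __name__ == "__main__":
    fwd, dropped = parse_nameservers(SAMPLE_RESOLV_CONF)
    for entry, reason in dropped:
        print("skipping %s: %s" % (entry, reason))
    print(render_forwarding(fwd))
```

Two practical notes. The order of the forwarders does not matter much, for the reason Cathy gives later in the thread: named picks among them by measured responsiveness rather than list position. And because resolv.conf is frequently rewritten by DHCP clients or resolvconf, the generated stanza goes stale whenever the host's recursive servers change, so treat it as something to regenerate and `rndc reconfig`, not as a one-off.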


Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Spumonti Spumonti
On 08/02/2016 04:01 PM, Ray Bellis wrote:
> On 02/08/2016 19:47, Matthew Pounsett wrote:
> 
>> In the authoritative configuration, BIND has no need to do DNS lookups
>> of its own, so it wouldn't be any use there.
> 
> That's not strictly true - BIND will in some circumstances use its own
> internal resolver to handle the host lookups for NOTIFYs and XFRs if
> they're using hostnames instead of IP lists.
> 
> Ray

As is usually the case, the initial message (the one I submitted) did not 
contain enough information. My question originated precisely because of the 
need for BIND to send NOTIFY messages. We allow our server to send queries to 
our local recursive, caching nameservers (which are configured in the server's 
resolv.conf), but queries to other servers were not allowed. We did this 
because we didn't think anything on the server needed to send DNS queries 
anywhere else. From our point of view, it only needed to respond to DNS 
queries. 

So apologies for not providing enough information.
We have an authoritative server and it has a zone with secondary name servers 
owned by another organization.
This authoritative name server needs to send a NOTIFY to these other name 
servers.
I thought it was enough for BIND to use the operating system's mechanism for 
resolving names.


Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Evan Hunt
On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote:
> Yes it will.  But, as far as I understand, it uses the recursive code paths
> to do that, and won't consult resolv.conf.  Yes?

Correct. However, an option to use the system resolver for this instead
is a feature request we've been considering.

The reason: Whenever we find a security bug that affects recursive
operation only, someone who runs an auth-only server inevitably asks
whether their system is affected, and we always have to say, "well,
*probably* not, but recursive code *is* sometimes used in authoritative
servers in order to blah blah etc" and it might be nice to just say no.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


RE: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Lightner, Jeffrey
On the server running BIND, if you're trying to resolve addresses with many 
commands it will use /etc/nsswitch.conf, which usually will say to go to "dns" 
first then to "files" if that doesn't work.  The "dns" tells it to use 
/etc/resolv.conf.  Therefore you'd want to add 127.0.0.1 to your list of 
servers in resolv.conf so the server knows to resolve from "localhost" when 
you're running commands on the local host that is running BIND.  On other 
servers you'd add the public IP of this server to resolv.conf.



-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Darcy 
Kevin (FCA)
Sent: Tuesday, August 02, 2016 4:19 PM
To: bind-users@lists.isc.org
Subject: RE: named and use of resolv.conf? - how to "learn" this

Is it really necessary to document everything that *isn't* true? That could 
fill volumes...

named is the thing that resolves stuff; /etc/resolv.conf tells processes whom 
to talk to if they want to resolve stuff. Put those things together, why would 
named need /etc/resolv.conf? To talk to *itself*?


- Kevin



-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
Spumonti Spumonti
Sent: Tuesday, August 02, 2016 12:26 PM
To: bind-users@lists.isc.org
Subject: named and use of resolv.conf? - how to "learn" this

(I've done several searches for this first but the general nature of some of 
these terms returned way too many non-relevant responses)

I was recently told that named does not use resolv.conf when resolving names. 
This was not something I was aware of but at this point I accept that. The 
system in question is an authoritative only server, no recursion enabled, that 
for some zones it hosts, lists secondary name servers in other organizations 
(in other words these name servers are in zones NOT hosted on this server)

My real question is: where is this documented? I've read DNS books and scoured 
different sites but couldn't find anything stating this was how named behaved. 
Maybe I just suck at searching for things or was using imprecise terms.


Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Ray Bellis
On 02/08/2016 22:04, Matthew Pounsett wrote:

> Yes it will.  But, as far as I understand, it uses the recursive code
> paths to do that, and won't consult resolv.conf.  Yes?

I believe that's correct, yes.

Ray




Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Matthew Pounsett
On 2 August 2016 at 17:01, Ray Bellis wrote:

> On 02/08/2016 19:47, Matthew Pounsett wrote:
>
> > In the authoritative configuration, BIND has no need to do DNS lookups
> > of its own, so it wouldn't be any use there.
>
> That's not strictly true - BIND will in some circumstances use its own
> internal resolver to handle the host lookups for NOTIFYs and XFRs if
> they're using hostnames instead of IP lists.
>

Yes it will.  But, as far as I understand, it uses the recursive code paths
to do that, and won't consult resolv.conf.  Yes?


>
> Ray

Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Ray Bellis
On 02/08/2016 19:47, Matthew Pounsett wrote:

> In the authoritative configuration, BIND has no need to do DNS lookups
> of its own, so it wouldn't be any use there.

That's not strictly true - BIND will in some circumstances use its own
internal resolver to handle the host lookups for NOTIFYs and XFRs if
they're using hostnames instead of IP lists.

Ray




RE: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Darcy Kevin (FCA)
Is it really necessary to document everything that *isn't* true? That could 
fill volumes...

named is the thing that resolves stuff; /etc/resolv.conf tells processes whom 
to talk to if they want to resolve stuff. Put those things together, why would 
named need /etc/resolv.conf? To talk to *itself*?


- Kevin



-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
Spumonti Spumonti
Sent: Tuesday, August 02, 2016 12:26 PM
To: bind-users@lists.isc.org
Subject: named and use of resolv.conf? - how to "learn" this

(I've done several searches for this first but the general nature of some of 
these terms returned way too many non-relevant responses)

I was recently told that named does not use resolv.conf when resolving names. 
This was not something I was aware of but at this point I accept that. The 
system in question is an authoritative only server, no recursion enabled, that 
for some zones it hosts, lists secondary name servers in other organizations 
(in other words these name servers are in zones NOT hosted on this server)

My real question is: where is this documented? I've read DNS books and scoured 
different sites but couldn't find anything stating this was how named behaved. 
Maybe I just suck at searching for things or was using imprecise terms.


Re: named and use of resolv.conf? - how to "learn" this

2016-08-02 Thread Matthew Pounsett
On 2 August 2016 at 12:25, Spumonti Spumonti wrote:

> (I've done several searches for this first but the general nature of some
> of these terms returned way too many non-relevant responses)
>
> I was recently told that named does not use resolv.conf when resolving
> names. This was not something I was aware of but at this point I accept
> that. The system in question is an authoritative only server, no recursion
> enabled, that for some zones it hosts, lists secondary name servers in
> other organizations (in other words these name servers are in zones NOT
> hosted on this server)
>
> My real question is: where is this documented? I've read DNS books and
> scoured different sites but couldn't find anything stating this was how
> named behaved. Maybe I just suck at searching for things or was using
> imprecise terms.
>

The fact that named doesn't use resolv.conf wouldn't be documented anywhere
because they're unrelated.  Particularly for an authoritative server,
there's no reason for BIND to consult the system stub config, which is
what resolv.conf is (primarily) for.

To use a somewhat exaggerated comparison, documenting anywhere that BIND
doesn't consult resolv.conf would be like documenting that your car doesn't
need a ladder.

In the authoritative configuration, BIND has no need to do DNS lookups of
its own, so it wouldn't be any use there.   And BIND in recursive mode has
a hints list which tells it where the root servers are.  It will use those
to follow delegations to the correct authoritative server for whatever
lookup it's attempting to do.

resolv.conf configures the stub resolver (and occasionally other software
that behaves like a stub resolver) to tell it where the local recursive
servers are.