Re: named-checkzone fail
On Wed, Sep 11, 2024 at 3:15 AM Mark Andrews wrote: > > > On 11 Sep 2024, at 16:06, Lee wrote: > > > > On Tue, Sep 10, 2024 at 10:52 PM Mark Andrews wrote: > >> > >>> On 11 Sep 2024, at 12:10, Lee wrote: > >>> > >>> On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote: > >>>> > >>>> Comma is legal in a domain name. It isn’t legal in a host name which > >>>> are a subset of domain names. Named-checkzone is working exactly as it > >>>> should. > >>> > >>> Except this isn't really a domain name - it's a whatever-it's-called > >>> in a response policy zone. As far as I know there's only 4 valid > >>> tokens that can come after CNAME in an RPZ: > >>> ; . RPZ processing returns NXDOMAIN (name does not exist) > >>> ; *. RPZ processing returns NODATA (name exists but no > >>> answers returned) > >>> ; rpz-drop. No response is returned to the user query > >>> ; rpz-passthru. This identifies an exception(a whitelisted name) > > Well you are wrong. I appreciate the correction. I totally forgot about returning a completely different name. > There are 4 special CNAME right hand sides. The rest can be > used to re-write the response. This is documented in chapter 6 of the ARM. > > https://bind9.readthedocs.io/en/v9.18.29/chapter6.html#dns-firewalls-and-response-policy-zones > > A response policy action can be one of the following: > • to synthesize a “domain does not exist” (NXDOMAIN) response > • to synthesize a “name exists but there are no records of the requested > type” (NODATA) response > • to drop the response > • to switch to TCP by sending a truncated UDP response that requires the > DNS client to try again with TCP which must be new. I don't remember this one. > • to replace/override the response’s data with specific data (provided > within the response policy zone) > • to exempt the response from further policy processing > > >>> I missed this the first time through, but the rpz.mozilla zone _is_ > >>> flagged as a response policy zone in named.conf > >>> response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone > >>> "rpz.urlhaus"; } > >>>break-dnssec yes > >>>recursive-only no > >>>qname-wait-recurse no; > > Well named-checkzone does not read named.conf. Named-checkconf reads > named.conf. > Even if named-checkzone did read named.conf it still wouldn’t have rejected > the zone. > > >>> It seems to me that named-checkzone should be using RPZ syntax instead > >>> of the 'normal' domain name syntax. But it's not worth arguing > >>> about.. the program doesn't check what I think needs checking so I'll > >>> look elsewhere or write my own. > > It is using RPZ syntax. If it wasn’t a valid RPZ zone it would have been > rejected by named. You seem to be missing the point - I was looking for something that would catch my typos. Comma being right next to period on my keyboard and them looking alike .. even when I'm wearing my "computer" glasses; I had a fair number of errors in my zone file that I wanted flagged so I could correct them. > >>> In any case, thanks for the answer. Now that I know that > >>> named-checkzone is working correctly I don't need to waste any more > >>> time with it. > >>> > >>> Best Regards, > >>> Lee > >> > >> The program is called named-checkzone not named-checkrpzzone and even then > >> it would not be an error because you really might want to add CNAMES to > >> ,.rpz.mozilla. > > > > Call it a failure of imagination on my part, but unless comma becomes > > a defined CNAME value in an RPZ file I just can't imagine me _wanting_ > > to add a comma for a CNAME value in an rpz file. > > CNAMEs *are* a defined part of a RPZ file. “,” is not more or less special > that “example.com.” or any other possible domain name on the RHS of the > CNAME. They fall within "to replace/override the response’s data with > specific data (provided within the response policy zone)”. Wasn't it this list that had a very long discussion about underscores in CNAMES? Eventually coming to the conclusion that underscores are perfectly find in CNAMES? So yes, technically a comma in a cname is valid .. but in my case **it's a typo** and I was hoping there was already a program written that would catc
Re: named-checkzone fail
> On 11 Sep 2024, at 16:06, Lee wrote: > > On Tue, Sep 10, 2024 at 10:52 PM Mark Andrews wrote: >> >>> On 11 Sep 2024, at 12:10, Lee wrote: >>> >>> On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote: >>>> >>>> Comma is legal in a domain name. It isn’t legal in a host name which are >>>> a subset of domain names. Named-checkzone is working exactly as it should. >>> >>> Except this isn't really a domain name - it's a whatever-it's-called >>> in a response policy zone. As far as I know there's only 4 valid >>> tokens that can come after CNAME in an RPZ: >>> ; . RPZ processing returns NXDOMAIN (name does not exist) >>> ; *. RPZ processing returns NODATA (name exists but no >>> answers returned) >>> ; rpz-drop. No response is returned to the user query >>> ; rpz-passthru. This identifies an exception(a whitelisted name) Well you are wrong. There are 4 special CNAME right hand sides. The rest can be used to re-write the response. This is documented in chapter 6 of the ARM. https://bind9.readthedocs.io/en/v9.18.29/chapter6.html#dns-firewalls-and-response-policy-zones A response policy action can be one of the following: • to synthesize a “domain does not exist” (NXDOMAIN) response • to synthesize a “name exists but there are no records of the requested type” (NODATA) response • to drop the response • to switch to TCP by sending a truncated UDP response that requires the DNS client to try again with TCP • to replace/override the response’s data with specific data (provided within the response policy zone) • to exempt the response from further policy processing >>> I missed this the first time through, but the rpz.mozilla zone _is_ >>> flagged as a response policy zone in named.conf >>> response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone "rpz.urlhaus"; } >>>break-dnssec yes >>>recursive-only no >>>qname-wait-recurse no; Well named-checkzone does not read named.conf. Named-checkconf reads named.conf. Even if named-checkzone did read named.conf it still wouldn’t have rejected the zone. >>> It seems to me that named-checkzone should be using RPZ syntax instead >>> of the 'normal' domain name syntax. But it's not worth arguing >>> about.. the program doesn't check what I think needs checking so I'll >>> look elsewhere or write my own. It is using RPZ syntax. If it wasn’t a valid RPZ zone it would have been rejected by named. >>> In any case, thanks for the answer. Now that I know that >>> named-checkzone is working correctly I don't need to waste any more >>> time with it. >>> >>> Best Regards, >>> Lee >> >> The program is called named-checkzone not named-checkrpzzone and even then >> it would not be an error because you really might want to add CNAMES to >> ,.rpz.mozilla. > > Call it a failure of imagination on my part, but unless comma becomes > a defined CNAME value in an RPZ file I just can't imagine me _wanting_ > to add a comma for a CNAME value in an rpz file. CNAMEs *are* a defined part of a RPZ file. “,” is not more or less special that “example.com.” or any other possible domain name on the RHS of the CNAME. They fall within "to replace/override the response’s data with specific data (provided within the response policy zone)”. >> There is no way for the program to know. “.” and “*.” are >> just “special” CNAMEs for the RPZ code to process differently to how it >> processes other CNAMEs in the zone. > > You notice I'm not arguing. .. or suggesting how named-checkzone > could be extended. right? No, you are arguing that is it broken. I’m saying it is not broken and why it is not broken. >> We don’t have “do what I want” software we have “do what is programmed” >> software. > > Ages ago I was a programmer & one group I was in used to joke about > the "doit" processor that magically did we were > having problems with at the time. > > In any case, this took me so long because I've pretty much forgotten > how to program. & while it's ugly as all get-out it seems to do the > job: > > $ ./check-rpzzone /etc/bind/db.rpz-mozilla > OhNoes!!! line 17 invalid CNAME value: broken-cname.net > CNAME , Well ./check-rpzzone appears to be broken if it is designed to process generic RPZ zones. The CNAME is not invalid in a RPZ zone. Now having a CNAME that points into a RPZ zone is a bit strange but it isn’t invalid and it actually works. > $ ./chec
Re: named-checkzone fail
On Tue, Sep 10, 2024 at 10:52 PM Mark Andrews wrote: > > > On 11 Sep 2024, at 12:10, Lee wrote: > > > > On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote: > >> > >> Comma is legal in a domain name. It isn’t legal in a host name which are > >> a subset of domain names. Named-checkzone is working exactly as it should. > > > > Except this isn't really a domain name - it's a whatever-it's-called > > in a response policy zone. As far as I know there's only 4 valid > > tokens that can come after CNAME in an RPZ: > > ; . RPZ processing returns NXDOMAIN (name does not exist) > > ; *. RPZ processing returns NODATA (name exists but no > > answers returned) > > ; rpz-drop. No response is returned to the user query > > ; rpz-passthru. This identifies an exception(a whitelisted name) > > > > I missed this the first time through, but the rpz.mozilla zone _is_ > > flagged as a response policy zone in named.conf > > response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone "rpz.urlhaus"; > > } > > break-dnssec yes > > recursive-only no > > qname-wait-recurse no; > > > > It seems to me that named-checkzone should be using RPZ syntax instead > > of the 'normal' domain name syntax. But it's not worth arguing > > about.. the program doesn't check what I think needs checking so I'll > > look elsewhere or write my own. > > > > In any case, thanks for the answer. Now that I know that > > named-checkzone is working correctly I don't need to waste any more > > time with it. > > > > Best Regards, > > Lee > > The program is called named-checkzone not named-checkrpzzone and even then > it would not be an error because you really might want to add CNAMES to > ,.rpz.mozilla. Call it a failure of imagination on my part, but unless comma becomes a defined CNAME value in an RPZ file I just can't imagine me _wanting_ to add a comma for a CNAME value in an rpz file. > There is no way for the program to know. “.” and “*.” are > just “special” CNAMEs for the RPZ code to process differently to how it > processes other CNAMEs in the zone. You notice I'm not arguing. .. or suggesting how named-checkzone could be extended. right? > We don’t have “do what I want” software we have “do what is programmed” > software. Ages ago I was a programmer & one group I was in used to joke about the "doit" processor that magically did we were having problems with at the time. In any case, this took me so long because I've pretty much forgotten how to program. & while it's ugly as all get-out it seems to do the job: $ ./check-rpzzone /etc/bind/db.rpz-mozilla OhNoes!!! line 17 invalid CNAME value: broken-cname.net CNAME , $ ./check-rpzzone /etc/bind/db.rpz No complaints, so nothing beyond the 4 valid CNAME values in the file. Yay! I've got a lot more confidence that all of the typos have been corrected now :) Best Regards, Lee > > Mark > > >> If the current origin is example.com. then comma expands to ,.example.com. > >> as it is treaded as a relative name. > >> > >> -- > >> Mark Andrews > >> > >>> On 11 Sep 2024, at 03:55, Lee wrote: > >>> > >>> I had a few typos in an RPZ file where I had a comma instead of a dot. > >>> I tried using named-checkzone to find all the typos but it didn't > >>> complain about anything!? Is that expected behavior? > >>> > >>> And a related question.. can anyone recommend a vim syntax file > >>> checker for bind files? > >>> > >>> $ named-checkzone rpz.mozilla /etc/bind/db.rpz-mozilla > >>> zone rpz.mozilla/IN: loaded serial 2024091001 > >>> OK > >>> > >>> $ cat /etc/bind/db.rpz-mozilla > >>> $ORIGIN rpz.mozilla. > >>> ; > >>> https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https > >>> ; return NXDOMAIN for use-application-dns.net name lookup > >>> ; > >>> https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default > >>> $TTL604800 > >>> > >>> @ IN SOA localhost. root.home.net. ( > >>> 2024091001 ; Serial > >>> 604800 ; Refresh > >>> 86400 ; Retry > >>> 2419200; Expire > >>>
Re: named-checkzone fail
> On 11 Sep 2024, at 12:10, Lee wrote: > > On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote: >> >> Comma is legal in a domain name. It isn’t legal in a host name which are a >> subset of domain names. Named-checkzone is working exactly as it should. > > Except this isn't really a domain name - it's a whatever-it's-called > in a response policy zone. As far as I know there's only 4 valid > tokens that can come after CNAME in an RPZ: > ; . RPZ processing returns NXDOMAIN (name does not exist) > ; *. RPZ processing returns NODATA (name exists but no > answers returned) > ; rpz-drop. No response is returned to the user query > ; rpz-passthru. This identifies an exception(a whitelisted name) > > I missed this the first time through, but the rpz.mozilla zone _is_ > flagged as a response policy zone in named.conf > response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone "rpz.urlhaus"; } > break-dnssec yes > recursive-only no > qname-wait-recurse no; > > It seems to me that named-checkzone should be using RPZ syntax instead > of the 'normal' domain name syntax. But it's not worth arguing > about.. the program doesn't check what I think needs checking so I'll > look elsewhere or write my own. > > In any case, thanks for the answer. Now that I know that > named-checkzone is working correctly I don't need to waste any more > time with it. > > Best Regards, > Lee The program is called named-checkzone not named-checkrpzzone and even then it would not be an error because you really might want to add CNAMES to ,.rpz.mozilla. There is no way for the program to know. “.” and “*.” are just “special” CNAMEs for the RPZ code to process differently to how it processes other CNAMEs in the zone. We don’t have “do what I want” software we have “do what is programmed” software. Mark >> If the current origin is example.com. then comma expands to ,.example.com. >> as it is treaded as a relative name. >> >> -- >> Mark Andrews >> >>> On 11 Sep 2024, at 03:55, Lee wrote: >>> >>> I had a few typos in an RPZ file where I had a comma instead of a dot. >>> I tried using named-checkzone to find all the typos but it didn't >>> complain about anything!? Is that expected behavior? >>> >>> And a related question.. can anyone recommend a vim syntax file >>> checker for bind files? >>> >>> $ named-checkzone rpz.mozilla /etc/bind/db.rpz-mozilla >>> zone rpz.mozilla/IN: loaded serial 2024091001 >>> OK >>> >>> $ cat /etc/bind/db.rpz-mozilla >>> $ORIGIN rpz.mozilla. >>> ; >>> https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https >>> ; return NXDOMAIN for use-application-dns.net name lookup >>> ; >>> https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default >>> $TTL604800 >>> >>> @ IN SOA localhost. root.home.net. ( >>> 2024091001 ; Serial >>> 604800 ; Refresh >>> 86400 ; Retry >>> 2419200; Expire >>> 604800 ) ; Minimum >>> IN NS localhost. >>> >>> ; tell Firefox to not use DOH (Dns Over Https) >>> use-application-dns.net CNAME . >>> broken-cname.netCNAME , <= >>> COMMA not a period >>> ; --- end --- >>> >>> $ dig broken-cname.net >>> >>> ; <<>> DiG 9.16.50-Debian <<>> broken-cname.net >>> ;; global options: +cmd >>> ;; Got answer: >>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62006 >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 >>> >>> ;; OPT PSEUDOSECTION: >>> ; EDNS: version: 0, flags:; udp: 1432 >>> ; COOKIE: ad32c4ae2224c66d010066e082286d1625c0e8f2160c (good) >>> ;; QUESTION SECTION: >>> ;broken-cname.net. IN A >>> >>> ;; ANSWER SECTION: >>> broken-cname.net. 5 IN CNAME ,.rpz.mozilla. >>> >>> ;; AUTHORITY SECTION: >>> rpz.mozilla.604800 IN SOA localhost. >>> root.home.net. 2024091001 604800 86400 2419200 604800 >>> >>> ;; ADDITIONAL SECTION: >>> rpz.mozilla.1 IN SOA
Re: named-checkzone fail
On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote: > > Comma is legal in a domain name. It isn’t legal in a host name which are a > subset of domain names. Named-checkzone is working exactly as it should. Except this isn't really a domain name - it's a whatever-it's-called in a response policy zone. As far as I know there's only 4 valid tokens that can come after CNAME in an RPZ: ; . RPZ processing returns NXDOMAIN (name does not exist) ; *. RPZ processing returns NODATA (name exists but no answers returned) ; rpz-drop. No response is returned to the user query ; rpz-passthru. This identifies an exception(a whitelisted name) I missed this the first time through, but the rpz.mozilla zone _is_ flagged as a response policy zone in named.conf response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone "rpz.urlhaus"; } break-dnssec yes recursive-only no qname-wait-recurse no; It seems to me that named-checkzone should be using RPZ syntax instead of the 'normal' domain name syntax. But it's not worth arguing about.. the program doesn't check what I think needs checking so I'll look elsewhere or write my own. In any case, thanks for the answer. Now that I know that named-checkzone is working correctly I don't need to waste any more time with it. Best Regards, Lee > > If the current origin is example.com. then comma expands to ,.example.com. as > it is treaded as a relative name. > > -- > Mark Andrews > > > On 11 Sep 2024, at 03:55, Lee wrote: > > > > I had a few typos in an RPZ file where I had a comma instead of a dot. > > I tried using named-checkzone to find all the typos but it didn't > > complain about anything!? Is that expected behavior? > > > > And a related question.. can anyone recommend a vim syntax file > > checker for bind files? > > > > $ named-checkzone rpz.mozilla /etc/bind/db.rpz-mozilla > > zone rpz.mozilla/IN: loaded serial 2024091001 > > OK > > > > $ cat /etc/bind/db.rpz-mozilla > > $ORIGIN rpz.mozilla. > > ; > > https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https > > ; return NXDOMAIN for use-application-dns.net name lookup > > ; > > https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default > > $TTL604800 > > > > @ IN SOA localhost. root.home.net. ( > >2024091001 ; Serial > >604800 ; Refresh > >86400 ; Retry > >2419200; Expire > >604800 ) ; Minimum > >IN NS localhost. > > > > ; tell Firefox to not use DOH (Dns Over Https) > > use-application-dns.net CNAME . > > broken-cname.netCNAME , <= > > COMMA not a period > > ; --- end --- > > > > $ dig broken-cname.net > > > > ; <<>> DiG 9.16.50-Debian <<>> broken-cname.net > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62006 > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 > > > > ;; OPT PSEUDOSECTION: > > ; EDNS: version: 0, flags:; udp: 1432 > > ; COOKIE: ad32c4ae2224c66d010066e082286d1625c0e8f2160c (good) > > ;; QUESTION SECTION: > > ;broken-cname.net. IN A > > > > ;; ANSWER SECTION: > > broken-cname.net. 5 IN CNAME ,.rpz.mozilla. > > > > ;; AUTHORITY SECTION: > > rpz.mozilla.604800 IN SOA localhost. > > root.home.net. 2024091001 604800 86400 2419200 604800 > > > > ;; ADDITIONAL SECTION: > > rpz.mozilla.1 IN SOA localhost. > > root.home.net. 2024091001 604800 86400 2419200 604800 > > > > ;; Query time: 0 msec > > ;; SERVER: 127.0.0.1#53(127.0.0.1) > > ;; WHEN: Tue Sep 10 13:30:16 EDT 2024 > > ;; MSG SIZE rcvd: 194 > > -- > > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > > this list > > > > ISC funds the development of this software with paid support subscriptions. > > Contact us at https://www.isc.org/contact/ for more information. > > > > > > bind-users mailing list > > bind-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/bind-users > -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone fail
Comma is legal in a domain name. It isn’t legal in a host name which are a subset of domain names. Named-checkzone is working exactly as it should. If the current origin is example.com. then comma expands to ,.example.com. as it is treaded as a relative name. -- Mark Andrews > On 11 Sep 2024, at 03:55, Lee wrote: > > I had a few typos in an RPZ file where I had a comma instead of a dot. > I tried using named-checkzone to find all the typos but it didn't > complain about anything!? Is that expected behavior? > > And a related question.. can anyone recommend a vim syntax file > checker for bind files? > > $ named-checkzone rpz.mozilla /etc/bind/db.rpz-mozilla > zone rpz.mozilla/IN: loaded serial 2024091001 > OK > > $ cat /etc/bind/db.rpz-mozilla > $ORIGIN rpz.mozilla. > ; > https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https > ; return NXDOMAIN for use-application-dns.net name lookup > ; > https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default > $TTL604800 > > @ IN SOA localhost. root.home.net. ( >2024091001 ; Serial >604800 ; Refresh >86400 ; Retry >2419200; Expire >604800 ) ; Minimum >IN NS localhost. > > ; tell Firefox to not use DOH (Dns Over Https) > use-application-dns.net CNAME . > broken-cname.netCNAME , <= > COMMA not a period > ; --- end --- > > $ dig broken-cname.net > > ; <<>> DiG 9.16.50-Debian <<>> broken-cname.net > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62006 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 1432 > ; COOKIE: ad32c4ae2224c66d010066e082286d1625c0e8f2160c (good) > ;; QUESTION SECTION: > ;broken-cname.net. IN A > > ;; ANSWER SECTION: > broken-cname.net. 5 IN CNAME ,.rpz.mozilla. > > ;; AUTHORITY SECTION: > rpz.mozilla.604800 IN SOA localhost. > root.home.net. 2024091001 604800 86400 2419200 604800 > > ;; ADDITIONAL SECTION: > rpz.mozilla.1 IN SOA localhost. > root.home.net. 2024091001 604800 86400 2419200 604800 > > ;; Query time: 0 msec > ;; SERVER: 127.0.0.1#53(127.0.0.1) > ;; WHEN: Tue Sep 10 13:30:16 EDT 2024 > ;; MSG SIZE rcvd: 194 > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named-checkzone fail
I had a few typos in an RPZ file where I had a comma instead of a dot. I tried using named-checkzone to find all the typos but it didn't complain about anything!? Is that expected behavior? And a related question.. can anyone recommend a vim syntax file checker for bind files? $ named-checkzone rpz.mozilla /etc/bind/db.rpz-mozilla zone rpz.mozilla/IN: loaded serial 2024091001 OK $ cat /etc/bind/db.rpz-mozilla $ORIGIN rpz.mozilla. ; https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https ; return NXDOMAIN for use-application-dns.net name lookup ; https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default $TTL604800 @ IN SOA localhost. root.home.net. ( 2024091001 ; Serial 604800 ; Refresh 86400 ; Retry 2419200; Expire 604800 ) ; Minimum IN NS localhost. ; tell Firefox to not use DOH (Dns Over Https) use-application-dns.net CNAME . broken-cname.netCNAME , <= COMMA not a period ; --- end --- $ dig broken-cname.net ; <<>> DiG 9.16.50-Debian <<>> broken-cname.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62006 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1432 ; COOKIE: ad32c4ae2224c66d010066e082286d1625c0e8f2160c (good) ;; QUESTION SECTION: ;broken-cname.net. IN A ;; ANSWER SECTION: broken-cname.net. 5 IN CNAME ,.rpz.mozilla. ;; AUTHORITY SECTION: rpz.mozilla.604800 IN SOA localhost. root.home.net. 2024091001 604800 86400 2419200 604800 ;; ADDITIONAL SECTION: rpz.mozilla.1 IN SOA localhost. root.home.net. 2024091001 604800 86400 2419200 604800 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Sep 10 13:30:16 EDT 2024 ;; MSG SIZE rcvd: 194 -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone as library?
Felipe Gasper wrote: > > Is there any public code interface that exposes named-checkzone’s > functionality? > I’d specifically like to have numeric error codes rather than strings. It isn't easy to do that, I'm afraid. There are two places that don't do what you want. The source for named-checkzone is in https://gitlab.isc.org/isc-projects/bind9/-/tree/main/bin/check The file named-checkzone.c has the setup and option handling, and check-tool.c has some of the zone checks - but not all. It deals with things like using the system resolver to check CNAME or MX records that point out of the zone. There are also a load of checks in lib/dns/zone.c - look for integrity_checks() and the various zone_check_*() functions. https://gitlab.isc.org/isc-projects/bind9/-/blob/main/lib/dns/zone.c Both lib/dns/zone.c and bin/check/check-tool.c report their findings by logging; there isn't an intermediate error code that might describe the problem. And BIND's error codes are simple errno-style numbers: they can't say multi-parameter things like "foo.dotat.at/MX points to bar.dotat.at which is a CNAME". Tony. -- f.anthony.n.finchhttps://dotat.at/ North Utsire, South Utsire: Variable 2 to 4. Slight or moderate. Fog patches later. Moderate or good, occasionally very poor later. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named-checkzone as library?
Hello, Is there any public code interface that exposes named-checkzone’s functionality? I’d specifically like to have numeric error codes rather than strings. Thank you! -FG ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
What causes named-checkzone to provide ; resign strings?
We have a series of bind9 nameservers (running some 9.9 and some 9.10). On our slave zones, which are all reading identical slave zone files, one of our servers is running the RedHat default bind 9.9.4-74. The other servers are running bind compiled directly from isc's source. When we issue a named-checkzone on any of the ones compiled straight from isc's source, after every RRSIG line, we see a ; resign line that contains the date/time of that resign. When we issue the same command on RedHat's default, we get all of the same information, minus that line. I was wondering if anyone could tell me what exactly produces that line. I see in the bind source code a comment that it is "Only valid if DNS_RDASETATTR_RESIGN is set in attributes." Where would this be set? If it's in the attributes of the signed zone file, I would think that it should be there, as when any other server reads the same files the data appears. Is this some compile time option? Is there a config file somewhere on the Linux server itself that needs to set this? Really any pointer in the right direction would be appreciated. Example of the symptom: first the server running RedHat standard, that does not produce the ; resign line [root@rutl800p slaves]# named-checkzone -j -f raw -o - myzone.com /var/named/slaves/db.myzone.com.signed zone myzone.com/IN: loaded serial 1460033625 (DNSSEC signed) myzone.com. 3600 IN SOA rutl601p.mylocaldomain.com. hostmaster.mydomain.com. 1460033625 7200 3600 604800 3600 myzone.com. 3600 IN RRSIG SOA 13 2 3600 20190716190406 20190616180406 59573 myzone.com. /HXXeswjocBRCgOftRGwX3EeLYSXXBS8r70oJ/K2rZvn301D7XUKr7nf C4QC1bhM+qRIesK0bkCy02KDHR3YVg== myzone.com. 3600 IN NS ns1.mydomain.com. Then the other servers that *do* produce it. [root@rutl801p slaves]# named-checkzone -j -f raw -o - myzone.com /var/named/slaves/db.myzone.com.signed zone myzone.com/IN: loaded serial 1460033625 (DNSSEC signed) myzone.com. 3600 IN SOA rutl601p.mylocaldomain.com. hostmaster.mydomain.com. 1460033625 7200 3600 604800 3600 myzone.com. 3600 IN RRSIG SOA 13 2 3600 20190716190406 20190616180406 59573 myzone.com. /HXXeswjocBRCgOftRGwX3EeLYSXXBS8r70oJ/K2rZvn301D7XUKr7nf C4QC1bhM+qRIesK0bkCy02KDHR3YVg== ; resign=20190716190406 myzone.com. 3600 IN NS ns1.mydomain.com. Stephen Gilbert Systems Administrator P 704-589-0332 E sgilb...@mcclatchy.com W mcclatchy.com [image: McClatchy Facebook] <https://www.facebook.com/McClatchyCo/> [image: McClatchy Twitter] <https://twitter.com/mcclatchy?lang=en> [image: McClatchy LinkedIn] <https://www.linkedin.com/company/the-mcclatchy-company/> ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone with multiple $ORIGIN
Ok that was my misunderstanding of named-checkzone. I though I had to check for all $ORIGINs. I haven't played with IPv6 yet. I hope I'll have a chance to do it eventually. Thanks for your time guys! On Mon, Jun 5, 2017 at 9:49 AM, Mark Elkins wrote: > Most certainly - Yes. > > You have a single zone here, thus only: > > named-checkzone example.com example.com.zone > ...should work. > > Wait till you play with a reverse IPv6 zone - where I personally use many > $ORIGIN statements - saves hours of typing and makes reading the Zones so > much easier. > > > > On 05/06/2017 15:40, Bernard Fay wrote: > > I understand what $ORIGIN is doing by reducing the typing and making it > easier to maintain the zone files. > > To Tony, should I understand while using named-checkzone I need to enter > *only* the top domain and named-checkzone will understand the subdomains > defined by the multiple $ORIGIN in the zone file? > > Thanks, > Bernard > > > On Mon, Jun 5, 2017 at 9:18 AM, Tony Finch wrote: > >> Bernard Fay wrote: >> > >> > I took control of a DNS based on Bind 9.9. One of the zone files have >> > multiple $ORIGIN for example: >> >> The key thing to understand is that $ORIGIN just controls how unqualified >> domain names are expanded into fully-qualified domain names. In >> particular, $ORIGIN is completely independent of zone boundaries. >> >> So in the master file you sketched out, >> >> > $ORIGIN example.com >> > ... >> > $ORIGIN sub1.example.com >> > ... >> > $ORIGIN sub2.example.com >> > ... >> > $ORIGIN sub3.example.com >> > ... >> >> The person who wrote the file is using $ORIGIN in order to abbreviate >> unqualified names in subdomains, but the subdomains are all part of the >> same zone. >> >> The other thing to be aware of is that it is possible to write a zone file >> without any fuly-qualified names, which is why you have to specify the >> zone name when loading the file. (This feature is useful for empty zones, >> for example, but it's usually not a good idea for normal zones.) The zone >> name is used to set the default $ORIGIN and for the zone sanity checks. >> >> So, this works... >> >> > While checking the zone file with: >> > named-checkzone example.com example.com.zone >> > named-checkzone returns ok for the first $ORIGIN. >> >> ...because the zone name you specified on the command line matches the >> contents of the master file. >> >> However, >> >> > named-checkzone sub1.example.com example.com.zone >> > named-checkzone sub2.example.com example.com.zone >> > named-checkzone sub3.example.com example.com.zone >> > named-checkzone reports many "ignoring out-of-zone data ( >> example.com)" >> >> this doesn't make sense. The master file is one single whole complete >> zone. The subdomains are not separate zones, and you can't load or check >> part of the file. >> >> So the error message is saying that the SOA record and the apex NS records >> at example.com and loads of other records are not subdomains of the zone >> name that you gave on the commamnd line. I usually encounter this error >> when I have accidentally got my zone name and master file name muddled >> up, and once you get used to the error message it's a useful consistency >> check. >> >> Tony. >> -- >> f.anthony.n.finchhttp://dotat.at/ - I xn--zr8h >> punycode >> Fitzroy: Southwesterly, veering northwesterly, 6 to gale 8, decreasing 5 >> later >> in southwest. Moderate or rough. Rain at first. Moderate or good. >> > > > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing > listbind-us...@lists.isc.orghttps://lists.isc.org/mailman/listinfo/bind-users > > > -- > Mark James ELKINS - Posix Systems - (South) africa...@posix.co.za > Tel: +27.128070590 <+27%2012%20807%200590> Cell: +27.826010496 > <+27%2082%20601%200496> > For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za > > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone with multiple $ORIGIN
Most certainly - Yes. You have a single zone here, thus only: named-checkzone example.com <http://example.com> example.com.zone ...should work. Wait till you play with a reverse IPv6 zone - where I personally use many $ORIGIN statements - saves hours of typing and makes reading the Zones so much easier. On 05/06/2017 15:40, Bernard Fay wrote: > I understand what $ORIGIN is doing by reducing the typing and making > it easier to maintain the zone files. > > To Tony, should I understand while using named-checkzone I need to > enter _only_ the top domain and named-checkzone will understand the > subdomains defined by the multiple $ORIGIN in the zone file? > > Thanks, > Bernard > > > On Mon, Jun 5, 2017 at 9:18 AM, Tony Finch <mailto:d...@dotat.at>> wrote: > > Bernard Fay mailto:bernard@gmail.com>> > wrote: > > > > I took control of a DNS based on Bind 9.9. One of the zone > files have > > multiple $ORIGIN for example: > > The key thing to understand is that $ORIGIN just controls how > unqualified > domain names are expanded into fully-qualified domain names. In > particular, $ORIGIN is completely independent of zone boundaries. > > So in the master file you sketched out, > > > $ORIGIN example.com <http://example.com> > > ... > > $ORIGIN sub1.example.com <http://sub1.example.com> > > ... > > $ORIGIN sub2.example.com <http://sub2.example.com> > > ... > > $ORIGIN sub3.example.com <http://sub3.example.com> > > ... > > The person who wrote the file is using $ORIGIN in order to abbreviate > unqualified names in subdomains, but the subdomains are all part > of the > same zone. > > The other thing to be aware of is that it is possible to write a > zone file > without any fuly-qualified names, which is why you have to specify the > zone name when loading the file. (This feature is useful for empty > zones, > for example, but it's usually not a good idea for normal zones.) > The zone > name is used to set the default $ORIGIN and for the zone sanity > checks. > > So, this works... > > > While checking the zone file with: > > named-checkzone example.com <http://example.com> example.com.zone > > named-checkzone returns ok for the first $ORIGIN. > > ...because the zone name you specified on the command line matches the > contents of the master file. > > However, > > > named-checkzone sub1.example.com <http://sub1.example.com> > example.com.zone > > named-checkzone sub2.example.com <http://sub2.example.com> > example.com.zone > > named-checkzone sub3.example.com <http://sub3.example.com> > example.com.zone > > named-checkzone reports many "ignoring out-of-zone data > (example.com <http://example.com>)" > > this doesn't make sense. The master file is one single whole complete > zone. The subdomains are not separate zones, and you can't load or > check > part of the file. > > So the error message is saying that the SOA record and the apex NS > records > at example.com <http://example.com> and loads of other records are > not subdomains of the zone > name that you gave on the commamnd line. I usually encounter this > error > when I have accidentally got my zone name and master file name muddled > up, and once you get used to the error message it's a useful > consistency > check. > > Tony. > -- > f.anthony.n.finch mailto:d...@dotat.at>> > http://dotat.at/ - I xn--zr8h punycode > Fitzroy: Southwesterly, veering northwesterly, 6 to gale 8, > decreasing 5 later > in southwest. Moderate or rough. Rain at first. Moderate or good. > > > > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark James ELKINS - Posix Systems - (South) Africa m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone with multiple $ORIGIN
Bernard Fay wrote: > > should I understand while using named-checkzone I need to enter *only* > the top domain and named-checkzone will understand the subdomains > defined by the multiple $ORIGIN in the zone file? Yes, named-checkzone basically just loads the zone file (the whole thing) as if it were being loaded by named. You don't have to have a zone boundary for every subdomain - your zone file has lots of subdomains all in one zone, and this is completely normal. Tony. -- f.anthony.n.finchhttp://dotat.at/ - I xn--zr8h punycode Irish Sea: Cyclonic 6, becoming northwest 6 to gale 8 later. Moderate or rough. Rain, showers later. Good occasionally poor. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone with multiple $ORIGIN
I understand what $ORIGIN is doing by reducing the typing and making it easier to maintain the zone files. To Tony, should I understand while using named-checkzone I need to enter *only* the top domain and named-checkzone will understand the subdomains defined by the multiple $ORIGIN in the zone file? Thanks, Bernard On Mon, Jun 5, 2017 at 9:18 AM, Tony Finch wrote: > Bernard Fay wrote: > > > > I took control of a DNS based on Bind 9.9. One of the zone files have > > multiple $ORIGIN for example: > > The key thing to understand is that $ORIGIN just controls how unqualified > domain names are expanded into fully-qualified domain names. In > particular, $ORIGIN is completely independent of zone boundaries. > > So in the master file you sketched out, > > > $ORIGIN example.com > > ... > > $ORIGIN sub1.example.com > > ... > > $ORIGIN sub2.example.com > > ... > > $ORIGIN sub3.example.com > > ... > > The person who wrote the file is using $ORIGIN in order to abbreviate > unqualified names in subdomains, but the subdomains are all part of the > same zone. > > The other thing to be aware of is that it is possible to write a zone file > without any fuly-qualified names, which is why you have to specify the > zone name when loading the file. (This feature is useful for empty zones, > for example, but it's usually not a good idea for normal zones.) The zone > name is used to set the default $ORIGIN and for the zone sanity checks. > > So, this works... > > > While checking the zone file with: > > named-checkzone example.com example.com.zone > > named-checkzone returns ok for the first $ORIGIN. > > ...because the zone name you specified on the command line matches the > contents of the master file. > > However, > > > named-checkzone sub1.example.com example.com.zone > > named-checkzone sub2.example.com example.com.zone > > named-checkzone sub3.example.com example.com.zone > > named-checkzone reports many "ignoring out-of-zone data (example.com > )" > > this doesn't make sense. The master file is one single whole complete > zone. The subdomains are not separate zones, and you can't load or check > part of the file. > > So the error message is saying that the SOA record and the apex NS records > at example.com and loads of other records are not subdomains of the zone > name that you gave on the commamnd line. I usually encounter this error > when I have accidentally got my zone name and master file name muddled > up, and once you get used to the error message it's a useful consistency > check. > > Tony. > -- > f.anthony.n.finchhttp://dotat.at/ - I xn--zr8h > punycode > Fitzroy: Southwesterly, veering northwesterly, 6 to gale 8, decreasing 5 > later > in southwest. Moderate or rough. Rain at first. Moderate or good. > ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone with multiple $ORIGIN
In message , Bernard Fay writes: > Sorry keyboard problem... > > > I took control of a DNS based on Bind 9.9. One of the zone files have > multiple $ORIGIN for example: > > $ORIGIN example.com > ... > $ORIGIN sub1.example.com > ... > $ORIGIN sub2.example.com > ... > $ORIGIN sub3.example.com > ... > > > While checking the zone file with: > named-checkzone example.com example.com.zone > named-checkzone returns ok for the first $ORIGIN. > > But doing > named-checkzone sub1.example.com example.com.zone > named-checkzone sub2.example.com example.com.zone > named-checkzone sub3.example.com example.com.zone > named-checkzone reports many "ignoring out-of-zone data (....example.com)" > > Using multiple $ORIGIN in a single zone file works but named-checkzone does > not seem to like the idea. > > Is there something wrong by using multiple $ORIGIN in a single zone file or > my understanding of named-checkzone is wrong? Your understanding of what $ORIGIN does in a master file is wrong. It is a way to reduce the amount of typing you do by setting the suffix to be appended to non absolute names though over use will defeat that. $ORIGIN example.com. @ SOA ns hostmaster 0 0 0 0 0 @ NS ns ns A 1.1.1.1 $ORIGIN sub1.example.com. @ A 1.2.3.4 $ORIGIN sub2.example.com. @ A 1.2.3.8 expanded is example.com. SOA ns.example.com. hostmaster.example.com. 0 0 0 0 0 example.com. NS ns ns.example.com. A 1.1.1.1 sub1.example.com. A 1.2.3.4 sub2.example.com. A 1.2.3.8 $ORIGIN doesn't mean start of a zone though every zone has a implict $ORIGIN set when it is being loaded. > Thanks, > Bernard -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone with multiple $ORIGIN
Bernard Fay wrote: > > I took control of a DNS based on Bind 9.9. One of the zone files have > multiple $ORIGIN for example: The key thing to understand is that $ORIGIN just controls how unqualified domain names are expanded into fully-qualified domain names. In particular, $ORIGIN is completely independent of zone boundaries. So in the master file you sketched out, > $ORIGIN example.com > ... > $ORIGIN sub1.example.com > ... > $ORIGIN sub2.example.com > ... > $ORIGIN sub3.example.com > ... The person who wrote the file is using $ORIGIN in order to abbreviate unqualified names in subdomains, but the subdomains are all part of the same zone. The other thing to be aware of is that it is possible to write a zone file without any fuly-qualified names, which is why you have to specify the zone name when loading the file. (This feature is useful for empty zones, for example, but it's usually not a good idea for normal zones.) The zone name is used to set the default $ORIGIN and for the zone sanity checks. So, this works... > While checking the zone file with: > named-checkzone example.com example.com.zone > named-checkzone returns ok for the first $ORIGIN. ...because the zone name you specified on the command line matches the contents of the master file. However, > named-checkzone sub1.example.com example.com.zone > named-checkzone sub2.example.com example.com.zone > named-checkzone sub3.example.com example.com.zone > named-checkzone reports many "ignoring out-of-zone data (example.com)" this doesn't make sense. The master file is one single whole complete zone. The subdomains are not separate zones, and you can't load or check part of the file. So the error message is saying that the SOA record and the apex NS records at example.com and loads of other records are not subdomains of the zone name that you gave on the commamnd line. I usually encounter this error when I have accidentally got my zone name and master file name muddled up, and once you get used to the error message it's a useful consistency check. Tony. -- f.anthony.n.finchhttp://dotat.at/ - I xn--zr8h punycode Fitzroy: Southwesterly, veering northwesterly, 6 to gale 8, decreasing 5 later in southwest. Moderate or rough. Rain at first. Moderate or good. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone with multiple $ORIGIN
Am 05.06.2017 um 14:36 schrieb Bernard Fay: Sorry keyboard problem... I took control of a DNS based on Bind 9.9. One of the zone files have multiple $ORIGIN for example: $ORIGIN example.com ... $ORIGIN sub1.example.com ... $ORIGIN sub2.example.com <http://sub2.example.com> ... $ORIGIN sub3.example.com <http://sub3.example.com> ... While checking the zone file with: named-checkzone example.com <http://example.com> example.com.zone named-checkzone returns ok for the first $ORIGIN. But doing named-checkzone sub1.example.com <http://example.com> example.com.zone named-checkzone sub2.example.com <http://example.com> example.com.zone named-checkzone sub3.example.com <http://example.com> example.com.zone named-checkzone reports many "ignoring out-of-zone data (example.com <http://example.com>)" Using multiple $ORIGIN in a single zone file works but named-checkzone does not seem to like the idea. Is there something wrong by using multiple $ORIGIN in a single zone file or my understanding of named-checkzone is wrong? you strip way too much from your config as well as input/output of named-checkzone and the mess in the quoting above is the result of HTML converted to sane plaintext as typically encouraged on lists what is the purpose of obfuscate 'DNS DATA* that much? ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone with multiple $ORIGIN
Sorry keyboard problem... I took control of a DNS based on Bind 9.9. One of the zone files have multiple $ORIGIN for example: $ORIGIN example.com ... $ORIGIN sub1.example.com ... $ORIGIN sub2.example.com ... $ORIGIN sub3.example.com ... While checking the zone file with: named-checkzone example.com example.com.zone named-checkzone returns ok for the first $ORIGIN. But doing named-checkzone sub1.example.com example.com.zone named-checkzone sub2.example.com example.com.zone named-checkzone sub3.example.com example.com.zone named-checkzone reports many "ignoring out-of-zone data (example.com)" Using multiple $ORIGIN in a single zone file works but named-checkzone does not seem to like the idea. Is there something wrong by using multiple $ORIGIN in a single zone file or my understanding of named-checkzone is wrong? Thanks, Bernard On Mon, Jun 5, 2017 at 8:27 AM, Bernard Fay wrote: > Hi, > > I took control of a DNS based on Bind 9.9. One of the zone files have > multiple $ORIGIN for example: > > $ORIGIN example.com > ... > $ORIGIN sub1.example.com > ... > $ORIGIN sub2.example.com > ... > $ORIGIN sub3.example.com > ... > > > While checking the zone file with: > named-checkzone example.com example.com.zone > ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named-checkzone with multiple $ORIGIN
Hi, I took control of a DNS based on Bind 9.9. One of the zone files have multiple $ORIGIN for example: $ORIGIN example.com ... $ORIGIN sub1.example.com ... $ORIGIN sub2.example.com ... $ORIGIN sub3.example.com ... While checking the zone file with: named-checkzone example.com example.com.zone ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DANE record rejected by named-checkzone
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/04/2014 11:54 PM, Mark Andrews wrote: > In message <545954b0.8080...@offerman.com>, "Adrian (Aad) Offerman" > writes: > > named keeps refusing my zone file in which I included a DANE > record: > > [root]# named-checkzone offerman.com db.offerman.com > db.offerman.com:59: _443._tcp.offerman.com: bad owner name > (check-names) db.offerman.com:60: _443._tcp.offerman.com: bad owner > name (check-names) zone offerman.com/IN: loaded serial 2014110103 > OK [root]# > > This appears to be caused by the underscores used in the > port/protocol combination. > > Here's what the record looks like: > > _443._tcp IN TLSA3 0 1 > a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce > >> Well that isn't a valid TLSA record. It has a bad hex encoding. >> There are 63 hex digits. Just an error in the cutting/pasting, in the mail message that is. >> TLSA records themselves are not subject to check-names >> processing so I suggest that you look at the reported lines in >> the file to find out what is actually there. > >> In the example below it is the A record which has inherited the >> _443._tcp owner name. Ah, that did the job! :-) Inserting a block of TLSA records at the wrong place screwed up the inheritance for the next record. Thanks! Adrian >> Mark > >> [rock:~/git/bind9] marka% bin/check/named-checkzone c.db >> c.db c.db:1: no TTL specified; using SOA MINTTL instead >> dns_rdata_fromtext: c.db:3: near eol: bad hex encoding >> c.db:4: _443._tcp.c.db: bad owner name (check-names) zone >> c.db/IN: loading from master file c.db failed: bad hex >> encoding zone c.db/IN: not loaded due to errors. >> [rock:~/git/bind9] marka% > >> @IN SOA . . 0 0 0 0 0 @ IN NS . _443._tcp IN TLSA 3 0 1 >> a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce >> IN A 1.2.3.4 > > > It was created first using this: tlsa --create --output rfc > offerman.com later using this: ldns-dane create offerman.com 443 > both resulting in the same record, and both outputs resulting in > the same error. > > I've upgraded the named version (on CentOS 6.6) from 9.8.2 to > 9.9.6, but all to no avail :-( > > [root]# named-checkzone -v 9.9.6-RedHat-9.9.6-0.el6 > > Am I trying to do something here that is not yet supported or am I > overlooking something? -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJUe0v1AAoJECfzYtonqXzEKHgIAJyjwFIgXbZ1eO01eR8JO4Au s51DVqywT7/0nVfF55Zi6N8mOi9GygYJjSEFJ4lL6g2BI2TaNVzeAQqGp9oJ8UUf GzJOjLkb7UyPy5OXYjkIj4a2f7t8Eyk7kRXYhfDaPccox87R8NkIWkCftSrfgBEq LwwTlHrtf2QUi5QxzhsNP/ljuC5mF0EW2ipa3kEggTgHwQ3Sg9pSvxWwP8LVFRn4 RW1ng/9iALxrgQLS7qjEc29vTfj0emRskQEXOgS/Ipt0U9b2Ep5l8uHsULH0jNwP BJ5+QPJFETlHd6hqKNjpAsVBrZJ+fY4QgIC8Ig8nkWY4gBLtZ55qkb6zIbOFL4Y= =YVKh -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DANE record rejected by named-checkzone
In message <545954b0.8080...@offerman.com>, "Adrian (Aad) Offerman" writes: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > named keeps refusing my zone file in which I included a DANE record: > > [root]# named-checkzone offerman.com db.offerman.com > db.offerman.com:59: _443._tcp.offerman.com: bad owner name (check-names) > db.offerman.com:60: _443._tcp.offerman.com: bad owner name (check-names) > zone offerman.com/IN: loaded serial 2014110103 > OK > [root]# > > This appears to be caused by the underscores used in the port/protocol > combination. > > Here's what the record looks like: > > _443._tcp IN TLSA3 0 1 > a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce Well that isn't a valid TLSA record. It has a bad hex encoding. There are 63 hex digits. TLSA records themselves are not subject to check-names processing so I suggest that you look at the reported lines in the file to find out what is actually there. In the example below it is the A record which has inherited the _443._tcp owner name. Mark [rock:~/git/bind9] marka% bin/check/named-checkzone c.db c.db c.db:1: no TTL specified; using SOA MINTTL instead dns_rdata_fromtext: c.db:3: near eol: bad hex encoding c.db:4: _443._tcp.c.db: bad owner name (check-names) zone c.db/IN: loading from master file c.db failed: bad hex encoding zone c.db/IN: not loaded due to errors. [rock:~/git/bind9] marka% @ IN SOA . . 0 0 0 0 0 @ IN NS . _443._tcp IN TLSA 3 0 1 a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce IN A 1.2.3.4 > It was created first using this: > tlsa --create --output rfc offerman.com > later using this: > ldns-dane create offerman.com 443 > both resulting in the same record, and both outputs resulting in the > same error. > > I've upgraded the named version (on CentOS 6.6) from 9.8.2 to 9.9.6, > but all to no avail :-( > > [root]# named-checkzone -v > 9.9.6-RedHat-9.9.6-0.el6 > > Am I trying to do something here that is not yet supported or am I > overlooking something? > -BEGIN PGP SIGNATURE- > Version: GnuPG v1 > > iQEcBAEBAgAGBQJUWVSwAAoJECfzYtonqXzEdIsIAIiHdjp726NW57jF6lxF7cFc > oFNFx8uClGHveq6nWjzG9DhplEkFjl8UYMJyfKx3MUlgnKGerREI13WyEwmOrIvk > TigcjVEwb3AnbX7RGtzeyqsSAJesx8JdYgLxpSTltfeNpYwjJ4Irl1YQKw3e6hHY > y8Lcd9gOYYj+weyZv8BoaEIugit/fuxiLOyJ7mqhyHmrDlny1FLbHMOAJzU8WBxx > aa3IUT91RYP5037d4k3Klk+XbieFoiAGSnvHiaqfg8SuXiosiEKAZOfxymb04sqd > a4rDiLv6RkLGR8UIWuNfiXNTyGvcZZeW9micMIHVXk/EeEJ1Y7W6vdbwBDJ8M2s= > =CVi6 > -END PGP SIGNATURE- > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DANE record rejected by named-checkzone
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 named keeps refusing my zone file in which I included a DANE record: [root]# named-checkzone offerman.com db.offerman.com db.offerman.com:59: _443._tcp.offerman.com: bad owner name (check-names) db.offerman.com:60: _443._tcp.offerman.com: bad owner name (check-names) zone offerman.com/IN: loaded serial 2014110103 OK [root]# This appears to be caused by the underscores used in the port/protocol combination. Here's what the record looks like: _443._tcp IN TLSA3 0 1 a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce It was created first using this: tlsa --create --output rfc offerman.com later using this: ldns-dane create offerman.com 443 both resulting in the same record, and both outputs resulting in the same error. I've upgraded the named version (on CentOS 6.6) from 9.8.2 to 9.9.6, but all to no avail :-( [root]# named-checkzone -v 9.9.6-RedHat-9.9.6-0.el6 Am I trying to do something here that is not yet supported or am I overlooking something? -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJUWVSwAAoJECfzYtonqXzEdIsIAIiHdjp726NW57jF6lxF7cFc oFNFx8uClGHveq6nWjzG9DhplEkFjl8UYMJyfKx3MUlgnKGerREI13WyEwmOrIvk TigcjVEwb3AnbX7RGtzeyqsSAJesx8JdYgLxpSTltfeNpYwjJ4Irl1YQKw3e6hHY y8Lcd9gOYYj+weyZv8BoaEIugit/fuxiLOyJ7mqhyHmrDlny1FLbHMOAJzU8WBxx aa3IUT91RYP5037d4k3Klk+XbieFoiAGSnvHiaqfg8SuXiosiEKAZOfxymb04sqd a4rDiLv6RkLGR8UIWuNfiXNTyGvcZZeW9micMIHVXk/EeEJ1Y7W6vdbwBDJ8M2s= =CVi6 -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
bind9.9.0 named-checkzone usage message
root@ns0s:~ # named-checkzone usage: named-checkzone [-djqvD] [-c class] [-f inputformat] [-F outputformat] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-n (ignore|warn|fail)] [-m (ignore|warn|fail)] [-r (ignore|warn|fail)] [-i (full|full-sibling|local|local-sibling|none)] [-M (ignore|warn|fail)] [-S (ignore|warn|fail)] [-W (ignore|warn)] [-o filename] zonename filename FWIW, the options [-h] [-L serial] [-s style], as described in Bv9ARM.pdf, page 158, are missing from the usage message. Same with named-compilezone. Jeffry A. Spain Network Administrator Cincinnati Country Day School ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone error "NSEC node already exists"
In message , jim writes: > --===8614228914376772213== > Content-Type: multipart/alternative; boundary=00163630e869ed2ed50496c3d6e6 > > --00163630e869ed2ed50496c3d6e6 > Content-Type: text/plain; charset=ISO-8859-1 > > Hi, > > Running BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6 Upgrade. > New setup/install and attempting to setup DNSSEC and clean any dirty data. > Got the zone signed and ran named-checkzone against it and got the following > (11) times: > addnode: NSEC node already exists > The .signed loads but want to have clean before going live and not sure how > to narrow down where these eleven duplicates are coming from? > See these repeated eleven times in debug.log for each start of named, > running debug of 3 >06-Dec-2010 14:43:39.266 database: warning: addnode: NSEC node already > exists Ignore it. It's a artifact of the rbt implementation. The warning has been removed in newer versions. > Sorry, some more stupid questions on DNSSEC that I'm just confused about. > > 1) Do I sign my n.n.n.in-addr.arpa zone just like my domain.edu? > ># dnssec-keygen -r /dev/urandom n.n.n.in-addr.arpa ># dnssec-keygen -f KSK -r /dev/urandom n.n.n.in-addr.arpa ># named-checkzone -t /var/named n.n.n.in-addr.arpa dns.net.domain > runs OK ># dnssec-signzone -g -k Kn.n.n.in-addr.arpa.+005+33126.key -o > n.n.n.in-addr.arpa dns.net-iup Kn.n.n.in-addr.arpa.+005+24720.key Yes. A zone is a zone. There is nothing special about "reverse" zones as far as the DNS is concerned. It the users of the DNS that treat it as special. > 2) After I have my island of security setup and working, register the KSK > public key with educause correct? You register the zones with there parents. If educause is one of the parents then yes, for that zone. > 3) After registered with educause should I stop reading in > /etc/named.iscdlv.key? Publishing signed zones is independent of validating responses. I would stop using dlv when it stops giving a benefit. At the moment there are still lots of zones that can only be validated using dlv. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named-checkzone error "NSEC node already exists"
Hi, Running BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6 New setup/install and attempting to setup DNSSEC and clean any dirty data. Got the zone signed and ran named-checkzone against it and got the following (11) times: addnode: NSEC node already exists The .signed loads but want to have clean before going live and not sure how to narrow down where these eleven duplicates are coming from? See these repeated eleven times in debug.log for each start of named, running debug of 3 06-Dec-2010 14:43:39.266 database: warning: addnode: NSEC node already exists Sorry, some more stupid questions on DNSSEC that I'm just confused about. 1) Do I sign my n.n.n.in-addr.arpa zone just like my domain.edu? # dnssec-keygen -r /dev/urandom n.n.n.in-addr.arpa # dnssec-keygen -f KSK -r /dev/urandom n.n.n.in-addr.arpa # named-checkzone -t /var/named n.n.n.in-addr.arpa dns.net.domain runs OK # dnssec-signzone -g -k Kn.n.n.in-addr.arpa.+005+33126.key -o n.n.n.in-addr.arpa dns.net-iup Kn.n.n.in-addr.arpa.+005+24720.key 2) After I have my island of security setup and working, register the KSK public key with educause correct? 3) After registered with educause should I stop reading in /etc/named.iscdlv.key? thanks! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone Test Runs
For the sake of thoroughness, the -j flag causes named-compilezone to also look at the .jnl files so that the zone you getis as up to date as possible. Martin ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone Test Runs
A list member wrote: > named-checkzone doesn't need to read the named.conf file - it just makes > sure that the zone is correct. if you want to check named.conf, you will > need to use named-checkconf > > For checking config, try > > named-checkconf -t [chroot directory] [relative path to named.conf] > > So, for you (if I understand your setup correctly) maybe something like > > named-checkconf -t /var/named /etc/named.conf > > > > For checking zones, try > > named-checkzone -w [working directory] [zonename] [relative path to the > zonefile] This was a good reminder. After re-reading the man page for named-checkzone, I tried named-compilezone and got it to print out a usable zone plus analyse the quality of the records in the zone. It appears that this is good for finding orphaned MX records, etc. named-compilezone -oDOMAIN.ZONE -j -k ignore okstate.edu /var/named/db/zonefilename This compiles a useble zone, ignores name warnings and prints all the dodgy MX records and other possible issues you may have with this zone. Martin McCormick ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: named-checkzone Test Runs
Can you share what you're talking about since it appears you're saying you got the reply off list? -Original Message- From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Martin McCormick Sent: Wednesday, October 13, 2010 4:54 PM To: bind-us...@isc.org Subject: Re: named-checkzone Test Runs I wrote: > I am testing bind9.7 and seem to not be correctly defining the > path to the localhost forward and reverse zones which are in > /var/named/etc/namedb/master. After the chroot, they should be > found by a path of named/etc/namedb/master but so far nothing > seems to work. My thanks to a member of this list for helping me better use the available tools. I had been using named-checkzone and named-checkconf for years to check syntax but these do so much more. Many thanks to the ISC community for designing such good applications. Martin McCormick ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Proud partner. Susan G. Komen for the Cure. Please consider our environment before printing this e-mail or attachments. -- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. -- ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone Test Runs
I wrote: > I am testing bind9.7 and seem to not be correctly defining the > path to the localhost forward and reverse zones which are in > /var/named/etc/namedb/master. After the chroot, they should be > found by a path of named/etc/namedb/master but so far nothing > seems to work. My thanks to a member of this list for helping me better use the available tools. I had been using named-checkzone and named-checkconf for years to check syntax but these do so much more. Many thanks to the ISC community for designing such good applications. Martin McCormick ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named-checkzone Test Runs
I am testing bind9.7 and seem to not be correctly defining the path to the localhost forward and reverse zones which are in /var/named/etc/namedb/master. After the chroot, they should be found by a path of named/etc/namedb/master but so far nothing seems to work. I have read the man page for named-checkzone and it looks like one might be able to cause it to test load the zone as if one was starting bind which means it has to read the named.conf file. If I could see what path it thinks it is loading from, the fix would be easy. Can it do that? I am not quite sure what a few of the flags are capable of. If it can read named.conf, it should get the zone file name from that. Thank you. Martin McCormick ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: named-checkzone
So I ended up accomplishing this by using vim autocmd. In /etc/vimrc autocmd BufWritePost *.db execute "!/usr/sbin/scripts/checkzonework” if any file that has a .db is edited and written to it calls checkzonework which is a bash script that asks a few questions and calls name-checkzone. Hope this helps someone in the future. paul From: bind-users-bounces+gord.taylor=rbc@lists.isc.org [mailto:bind-users-bounces+gord.taylor=rbc@lists.isc.org] On Behalf Of P.A Sent: 2010, June, 24 3:47 PM To: bind-us...@isc.org Subject: named-checkzone Hi, im trying to get some ideas how I can exec named-checkzone on a zone file that has just been executed. We have com users who edit zone files but forget to run the command when they are do editing the file. Trying to figure out if anyone has a good way of enforcing that the zone gets checked after its been edited. Thanks Paul. ___ This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Ce courriel peut contenir des renseignements protégés et confidentiels. L’expéditeur ne renonce pas aux droits et obligations qui s’y rapportent. Toute diffusion, utilisation ou copie de ce courriel ou des renseignements qu’il contient par une personne autre que le destinataire désigné est interdite. Si vous recevez ce courriel par erreur, veuillez m’en aviser immédiatement, par retour de courriel ou par un autre moyen. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone
On Thu, Jun 24, 2010 at 04:37:45PM -0400, Paul Amaral wrote: > I was thinking more instantaneous without moving things around. I looked at > vim vimrc autocmd but I couldn't get named-checkzone to execute and I would > still have to somehow have named-checkzone look at the last zone that was > edited. > > Good suggestion though. Check $PATH or use the full file name from "/". -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: named-checkzone
On Thu, Jun 24, 2010 at 03:46:37PM -0400, P.A wrote: > Hi, im trying to get some ideas how I can exec named-checkzone on a zone > file that has just been executed. We have com users who edit zone files but > forget to run the command when they are do editing the file. Trying to > figure out if anyone has a good way of enforcing that the zone gets checked > after its been edited. Shell command file that (1) Checks it out of version control [RCS, Subversion, git, whatever] (2) Throws it into ${EDITOR:-vi} (3) Runs named-checkzone using zone name based on file name (4) If it fails, let the user absorb the error msg before goto (2) (5) If it succeeds, ask the user whether to edit again or commit (6) Check it back into version control (7) rndc reload -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: named-checkzone
If you wanted to throw CVS into the mix, it would make all this pretty easy. You can have it run scripts on checkin, and you know all the files changed from a cvs diff, so it’s easy to run that through the named-checkzone. CVS doesn’t have to make things much more complicated. You could create a script that when run (ex: vizone zonename) would checkout the zonefiles project, and open a vi for the session. then, when closed, it would checkin the zonefile and run the verification script. Heck, you could just alias “vi” to your script if that is all your user does with vi, or if you use a unique account for DNS changes. t. From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of P.A Sent: Thursday, June 24, 2010 4:38 PM To: 'Taylor, Gord'; bind-us...@isc.org Subject: named-checkzone I was thinking more instantaneous without moving things around. I looked at vim vimrc autocmd but I couldn’t get named-checkzone to execute and I would still have to somehow have named-checkzone look at the last zone that was edited. Good suggestion though. From: Taylor, Gord [mailto:gord.tay...@rbc.com] Sent: Thursday, June 24, 2010 4:32 PM To: P.A; bind-us...@isc.org Subject: RE: named-checkzone My suggestion is to create a backup copy of the (current) zone files in another directory. Only allow the users to edit those files, then execute a shell script that checks them, and only moves them to the production directory once the named-checkzone (and named-checkconf) works correctly. Otherwise, returns an error. The only thing we don't check is that the SOA serial has been incremented because our DNS file editor does that automatically... From: bind-users-bounces+gord.taylor=rbc@lists.isc.org [mailto:bind-users-bounces+gord.taylor=rbc@lists.isc.org] On Behalf Of P.A Sent: 2010, June, 24 3:47 PM To: bind-us...@isc.org Subject: named-checkzone Hi, im trying to get some ideas how I can exec named-checkzone on a zone file that has just been executed. We have com users who edit zone files but forget to run the command when they are do editing the file. Trying to figure out if anyone has a good way of enforcing that the zone gets checked after its been edited. Thanks Paul. ___ This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Ce courriel peut contenir des renseignements protégés et confidentiels. Lexpéditeur ne renonce pas aux droits et obligations qui sy rapportent. Toute diffusion, utilisation ou copie de ce courriel ou des renseignements quil contient par une personne autre que le destinataire désigné est interdite. Si vous recevez ce courriel par erreur, veuillez men aviser immédiatement, par retour de courriel ou par un autre moyen. - This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: named-checkzone
I was thinking more instantaneous without moving things around. I looked at vim vimrc autocmd but I couldn’t get named-checkzone to execute and I would still have to somehow have named-checkzone look at the last zone that was edited. Good suggestion though. From: Taylor, Gord [mailto:gord.tay...@rbc.com] Sent: Thursday, June 24, 2010 4:32 PM To: P.A; bind-us...@isc.org Subject: RE: named-checkzone My suggestion is to create a backup copy of the (current) zone files in another directory. Only allow the users to edit those files, then execute a shell script that checks them, and only moves them to the production directory once the named-checkzone (and named-checkconf) works correctly. Otherwise, returns an error. The only thing we don't check is that the SOA serial has been incremented because our DNS file editor does that automatically... _ From: bind-users-bounces+gord.taylor=rbc@lists.isc.org [mailto:bind-users-bounces+gord.taylor=rbc@lists.isc.org] On Behalf Of P.A Sent: 2010, June, 24 3:47 PM To: bind-us...@isc.org Subject: named-checkzone Hi, im trying to get some ideas how I can exec named-checkzone on a zone file that has just been executed. We have com users who edit zone files but forget to run the command when they are do editing the file. Trying to figure out if anyone has a good way of enforcing that the zone gets checked after its been edited. Thanks Paul. ___ This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Ce courriel peut contenir des renseignements protégés et confidentiels. L’expéditeur ne renonce pas aux droits et obligations qui s’y rapportent. Toute diffusion, utilisation ou copie de ce courriel ou des renseignements qu’il contient par une personne autre que le destinataire désigné est interdite. Si vous recevez ce courriel par erreur, veuillez m’en aviser immédiatement, par retour de courriel ou par un autre moyen. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named-checkzone
I was thinking more instantaneous without moving things around. I looked at vim vimrc autocmd but I couldn’t get named-checkzone to execute and I would still have to somehow have named-checkzone look at the last zone that was edited. Good suggestion though. From: Taylor, Gord [mailto:gord.tay...@rbc.com] Sent: Thursday, June 24, 2010 4:32 PM To: P.A; bind-us...@isc.org Subject: RE: named-checkzone My suggestion is to create a backup copy of the (current) zone files in another directory. Only allow the users to edit those files, then execute a shell script that checks them, and only moves them to the production directory once the named-checkzone (and named-checkconf) works correctly. Otherwise, returns an error. The only thing we don't check is that the SOA serial has been incremented because our DNS file editor does that automatically... _ From: bind-users-bounces+gord.taylor=rbc@lists.isc.org [mailto:bind-users-bounces+gord.taylor=rbc@lists.isc.org] On Behalf Of P.A Sent: 2010, June, 24 3:47 PM To: bind-us...@isc.org Subject: named-checkzone Hi, im trying to get some ideas how I can exec named-checkzone on a zone file that has just been executed. We have com users who edit zone files but forget to run the command when they are do editing the file. Trying to figure out if anyone has a good way of enforcing that the zone gets checked after its been edited. Thanks Paul. ___ This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Ce courriel peut contenir des renseignements protégés et confidentiels. L’expéditeur ne renonce pas aux droits et obligations qui s’y rapportent. Toute diffusion, utilisation ou copie de ce courriel ou des renseignements qu’il contient par une personne autre que le destinataire désigné est interdite. Si vous recevez ce courriel par erreur, veuillez m’en aviser immédiatement, par retour de courriel ou par un autre moyen. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: named-checkzone
My suggestion is to create a backup copy of the (current) zone files in another directory. Only allow the users to edit those files, then execute a shell script that checks them, and only moves them to the production directory once the named-checkzone (and named-checkconf) works correctly. Otherwise, returns an error. The only thing we don't check is that the SOA serial has been incremented because our DNS file editor does that automatically... From: bind-users-bounces+gord.taylor=rbc@lists.isc.org [mailto:bind-users-bounces+gord.taylor=rbc@lists.isc.org] On Behalf Of P.A Sent: 2010, June, 24 3:47 PM To: bind-us...@isc.org Subject: named-checkzone Hi, im trying to get some ideas how I can exec named-checkzone on a zone file that has just been executed. We have com users who edit zone files but forget to run the command when they are do editing the file. Trying to figure out if anyone has a good way of enforcing that the zone gets checked after its been edited. Thanks Paul. ___ This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Ce courriel peut contenir des renseignements protégés et confidentiels. Lexpéditeur ne renonce pas aux droits et obligations qui sy rapportent. Toute diffusion, utilisation ou copie de ce courriel ou des renseignements quil contient par une personne autre que le destinataire désigné est interdite. Si vous recevez ce courriel par erreur, veuillez men aviser immédiatement, par retour de courriel ou par un autre moyen. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named-checkzone
Hi, im trying to get some ideas how I can exec named-checkzone on a zone file that has just been executed. We have com users who edit zone files but forget to run the command when they are do editing the file. Trying to figure out if anyone has a good way of enforcing that the zone gets checked after its been edited. Thanks Paul. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: named-checkzone behavior change?
I see this was intentional. 2800. [func]Reject zones which have NS records which refer to CNAMEs, DNAMEs or don't have address record (class IN only). Reject UPDATEs which would cause the zone to fail the above checks if committed. [RT #20678] From: Jack Tavares Sent: Monday, May 10, 2010 12:54 PM To: Jack Tavares; bind-users@lists.isc.org Subject: RE: named-checkzone behavior change? Correction: I am calling named-checkzone not checkconf. this: named-checkconf -k ignore -n ignore -i none test.net. should read named-checkzone -k ignore -n ignore -i none test.net. the rest of the email is correct From: Jack Tavares Sent: Monday, May 10, 2010 12:49 PM To: bind-users@lists.isc.org Subject: named-checkzone behavior change? I have downloaded 9.7.0-P1 and I am running into something odd with named-checkzone I have a simple zone with an NS record that has no A or record. named-checkzone has flags to ignore this. and this same command (see below) worked in 9.6 but given this zone file test.net. 500 IN SOA d88.test.net. hostmaster.d88.test.net. 2010051001 10800 3600 604800 86400 test.net. 500 IN NS d88.test.net. gives zone test.net/IN: NS 'd88.test.net' has no address records (A or ) zone test.net/IN: not loaded due to errors. Is this a bug? or do I have a flag missing or incorrect? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: named-checkzone behavior change?
Correction: I am calling named-checkzone not checkconf. this: named-checkconf -k ignore -n ignore -i none test.net. should read named-checkzone -k ignore -n ignore -i none test.net. the rest of the email is correct From: Jack Tavares Sent: Monday, May 10, 2010 12:49 PM To: bind-users@lists.isc.org Subject: named-checkzone behavior change? I have downloaded 9.7.0-P1 and I am running into something odd with named-checkzone I have a simple zone with an NS record that has no A or record. named-checkzone has flags to ignore this. and this same command (see below) worked in 9.6 but given this zone file test.net. 500 IN SOA d88.test.net. hostmaster.d88.test.net. 2010051001 10800 3600 604800 86400 test.net. 500 IN NS d88.test.net. gives zone test.net/IN: NS 'd88.test.net' has no address records (A or ) zone test.net/IN: not loaded due to errors. Is this a bug? or do I have a flag missing or incorrect? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
named-checkzone behavior change?
I have downloaded 9.7.0-P1 and I am running into something odd with named-checkzone I have a simple zone with an NS record that has no A or record. named-checkzone has flags to ignore this. and this same command (see below) worked in 9.6 but given this zone file test.net. 500 IN SOA d88.test.net. hostmaster.d88.test.net. 2010051001 10800 3600 604800 86400 test.net. 500 IN NS d88.test.net. named-checkconf -k ignore -n ignore -i none test.net. gives zone test.net/IN: NS 'd88.test.net' has no address records (A or ) zone test.net/IN: not loaded due to errors. Is this a bug? or do I have a flag missing or incorrect? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users