DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-15 Thread Gary Wallis

Let's say I have this setup :

BIND 9.4 named.conf includes a master.zones file with the following:

...
zone ns1.yourdomain.com {
type master;
file master/external/n/ns1.yourdomain.com.signed;
};

zone ns2.yourdomain.com {
type master;
file master/external/n/ns2.yourdomain.com.signed;
};

zone yourdomain.com {
type master;
file master/external/y/yourdomain.com.signed;
};
...

More background for question below:

yourdomain.com is, I gather, the zone APEX for all featured zones 
above. (Is this the correct use of the term APEX?)


I am learning via trial and error about transitioning from DNS to DNSSEC 
and we have these child zones (is ns1.yourdomain.com really a child 
zone, as regards the setup above?) that currently have precedence over 
the parent zone yourdomain.com for conflicting A records. For example:


If

ns1 A 123.123.123.123

is placed in yourdomain.com zone.

And a similar RR is placed in ns1.yourdomain.com zone, like:

ns1 IN A 10.0.0.1

And named reloaded.

dig @localhost ns1.yourdomain.com A +short

will return 10.0.0.1, the parent A RR is ignored.

Questions:

If I sign these three zones with their own KSK and ZSK pairs will DNSSEC 
be broken? Or will it work as above?


Would the chain of trust be broken unless we provide the external 
parent (in this example case the .com TLD) with all public keys? (Or the 
keys wrapped in a single key?)


Is this a case where we would use DS RRs or some similar scheme in the 
apex zone?


Or should we just not allow child zones at all on our authoritative NS? 
That of course would make this mess (and my confusion about it) go away.


But it would be great to hear from a BIND expert about this. And please 
correct my probable confusion and incorrect use of DNSSEC jargon.


Best regards,
Gary

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC HW Support

2010-03-16 Thread Gary Wallis

I'd like to get your feedback on the following thoughts regarding DNSSEC HW 
support.

Any layer 2 or 3 devices forwarding frames or packets should not be affected by 
the implementation of DNSSEC regardless of the type of protocol (TCP/UDP) or 
the query size (large or small).

Layer 4 devices (smart switches) should not be affected by the implementation 
of DNSSEC using the same logic.

My thoughts are these products simply forward data based on a frame, IP 
address, or protocol and should not be affected by the implementation of 
DNSSEC. Would you agree?

Thanks in advance.



I think you are basically correct except for one very important caveat:

DNS BGP anycasting (in widespread use by many large operations), where 
you might need to sign zones on the fly with special crypto hardware.



Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Gary Wallis

Sam Wilson wrote:

In article mailman.814.1268703621.21153.bind-us...@lists.isc.org,
 Gary Wallis wgg1...@gmail.com wrote:


Let's say I have this setup :

BIND 9.4 named.conf includes a master.zones file with the following:

...
 zone ns1.yourdomain.com {
 type master;
 file master/external/n/ns1.yourdomain.com.signed;
 };

 zone ns2.yourdomain.com {
 type master;
 file master/external/n/ns2.yourdomain.com.signed;
 };

 zone yourdomain.com {
 type master;
 file master/external/y/yourdomain.com.signed;
 };
...

More background for question below:

yourdomain.com is, I gather, the zone APEX for all featured zones 
above. (Is this the correct use of the term APEX?)


Parent, as Mark has already pointed out.


Got that :)

It would be nice to know what a zone apex is, since what I have found on 
the web so far is pretty self-referential.




I am learning via trial and error about transitioning from DNS to DNSSEC 
and we have these child zones (is ns1.yourdomain.com really a child 
zone, as regards the setup above?) that currently have precedence over 
the parent zone yourdomain.com for conflicting A records. For example:


If

ns1 A 123.123.123.123

is placed in yourdomain.com zone.


Some nitpicking - I'm not a DNSSEC expert and I'm not commenting on that 
part of your question.  Including this record would normally be an 
error.  ns1.yourdomain.com is delegated into its own zone and the A 
record should be in that zone, not in the parent zone.[1]





And a similar RR is placed in ns1.yourdomain.com zone, like:

ns1 IN A 10.0.0.1


If you place ns1 in the zone ns1.yourdomain.com then the name will be 
ns1.ns1.yourdomain.com.  If you force the name to be ns1.yourdomain.com 
[2] then that A record should override the one in the parent zone (see 
[1] again).



Good job! You spotted my error/typo; the test setup actually is:

...
@ IN A 10.0.0.1
...

for ns1.yourdomain.com zone file




And named reloaded.

dig @localhost ns1.yourdomain.com A +short

will return 10.0.0.1, the parent A RR is ignored.


Correct - see above

Can't answer your DNSSEC queries, but I'm not sure if they're relevant 
if you correct the above.


Regarding my main question:

How to delegate signing authority from parent yourdomain.com to child 
ns1.yourdomain.com.



In this case in the same BIND configuration (same named daemon) as shown 
above in the named.conf frag.


I also need to know if the initial zone signing has to be changed, i.e. 
sign the parent and child zones differently etc.


It seems that I need to provide the child DS record from 
dsset-ns1.yourdomain.com that was generated by dnssec-signzone when I 
signed the child.


dsset-ns1.yourdomain.com contents:

ns1.yourdomain.com. IN DS 181 5 1 
FD110AAAFAC8101DD8EC946FD5B62FDC9B012EA1


That would go in the yourdomain.com parent db file. But I imagine some 
other steps are needed and I'm not sure what they are.


I am reading about DS records now. But if anyone has a short how-to (or 
listing of bash commands) for this simple case that would be great.


I still have to set up a DNSSEC resolver to be able to test my test 
auth DNS server, and will provide results and a how-to if I manage to 
get this internal DNSSEC parent-child delegation working on my own.




Sam


[1] UNLESS ns1.yourdomain.com is also the name of one of the nameservers 
for a child zone in which case that record would be a glue record which 
would be valid in the parent zone.  It would normally be superseded by 
the corresponding A record in the child zone which is regarded as a more 
trustworthy source of data. There are various ways by which a server for 
the parent zone can learn the correct data from the child zone.


This is what I know from experience but have never seen written 
anywhere. Thx!




[2] You can do that by using the @ sign in the LHS of the A RR, or by 
using a fully qualified name (inflexible), or by using the $ORIGIN 
directive,  or by leaving the name blank at the head of the zone 
(slightly risky).  Of these @ is the one mostly recommended.


Good. We started using @ several years ago but did not know about all 
these details and differences you mention.






Thanks all!


Re: DNSSEC and child zones on same authoritative NS. Expert help needed.

2010-03-16 Thread Gary Wallis

Alan Clegg wrote:

Gary Wallis wrote:

[other stuff snipped out]


Regarding my main question:

How to delegate signing authority from parent yourdomain.com to child
ns1.yourdomain.com.


Insert the DS records from the child into the parent and re-sign the parent.


I still have to set up a DNSSEC resolver to be able to test my test
auth DNS server, and will provide results and a how-to if I manage to
get this internal DNSSEC parent-child delegation working on my own.


http://www.isc.org/files/DNSSEC_in_6_minutes.pdf

AlanC


Test system working. Many thanks to everybody.

Cheers!
Gary


Re: threading and linux (2.6.

2010-03-16 Thread Gary Wallis

Jack Tavares wrote:

Hello -

 


What is the default build on linux (2.6) with regard to threads.

If I don't explicitly enable or disable threads, does named

run threaded or unthreaded?


Threaded.



 


Thanks

--

jack








Re: dnssec signing tools

2010-03-20 Thread Gary Wallis

groups wrote:

I should have been more specific.. What dnssec tools do the folks at ISC
recommend..   I am scheduled for a 5 day class in Arlington, VA in May 2010

Thx
Charles

Greetings list..
I have recently assumed responsibility and did a
complete rebuild of a Master DNS server running 9.6.1.P3. (will 
upgrade to 9.6.2 when SRPM is available)

OS: CentOS 5.4

New  to DNS administration but not new to Linux / UNIX..

I am looking at dnssec-tools for signing my 2 zones.
Am curious if anyone on the list has used  / is using
this tool..

Thx
Charles


Charles,

You can do all you need with these two:

dnssec-keygen
dnssec-signzone

These ARE from the ISC and come with BIND 9 since I think 9.3.

Cheers!
Gary


Re: Forwarded PTR records not working properly

2010-04-02 Thread Gary Wallis

Alexander Fortin wrote:
Hi folks. I'm having problems trying to set up a DNS forwarding zone for 
PTR records.


The weird thing is that normal DNS zones are working fine, but using the 
same configuration for the corresponding *.in-addr.arpa zone doesn't 
work. What seems very strange to me is that queries using host work but 
with dig they don't.


The scenario involves my master DNS server trying to ask those records 
from a VPN-connected DNS authoritative server (which unfortunately I 
cannot transfer from). Of course, if I query directly the remote DNS 
server I get answers for both zones:


$ dig @192.168.20.21 hrsrv.mydomain.locale

; <<>> DiG 9.5.1-P3 <<>> @192.168.20.21 hrsrv.mydomain.locale
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50067
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hrsrv.mydomain.locale.   IN  A

;; ANSWER SECTION:
hrsrv.mydomain.locale.  3600    IN  A   192.168.20.11

;; Query time: 696 msec
;; SERVER: 192.168.20.21#53(192.168.20.21)
;; WHEN: Fri Apr  2 14:45:55 2010
;; MSG SIZE  rcvd: 53

but...

$ dig @192.168.20.21 192.168.20.11 PTR



Try dig @192.168.20.21 -x 192.168.20.11

Cheers!
Gary

--
AM Support Staff
Unixservice, LLC.
+1 310-356-6265
+1 630-206-9449
http://unixservice.com


Re: Forwarded PTR records not working properly

2010-04-02 Thread Gary Wallis

Hope this is helpful:

Your d.c.b.a.in-addr.arpa zone may not have the correct data in it. 
Since dig shows no answer for that specific query.


If you have not already, learn how to use:

named-checkconf
named-checkzone

Check your named.conf and all files therein included, then check again. 
(Make sure your zone db file serial number is incremented on every change.)


Then rndc reload when needed...etc..

Dear Watson, I believe that the problem lies with one or more passive 
and/or active components plus user error. (Slow day, what can I say :)


Cheers!
Gary

--
AM Support Staff.
Unixservice, LLC.
+1 310-356-6265
+1 630-206-9449
http://unixservice.com


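The two replies above turn on one detail: "dig 192.168.20.11 PTR" asks for a name that is merely spelled like an address, while "dig -x" asks for the reversed octets under in-addr.arpa. The script below is an added example (not code from this thread or from dig) that derives those names: reverse_name() gives the PTR owner name that -x queries for, and reverse_zone() gives the zone a whole block is delegated in, the d.c.b.a.in-addr.arpa zone mentioned in the second reply. It goes a little beyond the thread by also handling IPv6 (ip6.arpa nibbles) and by refusing prefixes that do not fall on an octet or nibble boundary, where no plain reverse zone can exist. The IPv4 addresses are the ones from the thread; the IPv6 ones are constructed documentation-range values.

```python
"""Derive reverse-lookup names the way 'dig -x' does.

Added example, not code from the bind-users thread or from dig.
Sample addresses are the thread's RFC 1918 values plus constructed
2001:db8::/32 documentation addresses.
"""
import ipaddress


def reverse_name(address: str) -> str:
    """PTR owner name for a single IPv4 or IPv6 address (what 'dig -x ADDRESS' queries)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")
        suffix = ["in-addr", "arpa"]
    else:
        labels = list(ip.exploded.replace(":", ""))  # 32 nibbles, leading zeros kept
        suffix = ["ip6", "arpa"]
    return ".".join(list(reversed(labels)) + suffix) + "."


def reverse_zone(cidr: str) -> str:
    """Reverse zone name for a block; the prefix must sit on an octet (v4) or nibble (v6) boundary."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{cidr}: /{net.prefixlen} is not octet-aligned; "
                             "a plain reverse zone cannot hold it (RFC 2317 classless delegation applies)")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = ["in-addr", "arpa"]
    else:
        if net.prefixlen % 4:
            raise ValueError(f"{cidr}: /{net.prefixlen} is not nibble-aligned")
        labels = list(net.network_address.exploded.replace(":", ""))[: net.prefixlen // 4]
        suffix = ["ip6", "arpa"]
    return ".".join(list(reversed(labels)) + suffix) + "."


def in_reverse_zone(address: str, cidr: str) -> bool:
    """True when the PTR name for address lives under the block's reverse zone."""
    return reverse_name(address).endswith("." + reverse_zone(cidr))


if __name__ == "__main__":
    print(reverse_name("192.168.20.11"))      # what 'dig @server -x 192.168.20.11' asks for
    print(reverse_zone("192.168.20.0/24"))    # the zone that PTR must be served from
    print(reverse_name("2001:db8::1"))
    print(in_reverse_zone("192.168.20.11", "192.168.20.0/24"))
```

If reverse_zone() for the block the remote server is authoritative for does not match the zone name in the forwarding stanza, the forwarded query never reaches that server, which is one of the first things to compare when a forward zone works and the matching in-addr.arpa zone does not.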


Re: Delegation and recursion

2010-05-09 Thread Gary Wallis

Angela Perez wrote:

Hi,

I'm just writing to confirm that I have the correct understanding of
the relationship between delegation and recursion.

A bit of background: I'm responsible for an Internet-facing server
that has the following requirements. It should support recursion for
known (DMZ) clients and it should not support recursion for unknown
clients. It should also delegate subdomains to other name servers in
the organisation, for both known and unknown clients.

The issue is that if recursion is not allowed for external clients,
delegation breaks (i.e. results in No answer from nslookup which I
believe is a referral). Which kinda makes sense, if a query that is
delegated to another nameserver is classified as recursive rather than
iterative.

The question is, what is the preferred solution to this situation i.e.
an external facing nameserver that should not provide recursion but
delegate some of its subdomains to other nameservers that are
authoritative for them [subdomains].

A workaround is to set up the external nameserver as a slave for the
subdomains but is there any better solution?

Thank you in advance for reading my post, and I apologise if this is a
naive question but I couldn't find an answer in the BIND book or
manuals (perhaps the question is ill-posed). Recursion and delegation
are covered as separate topics, but from a resolver's perspective they
seem to be related (if not the same).

--angela


Angela,

You need to implement views. See BIND9 ARM.

You probably should use a BIND management system to help you organize 
all your enterprise NSs and DNS data.


See...

http://en.wikipedia.org/wiki/DNS_management_software

Cheers!
Gary


Re: Multi-mastering with dynamic updates

2010-05-17 Thread Gary Wallis

Phil Mayers wrote:

On 17/05/10 16:02, arcan...@free.fr wrote:

Hi all,

Like a lot of people over the web, I am looking for a clean 
multi-master (multi-primary) solution that allow dynamic updates.


Interesting. What's the use-case for this?


From my personal experience the most common use of master only NS 
systems is for complex view based setups that need to avoid the xfr 
problems of views to slaves.


Of course there are security issues. These are usually dealt with by 
having at least one (hopefully pristine) hidden master.






And like a lot of people over the web, I haven't found anything 
interesting.

Google hasn't been friendly for now :/

I have tried :
- bind-dlz over brbd doesn't allow dynamic updates.
- rsync the .jnl files needs a rndc reload (it's not clean).
- slaughtering virgins for bind's god(s) is a little dirty (well, I 
haven't tried this [yet]..).

- ...

Can someone give me a hint ?


Google for unxsBind (Bind9+ multi name server set and multiple end user 
DNS manager). It does use local per-master rndc commands but not rsync; 
instead it uses a different, SQL-based job queue mechanism for 
replication of master data that scales very well.




You are presumably aware that you can do allow-update-forwarding on 
slaves and they'll forward UPDATE packets to the master (and presumably 
then receive NOTIFY and do an IXFR to receive the updated zone)?




Cheers!
Gary


Re: Web forwarding in BIND

2010-05-20 Thread Gary Wallis

Hoover Chan wrote:

I'm new to this list but have been having trouble looking for information on 
this topic.

A pointer please to information on how to use BIND to translate a domain name to 
a target URL. For example, www.domain - 
http://www.someother.domain/folder1/folder2/index.html.

Thanks in advance.



You need to use Apache rewrite engine.

See:

http://www.addedbytes.com/for-beginners/url-rewriting-for-beginners/

for a simple intro.

Do not worry about the flak you will get; this is a typical DNS 
beginner/webmaster confusion.





-
Hoover Chan  hc...@mail.ewind.com  -or-  hc...@well.com
Eastwind Associates
P.O. Box 16646  voice: 415-731-6019  -or-  415-565-8936
San Francisco, CA 94116





Many reports of this type of problem...

2010-06-23 Thread Gary Wallis

DNS people,

CentOS 5 BIND rpm (9.3.6-P1-RedHat-9.3.6-4.P1.el5): widespread problem 
reports for a significant number of domains on amazonaws.com.


+trace fails but direct dig returns valid data, please look through 
the output below since it is shorter than trying to summarize:


[r...@node1vm unxsVZ]# dig @8.8.8.8 www.nourishinteractive.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @8.8.8.8 www.nourishinteractive.com

; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40337
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nourishinteractive.com.    IN  A

;; ANSWER SECTION:
www.nourishinteractive.com. 5753 IN CNAME 
ec2-174-129-200-33.compute-1.amazonaws.com.

ec2-174-129-200-33.compute-1.amazonaws.com. 5754 IN A 174.129.200.33

;; Query time: 1623 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 24 01:53:31 2010
;; MSG SIZE  rcvd: 113

[r...@node1vm unxsVZ]# dig @8.8.8.8 www.nourishinteractive.com +short
ec2-174-129-200-33.compute-1.amazonaws.com.
174.129.200.33
[r...@node1vm unxsVZ]# dig @8.8.8.8 www.nourishinteractive.com +trace

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @8.8.8.8 www.nourishinteractive.com +trace

; (1 server found)
;; global options:  printcmd
.   61990   IN  NS  d.root-servers.net.
.   61990   IN  NS  m.root-servers.net.
.   61990   IN  NS  i.root-servers.net.
.   61990   IN  NS  k.root-servers.net.
.   61990   IN  NS  a.root-servers.net.
.   61990   IN  NS  e.root-servers.net.
.   61990   IN  NS  b.root-servers.net.
.   61990   IN  NS  j.root-servers.net.
.   61990   IN  NS  c.root-servers.net.
.   61990   IN  NS  f.root-servers.net.
.   61990   IN  NS  h.root-servers.net.
.   61990   IN  NS  l.root-servers.net.
.   61990   IN  NS  g.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 1456 ms

com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.172800  IN  NS  m.gtld-servers.net.
;; Received 507 bytes from 202.12.27.33#53(m.root-servers.net) in 15032 ms

nourishinteractive.com. 172800  IN  NS  ns3.worldnic.com.
nourishinteractive.com. 172800  IN  NS  ns4.worldnic.com.
;; Received 121 bytes from 192.5.6.30#53(a.gtld-servers.net) in 35649 ms

;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
;; communications error to 205.178.190.2#53: end of file
www.nourishinteractive.com. 7200 IN CNAME 
ec2-174-129-200-33.compute-1.amazonaws.com.

.   518400  IN  NS  a.root-servers.net.
.   518400  IN  NS  b.root-servers.net.
.   518400  IN  NS  c.root-servers.net.
.   518400  IN  NS  d.root-servers.net.
.   518400  IN  NS  e.root-servers.net.
.   518400  IN  NS  f.root-servers.net.
.   518400  IN  NS  g.root-servers.net.
.   518400  IN  NS  h.root-servers.net.
.   518400  IN  NS  i.root-servers.net.
.   518400  IN  NS  j.root-servers.net.
.   518400  IN  NS  k.root-servers.net.
.   518400  IN  NS  l.root-servers.net.
.   518400  IN  NS  m.root-servers.net.
;; Received 516 bytes from 206.188.198.2#53(ns4.worldnic.com) in 6955 ms

[r...@node1vm unxsVZ]#


Anybody have an explanation for this?

Cheers!
Gary


Re: Zone transfer issue when using views

2010-08-31 Thread Gary Wallis

--[ UxBoD ]-- wrote:

Hi,

I am having an issue when transferring a zone from a Win2K8 server and receiving 
the error:

failed while receiving responses: unexpected error

Now I know why it is happening, just not how to cure it.  We have our primary 
business zones which are within a view and protected by ACLs. Our clients have 
their own views but also need to include the slaved Win2K8 domain. When BIND 
performs its transfers it attempts to pull across the Win2K8 slave for every 
view! This ends up in the journal being created by one view and then another 
attempting to overwrite it and getting a serial number mismatch.

How can I prevent this so only *our* view attempts the zone transfer? The 
other zones should still be able to query the slave information though.

I know this may sound heretical, but due to the complications encountered 
when using multiple views (in my case 16), I just decided to have all 
servers run as masters and use special DNS admin software for the 
replication. Works perfectly, no hassles with VIPs and routing, etc. etc.


Cheers,
Gary


Re: IPAM advantages (was Re: MySQL BIND SDB)

2010-11-17 Thread Gary Wallis

Chris Buxton wrote:

On Nov 16, 2010, at 12:44 PM, Gary Wallis wrote:

IPAM is an Infoblox proprietary system that Cricket Liu is involved with.


No.

IPAM = IP Address Management. It is not a product, but rather a product 
category. I believe the term was coined by Lucent, or whoever owned QIP at the 
time, sometime in the mid-90's. (I could be wrong, though.)

Infoblox offers an IPAM solution. I will make no comment on its relative merits 
versus the competition; I work in the industry. The following companies also 
offer commercial IPAM solutions (list is not exhaustive):

BlueCat Networks (Proteus)
Men & Mice (the eponymous Suite)
Vital/Lucent/Alcatel (QIP)
BT (DiamondIP)

There is at least one real F/OSS IPAM solution, NetReg from Carnegie Mellon 
University.

C/Panel, Webmin, and other systems like that are system management solutions, 
not IPAM solutions.

Regards,
Chris Buxton
BlueCat Networks


Thanks for the correction and the updated list of IPAM software providers.

My main point is that I think that Karl was right about the advantages 
of managed DNS systems. IPAM is much more than DNS management (too much 
more for some in many cases.) Centralized DNS management is cool, 
especially FOSS tools that may help you manage a large cluster of 
ISC/BIND servers.


(If we use FOSS BIND, why should we support anti-FOSS businesses like 
many mentioned above?)


Cheers!
Gary


Re: DIG Source IP

2010-12-09 Thread Gary Wallis

John Williams wrote:
If I have a Linux host with multiple IPs, is there a way to utilize the DIG 
command such that the query appears like it's coming from different IP 
addresses?


So if I have 10 virtual IPs, is there a way to control the source IP of the 
query?


I've referenced the DIG man page and it doesn't appear to be possible.  Thanks 
in advance.




  

Not supported. But that would be a great feature for dig. Would make 
testing views or other ACL-related issues much easier.


Cheers,
Gary


Re: DIG Source IP

2010-12-09 Thread Gary Wallis

Gary Wallis wrote:

John Williams wrote:
If I have a Linux host with multiple IPs, is there a way to utilize 
the DIG command such that the query appears like it's coming from 
different IP addresses?


So if I have 10 virtual IPs, is there a way to control the source IP 
of the query?


I've referenced the DIG man page and it doesn't appear to be 
possible.  Thanks in advance.





Not supported. But that would be a great feature for dig. Would make 
testing views or other ACL-related issues much easier.


Cheers,
Gary



Whoops... -b has been available for some time.

OPTIONS
   The -b option sets the source IP address of the query to address. 
   This must be a valid address on one of the host's network interfaces 
   or 0.0.0.0 or ::. An optional port may be specified by appending #port

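Since the point of -b in this thread is testing views and ACLs, which named selects by the client's source address, here is an added example (not code from this thread or from ISC's dig) of what -b amounts to: a UDP socket bound to the chosen local address before the query is sent. The query is assembled by hand in RFC 1035 wire format so only the standard library is needed, and the reply is accepted only if its id and question echo the query, which is the same minimal check any client should make. Server, name and source addresses are hypothetical values passed on the command line; the build_query/parse_question pair can be exercised offline.

```python
"""Send a DNS query from a chosen source address, which is what 'dig -b' does.

Added example, not code from the bind-users thread or from dig. Server and
source addresses are hypothetical values supplied on the command line.
"""
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Minimal recursion-desired query with one question and no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {qname!r}")
        question += struct.pack("B", len(label)) + label.encode("ascii")
    return header + question + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet: bytes):
    """Return (txid, qname, qtype) from the question section; rejects truncated packets."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + n > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels) + ".", qtype


def reply_matches(query: bytes, reply: bytes) -> bool:
    """Accept a reply only if its id and question echo the query (basic spoofed-reply guard)."""
    return (len(reply) >= 12 and reply[:2] == query[:2]
            and parse_question(reply) == parse_question(query))


def query_from(source_ip: str, server_ip: str, qname: str, timeout: float = 3.0) -> bytes:
    """Send the query with the socket bound to source_ip and return the raw reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((source_ip, 0))          # the '-b' step: choose the source address
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        reply, _peer = sock.recvfrom(4096)
    if not reply_matches(query, reply):
        raise ValueError("reply does not match the query")
    return reply


if __name__ == "__main__":
    # usage: SERVER_IP NAME SOURCE_IP [SOURCE_IP ...]   (all hypothetical values)
    server, name, sources = sys.argv[1], sys.argv[2], sys.argv[3:]
    for src in sources:
        reply = query_from(src, server, name)
        rcode = struct.unpack("!H", reply[2:4])[0] & 0xF
        ancount = struct.unpack("!H", reply[6:8])[0]
        print(f"from {src}: rcode={rcode} answers={ancount} ({len(reply)} bytes)")
```

Running it once per virtual IP and comparing rcode and answer count per source is the view test the thread was after; a source address that lands in the wrong match-clients list shows up as a different answer for the same name.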


Re: transfer with views

2011-01-01 Thread Gary Wallis

Alan Clegg wrote:

On 1/1/2011 9:15 AM, Gary Wallis wrote:


You will need to setup one virtual IP for each extra view.


Not since very versions of BIND that are long-since EOL'd.  The FAQ goes
into how to use TSIG keys to deal with picking the right one.


This is what no one here addresses clearly and upfront:

The truth is that when you need N views, BIND transfer is a royal pain,
for almost all networks and IT departments.


Setting up views correctly is not simple.  If you HAVE to do it, it's
much easier to do it with BIND than it is to do it with alternative
methods (in my opinion).


Think about it.


Given choices, I think I'm in agreement with you: I'd choose to not do
views.

Based on the posts here, the OP is going to do views.  The best thing to
do is provide the best method of replicating those views to the machines
that are providing slave services without using external applications.

If it were me and I had no other choice than to use views, I'd get into
the system and re-wire everything using BIND 9.7.2 and write a set of
scripts that used rndc addzone and rndc delzone to control the
master and all of the slaves, configure TSIG keys to manage zone
transfers between hosts, etc.


Cheers!


and Happy New Year!

May 2011 be the best one before we all perish in the fires of whatever
is going to happen in 2012!  :)

AlanC

Much thanks! I will look into the TSIG key method for view transfers, 
and see if the very conservative (but that I am stuck with) CentOS BIND
version supports it.

Cheers!
Gary


Re: transfer with views

2011-01-01 Thread Gary Wallis


Alan Clegg wrote:

...

Given choices, I think I'm in agreement with you: I'd choose to not do
views.

Based on the posts here, the OP is going to do views.  The best thing to
do is provide the best method of replicating those views to the machines
that are providing slave services without using external applications.

If it were me and I had no other choice than to use views, I'd get into
the system and re-wire everything using BIND 9.7.2 and write a set of
scripts that used rndc addzone and rndc delzone to control the
master and all of the slaves, configure TSIG keys to manage zone
transfers between hosts, etc.


Cheers!


and Happy New Year!

May 2011 be the best one before we all perish in the fires of whatever
is going to happen in 2012!  :)

AlanC

Much thanks! I will look into the TSIG key method for view transfers, 
and see if the very conservative (but that I am stuck with) CentOS BIND
version supports it.

Cheers!
Gary



Found it in a Mark Andrews post:

http://www.mail-archive.com/bind-users@lists.isc.org/msg03593.html

Main snippet:

The general and robust solution is:

acl allviewkeys { key A; key B; key C; key D; };

// each match-clients statement sits in its own view stanza;
// "subnet X" stands for that view's client address list
view "A" { match-clients { key A; !allviewkeys; subnet A; }; /* zones for A */ };
view "B" { match-clients { key B; !allviewkeys; subnet B; }; /* zones for B */ };
view "C" { match-clients { key C; !allviewkeys; subnet C; }; /* zones for C */ };
view "D" { match-clients { key D; !allviewkeys; subnet D; }; /* zones for D */ };

This is easily expandable to many views without having to touch
each view when a new view is added.  The order of the match-clients
acl is important.

Cheers!
Gary


Re: Confused about /24 in-addr.arpa NS delegation debug problem

2011-01-07 Thread Gary Wallis

Thanks guys for all the feedback.

Yes, it seems like RIPE is involved, and The Planet (TP) refuses to fix the 
delegation, or says they can't because of RIPE, but that sounds funny to me, and 
I know that many TP tech support staffers know next to nil about DNS.


Have fun with DNS in 2011. Cheers!
Gary


Re: Forward using CNAME record

2011-01-25 Thread Gary Wallis

Henry Hartley wrote:
My apologies if this gets to the list twice. I tried to post it through 
the web interface but it seems to have been dropped by whatever 
screening gets applied.


I'm not sure if I've misunderstood the use of CNAME or if I've simply 
done something wrong.


I have two domains that I want to forward. One is working properly and 
the other is not. In both cases I want users to enter a URL in their 
browser (www.example.com) and be forwarded to a different system, where 
the user has their site. In the working case, the forwarding is to 
web.me.com so I have the following in my zone file:


www.example.com.   CNAME   web.me.com.

When you point your browser to www.example.com (obviously not
example) the page on web.me.com loads properly but www.example.com is 
still displayed in the address bar.


In the second case, which is NOT working, I have a similar CNAME record 
but instead of web.me.com, it's on tumblr.com. So, I have this (this is 
the actual domain):


www.ioanamorosan.com.  CNAME   ioanamorosan.tumblr.com.

If you go directly to ioanamorosan.tumblr.com, the site loads, but if 
you go to www.ioanamorosan.com, you get a tumblr.com 404 error page. The 
browser still displays www.ioanamorosan.com in the address bar.


So, is this a situation where web.me.com is set up to recognize 
www.example.com properly but tumblr.com is not? Or what?


Should I be able to do what I'm trying to do?

--
Henry



Do not confuse your forwarding with HTTP rewriting.

One is just about DNS records (CNAME, A or otherwise.) The other happens 
on the server side (see Apache rewrite engine docs.)


Usually both must be set up correctly to achieve your forwarding.

Cheers!
Gary


Re: Forward using CNAME record

2011-01-25 Thread Gary Wallis

Gary Wallis wrote:

Henry Hartley wrote:

...


In the second case, which is NOT working, I have a similar CNAME 
record but instead of web.me.com, it's on tumblr.com. So, I have this 
(this is the actual domain):


www.ioanamorosan.com.  CNAME   ioanamorosan.tumblr.com.

If you go directly to ioanamorosan.tumblr.com, the site loads, but if 
you go to www.ioanamorosan.com, you get a tumblr.com 404 error page. 
The browser still displays www.ioanamorosan.com in the address bar.


So, is this a situation where web.me.com is set up to recognize 
www.example.com properly but tumblr.com is not? Or what?


Should I be able to do what I'm trying to do?




About your second case:

This is not about DNS but about HTTP. Site tumblr uses the incoming HTTP 
request to provide content. Since it does not know anything about 
www.ioanamorosan.com it returns the 404.


Cheers!
Gary

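To make the point in Gary's reply concrete, here is an added example (not code from the thread) that models the two separate steps: the DNS lookup follows the CNAME to an address, and the HTTP request then carries the name the user typed in the Host header, which the web server matches against its own virtual-host table. All zone data, addresses and virtual-host tables below are constructed for the illustration.

```python
"""Constructed model: why a CNAME to a third-party host can still return 404.

DNS resolution and HTTP virtual-host selection are separate steps. The
browser resolves the typed name through the CNAME chain to an address, but
the request it sends to that address still says "Host: <typed name>". The
server picks content by that Host header, not by how the client found it.
"""

# Constructed zone data: name -> (rrtype, rdata). Addresses are from the
# documentation range 192.0.2.0/24 and are not real.
DNS = {
    "www.ioanamorosan.com.": ("CNAME", "ioanamorosan.tumblr.com."),
    "ioanamorosan.tumblr.com.": ("A", "192.0.2.10"),
    "www.example.com.": ("CNAME", "web.me.com."),
    "web.me.com.": ("A", "192.0.2.20"),
    "loop.example.": ("CNAME", "loop.example."),   # deliberate CNAME loop
}

# Constructed virtual-host tables: which Host header values each server
# knows. The server at .10 was never told about the custom domain; the
# server at .20 was.
VHOSTS_BY_IP = {
    "192.0.2.10": {"ioanamorosan.tumblr.com"},
    "192.0.2.20": {"web.me.com", "www.example.com"},
}


def resolve(name, max_chain=8):
    """Follow CNAMEs until an A record is reached. Returns (ip, chain).
    Raises ValueError on a CNAME loop or an over-long chain."""
    chain = []
    cur = name if name.endswith(".") else name + "."
    for _ in range(max_chain):
        chain.append(cur)
        rrtype, rdata = DNS[cur]
        if rrtype == "A":
            return rdata, chain
        if rdata in chain:
            raise ValueError("CNAME loop at %s" % rdata)
        cur = rdata
    raise ValueError("CNAME chain longer than %d" % max_chain)


def has_loop(name):
    """True if resolving `name` runs into a CNAME loop."""
    try:
        resolve(name)
        return False
    except ValueError:
        return True


def http_get(typed_name):
    """Model of a browser request: resolve the typed name, connect to the
    resulting address, and send the typed name as the Host header. The
    CNAME does not rewrite that header. Returns (status, host_header)."""
    ip, _chain = resolve(typed_name)
    host_header = typed_name.rstrip(".")
    if host_header in VHOSTS_BY_IP[ip]:
        return 200, host_header
    return 404, host_header


if __name__ == "__main__":
    for name in ("ioanamorosan.tumblr.com", "www.ioanamorosan.com", "www.example.com"):
        print(name, "->", http_get(name))
```

The fix for the second case therefore lives on the web server side: the target service has to be told that www.ioanamorosan.com is one of its virtual hosts, exactly as web.me.com evidently was for www.example.com.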


Re: Forward using CNAME record

2011-01-26 Thread Gary Wallis

p...@mail.nsbeta.info wrote:

Gary Wallis writes:



Do not confuse your forwarding with HTTP rewriting.
One is just about DNS records (CNAME, A or otherwise.) The other 
happens on the server side (see Apache rewrite engine docs.)


This is nothing about rewrite, but the webserver's virtual host stuff.
Regards.


Phy,

Thanks for your comment but from the OP:

When you point your browser to www.example.com (obviously not
example) the page on web.me.com loads properly but www.example.com is 
still displayed in the address bar.


The use of the word "still" clearly points to some type of confusion 
about rewrite and DNS.


Regards.


Re: multi-master with mysql backend

2011-02-08 Thread Gary Wallis

fddi wrote:


thank you for the thread you pointed me to.
Actually I do not have a performance issue, but I just need DNS multi-master.
I could successfully apply mysql-bind patches.
I have only one zone with a few hosts.

thank you very much

Riccardo


On 2/8/11 3:30 PM, Terry. wrote:

2011/2/8 fddif...@gmx.it:
I have considered dlz, but it does much more than simply a mysql 
backend and
seems way too complicated for my purpose.
In the end I am considering using this mysql-bind:

http://mysql-bind.sourceforge.net/


You may read this one of the mailing list archive:
https://lists.isc.org/pipermail/bind-users/2008-April/069884.html

Terry.





A nice way to deal with Riccardo's needs is to use ISC BIND 
configured statically (keeping all the advantages of a pure BIND system) 
but fed from a MySQL database that has web apps for end users to manage 
their own zone data. BIND was not meant for end users with little to no 
DNS expertise to manage their RRs. Some middleware is required.


This is not a new concept; it developed from pure dynamic websites to 
ones that printed static copies of their pages. Now proxies are also 
used, as well as memcache for SQL query caching.


See Wikipedia for DNS management software.

Cheers!
Gary


check-names via command line

2012-07-10 Thread Gary Wallis
Is there a way to check names via the command line (like with a 
named-checkzone type tool)?


I need to validate zone info BEFORE trying to load, log frag:

10-Jul-2012 11:36:02.199 general: zone growXeg.com/IN/external: loading 
master file master/external/g/growXeg.com: bad name (check-names)
10-Jul-2012 11:38:01.815 general: dns_rdata_fromtext: 
master/external/g/growXeg.com:3: near 'uk.hostmas...@telxxity.com.': bad 
name (check-names)


(X added for some privacy.)

Thanks!


Re: check-names via command line

2012-07-10 Thread Gary Wallis

On 7/10/2012 13:08, Chris Thompson wrote:

On Jul 10 2012, I wrote:


On Jul 10 2012, Gary Wallis wrote:


Is there a way to check names via the command line (like with a
named-checkzone type tool.)

[...]

Check out the -k option of named-checkzone. It defaults to warn anyway,
but you may want to use fail.


Well, I have to take that back. As far as I can see the -k option of
named-checkzone has no effect at all, despite the man page, at least
with BIND 9.8.3-P1.


Thank you. Maybe this will be fixed?

It would be great to have named-checkzone be an authoritative tool as 
far as zone syntax, rules and other error checking goes.




Re: check-names via command line

2012-07-10 Thread Gary Wallis

On 7/10/2012 17:04, Evan Hunt wrote:

Well, I have to take that back. As far as I can see the -k option of
named-checkzone has no effect at all, despite the man page, at least
with BIND 9.8.3-P1.


Thank you. Maybe this will be fixed?

It would be great to have named-checkzone be an authoritative tool as
far as zone syntax, rules and other error checking goes.


It works for me.  What errors are you trying to check for that
named-checkzone -k isn't finding?




Solved, version issue, named-checkzone works great thanks!
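For readers who want to see what check-names actually rejects in the log lines Gary posted, here is an added example (not from the thread and not BIND's code) that applies the same hostname rules (RFC 952/1123 letters, digits and hyphens) to a small constructed zone. The list of which fields named inspects follows the BIND ARM description of check-names: owner names of A, AAAA and MX records, and the domain names in the RDATA of NS, SOA, MX and SRV records. The zone text, names and addresses are constructed; the bad SOA RNAME mirrors the mistake in the posted log, where the mailbox was written with a literal '@' instead of a dot.

```python
"""Constructed approximation of named's check-names rules, applied to a
small zone file. Not BIND code; it only mirrors the documented behaviour."""

import re

# One label of a host name: starts and ends with a letter or digit, may
# contain hyphens in between, at most 63 octets.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_hostname(name):
    """RFC 952/1123 host name check as check-names applies it. A leading
    "*" label (wildcard) is accepted for owner names. The root is valid."""
    labels = name.rstrip(".").split(".")
    if labels == [""]:
        return True
    if labels[0] == "*":
        labels = labels[1:]
    if len(".".join(labels)) > 253:
        return False
    return all(LDH_LABEL.match(label) for label in labels)


def is_mailbox(name):
    """SOA RNAME: the first label is the mailbox local part and may hold
    any characters; the remaining labels must form a valid host name.
    Writing hostmaster@example.com. instead of hostmaster.example.com.
    leaves '@' inside the second label, which fails this check."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return is_hostname(".".join(labels[1:]))


OWNER_CHECKED = {"A", "AAAA", "MX"}        # owner name must be a host name
RDATA_TARGET_CHECKED = {"NS", "MX", "SRV"}  # last RDATA field is a host name


def check_zone(lines):
    """Return [(line number, message)] for names that would fail check-names.
    Accepts one record per line with absolute names:
    owner [ttl] [class] type rdata..."""
    problems = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split(";", 1)[0].strip()     # drop comments
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
            rest = rest[1:]
        if not rest:
            continue
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in OWNER_CHECKED and not is_hostname(owner):
            problems.append((lineno, "owner %s: bad name (check-names)" % owner))
        if rtype == "SOA" and len(rdata) >= 2:
            if not is_hostname(rdata[0]):
                problems.append((lineno, "SOA MNAME %s: bad name (check-names)" % rdata[0]))
            if not is_mailbox(rdata[1]):
                problems.append((lineno, "SOA RNAME %s: bad name (check-names)" % rdata[1]))
        elif rtype in RDATA_TARGET_CHECKED and rdata and not is_hostname(rdata[-1]):
            problems.append((lineno, "%s target %s: bad name (check-names)" % (rtype, rdata[-1])))
    return problems


# Constructed zone: line 1 has the '@'-style RNAME, line 6 an underscore
# in an A record owner; the SRV owner with underscores is fine because
# SRV owner names are not checked.
ZONE = """\
example.com. 3600 IN SOA ns1.example.com. uk.hostmaster@example.com. 2012071001 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN MX 10 mail.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
mail.example.com. 3600 IN A 192.0.2.2
bad_host.example.com. 3600 IN A 192.0.2.3
_sip._tcp.example.com. 3600 IN SRV 0 5 5060 sip.example.com.
*.example.com. 3600 IN A 192.0.2.4
""".splitlines()

if __name__ == "__main__":
    for lineno, msg in check_zone(ZONE):
        print("line %d: %s" % (lineno, msg))
```

With a working BIND this is what named-checkzone -k fail does before the zone is loaded, which is the pre-load validation step the thread was after; the script above is only useful for seeing why a given name is rejected.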


What happens when one out of three NSs are down?

2013-06-11 Thread Gary Wallis

DNS experts:

What really happens in the real world when 1 out of three authoritative 
NSs is down for 30 minutes due to a datacenter outage?


For example, we have 3 NSs:

ns1.someisp.net 12.23.34.45
ns2.someisp.net 23.34.45.56
ns3.someisp.net 34.45.56.67

All in different datacenters.
All are authoritative for a given zone.
All have the same zone data and SOA serial number for the zone.

Where the datacenter handling ns3 broke routing (mistake in new router 
configuration) for 34.45.56.0/24 and ns3 is no longer reachable.


I think I have a grasp on the basic theory here, but in practice, the 
unreachable ns3 nameserver creates problems for a small group of 
customers trying to reach web sites with zones hosted by these three 
authoritative NSs.


Will round robin glue NS records help?

Can quick or automated changes at the registrar of the ns3 IP help? For 
example, to change to a hot spare in some other datacenter? In this case 
would the running NSs also have to have the changed NS A record match?


Any comments and best practice solution info very welcome.

Thank you,
Gary Wallis
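As an added illustration of the "basic theory" Gary refers to (not code from the thread, and not a model of any particular resolver's implementation), here is a small simulation of how a caching resolver with round-trip-time based server selection behaves when one of three authoritative servers stops answering: the first query that happens to pick the dead server pays a full timeout before retrying another server, and the penalty it records then keeps later queries away from that server. The NS names, addresses, timeouts and RTTs are all constructed.

```python
"""Constructed model of a caching resolver facing one unreachable
authoritative server. Timeouts and RTTs are illustrative, not measured."""

# Constructed NS set; addresses are from documentation prefixes.
NS_SET = {
    "ns1.someisp.net": "192.0.2.1",
    "ns2.someisp.net": "198.51.100.1",
    "ns3.someisp.net": "203.0.113.1",
}


class Resolver:
    """Minimal SRTT-style selection: each server carries an estimated
    round-trip time; the resolver tries the lowest first, moves to the
    next server after a timeout, and penalises the one that timed out so
    later queries avoid it. Real resolvers also decay the penalty so a
    repaired server is retried after a while."""

    def __init__(self, servers, initial=None, timeout_ms=800, penalty_ms=5000):
        self.srtt = {name: 0.0 for name in servers}
        self.srtt.update(initial or {})
        self.timeout_ms = timeout_ms
        self.penalty_ms = penalty_ms

    def query(self, network):
        """network(server) -> rtt in ms, or None if no reply ever comes.
        Returns (answering server, total elapsed ms, attempts made)."""
        order = sorted(self.srtt, key=lambda s: (self.srtt[s], s))
        elapsed = 0.0
        for attempt, server in enumerate(order, 1):
            rtt = network(server)
            if rtt is None or rtt > self.timeout_ms:
                elapsed += self.timeout_ms          # waited the full timeout
                self.srtt[server] += self.penalty_ms
                continue
            elapsed += rtt
            # Smooth the estimate toward the observed RTT.
            self.srtt[server] = 0.7 * self.srtt[server] + 0.3 * rtt
            return server, elapsed, attempt
        raise RuntimeError("SERVFAIL: no authoritative server reachable")


def outage_network(down):
    """Constructed network: every server answers in 40 ms except those in
    `down`, which never answer (routing to their prefix is broken)."""
    def net(server):
        return None if server in down else 40.0
    return net


def simulate(queries=3, down=("ns3.someisp.net",)):
    """A resolver that, from earlier history, prefers ns3 (lowest SRTT)
    sends `queries` lookups while ns3 is unreachable."""
    resolver = Resolver(NS_SET, initial={
        "ns1.someisp.net": 60.0, "ns2.someisp.net": 70.0, "ns3.someisp.net": 20.0})
    return [resolver.query(outage_network(set(down))) for _ in range(queries)]


def all_down_is_servfail():
    """With every server unreachable the resolver can only fail."""
    try:
        Resolver(NS_SET).query(outage_network(set(NS_SET)))
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    for server, ms, attempts in simulate():
        print("answered by %s after %.0f ms (%d attempt(s))" % (server, ms, attempts))
```

The model shows where the "small group of customers" in the question comes from: only resolvers whose history made ns3 their first choice see the delay, and typically only on the first query after the outage; every resolver that starts cold works through the NS set in its own order, so some fraction of them pay one timeout. Changing the NS address at the registrar does not help those resolvers within the 30-minute window, because the glue and cached NS records have their own TTLs, and the zone's own NS/A records on the surviving servers must match whatever the parent publishes.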


Public facing authoritative NS all masters

2014-07-12 Thread Gary Wallis

DNS experts,

What are the drawbacks, if any, of running only master name servers for 
the set of authoritative NSs?


For example given:

[root@rc37 unxsVZ]# dig latimes.com NS +short
dns1.tribune.com.
dns2.tribune.com.
dns4.tribune.com.
dns3.tribune.com.

Where all 4 dnsN servers are in fact masters (this is just a 
hypothetical; the NSs above are most likely secondary servers).


Thank you!


Public facing authoritative NS all masters

2014-07-13 Thread Gary Wallis

Hello,

What are the drawbacks, if any, of running only master name servers for 
the set of authoritative NSs?


For example given:

[root@rc37 unxsVZ]# dig latimes.com NS +short
dns1.tribune.com.
dns2.tribune.com.
dns4.tribune.com.
dns3.tribune.com.

Where all 4 dnsN servers are in fact masters (this is just a 
hypothetical; the NSs above are most likely secondary servers).


Thank you!


Re: Public facing authoritative NS all masters

2014-07-14 Thread Gary Wallis

Thank you Tony and Joseph,

I think you have explained this well, and most importantly, exposed the 
underlying issues.


Best regards,
Gary

On 7/14/2014 06:27, Tony Finch wrote:

Gary Wallis wgg1...@gmail.com wrote:


What are the drawbacks, if any, of running only master name servers for the
set of authoritative NSs?


That depends entirely on how you are replicating the zone data.

The DNS's own replication (AXFR, IXFR, NOTIFY, TSIG) is pretty hard to
beat: it is fast, secure, and copes gracefully with outages.

Tony.



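To show what Tony means by the DNS's own replication being hard to beat, here is an added example (not from the thread, not BIND code) of the two pieces a secondary relies on: RFC 1982 serial number arithmetic, which is how a secondary decides whether the primary's SOA is newer even across a 32-bit wrap, and the IXFR-or-AXFR decision that follows. The last function shows the failure mode of an all-masters setup that is replicated out of band: servers that advertise the same serial but hold different data, a state that zone transfers would never correct because the serial says nothing changed. Server names and records are constructed.

```python
"""RFC 1982 serial comparison, the secondary's transfer decision, and a
check for split-brain zone data. Constructed example, not BIND code."""

import hashlib

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)
MOD = 1 << SERIAL_BITS


def serial_gt(a, b):
    """RFC 1982: `a` is newer than `b` if they differ and `a` lies less than
    2^31 ahead of `b` in the wrapping 32-bit space. The comparison is
    undefined when they are exactly 2^31 apart; this returns False then."""
    a %= MOD
    b %= MOD
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


def transfer_decision(primary_serial, secondary_serial, journal_serials):
    """What a secondary does after a NOTIFY or a refresh-timer SOA query.
    journal_serials: serials for which the primary still has incremental
    journal data. Returns 'up-to-date', 'ixfr' or 'axfr'."""
    if not serial_gt(primary_serial, secondary_serial):
        return "up-to-date"
    if secondary_serial in journal_serials:
        return "ixfr"      # primary can send only the deltas
    return "axfr"          # secondary is too far behind; full copy


def zone_digest(records):
    """Order-independent digest of a record set, for comparing servers."""
    return hashlib.sha256("\n".join(sorted(records)).encode()).hexdigest()


def find_divergence(views):
    """views: {server: (serial, records)}. Returns server pairs that claim
    the same serial but hold different data. With transfers (AXFR/IXFR)
    this cannot arise; with independently edited masters it can, and the
    equal serial hides it from every SOA-based check."""
    items = sorted(views.items())
    diverged = []
    for i, (s1, (ser1, rec1)) in enumerate(items):
        for s2, (ser2, rec2) in items[i + 1:]:
            if ser1 == ser2 and zone_digest(rec1) != zone_digest(rec2):
                diverged.append((s1, s2))
    return diverged


# Constructed view of three "masters" edited independently: dns3 got a
# different www address but the same serial as the others.
VIEWS = {
    "dns1.example.net": (2014071401, ["www A 192.0.2.1", "mail A 192.0.2.2"]),
    "dns2.example.net": (2014071401, ["www A 192.0.2.1", "mail A 192.0.2.2"]),
    "dns3.example.net": (2014071401, ["www A 192.0.2.9", "mail A 192.0.2.2"]),
}

if __name__ == "__main__":
    print(transfer_decision(2014071402, 2014071401, {2014071401}))
    print(find_divergence(VIEWS))
```

A routine defence for the all-masters case is exactly this kind of comparison run from outside: query the SOA and the record set from every listed NS and alert when serials agree but answers differ. With AXFR/IXFR plus NOTIFY and TSIG the check is mostly redundant, because a secondary only ever holds what the primary sent it.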


Re: Best practices for ipv6

2015-12-17 Thread Gary Wallis

Hi,

This pdf is a very good intro with very valid best practices:


http://www.enog.org/presentations/enog-6/196-FerencCsorba-IPv6-Fundm-BestPracts.pdf

Cheers!
Gary Wallis
Unixservice, LLC.


On 12/16/2015 00:09, John W. Blue wrote:

I have found https://ipv6.he.net to be helpful.

John

Sent from Nine <http://www.9folders.com/>

*From:* Elias Pereira <empbi...@gmail.com>
*Sent:* Dec 15, 2015 9:03 PM
*To:* bind-users@lists.isc.org
*Subject:* Best practices for ipv6

Hello guys,

I would like to know what the best practices or better bind
configuration methods are with ipv6?

Thank you!

--
Elias Pereira







Re: BIND 9 API & GUI

2016-07-28 Thread Gary Wallis

On 7/28/2016 14:00, Chris Buxton wrote:

Kirk,

Have a look at the commercial offerings. All of them offer a GUI and an API for 
managing BIND servers, including managing zones and records. Some of them are 
limited to managing their own appliances. Some of them do offer the ability to 
overlay on existing BIND servers, too, though.

BlueCat
Men & Mice
Infoblox
EfficientIP
Vital QIP
DiamondIP


One more...

mysqlBind/unxsBind FOSS/GPL
Unixservice.com, see Wikipedia DNS management software
https://en.wikipedia.org/wiki/MysqlBind



I'm sure there are more that I'm forgetting.

Please note: I am a current and former employee of two of these vendors.

