Using TCP for checking

2009-04-07 Thread Mark Elkins
I'm involved in the CO.ZA Registry. In the process of registering a
domain name in the co.za zone - we do a bunch of DNS checks using
'dig'. 

for each nameserver, 
  a) check that the zone exists (fetch the SOA), 
  b) fetch the NS RRSet count and compare entries.
  c) if Nameserver inside the domain being registered (glue needed)
i) check the reverse glue (can be multiple v4 + v6 addresses)
ii) check each reverse has a forward


Currently - many of these (dig-9.4.1) checks include the flags +time=9
+retry=5..

..the assumption being that for any 'dig' action - try, timeout 9
seconds - repeat another 5 times... - so a totally failed lookup would
take 54 seconds... however - an ethernet trace/dump seems to indicate
queries go out one after the other - with little inter-query delay..

If we do a lookup with UDP - a low but significant number of 'digs' fail
- which results in our checks failing - and the registration checking
process delaying that particular registration for a few hours.

If we switch to using TCP for 'dig' lookups - the failure rate
basically disappears to Zero. This would result in happier customers
(less registration delays).

I've always been taught (and teach others) to use UDP and not TCP for
DNS queries - but in the case of a registry checking for info like we do
- would it not be politically correct to instead do TCP checks?

What does the net-dns wisdom say?

My current thought is to do a UDP check (don't change timeout/retry from
default) and only if that fails - retry immediately with a TCP Check.
Others in my group are for using TCP immediately.

-- 
  .  . ___. .__  Posix Systems - Sth Africa.  e.164 VOIP ready
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
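The UDP-then-TCP fallback proposed in this post, applied to checks (a) and (b), as an added Python example (not the CO.ZA registry's own code): the real dig is only called from the script entry point, and the fake_dig data is constructed to show each outcome offline.

```python
"""UDP-first, TCP-fallback checks of a candidate nameserver in the shape of
the registration checks above: (a) the zone exists (SOA) and (b) the served
NS RRset matches the set being registered.  Added example, not the registry's
own code.  The query runner is injectable, so the policy can be exercised
offline with the constructed fake_dig below; run_dig calls the real dig."""
import subprocess
from typing import Callable, List, Optional

# A runner takes (server, name, rtype, tcp) and returns the answer lines of a
# lookup that got a reply (possibly an empty list), or None for no reply.
Runner = Callable[[str, str, str, bool], Optional[List[str]]]


def run_dig(server, name, rtype, tcp):
    """dig with its default timeout/retry and +short output.  +tcp switches
    the transport; +norecurse asks the server as an authority, not a resolver."""
    cmd = ["dig", "+short", "+norecurse", f"@{server}", name, rtype]
    if tcp:
        cmd.insert(1, "+tcp")
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:  # dig exits non-zero when no server replied
        return None
    return [ln for ln in proc.stdout.splitlines() if ln and not ln.startswith(";")]


def query_with_fallback(runner: Runner, server, name, rtype):
    """The policy proposed in the post: one UDP attempt with dig's defaults
    and, only if that gets no reply, an immediate TCP retry.  Returns
    (answer_lines, transport) or (None, None) when both transports fail."""
    for tcp in (False, True):
        answer = runner(server, name, rtype, tcp)
        if answer is not None:
            return answer, "tcp" if tcp else "udp"
    return None, None


def _names(records):
    """Case- and trailing-dot-insensitive set of names for RRset comparison."""
    return {r.strip().lower().rstrip(".") for r in records if r.strip()}


def check_nameserver(runner: Runner, server, zone, expected_ns):
    """Run checks (a) and (b) against one server; problems are collected as
    text the registration system could show the registrant."""
    result = {"server": server, "ok": False, "transport": None, "problems": []}
    soa, transport = query_with_fallback(runner, server, zone, "SOA")
    result["transport"] = transport
    if soa is None:
        result["problems"].append("no reply to SOA query over UDP or TCP")
        return result
    if not soa:
        result["problems"].append("no SOA in answer: server does not serve the zone")
        return result
    ns, _ = query_with_fallback(runner, server, zone, "NS")
    served, wanted = _names(ns or []), _names(expected_ns)
    if served != wanted:
        result["problems"].append(
            f"NS RRset mismatch: served {sorted(served)}, registering {sorted(wanted)}")
        return result
    result["ok"] = True
    return result


def fake_dig(server, name, rtype, tcp):
    """Constructed stand-in for dig (sample data, not real servers): ns1 drops
    UDP but answers TCP, ns2 answers over UDP, ns3 replies but does not serve
    the zone, ns4 never replies."""
    if server == "ns4.example.test" or (server == "ns1.example.test" and not tcp):
        return None
    if server == "ns3.example.test":
        return []
    if name == "example.test" and rtype == "SOA":
        return ["ns1.example.test. hostmaster.example.test. 2009040701 3600 900 604800 300"]
    if name == "example.test" and rtype == "NS":
        return ["ns1.example.test.", "ns2.example.test."]
    return []


if __name__ == "__main__":
    import sys  # usage: python check.py ZONE NS1 NS2 ...
    for server in sys.argv[2:]:
        print(check_nameserver(run_dig, server, sys.argv[1], sys.argv[2:]))
```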


Re: [DNSSEC] SERVFAIL when resolving .gov through DLV

2009-05-05 Thread Mark Elkins
Does work with bind 9.6.0 - as NSEC3 is available...
; <<>> DiG 9.6.0-P1 <<>> +dnssec @127.0.0.1 SOA gov.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41388
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.   IN  SOA
...
(Waiting on 9.6.1 via gentoo!)

On Tue, 2009-05-05 at 13:45 -0500, Jeremy C. Reed wrote:
 On Tue, 5 May 2009, Stephane Bortzmeyer wrote:
 
  This is a BIND 9.5.1-P1, Debian package. It is configured to use ISC's
  DLV:
 
 https://www.isc.org/node/437


Re: tcp versus udp

2009-05-06 Thread Mark Elkins
On Wed, 2009-05-06 at 07:59 +0200, Stephane Bortzmeyer wrote:
 On Wed, May 06, 2009 at 12:00:12AM -0400,
  Danny Mayer ma...@gis.net wrote 
  a message of 39 lines which said:
 
  That's nonsense.
 
 That's Peter Dambier. If you try to fix every mistake he makes, you're
 not over soon...

Some people are there to make us question and test our understanding.

One place that TCP may make sense - if you are involved in a registry
system and the process involves actually checking the information that
you are given, including nameservers (do they exist, do they serve that
zone - correctly?) - it may make a lot of sense to do TCP Digs for the
information (though that should probably be after a failed UDP dig - as
a number of people do insist on disallowing Port 53 TCP).


Re: [DNSSEC] SERVFAIL when resolving .gov through DLV

2009-05-06 Thread Mark Elkins
On Tue, 2009-05-05 at 13:45 -0500, Jeremy C. Reed wrote:
 On Tue, 5 May 2009, Stephane Bortzmeyer wrote:
 
  This is a BIND 9.5.1-P1, Debian package. It is configured to use ISC's
  DLV:
 
 https://www.isc.org/node/437

Question on using trusted-keys:

There are two public sources of trusted-keys - ISC's DLV via 
http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf and IANA's ITAR via
https://itar.iana.org/anchors/anchors.xml (though this needs to be
'expanded').
One might also have one's own personal list for local use?


Some sections in named.conf should logically only be there once (eg,
options and logging), some should be there multiple times (zone
definitions).

Can trusted-keys be defined multiple times? - or should there only be
one trusted-keys section? I know multiple keys in one trusted-keys
section works just fine - which might imply one can only have one
trusted-key definition?

A 'man named.conf' is not immediately obvious about this.



Re: Automating a KSK rollover

2009-07-05 Thread Mark Elkins
I've added some automation around signing zones. For the KSK - it has a
default life of 12 months. I'm looking at having two valid KSKs running
with an overlap of 6 months. This means updating dlv.isc.org every 6
months, adding a new key, removing the old key and leaving the key that's
6 months old. My system should remind me when to do this. Of course -
I'm still in the first 6-month cycle - so there is only one KSK for now
- so I'll only be adding a KSK next maintenance cycle.
This is fine for a few domains but I agree it would be painful for many
domains.

I'd like to see a system that I can tickle - so that it fetches the new
KSK from me (all automated).

Now that my zone is 'secure' - I could use it to distribute a public key
(PGP - whatever). I still have the TXT DLV record in my zone. Just
thinking out-loud - as I'm interested too.

One day - I'd expect this to be built into Registry/Registrar EPP type
interfaces - fine except I like to host my own DNS.


On Sat, 2009-07-04 at 22:36 -0700, Shane W wrote:
 Hello all,
 
 So I just did a KSK rollover, just to get a feel for how
 it's done, updating dlv.isc.org in the process. My question
 though is one of administration. When a domain rolls its
 ksk, will it be necessary to manually login to a website
 and paste the new keys, login again a month later and
 delete the old ksk? How will this work for sites hosting
 many domains? Is there some sort of standardized way as yet
 to communicate key changes to an upstream zone or in this
 case a lookaside provider?
 
 Shane



Re: DNSKEY Validation

2009-07-14 Thread Mark Elkins
OK - so I accept that the algorithm will change.

What about some sort of validation of the base-64 part of the key?
Is there a checksum byte/word?
Is there a way of checking that the length is correct?

On Tue, 2009-07-14 at 10:56 +1000, Mark Andrews wrote:
 In message 4a5b1bdc.3090...@gis.net, Danny Mayer writes:
  Stephane Bortzmeyer wrote:
   On Sun, Jul 12, 2009 at 08:42:27PM +0200,
Mark Elkins m...@posix.co.za wrote 
a message of 31 lines which said:
   
   Arg 3 should be 5 (or maybe 3) - the algorithm.
   
   No, you must not use a hard-wired list in your code, because the list
   of algorithms registered at IANA can change.
  
  It better not otherwise you would have horrendous interoperability problems.
  
  Danny
 
   Change includes extend. :-)
 
   Mark
  


Re: DNSKEY Validation

2009-07-14 Thread Mark Elkins
On Tue, 2009-07-14 at 17:50 +1000, Mark Andrews wrote:
 In message 1247555725.13064.4.ca...@ilinux, Mark Elkins writes:
  OK - so I accept that the algorithm will change.
  
  What about some sort of validation of the base-64 part of the key?
  Is there a checksum byte/word?
  Is there a way of checking that the length is correct?
 
 Have you thought of reading the RFCs which describe these records?
 The answers to your questions are in the RFCs.

For the record - have been looking at various definitions and at some
RFCs - but the 'right thing' has not jumped out at me yet. Could some
kind soul please point me at the latest RFC that describes the base-64
part of the DNSKEY resource record - how to checksum it and calculate
that the length is correct.
Or - are there stand-alone tools for this?
http://www.dnssec-deployment.org/tracker/ has lots of good stuff - but
I'd rather not have to download everything to try it.

 
 Mark

Anyone know how to get dnskeys into .ORG - I've had no answer yet from
i...@pir.org.



Re: Format of 'dig -k' TSIG key file?

2009-07-31 Thread Mark Elkins
On Thu, 2009-07-30 at 17:40 -0400, Joseph S D Yao wrote:

 What does work is:
   dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone 
 @other.example.zone
 but I really, really find this not altogether pleasant.

This gets a bit more funky when you are not using the default
key-algorithm of hmac-md5 - which you probably should not be using any
more...

 Plus, I'm curious to know what 'dig -k' really wants to see.

Uses the original key files.. fine on the machine that they were created
on - but there are always at least two machines involved with any one
key! 

I've been thinking about this.
I'd like to see intelligence that allows 'dig' to look inside the
'named.conf' file (following any include statements) for the same key
info that 'named' uses.

Why: The '-y' option is used with zone transfers. That usually means
someone is setting up a secondary and trying to get TSIG to work. They
probably have already set up key stanzas in the config file - so trying
to use those keys would help debugging? They can always fall back to
providing the full tuple of info for the '-y' option.

If only the key-name is specified with the '-y' option, dig should then
know to look for a matching key stanza in the named config file.
This would at least avoid the need to have the key-secret on the
command line (along with the correct key-algorithm).

dig -C named-config-file ('c' is already used) - tells dig to look
elsewhere for the config file.



Re: is TSIG key rollover possible?

2009-09-16 Thread Mark Elkins
Don't think TSIG Key roll-over is possible - in the DNSSEC sense. Don't
think it is as necessary either. I have separate TSIG relationships
between my Primary and Secondary peers. I use the same TSIG for all
zones that are on both peers - the TSIG is to secure the path between
the two peers. I also have 'ssh' access to the peers and in order to
perform a 'roll-over' would be logged in (ssh) to both sides of a single
pair of peers when doing the update. The job thus would be..

a) change the config files on both sides
b) signal named to reread its config - on both sides

In total - I directly look after just eight such pairs of peers - not
that hard. I change the signatures every 9 months.

The only Gotcha to changing from hmac-md5 to one of the other algorithms
is that when checking AXFRs with 'dig' you now need to add a third
argument to the '-y' option - the algorithm to use. [-y [hmac:]name:key]

In real life - I run an ISP and offer paid-for 'secondary' nameserver
services to my clients (ie those with their own hosted servers). I thus
dress all this up with Web pages and a database backend. TSIG is a free
option - all made nice'n'easy (change your named.conf to look like
this... cut-n-paste) even with e-mail reminders to change old
signatures. Almost no one uses the TSIG option - no one seems very
interested. (Hey mark - that's a very cool feature - I'll see if I have
the time to get around to it one day)

On Wed, 2009-09-16 at 17:08 +1200, Sebastian Castro wrote:
 Hi everyone:
 
 I was reading the document "Deprecation of HMAC-MD5 in DNS TSIG and TKEY
 Resource Records"
 (http://www.ietf.org/id/draft-ietf-dnsext-tsig-md5-deprecated-03.txt)
 and I thought "Darn, I must be prepared to do a TSIG renovation", so
 started researching how to do it.
 
 First step was checking if BIND supported a different algorithm, but the
 BIND ARM for BIND9.5 and 9.6 indicates "The algorithm, hmac-md5, is the
 only one supported by BIND". That seemed strange, considering the
 document indicated above was originally proposed in 2008. So I used the
 source and found out other algorithms are supported in 9.5 and 9.6, so
 there is a mistake in the documentation.
 
 Anyway, TSIG rollover is an operation needed as indicated on RFC 2385:
 
 --- RFC 2385 quote ---
 6.2. Secret keys should be changed periodically.  If the client host
 has been compromised, the server should suspend the use of all
 secrets known to that client.  If possible, secrets should be stored
 in encrypted form.  Secrets should never be transmitted in the clear
 over any network.  This document does not address the issue on how to
 distribute secrets. Secrets should never be shared by more than two
 entities.
 --- RFC 2385 quote ---
 
 but again the documentation indicates: "Multiple keys may be present,
 but only the first is used."
 
 So, to coordinate the retirement of an old TSIG key and the introduction
 of a new one, it seems a close coordination between peers is needed in
 order to make it work, within a 'maintenance window' where the
 operations using the TSIG are not executed (in my particular interest,
 zone transfers)? Is it not possible to gradually introduce a new key,
 use both for a period of time and later retire the old one, similar to
 what is done in DNSSEC?
 
 Any experience on this matter that could be shared publicly or privately
 will be appreciated.
 
 Kind Regards
 Sebastian Castro


Re: Reasonable setup of a dnssec aware recursive resolver

2010-03-29 Thread Mark Elkins
On Mon, 2010-03-29 at 11:17 +0200, Mark Elkins wrote:
 I'm trying to come up with an interim solution for my ISP's DNS
 Recursive Resolver that is DNSSEC aware.
 
 My thoughts so far:-
 Use BIND 9.6.1-P3 (this is the latest version of named that Gentoo Linux
 gives me).

Ouch! - bitten by the signing of ARPA
 /etc/bind/named.conf.trust:225: configuring trusted key for 'ARPA.':
algorithm is unsupported.
-and- 
* No specific action is requested of operators. This message is
* for your information only.
* The ARPA zone is about to be signed using DNSSEC. The technical
* parameters by which ARPA will be signed are as follows: 
* KSK Algorithm and Size: 2048 bit RSA

I thought unrecognised algorithms were meant to be ignored?
Time to try Bind 9.7.0-P1 ??

 In order to fetch both iTAR and DLV signatures - use a patched version
 of WGET that is dnssec aware.
 
 Once a week (is this frequent enough?) fetch the DNSSEC signatures from
 iTAR and ISC/DLV, convert the iTAR xml stuff into Signatures, append the
 DLV signature and then include this file into my named.conf
 configuration.
 (named.conf:   include named.conf.trust-anchors; )
 
 In named.conf -- options, add:
 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside . trust-anchor dlv.isc.org.;
 
 This appears to be working for me.
 Questions are - how frequently should one fetch these trust-anchors? I'd
 have thought once a week was enough but have read of situations where
 people using ISC's DLV have had past problems.
 
 I'm hoping that by using both iTAR and DLV - that I won't have this
 problem - have not noticed anything personally yet.
 
 I call this an interim solution - interim until the root is signed
 with live data and contains the data that ITAR is currently being used
 to store. I don't see ISC's DLV disappearing overnight just because the
 root is signed either...
 
 I'm only doing the 'wget-ting' from one location, then distributing
 internally from there - in order to reduce loads.
 
 What other suggestions do people have to achieve something similar?
 
 ps - I find the CZ DNSSEC Validator (addon) plugin to Firefox very
 inspiring! Anyone aware of something similar for IE?
 

Key ID from DNSKEY - how?

2010-10-27 Thread Mark Elkins
I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to
do this in PHP as this is inside some existing PHP (Web) scripts but I
guess calling a C program would not be too inconvenient.

I'd like to index records (ie DNSKEY and DS Records) according to their
Key-ID - and present them grouped by Key-ID. DS keys are usually
presented with their Key-ID - so are less problematic.

Side issue - the RFC description for a DS Record on the wire
gives the first 16 bytes as the Key-ID, followed by (8-bit)
Algorithm, (8-bit) Digest type and (32 bytes - or so) Digest. Is
all this info encoded into the Base-64 stuff that one can see as
ascii in a zone? ... or is the base-64 ascii stuff just the
Digest?

I'd love to be able to validate both DS and DNSKEY records that
people give me but I am still floundering around amongst the
DNSSEC RFCs...

I understand that key-IDs are not necessarily unique but as I'd usually
not have more than about 4 or so in any one domain - I'm hoping that
statistics will be with me 99.95% of the time.

Anyway - does anyone have existing code snippets that might assist me?
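Added example (Python rather than the PHP the post asks for, and not ISC's or anyone else's code) covering the questions of this post and of the two DNSKEY Validation posts above: the key tag per RFC 4034 Appendix B, the RFC 3110 length check on RSA key material, and the DS digest over owner name plus DNSKEY RDATA per RFC 4034 section 5. The keys it is tested with are constructed and far too short to be real.

```python
"""Key tag (RFC 4034 Appendix B), RSA key layout check (RFC 3110) and DS
digest (RFC 4034 section 5) for DNSKEY records.  Added example, not ISC or
registry code; sample keys used with it are constructed, not real keys."""
import base64
import hashlib
import struct
from dataclasses import dataclass

RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def parse(cls, text):
        """Parse zone-file presentation such as '257 3 8 AwEAAa...'; owner,
        TTL, class and the DNSKEY type column may precede the RDATA."""
        fields = text.split()
        if "DNSKEY" in fields:
            fields = fields[fields.index("DNSKEY") + 1:]
        if len(fields) < 4:
            raise ValueError("need flags, protocol, algorithm and key")
        flags, protocol, algorithm = (int(f) for f in fields[:3])
        if protocol != 3:
            raise ValueError("DNSKEY protocol field must be 3")
        # The base64 may be split into several whitespace-separated chunks.
        key = base64.b64decode("".join(fields[3:]), validate=True)
        return cls(flags, protocol, algorithm, key)

    def rdata(self):
        """Wire-format RDATA: flags (16 bit), protocol, algorithm, key bytes."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self):
        """Appendix B: even bytes weigh 256, odd bytes 1, fold the carry once,
        keep 16 bits.  Not a checksum: the RFC allows tag collisions."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def rsa_info(self):
        """RFC 3110 layout: exponent length (1 byte, or 0 then 2 bytes),
        exponent, modulus.  Returns (exponent, modulus bit length); raises
        ValueError when the base64 part is shorter than its own length field
        claims, which is the length check the record format itself allows."""
        if self.algorithm not in RSA_ALGORITHMS:
            raise ValueError(f"algorithm {self.algorithm} is not RSA")
        k = self.public_key
        if len(k) < 3:
            raise ValueError("key too short to hold an exponent length")
        if k[0]:
            exp_len, off = k[0], 1
        else:
            exp_len, off = struct.unpack("!H", k[1:3])[0], 3
        exponent, modulus = k[off:off + exp_len], k[off + exp_len:]
        if len(exponent) != exp_len or not modulus:
            raise ValueError("key too short for declared exponent length")
        return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big").bit_length()


def key_problems(key):
    """Structural problems a registry could report back to the submitter."""
    problems = []
    if not key.flags & 0x0100:
        problems.append("zone key bit (flag 256) not set")
    if key.algorithm in RSA_ALGORITHMS:
        try:
            key.rsa_info()
        except ValueError as err:
            problems.append(str(err))
    return problems


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, key, digest_type=2):
    """Section 5.1.4: digest = H(owner name | DNSKEY RDATA).  DS text form is
    'keytag algorithm digesttype hexdigest': the hex is only the digest."""
    digest = DS_DIGESTS[digest_type](wire_name(owner) + key.rdata()).hexdigest()
    return f"{key.key_tag()} {key.algorithm} {digest_type} {digest.upper()}"


def ds_matches(owner, key, ds_text):
    """Check a DS somebody supplied against the DNSKEY it claims to cover."""
    tag, alg, dtype = (int(f) for f in ds_text.split()[:3])
    if dtype not in DS_DIGESTS or alg != key.algorithm or tag != key.key_tag():
        return False
    supplied = "".join(ds_text.split()[3:]).lower()
    return ds_record(owner, key, dtype).split()[3].lower() == supplied
```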

DNSSEC Keys - and trying to not leaving them around

2011-01-12 Thread Mark Elkins
There are some parts of Key management with DNSSEC that I don't quite
get - so I'm hoping for some feedback. I'm using BIND 9.7.2-P3 and
running dnssec-signzone  -3 abcd -o example.com -p -t -A example.com

I believe that:-
1 - The KSK is used to sign the ZSK.
2 - The ZSK is used to sign the rest of the data in the zone.

(I'm a little unclear which parts of the KSK are needed to sign the ZSK
and which parts of the ZSK need to be around to sign the rest of the
zone)

On a virgin zone - you'd need the private parts of the ZSK and KSK's
available (either in the local directory or as the arg to a -d).
Technically - the public parts (*.key) could be in the zone to be signed
- so don't need to be available any more. (ie - there was a 'cat K*.key
>> zone')

Doesn't seem to work like that - as I'm getting the error (for each key)
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file co.za/NSEC3RSASHA1/64250: file not found

(64250 is the ZSK)
If I also have the *.key parts in the same directory - all works OK.

So the error message is lying to me!!! ??? - Bug?

---

So now I want to resign the zone. It's already signed. How can I do that
without having to have the Private KSK still around. I'd have thought
that I'd just perhaps need the Private ZSK around to re-sign new zone
data.

(here I removed the KSK Private file - 9983)
I think this works - but I get the message:
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file example.com/NSEC3RSASHA1/9983: file not found

So why is dnssec-signzone worried about the private part of a KSK that
it (I believe) should not need? Bug?

   

My zone changes quite a bit - so what I was thinking to do is Sign a
very basic copy of the zone (SOA, NS records - not much else) - then
move the Private KSK's off the disk completely - then add in my
dynamic data and re-sign as often as I need (whenever my dynamic
data changes) with just my Private ZSK available.

After about 6 months (whatever) - I can then create a new KSK - bring
back my original 'off-disk' Private KSK - sign a new basic copy of my
zone - take the two Private KSKs offline and go through the whole KSK
roll-over process. ie - I only have the private part of the KSK on the
disk for a very short time - usually it's off-site. I should be able to
generate my very basic zone on a completely different server - perhaps
not connected to the Internet at all - and just (via USB stick) copy
over the basic signed zone every six months?

I'm just worried about the earlier error messages

Can someone please explain? (What is needed when)

Re: IPv4 IPv6 named processes on a dual stack host

2011-05-24 Thread Mark Elkins
On Tue, 2011-05-24 at 13:22 -0500, Timothy Stoddard wrote:

 Has any one run into a issue with two named processes running on the
 same host.  We want to begin serving up DNS on our IPv6 address space
 and do not want to duplicate each of our DNS servers.  We have started
 two named processes one with -6 option.  All seems to be working.  I
 am concerned how journal files will be handled.  Question will the
 -4 named process coexist with -6 on the same box???

Are you nuts?!?

Are you planning on just serving IPv6 answers over IPv6 transport
and IPv4 answers over IPv4 transport?

Please don't try - run dual-stack (every box runs both addressing) and
have a single instance of BIND listening on both IPv4 and IPv6
transports serving both types of addresses as needed.

Your forward zone files should contain both IPv4 and IPv6 addresses
(as appropriate).
You'll obviously just need to add a suitable zone or two for your IPv6
reverses! (to match your IPv4 reverses).


Re: How to Setup a Name Servers visible on Internet?

2011-06-14 Thread Mark Elkins
Eric,

Did you know that UniForum SA (the CO.ZA administrators) provide free
DNS classes for people that live in South Africa? (Intro and Advanced).

So you'd need to get over to Johannesburg and/or Cape Town and pay for
some accommodation - but the courses are free. You can see and book for
the courses via the CO.ZA Web site. Courses are run twice a year.


On Tue, 2011-06-14 at 14:25 +0200, eric...@kom.za.net wrote:
 On 14/06/2011 10:15, Stephane Bortzmeyer wrote:
  On Tue, Jun 14, 2011 at 09:58:36AM +0200,
   eric...@kom.za.net eric...@kom.za.net wrote
   a message of 80 lines which said:
 
  sorry for that, please see below the content for my reverse file 
  data:
 
  File: /var/cache/bind/metropolitanbntu.co.za.inv:
  ...
  41.134.194.90.  IN  PTR ns1.metropolitanbuntu.co.za.
 
  Then, BIND is perfectly right, 41.134.194.90 does not belong to
  0.0.10.in-addr.arpa...
 
  10.0.0.80.  IN  PTR ns1.metropolitanbuntu.co.za.
 
  More subtle here: you should have learned about PTR records before
  trying it (may I suggest Liu & Albitz' book?) 10.0.0.80 should have
  been written just 80 (thus forming the name 80.0.0.10.in-addr.arpa).
 
 Thank you in advance!
 
 I ordered the book and am waiting for the delivery,
 
 I also found a PDF copy on the internet.
 
[outputs deleted]


Re: Format of the IPv6 reversed zone

2011-07-28 Thread Mark Elkins
On Thu, 2011-07-28 at 14:07 -0400, Khuu, Linh Contractor wrote:
 Hello,
  
 I'm new to IPv6 configuring in BIND. I need help. The forward zone is
 simple enough with an AAAA record, but the reversed zone is a bit
 confusing to me.
  
 For example, I want to add a hostname of www.example.com to
 2001:1930:c00::2. This IPv6 address is /48.
  
 How can I add this IPv6 address in a reversed format?
  
 $ORIGIN 0.0.0.0.0.0.0.c.0.3.9.1.1.0.0.2.ip6.arpa. IN SOA
 ..
  
 @ NS dnstemp1.example.com
  
 What should I put for the PTR??? 
  
 Is the reversed for IPv6 in the ip6.arpa file or IP6.int file???


I have '2001:42a0::/32'; in 'named.conf' I have...
zone 0.a.2.4.1.0.0.2.ip6.arpa {
type master;
file pri/db.0.a.2.4.1.0.0.2.ip6.arpa;
};

Top of the file could look like
$TTL 7200
@   IN SOA  blah. usual stuff..


Then - networks are all /64's - so - using the $ORIGIN variable...
do something like this per network 

; 2001:42a0:0:ff02::/64, Some description of this network
$ORIGIN 2.0.f.f.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   IN  PTR  cisco.posix.co.za.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   IN  PTR  dns1.posix.co.za.

or simply delegate them off
; 2001:42a0:1:82::/64, another network
2.8.0.0.1.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa. NS  dns1.posix.co.za.
  NS  dns2.posix.co.za.

'dig -x' is your friend for expanding the address!

eg - dig -x 2001:42a0:1:82:: +noall +question
...then cut'n'paste!
 
  
 Thanks,
 Linh Khuu
 
  
  
  
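Added example (not from the post) that generates the ip6.arpa fragments shown above for any prefix on a nibble boundary: the $ORIGIN per network, the relative PTR labels, and the NS lines for delegating a child network; it therefore also covers the /48 in the original question.

```python
"""ip6.arpa zone fragments in the style of the post: one $ORIGIN per network
(any prefix length that is a multiple of 4 bits), one nibble-reversed PTR
label per host, and NS lines for delegating a child network.  Added example,
not from the post; standard library only."""
import ipaddress


def nibbles(addr):
    """All 32 hex digits of an IPv6Address, least significant nibble first."""
    return list(reversed(addr.exploded.replace(":", "")))


def reverse_origin(prefix):
    """$ORIGIN for a prefix, e.g. 2001:42a0:0:ff02::/64 gives
    2.0.f.f.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa. (what 'dig -x' prints)."""
    net = ipaddress.IPv6Network(prefix)  # strict: host bits must be zero
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 bits")
    keep = net.prefixlen // 4
    return ".".join(nibbles(net.network_address)[32 - keep:]) + ".ip6.arpa."


def relative_label(addr, prefix):
    """Owner name of a host's PTR relative to reverse_origin(prefix)."""
    net, ip = ipaddress.IPv6Network(prefix), ipaddress.IPv6Address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    return ".".join(nibbles(ip)[:32 - net.prefixlen // 4])


def ptr_fragment(prefix, hosts, comment=""):
    """Zone-file block for one network: comment line, $ORIGIN, PTR lines.
    hosts is an iterable of (address, fully qualified hostname) pairs."""
    lines = [f"; {prefix}, {comment}".rstrip(", "), f"$ORIGIN {reverse_origin(prefix)}"]
    for addr, name in hosts:
        lines.append(f"{relative_label(addr, prefix)}   IN  PTR  {name}")
    return "\n".join(lines)


def delegation(prefix, nameservers):
    """NS records handing a child network to other servers, written with the
    absolute owner name so they do not depend on the current $ORIGIN."""
    owner = reverse_origin(prefix)
    return "\n".join(f"{owner} NS  {ns}" for ns in nameservers)
```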

Re: CNAME or A record?

2011-09-28 Thread Mark Elkins
On Wed, 2011-09-28 at 16:19 +0200, feralert wrote:

 The thing is that I want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if it's best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.
 
 
 domain.com       A      1.1.1.1
 www.domain.com   A      1.1.1.1
 
 OR
 
 domain.com       A      1.1.1.1
 www.domain.com   CNAME  domain.com

If named.conf is correctly set up with the domain name - then
you could use

$TTL 3600
@   IN  SOA ...the SOA info
IN  NS  Nameserver record lines
IN  A   1.1.1.1
www IN  A   1.1.1.1

Last line can be converted to a CNAME...
www IN  CNAME   domain.com.

When you include IPv6 addresses into the mix...
using a CNAME saves you entering the same IPv6 address twice - so then
there really is a saving - especially when you include other alternative
labels like 'mail', 'pop', 'smtp', 'ftp' - etc - do them all as CNAMES!

$TTL 3600
@   IN  SOA ...the SOA info
IN  NS  Nameserver record lines
IN  A   1.1.1.1
IN  AAAA    2001:1:1::80
www IN  CNAME   domain.com

What I think is your real problem:
Whichever way you decide - Apache will be given the
original name - DNS will not re-write that.. so you have to spell out
both names in your Apache configuration files...

So (playing with virtual hosts)
NameVirtualHost 1.1.1.1

<VirtualHost 1.1.1.1>
  ServerName domain.com
  ServerAlias www.domain.com
  ...
</VirtualHost>

-and later for IPv6 - duplicate the above...
(this line next to the other NameVirtualHost)
NameVirtualHost [2001:1:1::80]

<VirtualHost [2001:1:1::80]>
  ServerName domain.com
  ServerAlias www.domain.com
  ...
</VirtualHost>



Re: DNSSEC Signing Key Questions

2011-10-04 Thread Mark Elkins
Played with OpenDNSSEC - and was a bit disappointed. Actually flew to
Sweden and attended the course. It works - but acts like a black box -
you don't have any finger-poking ability when things go wrong (for fun -
we deleted a key out of the HSM - bad idea!)

I don't like having to run everything Dynamic - which seems to be how
ISC and Bind is currently heading.

I eventually sat down and wrote a Bash script. It's periodically called
from cron. It understands Static zones with None (no DNSSEC), NSEC and
NSEC3 forms of DNSSEC. It kinda knows what a dynamic zone is - and is
mainly hands-off. It manages Serial Number detection and Updating via
keeping a CheckSum of the zone and comparing/detecting changes - so you
can use the script on non-signed zones - just change the Data - it'll
update the SOA Serial and do an RNDC RELOAD for you.

You can look at it on www.posixafrica.com - there is a presentation
there as well that I did at an AfriNIC conference.

I personally use the script for my primary domain (posix.co.za) and
several others. No problems so far

ZSK's are totally automated, KSK's which generate the DS records are
automated if you run Children of parents under your control (Reverse IP
addresses!). There is a method of running a command for Parent zones -
which could be for example to run an EPP client to update the DS records
at the Registry. OpenDNSSEC comes with such a client.

You asked about ZSK's - I run a cron driven rollover so no ZSK is more
than 34 days old (age of the file holding the key - could be modified to
read Meta-Data?). New ZSK's are created every 17 days (old ones
deleted). KSK's are never older than about a year - with a new KSK
generated every 6 months. I guess this could be modified/customised per
zone - but these are very close to the default values. This means you
end up with two ZSK's and two KSK's per zone. This could be further
modified to remove older Keys after appropriate time delays - but...

You should use the Directory structure I suggest - rather - this keeps
files more manageable (Directory per zone). I don't put keys into any
HSM - kinda waiting on Bind to include a patch to work with Rickard
Bellgrim's SoftHSM (now that would be something!) That should one day be
workable.

On Tue, 2011-10-04 at 19:09 +, McConville, Kevin wrote:
 I’m new to this list, so please bear with me if these are/seem like
 “newbie” questions.
 
 We are currently evaluating a DNSSEC implementation. We have several
 static zones that we would like to implement first. We are currently
 using ISC Bind 9.7.4 – In the test environment (1) Authoritative dns
 server and (1) Resolver dns server, both running RHEL 5.7. We do have
 an on-hold Opendnssec server w/softhsm (we are trying to look at the
 built-in utilities of isc bind first).
 
 We are trying to make the DNSSEC piece as automatic as possible, so
 here is where we are having issues.
 
 1) Is there any way to have the zsk be auto-generated based upon
 the inactive date listed in the zsk meta-data? I know we can
 pre-publish and then use dnssec-settime to change the meta-data, but
 still very hands-on.
 
 2) With a static zone, are the update-policy local and auto-dnssec
 maintain options invalid/don’t work? From the docs, they look like
 they are only for automation of dynamic zones?
 
 3) Are there any ways to automate zone signing and zsk
 generation/roll-over with a totally static zone environment?
 
 4) What key-management, zone-signing management utilities or
 programs have you found useful/helpful?
 
 Any suggestions, comments, or questions are greatly appreciated. Thank
 you in advance.
 
 Thanks,
 
 -Kevin
 
 Kevin McConville
 University at Albany

-- 
Mark Elkins m...@posix.co.za
Posix Systems

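As an added example (not Mark's script from www.posixafrica.com, and not BIND code), here is the checksum part of what the post describes, in POSIX shell: detect a changed static zone file, bump the SOA serial in YYYYMMDDnn form and reload only that zone. It assumes the serial sits on its own line followed by a '; Serial' comment (as in the db.foo.com.base zone later in this archive), and the function names, the '.cksum' state file and the RNDC_CMD override are this example's own.

```shell
#!/bin/sh
# Added example, not Mark Elkins' script: checksum-based change detection
# for a static zone, with an SOA serial bump (YYYYMMDDnn) and an rndc reload.
# Assumptions (constructed for this example): the SOA serial is on its own
# line followed by a "; Serial" comment; RNDC_CMD may be overridden, e.g.
# RNDC_CMD=true on a box without rndc.

RNDC_CMD="${RNDC_CMD:-rndc reload}"

# Serial line: leading blanks (group 1), digits, then "; Serial..." (group 2).
SERIAL_RE='^\([[:space:]]*\)[0-9]\{1,\}\([[:space:]]*;[[:space:]]*Serial\)'

# Checksum of the zone with the serial masked out, so that our own serial
# bump is not mistaken for a fresh edit on the next cron run.
zone_checksum() {
    sed "s/$SERIAL_RE/\1SERIAL\2/" "$1" | cksum | cut -d' ' -f1
}

# The digits on the serial line.
current_serial() {
    sed -n 's/^[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*;[[:space:]]*Serial.*/\1/p' "$1" \
        | head -n 1
}

# next_serial <current> <today YYYYMMDD>: same day -> counter + 1;
# new day -> <today>00; a serial already ahead of today's base keeps
# counting up so the serial never goes backwards.
next_serial() {
    cur=$1; today=$2
    base=$((today * 100))
    if [ "$cur" -lt "$base" ]; then echo "$base"; else echo $((cur + 1)); fi
}

# set_serial <zone file> <new serial>: rewrite the serial line in place.
set_serial() {
    sed "s/$SERIAL_RE/\1$2\2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Cron entry point: check_zone <zone name> <zone file> <today YYYYMMDD>.
# Returns 0 (and reloads the zone) when the data changed, 1 when it did not.
# A missing state file (first run) counts as a change.
check_zone() {
    name=$1; zone=$2; today=$3
    state="$zone.cksum"
    new=$(zone_checksum "$zone")
    old=$(cat "$state" 2>/dev/null || true)
    [ "$new" != "$old" ] || return 1
    set_serial "$zone" "$(next_serial "$(current_serial "$zone")" "$today")"
    echo "$new" > "$state"
    $RNDC_CMD "$name"
}

# Typical cron line (not run here):
#   check_zone posix.co.za pri/posix.co.za/db.posix.co.za "$(date +%Y%m%d)"
```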

Mixing Algorithms for DNSSEC

2011-10-15 Thread Mark Elkins
Saw the light of day and decided to change my DNSSEC signing script to
create DNS Keys with RSASHA256 rather than RSASHA1. It seems one can not
mix these two in the same zone

I've created a short script to demonstrate the issue.

I've Attached RunTest that simulates what I am doing.
It uses the zone foo.com - I've attached db.foo.com.base as a simple
zone.
I've attached the output
Best to do this in a completely empty directory!

Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
the results.
Add a new KSK using RSASHA256 - prep the zone and sign again.
1 - Signer is confused - can not sign (or generate a new Signed
Zone)...
Verifying the zone using the following algorithms: RSASHA1.
Missing self signing KSK for algorithm RSASHA256
The zone is not fully signed for the following algorithms:
RSASHA256.
dnssec-signzone: fatal: DNSSEC completeness test failed.

2 - The file dsset-foo.com. has too many DS records. Why is
dnssec-signzone adding the DS records for a ZSK into dsset?

If everything is either RSASHA1 or RSASHA256 - everything is OK.

Bug? Simply how it should be by design? This really disturbs me - these
Keys take ages in the real world to migrate using reasonable timings -
do I have to Zap all my Keys - redo all zones. Is this always the case
when an Algorithm changes?

Versions: BIND 9.7.3-P3, dnssec-keygen: 9.7.3, dnssec-signzone: 9.7.3-P3
-- 
Mark Elkins m...@posix.co.za
Posix Systems


RunTest
Description: application/shellscript
$TTL 3600
@   IN  SOA control.vweb.co.za. dns-admin.posix.co.za. (
2011101501  ; Serial number
3600; Refresh, 86400=1 day, 3600=1 hr
1800; Retry after 30 mins
604800  ; Expire after 7 days
1800 )  ; Negative TTL, 21600=6 hrs, 1800=30 mins

IN  NS  secdns1.posix.co.za.
IN  NS  control.vweb.co.za.
IN  A   160.124.208.1

Generating key pair++ ++ 
Kfoo.com.+005+03488
Generating key pair.++ 
++ 
Kfoo.com.+005+56205
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
db.foo.com.signed
total 40
-rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+03488.key
-rw--- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+03488.private
-rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+56205.key
-rw--- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+56205.private
-rw-r--r-- 1 root root  818 Oct 15 11:53 RunTest
-rw-r--r-- 1 root root 1187 Oct 15 11:56 db.foo.com
-rw-r--r-- 1 root root  335 Oct 15 11:48 db.foo.com.base
-rw-r--r-- 1 root root 2672 Oct 15 11:56 db.foo.com.signed
-rw-r--r-- 1 root root  159 Oct 15 11:56 dsset-foo.com.
-rw-r--r-- 1 root root  406 Oct 15 11:56 output
Generating key pair..++ ...++ 
Kfoo.com.+008+13851
Verifying the zone using the following algorithms: RSASHA1.
Missing self signing KSK for algorithm RSASHA256
The zone is not fully signed for the following algorithms: RSASHA256.
dnssec-signzone: fatal: DNSSEC completeness test failed.
total 48
-rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+03488.key
-rw--- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+03488.private
-rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+56205.key
-rw--- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+56205.private
-rw-r--r-- 1 root root  423 Oct 15 11:57 Kfoo.com.+008+13851.key
-rw--- 1 root root 1012 Oct 15 11:57 Kfoo.com.+008+13851.private
-rw-r--r-- 1 root root  818 Oct 15 11:53 RunTest
-rw-r--r-- 1 root root 1610 Oct 15 11:57 db.foo.com
-rw-r--r-- 1 root root  335 Oct 15 11:48 db.foo.com.base
-rw-r--r-- 1 root root 2672 Oct 15 11:56 db.foo.com.signed
-rw-r--r-- 1 root root  318 Oct 15 11:57 dsset-foo.com.
-rw-r--r-- 1 root root 1311 Oct 15 11:57 output



Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Mark Elkins
On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote:
 
 On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins m...@posix.co.za wrote:
 Basically - create a KSK and ZSK with RSASHA1 - Sign - and
 visibly check
 the results.
 Add a new KSK using RSASHA256 - prep the zone and sign again.
 1 - Signer is confused - can not sign (or generate a new
 Signed
 Zone)...
Verifying the zone using the following algorithms:
 RSASHA1.
Missing self signing KSK for algorithm RSASHA256
The zone is not fully signed for the following
 algorithms:
RSASHA256.
dnssec-signzone: fatal: DNSSEC completeness test
 failed.
 
 
 When you include DNSKEYS with multiple algorithms, both the DNSKEY
 RRset and other RRsets in the zone must be signed with each algorithm
 [1].  Because you designed your RSASHA256 DNSKEY as a KSK,
 dnssec-signzone is only using it to sign the DNSKEY RRset, not other
 RRsets.  To resolve this, create a ZSK with algorithm RSASHA256 to
 your zone.

Thanks.

So what you are saying in practical terms is in order to migrate from
RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
cycle once a year) and then at exactly the same time start using
RSASHA256 on the KSK's (which cycle every month) - making any existing
ZSK using RSASHA1 (or their DS's in the parent) redundant after about a
further month.

FUBAR!

And Algorithms have a tendency to be updated reasonably frequently...
every 2 to 5 years! 

That is not very friendly from a migration point of view. It would
probably be easier to first completely remove DNSSEC from a Zone then
re-install it from scratch with the new algorithms. I'm still playing
(after two years) - I don't mind. Others :-(

 
 Regards,
 Casey
 
 [1] See http://tools.ietf.org/html/rfc4035 - section 2.2
 

-- 
Mark Elkins m...@posix.co.za
Posix Systems


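The rule Casey cites (RFC 4035 section 2.2: every algorithm in the DNSKEY RRset must sign every RRset) is what dnssec-signzone's completeness test enforced above. As an added example, not code from this thread or from BIND, here is that check over a signed zone file in POSIX shell with awk, so a signing script can spot the mixed-algorithm state before the zone is served. It assumes one record per line in 'owner TTL IN TYPE rdata' form (the multi-line parenthesised layout dnssec-signzone writes is not handled); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not BIND code): the RFC 4035 section
# 2.2 completeness check. Every algorithm present in the DNSKEY RRset must
# have an RRSIG over every signed RRset; a KSK-only RSASHA256 key, which
# signs just the DNSKEY RRset, fails it exactly as dnssec-signzone reported.
# Assumption (constructed): one record per line, "owner TTL IN TYPE rdata".

# check_algorithm_coverage <signed zone file>
# Prints one line per RRset lacking a signature for some DNSKEY algorithm
# and returns 1; returns 0 (prints nothing) when every algorithm is complete.
check_algorithm_coverage() {
    awk '
    # DNSKEY rdata: flags protocol algorithm public-key
    $3 == "IN" && $4 == "DNSKEY" { algs[$7] = 1; next }
    # RRSIG rdata: covered-type algorithm labels ttl expire incept tag signer sig
    $3 == "IN" && $4 == "RRSIG" {
        sets[$1 SUBSEP $5] = 1             # an RRset that carries signatures
        sigs[$1 SUBSEP $5 SUBSEP $6] = 1   # ... signed with this algorithm
        next
    }
    END {
        bad = 0
        for (s in sets) {
            split(s, k, SUBSEP)
            for (a in algs) {
                if (!((s SUBSEP a) in sigs)) {
                    printf "%s %s: missing RRSIG for algorithm %s\n", k[1], k[2], a
                    bad = 1
                }
            }
        }
        exit bad
    }' "$1"
}

# dnskey_algorithms <signed zone file>: the distinct algorithm numbers in
# the DNSKEY RRset, space separated, for logging alongside the check.
dnskey_algorithms() {
    awk '$3 == "IN" && $4 == "DNSKEY" { print $7 }' "$1" \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}
```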

Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Mark Elkins
True - no problem with a handful of zones.

Now assume a few thousand being automated from some script.

Wonder if OpenDNSSEC handles this at all?

OK - so I've rewritten my script to not worry (Don't Panic) - just keep
using the monthly KSK's with RSASHA1 until it sees a ZSK with the
RSASHA256 algorithm - then just switch over to creating KSK's with
RSASHA256 as well.

I just never knew switching Algorithms would bite me. No one ever told
me.

On Sat, 2011-10-15 at 20:58 +0100, Matthew Seaman wrote:
 On 15/10/2011 20:32, Mark Elkins wrote:
  So what you are saying in practical terms is in order to migrate from
  RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
  cycle once a year) and then at exactly the same time start using
  RSASHA256 on the KSK's (which cycle every month) - making any existing
  ZSK using RSASHA1 (or their DS's in the parent) redundant after about a
  further month.
 
 You don't have to wait.  There's nothing to stop you doing an early key
 rollover for your ZSK, and switching algorithms.  Where you can either
 revoke the old ZSK or change its expiry date -- once you've got the DS
 records in the parent updated, of course.
 
   Cheers,
 
   Matthew
 

-- 
Mark Elkins m...@posix.co.za
Posix Systems



Re: Mixing Algorithms for DNSSEC

2011-10-16 Thread Mark Elkins
On Sun, 2011-10-16 at 12:13 +0100, Phil Mayers wrote:
 On 10/15/2011 08:32 PM, Mark Elkins wrote:
 
  So what you are saying in practical terms is in order to migrate from
  RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
  cycle once a year) and then at exactly the same time start using
  RSASHA256 on the KSK's (which cycle every month) - making any existing
 
 Why are you rotating your KSK monthly, but your ZSK yearly? That's the 
 wrong way round, surely?

*blush* - Yes. 
Should check what I write more closely. KSK about once a year and ZSK
about once a month is more or less what I really do.
-- 
Mark Elkins m...@posix.co.za
Posix Systems



Algorithm 'When to use EDNS0'?

2011-11-29 Thread Mark Elkins
I'm Running Bind 9.7.3-P3 (Gentoo build)...

When does 'EDNS' get brought into the picture?
A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) -
but a dig without '+dnssec' and actually asking for the 'dnskey' records
for a domain - which is over 512 bytes - does a Truncated, retrying in
TCP Mode on me - even when asking localhost.

I thought that EDNS0 was negotiated or pretty much the default and didn't
have to be kicked into action. Is this some sort of safety default
feature I need to de-activate via named.conf (which has no mention of
EDNS anything)?

I'd honestly never noticed this before...
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: dnssec-keygen not responding

2011-11-30 Thread Mark Elkins
On Wed, 2011-11-30 at 13:45 -0600, Michael Graff wrote:
 On Nov 30, 2011, at 3:01 AM, Torsten Segner wrote:
  In RHEL there is a RPM package called unuran. 
  It's a random number generator daemon using either a piece of hardware or 
  /dev/urandom as source. Running this will provide enough entropy to create 
  lots of keys.
 
 I'd be rather wary of keys made from /dev/urandom but I am often times a 
 paranoid security freak.
 
 For my VM environment, I bought a USB random source, and share it across the 
 VMs with a little daemon I wrote.  Of course, you could just map the RNG into 
 the VM you need too, and even move it around.
 
 --Michael

I installed the 'haveged' package, www.irisa.fr/caps/projects/hipsor
Sort of reads 'entropy' from the CPU and feeds it into /dev/random
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: Algorithm 'When to use EDNS0'?

2011-11-30 Thread Mark Elkins
On Tue, 2011-11-29 at 15:36 +0200, Mark Elkins wrote:
 When does 'EDNS' get brought into the picture?
 A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) -
 but a dig without '+dnssec' and actually asking for the 'dnskey' records
 for a domain - which is over 512 bytes - does a Truncated, retrying in
 TCP Mode on me - even when asking localhost.

Thanks for the private replies...

All this comes about as I had the expectation that DIG would run in a
similar way to any other 'dns lookup' - which it currently doesn't.
Neither does it have any form of config file. So adding '+dnssec'
obviously adds the '+edns=0' switch. I'm told that in a future software
release that '+edns=0' will be default behaviour - that sounds like a
reasonable thing to do.
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: DNSSEC authentication and ad parameter

2012-01-10 Thread Mark Elkins
It is working.

--
$ dig test.nknsec.in +dnssec

; <<>> DiG 9.8.1 <<>> test.nknsec.in +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4578
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test.nknsec.in.            IN  A

;; ANSWER SECTION:
test.nknsec.in. 352 IN  A   10.1.27.25
test.nknsec.in. 352 IN  RRSIG   A 5 3 360 20120204072952 
20120105072952
16755 test.nknsec.in.
DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT
6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01
lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48 lsM=

;; AUTHORITY SECTION:
test.nknsec.in. 349 IN  NS  ns1.nknsec.in.
test.nknsec.in. 349 IN  RRSIG   NS 5 3 360 20120204072952 
20120105072952
16755 test.nknsec.in. ZOVyGZh6gPB7zT9ZniOy/+NQ
+fwP00b4KagDQ1F9kCwiNjGrSxjmGQQg
VD7R8LM6R4di1BBg8ayWtLQi7dVQdhmB942zy4BH/IYSMkWOf+WtILlx
YAD64F1NoJ4GXKRH7t01fYQRMoOtr2Teuok0KdUctAQNYBOjw280RwkY h9Y=

;; Query time: 3 msec
;; SERVER: 160.124.48.16#53(160.124.48.16)
;; WHEN: Wed Jan 11 08:46:34 2012
;; MSG SIZE  rcvd: 425
-

You need a recursive resolver set up to do DNSSEC, including 'lookaside'
for the DLV checking. You CAN NOT just use one of the nameservers that
the domain uses. You need to ask that resolver. The resolver handling
the zone (ns1.nknsec.in) will not set the 'ad' bit (assumption being
there are no special configurations like views or multiple resolvers -
etc) when directly asked.

I wrote a guide on how to do this - http://dnssec.co.za/ - some time
ago. It should be still valid. On the Linux Gentoo distribution, BIND is
almost installed like this by default - except for the 'dlv' portion. I
expect other distributions are similar?

I'll ignore issues like there is only one NS record for this and the
parent (nknsec.in) - .IN allows this 
You should also be able to make the zone at the 'nknsec.in' level secure
from that point onwards as well.
 
On Wed, 2012-01-11 at 10:45 +0530, Gaurav kansal wrote:
 Dear All,
 
 I had purchased a new domain especially for DNSSEC testing.
 But when I ask my registry to insert my DS keys in .in zone file, I
 got the answer that .in is still not ready for this although .in is
 signed.
 
 I tried to authenticate my domain through ISC dlv.
 I upload my DS key there and it is showing a “GOOD” status for my
 domain but still I am not getting “ad” parameter in my dig answer.
 
 Anyone please explain what I have to do next so that I can give
 authenticated answer for test.nknsec.in domain.
 
 Zone List
 Zone Name        Status   DNSKEYs
 test.nknsec.in   Good     1
 
 Please don't print this e-mail until and unless you really need, it will
 save Trees on Planet Earth.
 
 IPv4 is Over,
 Are you ready for new Network.
 
 Thanks n Regards,
 GAURAV KANSAL
 9910118448
 VoIP - 6259
 Operation And Routing Unit
 NIC , NEW DELHI

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Mark Elkins
On Wed, 2012-01-11 at 19:26 +0100, Jan-Piet Mens wrote:
  Next great thing would be for ISC to support the Soft-HSM that
  OpenDNSSEC uses. I believe that this would make the step of moving to a
  real hardware HSM a lot easier (if necessary).
 
 BIND has supported the PKCS#11 interface (./configure --with-pkcs11)
 since 9.6 IIRC, so it ought to be possible to integrate.

Humm... 
https://lists.isc.org/pipermail/bind-users/2010-October/081508.html
(which was a failed attempt - and cry for help)

Anyone have a successful go at this? (that is replicable)

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




RE: nslookup/dig question

2012-01-25 Thread Mark Elkins
On Wed, 2012-01-25 at 16:57 +, JeanPaul Thomsin wrote:
 Antonio and John:
 
  
 
 You were right on. /var/log/messages indicated there was a problem
 with named.conf.
 
 I had done a check with named-checkconf and it found no errors, so i
 thought it was OK,
 
 but the logs said otherwise.
 
 Working now.

If I'm ever setting up a Nameserver for the first time on new kit, I
tend to run 'named' from the shell with the '-g' flag - just to 'see'
what is happening. Yes - one should check the logs - but that can be
multiple log files and it wouldn't be the first time I've made a mistake
in the logging section as well 

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: bind 9.9 inline-signing issue..

2012-01-29 Thread Mark Elkins
I agree with you. I took your example and installed bind 9.9.0b2
I also updated my 'soa' in the unsigned...

Am getting the following in my log...
Jan 29...: zone test1.co.za/IN (unsigned): loaded serial 2012012901
Jan 29...: zone test1.co.za/IN (signed): loaded serial 200105
(DNSSEC signed)

Also couldn't quite figure how to make this an NSEC3 signed zone from
inception so stuck (by 'hand')
IN  NSEC3PARAM 1 0 5 B9A3F38D
into my unsigned zone. The signed zone seems to be NSEC though

I also see...
$TTL 0  ; 0 seconds
TYPE65534 \# 5 ( 08467D0001 )
TYPE65534 \# 5 ( 0896730001 )
appearing on a secondary for this zone. What is it?
(Yes - an unknown data type - the secondary is running bind 9.8)

Next: an 'rndc sync' didn't tidy up the zone's .jnl file (much to my
disappointment)
Lastly - how does one 'view' the 'raw' format of a zone file?

I think a few examples would have helped in the documentation?

On Sun, 2012-01-29 at 11:20 -0500, Howard Leadmon wrote:
 Well after the various discussion a short while back, I decided to give
 the inline-signing a run, and after setup I must say it did appear to do
 what I expected.   Of course anything that went that easy had to have a
 snag, and it did, and at the moment I am wondering what I have missed so
 figured I would post and see if anyone had any suggestions.
 
  After setting up a zone with DNSSEC using inline-signing, I have run into
 the issue where if I do anything that updates the unsigned file that is
 input into BIND, that it never seems to update the signed data it generated.
 
  As an example, I had serial number of 2012012701 in the test zone file, and
 when I started named up it happily created the signed zone.   So then I went
 in and changed this serial to 2012012801, and performed an 'rndc reload' and
 nothing, it saw the updated unsigned zone, but never kicked off an event to
 resign the signed data it was dishing out when asked, so the changes were
 not available.   I then went and did a full restart on named, thinking maybe
 a hard restart would make it sign, but no luck, in fact it sees the zones,
 that the serial numbers are different, but never re-signs the served zone.
 
  Looking at my log I see:
 
 
 named[8422]: zone leadmon.org/IN/internal (unsigned): loaded serial
 2012012802
 named[8422]: zone leadmon.org/IN/internal (signed): loaded serial 2012012708
 (DNSSEC signed)
 named[8422]: zone leadmon.org/IN/internal (signed): receive_secure_serial:
 unchanged
 named[8422]: zone leadmon.org/IN/internal (signed): reconfiguring zone keys
 named[8422]: zone leadmon.org/IN/internal (signed): next key event:
 29-Jan-2012 11:53:54.971
 named[8422]: zone leadmon.org/IN/internal (signed): sending notifies (serial
 2012012708)
 
 
  So it is seeing that the signed and unsigned zones have different serials,
 but it's sure not picking up that I have made a change to the unsigned file,
 and that it needs to resign the zone it's serving.   
 
  As to my config over here, I have the following in the zone:
 
 zone leadmon.org {
 type master;
 file master/leadmon.org/db.leadmon.org-internal;
 key-directory keys;
 allow-transfer { 
 primary_servers;
 };
 auto-dnssec maintain;
 inline-signing yes;
 };
 
 
  Have I missed any additional commands I need to make this play correctly,
 or is something broken here that I have run into?
 
 
 
 ---
 Howard Leadmon 
 
 
 

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: bind 9.9 inline-signing issue..

2012-01-29 Thread Mark Elkins
Slept on this.
This morning 8+ hours later, no change.
Added a completely new record to the (unsigned) zone, updated the SOA
Serial and ran 'rndc reload':

Jan 30 09...: received control channel command 'reload'
Jan 30 09...: loading configuration from '/etc/bind/named.conf'
...
Jan 30 09...: zone test1.co.za/IN (signed): (master) removed
Jan 30 09...: reloading configuration succeeded
Jan 30 09...: reloading zones succeeded
Jan 30 09...: zone test1.co.za/IN (unsigned): loaded serial 2012013001
Jan 30 09...: zone test1.co.za/IN (signed): loaded serial 200105
(DNSSEC signed)
Jan 30 09...: all zones loaded
Jan 30 09...: running

So still broken in my opinion.

Also - I miss the creation of the dsset-test.co.za. file :-(

I have been using the file/directory format of...
.../pri/domain.com/db.domain.com and then sticking everything associated
with that domain in that directory. Used this for over a year now and it
works well for me (organised clutter).



Re: trying DNSSEC with 9.9-rc1

2012-02-02 Thread Mark Elkins
On Wed, 2012-02-01 at 17:18 -0500, Michael W. Lucas wrote:
 Hi,
 
 I'd put off DNSSEC because of the high maintenance requirement. But
 with 9.9 and inline signing, it looks like I can now do DNSSEC the way
 I need (static zone files that work with legacy tools, automatic key
 rotation, etc.)
 
 I see that 9.9-rc2 came out yesterday; I'm building it now, but I
 don't see anything in the relnotes that tells me this has
 changed. Unfortunately, I'm trying to figure out how to use DNSSEC
 inline signing from the Internet's ten years of DNSSEC tutorials, none
 of which exactly cover this setup. And the ARM isn't quite updated for
 this yet.
 
 If someone is kind enough to help me figure out DNSSEC, I'll happily
 blog it for the next guy who comes along. I'm sure I won't be the
 last...
 
 My understanding of the process is:
 
 1) create KSK and ZSK
 
 nstest/etc/namedb/keys;dnssec-keygen -f KSK -a RSASHA1 -b 768 -n ZONE 
 transnetworks.net
 Generating key 
 pair. 
 .
 Ktransnetworks.net.+005+54607
 nstest/etc/namedb/keys;dnssec-keygen -a RSASHA1 -b 768 -n ZONE 
 transnetworks.net
 Generating key pair.. 
 ..
 Ktransnetworks.net.+005+51087
 


As others have said


When I create a Zone-Signing-Key (ZSK) - I use...
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE posix.co.za

When I create a Key-Signing-key (KSK) - I use...
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK posix.co.za


Use the RSASHA256 algorithm. You are probably going to have to switch to
using it one day anyway - and algorithm rollovers are more complicated
than key rollovers. It also doesn't matter whether you use NSEC or NSEC3.

I have a 2048 byte Key Signing key - I expect to use the same key for a
year (and it's not so easy to roll over - depending on parents). I have a
1024 byte Zone Signing key - I only expect to have it for about one
month (and it's easy to roll over locally).

The default random device is /dev/random. This device will hang the
signing program if there is not enough random data to be fed from it - so
you might want to add -r /dev/urandom to use the pseudo-random device
instead - or install haveged, which is a random generator daemon that
feeds randomness into /dev/random (at least on my Gentoo Linux box!)
(or get a true random number generator USB dongle!)

Oh - and BIND needs to be able to find the keys, so why not create them in
the same directory as the zone file...

I now have a separate directory for each zone file, where the
appropriate keys can also be found as in

zone "posix.co.za" {
    type master;
    file "pri/posix.co.za/db.posix.co.za";
    key-directory "pri/posix.co.za";
    auto-dnssec maintain;
    inline-signing yes;
};

Hope these suggestions help.

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sat, 2012-04-21 at 20:28 -0400, Bill Owens wrote:
 On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
 Hello,
 I was setting up BIND DNSSEC and when I issue the following command the
 process never finishes.
 dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
 I straced the process and noticed the following messages
 write(2, Generating key pair., 20Generating key pair.)= 20
 gettimeofday({1335044641, 756413}, NULL) = 0
 read(3, s\2161\363\364\1s1\343\311\212\1, 64) = 13
 read(3, 0x7fffcac9c960, 51) = -1 EAGAIN (Resource temporarily
 unavailable)
 select(4, [3], [], NULL, NULL)  = 1 (in [3])
 read(3, p\32\254\352$\264:\22, 51)= 8
 read(3, 0x7fffcac9c960, 43) = -1 EAGAIN (Resource temporarily
 unavailable)
 select(4, [3], [], NULL, NULL)  = 1 (in [3])
 read(3, \370\270\363IE\342X\343, 43)  = 8
 read(3, 0x7fffcac9c960, 35) = -1 EAGAIN (Resource temporarily
 unavailable)
 select(4, [3], [], NULL, NULL)  = 1 (in [3])
 My machine is a virtual host, does anyone have any ideas what resource is
 temporarily unavailable. 
 
 /dev/random - VMs, with no keyboard or mouse, don't accumulate enough
 entropy to keep /dev/random full. Installing haveged would probably
 help; or consider generating keys on a machine with a decent amount of
 entropy and securely moving them to your VM.

 Bill.


Yes - lack of entropy, try...
dd if=/dev/random of=/dev/null bs=128 count=1
... a few times.

Check your entropy levels:
cat /proc/sys/kernel/random/entropy_avail

The package haveged does a very reasonable job - I found a description
of it at: www.irisa.fr/caps/projects/hipsor

or you can buy a hardware entropy source (USB dongle-like device).

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote:
 Thanks a lot, I have now resolved this issue. However, I was following
 the DNSSEC in 6 minutes guide [1]
 for learning purposes and I have followed all the steps up to you are
 now serving DNSSEC signed zones.

Reading the presentation - which dates itself...

Slide 16: rather use
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE zonename   (for ZSK)

Slide 18: Also use RSASHA256 for the KSK. I personally use just 2048
bits for the KSK.

This avoids you having to do an algorithm rollover - which is a royal
pain in the proverbial. It's also what the 'root' uses.
('dig @i.root-servers.net. . dnskey' gives:
'DNSKEY 257 3 8' - and - 'DNSKEY 256 3 8')
The '8' part is algorithm RSASHA256; you probably have a '5' there.

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Bind 9.9.x inline signing

2012-06-03 Thread Mark Elkins
Eventually got down to some experimenting again.
These are observations - which may help others.

I followed example 1 of Evan Hunts
https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html
(I'm using bind 9.9.1)

I did change the name of the zone and didn't bother with
allow-transfer - using the default behaviour of BIND instead (using
the NS records in the zone instead)

I first created the zone and got it working normally between two
machines (on the same LAN, etc.). This works fine: add a record to the
first zone, bump the SOA serial, rndc reload, and the slave gets the
update notify.

I then went through the example and added automatic DNSSEC.

The slave no longer seems to get a NOTIFY - I had to stop, remove the
saved slave file, and restart the slave to force the transfer.

Initially, making a change to the unsigned zone works.
(Edit unsigned, add data, bump SOA by one, save, rndc reload)
Log:  03-Jun-2012 17:23:35.941 general: info: zone yellowbutton.co.za/IN
(signed): serial 2012060307 (unsigned 2012060304)

I didn't like the fact that the unsigned serial (which I manage) was
lower than that of the signed zone. Making it bigger than the signed
zone's version appears to have gotten the zones back in sync - however
the slave is still not getting any NOTIFYs (and has not yet caught up).
I also expect that in the future, any 'magic BIND key-signing' may also
de-sync my unsigned zone's concept of the current SOA serial as well.

It's the apparent lack of NOTIFYs that's really bugging me. I did modify
the secondary zone config in named.conf and added
masterfile-format text;
- which saves the zone in nice, easy to debug, ASCII.
Is the NOTIFY from 'inline-signing' zones currently broken?


-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: VMware Bind

2012-06-05 Thread Mark Elkins
Just make sure you have an adequate supply of Randomness if playing with
DNSSEC (or any key generation stuff).

On Tue, 2012-06-05 at 13:33 -0400, jcarrol...@cfl.rr.com wrote:
 Technically VMware is not the OS but the hypervisor that controls other OS's, 
 such as Windows or Linux. I've implemented BIND 9 on Solaris 10 x86 running 
 on a VMware with no issues.
 
 JC
  Manson wrote: 
  Will bind run on VMware?

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: Bind 9.9.x inline signing

2012-06-08 Thread Mark Elkins
Some updates:

Eventually got VirtualBox to behave and now have two virtual instances
of Gentoo/BIND on my box. Now I have a cleaner test environment.

Rebuilt Evan's demo and it's now working well. Running BIND 9.9.1 and
'haveged' on both machines. I have modified my 'signer' script so if the
zone type is 'Auto', I just manage the keys and BIND does the rest. The
script also checks the SOA of the signed zone and brings the unsigned
zone up to the same serial number. Seems to be keeping in sync now.

Some other 'changes' I've made, I create keys with SHA256 rather than
SHA1, thus my 'dnssec-keygen' invocation looks like:
dnssec-keygen -a RSASHA256 -b 1024
dnssec-keygen -fk -a RSASHA256 -b 2048 

So I have a beautiful NSEC managed zone - on to test with NSEC3!



-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
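An added example, not the poster's 'signer' script, showing the serial-sync step it describes: read the signed and unsigned serials from the log line quoted in the earlier post, compare them RFC 1982 style, and raise the unsigned zone file's SOA serial to match. The zone text and log line below are constructed.

```python
import re

SERIAL_MAX = 1 << 32
# Shape of the inline-signing log line quoted in the earlier post:
#   zone <name>/IN (signed): serial <signed> (unsigned <unsigned>)
LOG_RE = re.compile(
    r"zone (?P<zone>\S+)/IN \(signed\): serial (?P<signed>\d+) "
    r"\(unsigned (?P<unsigned>\d+)\)")


def parse_inline_signing_log(line):
    """Return (zone, signed_serial, unsigned_serial) from the log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("zone"), int(m.group("signed")), int(m.group("unsigned"))


def serial_lt(a, b):
    """RFC 1982 comparison: True when serial a is 'behind' b, wraparound included."""
    a %= SERIAL_MAX
    b %= SERIAL_MAX
    return (a < b and b - a < (1 << 31)) or (a > b and a - b > (1 << 31))


def _soa_serial_span(zone_text):
    """Offsets (start, end) of the SOA serial in zone-file text.

    Walks tokens after 'SOA', ignoring ';' comments and parentheses, so the
    usual multi-line SOA layout works: mname, rname, then the serial.
    """
    soa = re.search(r"\bSOA\b", zone_text)
    if not soa:
        raise ValueError("no SOA record found")
    pos = soa.end()
    seen = 0
    for m in re.finditer(r";[^\n]*|[()]|[^\s();]+", zone_text[pos:]):
        tok = m.group(0)
        if tok.startswith(";") or tok in ("(", ")"):
            continue
        seen += 1
        if seen == 3:
            if not tok.isdigit():
                raise ValueError(f"expected numeric serial, found {tok!r}")
            return pos + m.start(), pos + m.end()
    raise ValueError("SOA record is truncated")


def read_soa_serial(zone_text):
    start, end = _soa_serial_span(zone_text)
    return int(zone_text[start:end])


def sync_unsigned_serial(zone_text, signed_serial):
    """Raise the unsigned file's serial to the signed zone's when it is behind.

    Returns (new_text, old_serial, new_serial); the text is left untouched when
    the unsigned serial is already equal or ahead.
    """
    start, end = _soa_serial_span(zone_text)
    old = int(zone_text[start:end])
    if not serial_lt(old, signed_serial):
        return zone_text, old, old
    return zone_text[:start] + str(signed_serial) + zone_text[end:], old, signed_serial


# Constructed unsigned zone file, serial behind the signed copy as in the log line.
UNSIGNED_ZONE = """\
$TTL 3600
@   IN  SOA ns1.yellowbutton.co.za. hostmaster.yellowbutton.co.za. (
        2012060304 ; serial
        7200       ; refresh
        3600       ; retry
        1209600    ; expire
        3600 )     ; minimum
    IN  NS  ns1.yellowbutton.co.za.
"""
LOG_LINE = ("03-Jun-2012 17:23:35.941 general: info: zone yellowbutton.co.za/IN "
            "(signed): serial 2012060307 (unsigned 2012060304)")

if __name__ == "__main__":
    zone, signed, _unsigned = parse_inline_signing_log(LOG_LINE)
    new_text, old, new = sync_unsigned_serial(UNSIGNED_ZONE, signed)
    print(f"{zone}: unsigned serial {old} -> {new}")
```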



Re: Verify raw data within slaves on 9.9.x

2012-06-12 Thread Mark Elkins
On Mon, 2012-06-11 at 15:51 -0700, Walter Smith wrote:
 Folks,
 
 
 What tools/commands I can run to get plain ascii/text data out of
 modern raw/binary on BIND 9.9.x slaves?
 I just want to verify that changes are correct down to the slaves. So
 - I can check-in these changes into svn etc.

If you always want 'ascii' - then configure it so in 'named.conf'

zone "example.com" {
    type slave;
    file "sec/db.example.com";
    masterfile-format text;
    masters {
        192.168.1.1;
    };
};

However - I guess it's a little less efficient than the new default 'raw'
mode, especially for large zones. Consider a change of approach, and if
it's just an automated check - try 'dig'? I'm finding with in-line
signing that zones are often spread about in journal files - which makes
options like 'dig' a better way to go. Otherwise - you may have to first
run 'rndc sync -clean the.zone'.

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Mark Elkins
On Sat, 2012-06-23 at 22:34 +, Spain, Dr. Jeffry A. wrote:
 I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8.
 The Bv9ARM doesn't discuss this procedure explicitly as far as I can
 tell, but section 4.9 presents some clues. I'd like to ask the experts
 on this list if the following procedure might accomplish an algorithm
 rollover cleanly.

Before in-line signing existed, I rolled my keys from algorithm 5 to 8.
I was thus using dnssec-signzone to perform the signing. I had also
generated my own keys, both KSK and ZSK. ZSK's and KSK's up until then
were running their own life-cycles independently from each other. I
thought this 'independence' was good as DNSSEC events would happen
spread around the year.

I discovered that if there was not at least one KSK and ZSK of the same
algorithm, dnssec-signzone would fail. If one goes with defaults, KSK
life of one year and ZSK of one month, effectively to roll a key
algorithm and without forcing the roll-over by removing all the old
key/algorithm at the same time, you have to wait for a KSK to 'expire'
then add a new algorithm key pair together. As soon as the last old
algorithm KSK expires, there must no longer be any old algorithm ZSK's
left, but old algorithm ZSK's must be around until this event.
That is - at the time of roll-over - you have a KSK/ZSK pair using the
old algorithm and a pair using the new algorithm, obviously with
appropriate DS's in the Parent.

(That should make sense)

So, if you only have a very few signed zones, it's possibly easier to
resign them from scratch, or force a roll-over. (Avoid the pain!)
If you re-do everything at the same time - then DNS signing events may
no longer be scattered around the year - maybe not a good thing.

I'd expect in-line signing to be of a similar nature unless algorithm 7
and 8 keys can as such 'speak for each other'.

My advice, test mixing old and new algorithm keys by signing with
dnssec-signzone and presume the same rules exist for in-line signing
too.
I'd look for a solution that 'upgrades' a zone to using a new Key
algorithm at the scheduled time of a KSK roll-over.  

I'm sure you'll post the results here!
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
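As an added example (not the poster's script), a small Python checker for two points made in these threads: the algorithm number in 'dig ... DNSKEY' output (8 is RSASHA256, 5 is RSASHA1), and the rule that every algorithm present must have both a KSK and a ZSK before dnssec-signzone will sign. Owner names, the placeholder key material and the sample RRsets are constructed.

```python
import re
from collections import defaultdict

# Algorithm numbers from the IANA DNS Security Algorithm Numbers registry
ALGORITHM_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
    10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
}
KSK_FLAGS = 257   # ZONE + SEP bit: the key the parent's DS points at
ZSK_FLAGS = 256   # ZONE only

# Full-form line:  <owner> [ttl] [IN] DNSKEY <flags> <protocol> <alg> <base64...>
FULL_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+\S")
# 'dig +short' form:  <flags> <protocol> <alg> <base64...>
SHORT_RE = re.compile(r"^(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+\S")


def parse_dnskeys(dig_output, default_owner="."):
    """Return (owner, flags, protocol, algorithm) for each DNSKEY line in dig output."""
    keys = []
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # dig comment / header lines
            continue
        m = FULL_RE.match(line)
        owner = m.group("owner") if m else default_owner
        if m is None:
            m = SHORT_RE.match(line)
        if m is None:
            continue
        keys.append((owner, int(m.group("flags")), int(m.group("proto")),
                     int(m.group("alg"))))
    return keys


def algorithms_in_use(keys):
    """Sorted algorithm numbers present: the '8' (or '5') the post refers to."""
    return sorted({alg for _, _, _, alg in keys})


def check_key_mix(keys):
    """Problems with the KSK/ZSK mix.

    The post's observation: dnssec-signzone fails unless every algorithm present
    has at least one KSK and one ZSK, so a mid-rollover zone must carry a complete
    pair for the old algorithm and a complete pair for the new one.
    """
    roles = defaultdict(set)
    problems = []
    for owner, flags, proto, alg in keys:
        if proto != 3:
            problems.append(f"{owner}: DNSKEY protocol field is {proto}, must be 3")
        roles[alg].add(flags)
    for alg, flagset in sorted(roles.items()):
        name = ALGORITHM_NAMES.get(alg, f"algorithm {alg}")
        if KSK_FLAGS not in flagset:
            problems.append(f"{name}: ZSK present but no KSK (257)")
        if ZSK_FLAGS not in flagset:
            problems.append(f"{name}: KSK present but no ZSK (256)")
    return problems


def legacy_sha1_algorithms(keys):
    """Algorithms 5 and 7 (RSA/SHA-1), the ones the thread recommends moving away from."""
    return sorted(alg for alg in algorithms_in_use(keys) if alg in (5, 7))


# Constructed samples; the key material is a placeholder, not real key data.
ROOT_STYLE = """\
; <<>> DiG 9.9.1 <<>> @i.root-servers.net . dnskey
.\t172800\tIN\tDNSKEY\t257 3 8 AwEAAa==
.\t172800\tIN\tDNSKEY\t256 3 8 AwEAAb==
"""
MID_ROLLOVER = """\
257 3 5 AwEAAc==
256 3 5 AwEAAd==
257 3 8 AwEAAe==
256 3 8 AwEAAf==
"""
INCOMPLETE_ROLLOVER = """\
257 3 5 AwEAAc==
256 3 5 AwEAAd==
256 3 8 AwEAAf==
"""

if __name__ == "__main__":
    for label, sample in (("root", ROOT_STYLE), ("mid-rollover", MID_ROLLOVER),
                          ("incomplete", INCOMPLETE_ROLLOVER)):
        keys = parse_dnskeys(sample, default_owner="example.co.za.")
        print(label, algorithms_in_use(keys), check_key_mix(keys) or "ok")
```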




Re: rndc signing -nsec3param

2012-08-12 Thread Mark Elkins
Have a look in the BIND log files when you are doing this

Look for lines containing: zone_addnsec3chain

for example, try changing just the salt...
(which is something one might do periodically...)
It all starts to make more sense.

I agree with the original posting thought - some more examples might
make this all much clearer.

On Sun, 2012-08-12 at 17:40 +, Evan Hunt wrote:
 On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
  looks like this: 'rndc signing -nsec3param 1 0 10  example.com'
  means:-
  - SHA-1 is used for hashing.
  - opt-out is turned off.
  - iteration is done 10 times.
  - the  is the salt.
  Am I right? So what kind of command I should enter if I were to use
  SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
  and salt is FF?
  Does it looks like this: 'rndc signing -nsec3param 2 1 15 FF 
  example.com'?
 
 SHA-256 is not (yet?) a defined hash algorithm for NSEC3, so the hash
 argument can only currently be set to 1.  (It would be nice if you could
 just omit it completely, since it's invariant, but we may add other hashes
 to NSEC3 in the future and had to allow for that.)
 
 The flags field may someday contain more values than just opt-out, too,
 but right now that's the only defined flag, and it's the low-order bit
 in the field, which is to say 1.  So you set opt-out by setting flags to
 1, and you unset it by setting flags to 0.
 
 There's a known bug with the salt field -- it's supposed to allow you
 to omit the salt by using a hyphen ('-') instead of a salt, but that
 doesn't work in rndc signing -nsec3param.  This will be fixed
 in 9.9.2.
 
 The order and format of arguments given here precisely matches those in the
 NSEC3PARAM RR type. For example right now .ORG has NSEC3PARAM set to:
 
 org.   900  IN  NSEC3PARAM 1 0 1 D399EAAB
 
 To duplicate that you'd use rndc signing -nsec3param 1 0 1 D399EAAB zone.
 

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: Version statement...

2012-08-19 Thread Mark Elkins
I don't understand the problem...

Before I changed my 'named.conf' and added a 'version "BIND";' line to
the options section - I got...

dig @localhost chaos txt version.bind +short
9.9.1-P2

Stopped and restarted BIND, Now I get...

# dig @localhost chaos txt version.bind +short
Porcupine Meatballs\0101 pound ground beef chuck\0101 cup instant rice
\0101 egg\0101 onion, diced\0101 can tomato soup\010salt and pepper
\010Mix ground beef with rice, egg, onion, salt and pepper. Shape into
balls about the size of golf balls and place in 2 quart baking dish.

named -v gives 
BIND 9.9.1-P2

Your recipe may vary?

On Fri, 2012-08-17 at 22:55 -0500, Jeff Justice wrote:
 Okay, I have confirmed the correct named.conf file by simply removing it then 
 restarting bind.  It throws an error until replaced.
 
 So any other ideas why the version directive won't work?  Can anyone confirm 
 with 9.9.1-P2?
 
 Jeff
 
 
 On Aug 17, 2012, at 9:02 PM, Michael Hoskins (michoski) micho...@cisco.com 
 wrote:
 
  -Original Message-
  
  From: Jeff Justice listacco...@starionline.com
  Date: Friday, August 17, 2012 6:10 PM
  To: bind-users@lists.isc.org bind-users@lists.isc.org
  Subject: Re: Version statement...
  
  Okay, here's what I know:
  
  named-checkconf says there are no errors.
  There is only one named process running.
  When I apply my edited named.conf, the log shows named stopping and
  restarting with no errors.
  
  How can I check to see the path where my named process thinks named.conf
  is located?
  
  I think configuration and OS tools are your best bet...
  
  You could check ps if you haven't already (sometimes it's there), you
  could check /etc/sysconfig/named or /etc/rc.conf*, or grep init scripts.
  You could use lsof and look for clues.
  
  
 

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: ho to filter hundeds of domains ?

2012-08-30 Thread Mark Elkins
On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote:
 On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
  On Thu, Aug 30, 2012 at 03:16:32PM +0200,
   fddi f...@gmx.it wrote 
   a message of 15 lines which said:
  
  Actually many telephone companies in the world are doing this, 
  
  They're wrong politically (censorship) and they're wrong technically
  (see O'Reilly's answer).
  
  Copying telephone companies is not a good idea for the Internet :-)
 
 Still, that kind of setup is *mandatory* for ISPs in Italy :-\

Is the mandatory setup to actually use 'DNS' to block access to gambling
sites? It's easy enough to script an automatic update if someone central
and with the necessary authority decides what is not allowed (eg a
governmental man). Could even stick the 'bad' names in DNS to do the
distribution.

Suggestion: Don't listen to Niall O'Reilly - although he may be right.
(tongue firmly stuck in cheek)

Note to self, run own recursive DNS resolver on my laptop whilst
travelling in Italy.

8.8.8.8 ?

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: Suspecious DNS traffic

2013-03-26 Thread Mark Elkins
Maybe I can try.

In the very old days - when BIND as a recursive resolver was chasing
down an answer to a question, it would send the remote authoritative DNS
server the query in a UDP packet which had a query ID that was numbered
sequentially.

This was bad as bad people could guess your next query ID and send back
their own answers.

Then BIND randomised this 16 bit query ID which made it more difficult.
Tie that in with a reasonable TTL, so answers are cached - and the world
was a better place. We asked and received answers all on port 53.

Then Dan Kaminsky (actually a good guy) discovers a protocol weakness
which somewhat negated the effectiveness of the randomness of the 16 bit
query ID. The short term solution for this is to add some more
randomness in the query. A resolving name-server will now ask an
authoritative server on port 53 but will ask from an almost random port.
The Answer has to come back from port 53 but to the same random port and
obviously with the same Query ID (or maybe ports are the other way
around?)

You can by configuration restrict or even remove this extra randomness -
but it makes it easier for bad people to pollute your cache with bad
answers.

The Security Solution is to run DNSSEC - ie Sign all your own zones and
to use DNSSEC recursive resolvers. You'll then ignore bad answers.

If I start 'named' with the '-g' option - I get:
26-Mar-2013 ... using default UDP/IPv4 port range: [1024, 65535]
26-Mar-2013 ... listening on IPv4 interface lo, 127.0.0.1#53

I believe this is BIND telling me it's intending to use port 1024 to
port 65535 as the local source of queries. This is a Good Thing.

Your Firewall could be configured to allow BIND to do this.

One alternative is to lock BIND and the Firewall to only allow port 53
queries and have them all forwarded to a recursive name-server on the
outside of your firewall. If I sell machines - I think this is a great
solution (I sell more machines).

Don't restrict the Randomness that Queries can use. Even with DNSSEC -
the majority of the Internet's DNS is not yet signed.

If my explanation is not quite right - I'm pretty sure it's at least in
the right direction.

On Wed, 2013-03-27 at 02:40 +0800, babu dheen wrote:
 Dear Matus,
  
 I think you got my point. Yes. I am using Stateful Firewall and not
 sure my DNS server connecting to remote DNS  on non standard port?
  
 So where i need to now look?
  
 Regards
 Papdheen M
 
 
 
 From: Matus UHLAR - fantomas uh...@fantomas.sk
 To: bind-users@lists.isc.org 
 Sent: Monday, 25 March 2013 7:46 PM
 Subject: Re: Suspecious DNS traffic
 
 
 On 26.03.13 00:21, babu dheen wrote:
 Hi Matus,
 
 please, skip personal replies. This is a mailing list and issues should
 be discussed here.
 
 Still not convinced because if i need to allow 1024 port from our
 DNS server to external world (internet).. where is the security?
 
 If you have a stateful firewall, you simply need to allow open
 connections (stateful firewalls can track outgoing UDP packets and match
 the replies). If not, you have to allow all traffic from port 53 on
 remote DNS servers to your DNS server. Since you can't know all DNS
 servers, you have to allow all incoming traffic to your DNS server where
 the source port is 53.
 
 All the security is useless if it blocks your service. Luckily, most
 firewalls can track the connection state.
 -- 
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
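As an added illustration, not from the poster or from BIND's own code, a Python model of the matching a resolver does on a reply: source address, source port 53, destination port, message ID and question must all agree with an outstanding query before the answer is used. guess_space_bits() shows how the default [1024, 65535] port range reported above compares with a single fixed port; server addresses and names are constructed.

```python
import math
import random
from dataclasses import dataclass

ID_SPACE = 1 << 16              # 16-bit DNS message ID
DEFAULT_PORTS = (1024, 65535)   # the range the quoted 'named -g' line reports


@dataclass(frozen=True)
class Pending:
    server: str
    qname: str
    qtype: str


class ResolverModel:
    """Outstanding-query table of a recursive resolver (simplified model).

    A reply is accepted only if it comes from the server that was asked, from
    port 53, to the exact (source port, message ID) pair the query used, and
    repeats the question that was asked.
    """

    def __init__(self, ports=DEFAULT_PORTS, rng=None):
        self.port_low, self.port_high = ports
        self.rng = rng or random.SystemRandom()
        self.pending = {}   # (our_port, msg_id) -> Pending

    def send_query(self, server, qname, qtype="A"):
        """Pick a fresh random (port, id) pair and record the question."""
        while True:
            port = self.rng.randint(self.port_low, self.port_high)
            msg_id = self.rng.randrange(ID_SPACE)
            if (port, msg_id) not in self.pending:
                break
        self.pending[(port, msg_id)] = Pending(server, qname, qtype)
        return port, msg_id

    def receive(self, src_ip, src_port, dst_port, msg_id, qname, qtype="A"):
        """True (and the slot is cleared) only if every field matches; else dropped."""
        entry = self.pending.get((dst_port, msg_id))
        if (entry is None or src_port != 53 or src_ip != entry.server
                or (qname, qtype) != (entry.qname, entry.qtype)):
            return False
        del self.pending[(dst_port, msg_id)]
        return True


def make_model(seed, ports=DEFAULT_PORTS):
    """Deterministic model for testing; production code would keep SystemRandom."""
    return ResolverModel(ports=ports, rng=random.Random(seed))


def guess_space_bits(ports=DEFAULT_PORTS):
    """log2 of the (port, id) combinations a reply must hit to be accepted."""
    low, high = ports
    return math.log2(ID_SPACE * (high - low + 1))


if __name__ == "__main__":
    r = ResolverModel()
    port, mid = r.send_query("192.0.2.53", "www.example.co.za")   # constructed
    print("accepted:", r.receive("192.0.2.53", 53, port, mid, "www.example.co.za"))
    print("default range: %.1f bits, single port: %.1f bits"
          % (guess_space_bits(), guess_space_bits((5353, 5353))))
```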




Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD Named.

2013-03-29 Thread Mark Elkins
Try using a simpler, short MD5 key.

I seem to remember that DHCP doesn't like non-MD5 keys (eg SHA).
There was also some sort of length bug? - try a 128 bit length.

On Fri, 2013-03-29 at 06:19 -0600, Jim Bucks wrote:
 After working on this some more overnight.  
 
 I can add records interactively via nsupdate (as shown below).  But,
 cannot get the same results from an ipconfig /release  /renew from a
 workstation.  I am totally stumped at this point.
 
 Any ideas (and yes, I did do over the semicomplete URL provided
 by ?Alex?).  The only difference I can see is that I used a 512 bit
 key vs the examples 128bit key. And, I'm using a slaves/ directory vs
 internal/ directory for the zones files.
 
 Jim
 
 
 INTERACTIVE WORKS
 
 [root@dns04 chroot]# nsupdate
   server 127.0.0.1
   key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
   update add 101.20.10.172.in-addr.arpa. 3600 in ptr proccilap.dhcp.coloradostudios.com.
 
   update add proccilap.dhcp.coloradostudios.com. 86400 a 171.10.20.101
 
 
 [root@dns04 slaves]# ll
 total 24
 -rw-r--r-- 1 named named  400 Mar 28 15:08 db.172.10.20
 -rw-r--r-- 1 named named  792 Mar 29 05:54 db.172.10.20.jnl
 -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
 -rwxrwx--- 1 named named  362 Mar 28 13:41 db.dhcp.coloradostudios.com
 -rw-r--r-- 1 named named  782 Mar 29 05:56 db.dhcp.coloradostudios.com.jnl
 [root@dns04 slaves]#
 
 
 [root@dns04 chroot]# rndc freeze
 [root@dns04 chroot]# rndc thaw
 
 
 [root@dns04 slaves]# ll
 total 16
 -rw-r--r-- 1 named named  433 Mar 29 05:58 db.172.10.20
 -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
 -rw-r--r-- 1 named named  381 Mar 29 05:58 db.dhcp.coloradostudios.com
 [root@dns04 slaves]#
 
 
 [root@dns04 slaves]# cat db.172.10.20
 $ORIGIN .
 $TTL 86400      ; 1 day
 20.10.172.in-addr.arpa  IN SOA  dns04.coloradostudios.com. sysmgr.hd.net. (
                                 2013032605 ; serial
                                 10800      ; refresh (3 hours)
                                 3600       ; retry (1 hour)
                                 604800     ; expire (1 week)
                                 86400      ; minimum (1 day)
                                 )
                         NS      dns04.den.coloradostudios.com.
 $ORIGIN 20.10.172.in-addr.arpa.
 $TTL 3600       ; 1 hour
 101                     PTR     proccilap.dhcp.coloradostudios.com.
 
 
 [root@dns04 slaves]# cat db.dhcp.coloradostudios.com
 $ORIGIN .
 $TTL 86400      ; 1 day
 dhcp.coloradostudios.com IN SOA dns04.coloradostudios.com. sysmgr.axs.tv. (
                                 2013032804 ; serial
                                 10800      ; refresh (3 hours)
                                 3600       ; retry (1 hour)
                                 604800     ; expire (1 week)
                                 86400      ; minimum (1 day)
                                 )
                         NS      dns04.coloradostudios.com.
 $ORIGIN dhcp.coloradostudios.com.
 proccilap               A       171.10.20.101
 [root@dns04 slaves]#
 
 
 IPCONFIG /RELEASE  /RENEW DOES NOT WORK
 
 Mar 29 06:10:33 dns04 dhcpd: Wrote 2 leases to leases file.
 Mar 29 06:10:33 dns04 dhcpd: DHCPRELEASE of 172.10.20.101 from
 00:0b:cd:33:b6:49 (proccilapxp) via eth1 (found)
 Mar 29 06:10:43 dns04 dhcpd: DHCPDISCOVER from 00:0b:cd:33:b6:49 via
 eth1
 Mar 29 06:10:44 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
 00:0b:cd:33:b6:49 (proccilapxp) via eth1
 Mar 29 06:10:44 dns04 dhcpd: Unable to add forward map from
 dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
 Mar 29 06:10:44 dns04 dhcpd: DHCPREQUEST for 172.10.20.101
 (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
 Mar 29 06:10:44 dns04 dhcpd: DHCPACK on 172.10.20.101 to
 00:0b:cd:33:b6:49 (proccilapxp) via eth1
 
 
 
 
 
 On Thu, Mar 28, 2013 at 2:26 PM, Jim Bucks
 jbu...@coloradostudios.com wrote:
 Hi Jim,
 
 Shouldn't there be quotes around the key string in the
 named .conf file?  I have quotes around mine in named.conf.  I
 do not have quotes around the key string in the dhcpd.conf.
 
 If this is correct, I've made sure they match (I was trying to
 genericize the key string before), but not any longer.
 
 After making sure the key strings match, I'm still getting the
 error unable to add forward map when I do a release  renew
 from a windows laptop.
 Here are the current (and live) config files.
 
 named.conf
 =
 /*
  Sample named.conf BIND DNS server 'named' configuration file
  for the Red Hat BIND distribution.
 
  See the BIND Administrator's Reference Manual (ARM) for
 details, in:
file:///usr/share/doc/bind-{
 version}/arm/Bv9ARM.html
  Also see the BIND Configuration
 GUI : /usr/bin/system-config-bind and 
  

Re: Understanding Kaminsky exploit w/bind

2013-04-15 Thread Mark Elkins
On Sun, 2013-04-14 at 21:30 -0500, Jamie Ostrowski wrote:
 Hello,
 
 I hope this isn't too off-topic, but I've been studying the Kaminsky
 DNS exploit and I have a question.
 
 According to what I've read on the topic, the Kaminsky exploit
 hijacks a whole domain, and that you can launch the attack on a
 nameserver over and over. It seems to imply you can do this
 immediately before waiting for any TTL's to expire by using a series
 of random name queries, however, I don't see how that is possible, and
 I wonder if anyone can explain this.
 
 I fired up a recursive nameserver running bind 9.4. In another window
 I started running a tcpdump session listening for traffic on port 53.
 
 If I perform a query on one of my domains the first time, for
 nonexistant-host.mydomain.com, I can see my nameserver querying the
 roots, getting a referral to the auth. nameserver for mydomain.com,
 and then seeing the query go out to that authoritative nameserver.
 
 That makes sense.
 
 However, if I then fire off another query, for
 nonexistant-host2.mydomain.com, I do not see another query going
 out to find the auth nameserver for mydomain.com - because it is
 cached in my recursive resolver.
 
 This also makes sense.

Not looking again for the authoritative NameServers for mydomain.com
makes sense but not seeing *any* queries - that is - for
nonexistant-host2.mydomain.com does not. Unless you are also somehow
authoritative for mydomain.com - how would you already know the answer
to nonexistant-host2.mydomain.com ??? Why would an answer for that
query already be cached?

Kaminsky works because it looks for random stuff that most people would
not put in their zone (so it will not have been previously cached,
positively or negatively) - so it has to be looked up by asking an
appropriate authoritative server.

You don't use Kaminsky directly on the authoritative server for the
domain that you are trying to inject false information about - it
already knows what exists and by definition - what does not exist.

   But then, after an attacker sends his first query for a
 non-existent host, if he isn't able to guess the transaction
 id to spoof a response before the real response comes in, won't
 the resolver have the cached NS records for mydomain.com stored
 with a TTL?
 
   I don't see how you can then launch successive queries for other
 non-existent hosts until the cached TTL expires for the domain
 server.
 
   If anyone can shed any light, I'd appreciate it. I've read several
 articles on this topic and it's a piece of the puzzle I've been
 stumped on.
 
 Thanks!
 
 - Jamie
   
 
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
 from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: Reverse address entries

2013-06-28 Thread Mark Elkins
On Fri, 2013-06-28 at 17:54 +, Ward, Mike S wrote:
 Hello all, is there any reason to setup reverse address entries for a
 zone? I have asked some of the admins here and the consensus from them
 is that only A records are necessary. Is this true?

(IPv4 hat on)
I've taught my staff to plan using the reverse zone file. One can easily
see which addresses have been used and which are free (sort the zone
numerically!). Far more useful than putting names and addresses into a
spreadsheet... which I suspect.. never mind...

Having a correctly configured (ie complete) reverse is very useful. Mail
and other services use the information. If you just have an IP address,
a 'dig -x IP' will give a human understandable name. Can't think of any
sane reason not to properly configure the reverse zone..
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Mark Elkins
On Fri, 2014-03-14 at 14:54 -0400, Kevin Darcy wrote:
 On 3/14/2014 2:39 PM, Maren S. Leizaola wrote:
  On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote:
  On Fri, Mar 14, 2014 at 12:33:47PM +,
Phil Mayers p.may...@imperial.ac.uk wrote
a message of 25 lines which said:
 
  dig @server zone axfr file
  diff file file.real
  If you're really paranoid, it may not be sufficient since a server may
  reply differently to normal DNS queries and to zone file transfer
  requests (for instance if the server is also authoritative for a
  child zone, see RFC 5936, section 3.2).
 
 
 
  Thank you both for your replies.
 
  I am paranoid and I don't think zone transfers are a good method.
   I want something that looks at the file, intelligently looks at each 
  record and sends the right types of queries to all the DNS servers.
 
   We are never sure how bug free bind is. As I am using other DNS 
   servers I am not sure how reliably they interact with Bind...
   So I trust nothing until it has been proven to work time and time 
   again
 
  I am surprised that there isn't a standard tool out there to do this, 
  it seems pretty obvious to me.


 Well, you're only *medium* paranoid, at most. If you were *really* 
 paranoid, you'd crypto-sign your transfers.

Makes me wonder a little

I use TSig to sign zone transfers. If I check the log file on the
receiving (slave) machine, I get something like...

14-Mar-2014 14:05:02.648 general: info: zone olpcsa.co.za/IN:
transferred serial 2014031402: TSIG ..

ie - the Serial Number transferred in.  At this point, I'm pretty darn
sure that the zone transfer with that serial No. has transferred
correctly for that zone at that time.

On the 'master' side, I have a cron driven script that keeps checksums
of my zone files. If the (md5sum) checksum for a zone file is wrong,
increment the SOA Serial, update that checksum and fire off an 'rndc
reload zone.name'. This allows updating the zone data without
remembering to update the SOA Serial. The script also keeps another file
per zone with just the last SOA-Serial in it - so it can detect if the
Serial was incremented. I run each Zone in its own sub-directory to
manage each zone's set of files (for managing DNSSEC Keys - etc).

Most zone transfers should be pretty much immediate.

If I were really paranoid:...
One could add code to the 'master' script to then run through the
appropriate 'slave' servers and 'dig' for the new SOA Serial. If a slave
does not report back the new SOA Serial after a minute or so - then
you'd have reason to become paranoid or, more sensibly, go hunt down the
reason for the failure.

Use BIND on the Master. It can, unlike NSD, generate outbound IXFRs.
You could use NSD on the Slaves - which gives you genetic diversity...

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




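Mark's cron script is only described above; as an added example (not his code), here is a shell version of that master-side check, extended with the "really paranoid" step of digging each secondary for the new serial. It assumes one directory per zone holding ZONE.db, with ZONE.md5 and ZONE.serial as bookkeeping files written by the script, and rndc and dig in PATH (the RNDC and DIG variables are assumed overrides, e.g. for testing).

```bash
#!/bin/bash
# Added example, not Mark Elkins' own cron script (which the post only
# describes): per-zone checksum bookkeeping on the master. Assumed layout:
# one directory per zone holding ZONE.db, plus ZONE.md5 and ZONE.serial
# written by this script. RNDC and DIG default to the tools in PATH and
# can be overridden (e.g. with stub functions for testing).

# Print the SOA serial of a zone file: the first all-digit field of 8 or
# more digits after the SOA record starts (refresh/retry/expire/minimum
# values are shorter). Comments after ';' are ignored.
current_serial() {
    awk '{ sub(/;.*/, "") }
         /[ \t]SOA[ \t]/ { insoa = 1 }
         insoa { for (i = 1; i <= NF; i++)
                     if ($i ~ /^[0-9]+$/ && length($i) >= 8) { print $i; exit } }' "$1"
}

# Replace the current serial with serial+1 in place (first occurrence after
# the SOA line, surrounding whitespace preserved) and print the new serial.
bump_serial() {
    local file=$1 old new
    old=$(current_serial "$file")
    [ -n "$old" ] || { echo "$file: no SOA serial found" >&2; return 1; }
    new=$((old + 1))
    awk -v old="$old" -v new="$new" '
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa && !done { idx = index($0, old)
            if (idx > 0) {
                $0 = substr($0, 1, idx - 1) new substr($0, idx + length(old))
                done = 1 } }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    echo "$new"
}

# Cron entry point for one zone: bump the serial only when the file content
# changed since the last run, record checksum and serial, reload the zone.
# Prints the new serial, or nothing when the zone was unchanged.
check_zone() {
    local dir=$1 zone=$2 file="$1/$2.db" sum stored new
    sum=$(md5sum < "$file" | cut -d' ' -f1)
    stored=$(cat "$dir/$zone.md5" 2>/dev/null || true)
    [ "$sum" = "$stored" ] && return 0
    new=$(bump_serial "$file") || return 1
    md5sum < "$file" | cut -d' ' -f1 > "$dir/$zone.md5"   # checksum of the bumped file
    echo "$new" > "$dir/$zone.serial"
    if command -v "${RNDC:-rndc}" >/dev/null 2>&1; then
        "${RNDC:-rndc}" reload "$zone" >&2
    fi
    echo "$new"
}

# Serial a secondary currently serves for the zone (empty if unreachable).
secondary_serial() {
    "${DIG:-dig}" +short +time=3 +tries=1 @"$1" "$2" SOA 2>/dev/null | awk '{ print $3 }'
}

# The "really paranoid" step: run a minute or so after the reload and
# return 1 if any listed secondary is not yet serving EXPECTED.
check_secondaries() {
    local zone=$1 expected=$2 rc=0 s got
    shift 2
    for s in "$@"; do
        got=$(secondary_serial "$s" "$zone" || true)
        if [ "$got" != "$expected" ]; then
            echo "$zone: $s serves serial '${got:-none}', expected $expected" >&2
            rc=1
        fi
    done
    return $rc
}
```
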
Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mark Elkins
On Wed, 2014-02-26 at 00:55 +, Michael McNally wrote:
A new compile-time option, configure --enable-native-pkcs11,
allows the BIND 9 cryptography functions to use the PKCS#11 API
natively, so that BIND can drive a cryptographic hardware service
module (HSM) directly instead of using a modified OpenSSL as an
intermediary.  This has been tested with the Thales nShield HSM
and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 


Has anyone tried this yet? - either using SoftHSM or a Thales HSM?

I have access to a totally unconfigured Thales netShield Connect 500.

Without reading *all* the manuals - anyone have a HowTo setup to make
one of these beasties talk PKCS#11...  a Goto page XX is acceptable..
-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496





Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mark Elkins
On Mon, 2014-03-17 at 20:06 +, Evan Hunt wrote:
 On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote:
  Yes, it was my understanding of how HSM worked. That's why I was trying to
  build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one
  side, and PKCS11 interface for zone signing on the other.
 
 I'd advise doing that with two separate BIND instances -- sign using
 pkcs11 (possibly on a hidden master) and keep that separate from your
 recursion/validation.
 
 I'm interested to read this, though, because it's a use case I hadn't
 considered. We'll have to give it some thought.  But right now there
 are three options:
 
  - build with regular openssl, no pkcs11
  - build with patched openssl, pkcs11 available via openssl shim
(configure --with-openssl=/path/to/openssl/prefix
--with-pks11=/path/to/provider.so
  - build with native pkcs11, no openssl
(configure --enable-native-pkcs11 --with-pkcs11=/path/to/provider.so)


I had not thought about that. BIND compiled with pkcs11 and no openssl
*has* to be used with an HSM (soft and Thales being the two tested
types) presumably as a Zone signer and can *not* be used as a DNSSEC
validating resolver (IMR)

One should be careful not to go mixing up the binaries!

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: tsig-key

2014-06-10 Thread Mark Elkins
If it was and is now no longer working, re-sync/reset your clock on the
machine. TSIG needs the clocks (your PC time) correct to within 5
minutes..



On Tue, 2014-06-10 at 18:56 +0300, Mohammed Ejaz wrote:
  
 
  
 
 I have an Infoblox DNS appliance and the slave is BIND
 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4. Now the problem is that zone
 transfer won't happen when I enable the TSIG key at the master server
 on Infoblox. It gives the error "client request has invalid
 signature tsig tranfer: tisg verify failure".
 
 Here is the configuration I was trying to do.
 
 My client/slave server configuration: the file tsig.key created
 under /var/named with the following entries:
 
 key TRANSFER {
 algorithm HMAC-MD5;
 #secret ODvOnAg9F2j2Y09jTQRC276h1vY=;
 secret egr5WSDQAlP54KrnWweRjg==;
 };
 
 # Master server IP
 server 195.88.245.33 {
 keys { TRANSFER; };
 };
 
 In named.conf file on the slave server:
 
 include /var/named/tsigkeys;
 
 Any help would be highly appreciated.
 
 Thanks
 
 Ejaz Sys admin
 

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: A record of domain name must be name server ?

2014-09-11 Thread Mark Elkins
On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote:
 No, what I'm saying is that if
 
 example.com owns an A record 203.0.113.48, and
 www.example.com owns an A record 203.0.113.48, then
 
 where does 48.113.0.203.in-addr.arpa point?
 
 Some people will point it at example.com, some will point it at 
 www.example.com. What you get is a mish-mosh. No consistency.

Although I prefer the use of a CNAME solution (CNAME www.example.com to
example.com), in the case of separate A (and AAAA) records, one could
point the reverse to both names. Nothing wrong with a PTR record having
more than one answer. There is then no inconsistency, just choice. After
all, pretty much every NS record has at least two Right-Hand-Sides
(Answers)


 If, on the other hand, www.example.com is a CNAME to example.com, then 
 it's crystal clear where the reverse record will point -- example.com. 
 There is no ambiguity or option for inconsistency.
 
  - Kevin
 
 On 9/10/2014 5:48 PM, Eliezer Croitoru wrote:
  Hey Kevin,
 
   This is not an issue at all.
   A PTR is different from an A record and can be used by two reverse 
   domain names and only the owner of the IP address space can define 
   them.
  I am not sure if two PTR records for two domains will be applied to 
  one IP but it is possible for two IP addresses to have the same PTR.
 
  Can we even use a CNAME as a PTR???
 
  Eliezer
 
  On 09/11/2014 12:37 AM, Kevin Darcy wrote:
  Also, have you considered the forward/reverse ambiguity that arises when
  multiple owner names resolve to the same address? To which of those
  names does the PTR point?
 
   - Kevin
 
 
 
 
 

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: A record of domain name must be name server ?

2014-09-11 Thread Mark Elkins
On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote:
 Mark,
 Depending on implementation, a PTR RRset with multiple
 records either
 
 -- only ever gets answered with the first record of the set (in
 which case the second and subsequent records of the set are just a
 waste of space), or
 -- answers in a random, cyclic and/or round-robin fashion (in which
 case, the results are non-deterministic from the standpoint of a
 client, and this can cause problems and/or confusion)


Last time I checked, ALL matching records are returned as a single
Resource Record Set - (and in the case of DNSSEC - covered with a single
signature).

What the receiver does with it is up to that receiver... as you say -
some of the information may be discarded.

 So, although the standards allow multiple RRs, in practical terms, it
 only makes sense for a PTR RRset to contain a *single* RR.

I would still disagree. When there is forward--reverse checking, one
may need the complete answer. I certainly have some processes that do an
exhaustive check.


- Kevin
 

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



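The "exhaustive check" Mark mentions is not shown in the thread; as an added example (not his code), here is a shell version that takes every PTR in the RRset into account rather than just the first, and goes beyond the thread by also checking the forward direction (each address of a host has a PTR naming it, as needed for nameserver glue). It assumes dig in PATH (the DIG variable is an assumed override for testing) and compares addresses textually, so IPv6 addresses must be given in the compressed form dig prints.

```bash
#!/bin/bash
# Added example, not one of Mark's own processes: an exhaustive
# forward-confirmed reverse check. Every PTR in an address's RRset is
# taken into account, not just the first one a client happens to see.
# Uses dig; DIG can be overridden (e.g. with a stub function for testing).
# Addresses are compared textually, so give IPv6 addresses in the
# compressed form dig prints (2001:db8::10, not 2001:0db8::10).

# All PTR names for an address, one per line (dig -x builds the
# in-addr.arpa / ip6.arpa name for v4 and v6 alike).
ptr_names() {
    "${DIG:-dig}" +short +time=3 +tries=1 -x "$1" PTR 2>/dev/null || true
}

# All A and AAAA addresses of a name, one per line. The grep drops the
# CNAME target that dig +short prints first for an aliased name.
forward_addrs() {
    { "${DIG:-dig}" +short +time=3 +tries=1 "$1" A 2>/dev/null || true
      "${DIG:-dig}" +short +time=3 +tries=1 "$1" AAAA 2>/dev/null || true
    } | grep -E '^([0-9.]+|[0-9a-fA-F:]+)$' || true
}

# Reverse direction: the address must have at least one PTR, and every PTR
# name must resolve back to the address. Returns 1 on any failure.
check_reverse() {
    local ip=$1 rc=0 name names
    names=$(ptr_names "$ip")
    if [ -z "$names" ]; then
        echo "$ip: no PTR record" >&2
        return 1
    fi
    for name in $names; do
        if forward_addrs "$name" | grep -qxF -- "$ip"; then
            echo "$ip -> $name -> $ip"
        else
            echo "$ip -> $name does not resolve back to $ip" >&2
            rc=1
        fi
    done
    return $rc
}

# Forward direction, e.g. for a nameserver that needs glue: every address
# of NAME must have a PTR naming NAME, and each of those addresses must
# pass check_reverse as well. NAME is normalised to one trailing dot.
check_host() {
    local name="${1%.}." rc=0 addr addrs
    addrs=$(forward_addrs "$name")
    if [ -z "$addrs" ]; then
        echo "$name: no A/AAAA records" >&2
        return 1
    fi
    for addr in $addrs; do
        if ptr_names "$addr" | grep -qxF -- "$name"; then
            check_reverse "$addr" || rc=1
        else
            echo "$name -> $addr has no PTR back to $name" >&2
            rc=1
        fi
    done
    return $rc
}
```
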
Re: Can I run two name servers on one host with two IP addresses?

2015-08-20 Thread Mark Elkins
On Thu, 2015-08-20 at 09:50 -0500, /dev/rob0 wrote:
 On Thu, Aug 20, 2015 at 02:07:57PM +0200, Robert Senger wrote:
  There are a number of providers out there offering secondary
  dns services for free or for a few bucks/month. Even DNSSEC
  is possible for free.
 
 This is good news!  I knew there were several good choices for free 
 DNS hosting, but this is the first I heard of them supporting signed 
 zones.
 
 https://acc.rollernet.us/help/dns/secondary.php
 
 Are there others?  I saw another one amongst your NS hosts, but that 
 seems to be your own domain.  (If you're offering secondary NS for
 free, please do mention your service here.)

Just for informational purposes...
I offer this as a paid service. Site is https://secdns.posix.co.za.
Secondaries: London (TeleHouse) and Johannesburg.
IDN aware (Puny/UTF8 names), IPv6 Connected, TSIG Management system
(supported/encouraged), DNSSEC aware (can view your DNSKEY records -
does not Sign domains).

Cost is R3 (Three South African Rand) a month per domain. That's about
US$ 3 a year.  For five or fewer names, I probably would not bother
charging. I've also done Service Swaps.

It's always a good idea to have your Nameservers geographically dispersed
to try to reduce the number of single points of failure. ie - not
just same Machine/Rack/DataCenter but also not the same City, IP-Block,
ASN, Transit Provider - etc.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: tsig indicates error

2015-07-24 Thread Mark Elkins
On Fri, 2015-07-24 at 15:44 +, Managed Pvt nets wrote:
  
  
 On 24/07/2015 5:05:24 PM, Alan Clegg a...@clegg.com wrote:
  
  Possible problems:
 Mismatched keys.
 Mismatched key names.
 Mismatched clocks.
  
 Most likely mismatched key.  I have to figure out how to make sure my
 master does not require TSIGs and my slave does not try to use them. 


TSIG is a step towards better security. Rather learn how to use it than
go backwards. I see TSIG as a step towards DNSSEC...

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: tsig indicates error

2015-07-24 Thread Mark Elkins
On Fri, 2015-07-24 at 11:05 -0400, Alan Clegg wrote:
 Possible problems:
Mismatched keys.
Mismatched key names.
Mismatched clocks.

Yes - running some sort of Time Synchronisation is often overlooked.
Check: Simultaneously run date on both machines - must be within 5
minutes of each other.
To Do: Enable NTP or similar.

As you are in Zimbabwe, Liquid should be able to provide you with IP's
for Time Servers

If you look carefully in the logs of both machines - there is often more
of a clue to the error.


 On 7/24/2015 10:52 AM, Managed Pvt nets wrote:
 
  Hi All,
   
  I have recently built a server to act as a secondary / slave for my
  zones. Built on Debian 8.1 and running BIND 9.9.5. On trying to
  transfer zones from my master I am getting this error here, what
  could I be missing:
   
  ===
  Jul 24 15:33:55 huffer named[493]: zone myzonename.co.zw/IN:
  refresh: failure trying master aaa.bbb.ccc.ddd#53 (source
  0.0.0.0#0): tsig indicates error
  ===
   
  regards,
   
  Mollatt.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: About query response on a view

2015-12-10 Thread Mark Elkins
On Thu, 2015-12-10 at 08:53 +, Okan Bostan wrote:
> Hi,
> Firstly thanks for all the responses, giving more details about our
> config:
> 
> Internal view: Internal DNS service for the internal clients. Accepts
> requests from internal IP, Recursion is on, forwarding the out of zone
> queries to our cache-only DNS servers. Also serves some zone
> information. 
> External view: Authoritative DNS service for our domain.  Accepts
> requests from external IP, No recursion, 
> 
> Also we will consider to separate the recursive and authoritative
> servers, but separating them with views isn’t a good solution?
> 
> @Eray Aslan, additional-from-cache and additional-from-auth settings
> did the trick, now server gives “query refused”
> 
> @Barry Finkel, yes I typed dig ww. At that point, every recursive
> query gives the same output. But thanks for the info. 
> 
> @Mark Elkins,In our setup, we have one machine with 2 IP addresses.
> (option 3) We are planning to use DNNSEC, Could you give more
> information about the possible DNSSEC problem?

Resolver Problem:
DNSSEC requires an appropriately configured recursive resolver that can
chase answers and signatures down from the root. It should not also be
authoritative (ie have Zones). To the best of my knowledge, answers from
Zones that the Software instance is authoritative for will never be
DNSSEC validated (AD bit set). This might not initially seem like a
problem (you trust your own setup) but things like DANE will not work,
ie DANE in an SMTP environment.

Resolver Solution:
Move the Internal Views of Authoritative Data (Internal Zones) to a Third
IP address.
Run the Recursive Server on the "Resolver Only" IP address, perhaps use
UNBOUND (I like BIND - but multiple instances of BIND is going to become
administratively painful). It MUST be the only Port 53 application on
that 3rd IP address. Basically, copy the root KSK into a file owned by
unbound and tell unbound to use that file.
# cd /etc/unbound  (whatever)
# dig . dnskey | grep 257 > root.anchors.txt
# chown unbound: root.anchors.txt
...then add "auto-trust-anchor-file: root.anchors.txt" to unbound.conf
(Confirm the authenticity of the root dnskey/KSK from
https://dnssec.co.za and other sources)

DNSSEC Signing your Zones is easy enough but I've never tried to sign an
Internal and External version of the same Zone. Why complicate life.
You'll have to hand-roll a solution.


> I fix the referral problem with Eray’s solution.
> 
> @Kevin Darcy, (a) match-clients is a C class network address space.
> (b) I explained it above. Thanks for the detailed explanation and the
> note. 
> 
> Regards,
> 
> Okan Bostan
> 
>  
> 
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Darcy Kevin
> (FCA)
> Sent: Thursday, December 10, 2015 1:43 AM
> To: bind-users@lists.isc.org <bind-us...@isc.org>
> Subject: RE: About query response on a view
> 
> 
>  
> 
> Well, there some things that are not clear from your message:
> 
>  
> 
> A) when you do your “dig”, what is your source address, what is your
> destination address, and what is your match-clients ACL for the
> internal view? These values have a bearing on what view you’re going
> to match. Seems like you’re matching the wrong view – the external
> one, which has no recursion -- and getting a mere “referral”
> forwww.google.com (root nameservers) instead of an answer.
> 
> B) you say your internal view has “forwarders”. Why? What’s the
> purpose of that? To where are you forwarding? To public resolvers like
> Google? If you’re forwarding to *yourself*, then either you created a
> forwarding loop, or (if you excluded your own IP in the match-clients
> ACL of the internal view) the forwarded query is matching the wrong
> view, without (as you show below) any allow-recursion exception, so,
> again, as expected you’re getting a mere referral instead of an
> answer. Unless you’re forwarding to an external entity that provides
> some added value (e.g. enhanced performance/availability, DNSSEC
> validation, blacklisting of known malicious domains, anti-forgery
> measures, etc.) consider just replacing the forwarder configuration
> with an appropriate “hints” zone definition in your internal view and
> letting it resolve names iteratively. You didn’t say what platform you
> were migrating from, but if it was forwarding-centric, understand that
> forwarding is much less heavily used in the BIND world.
> 
>  
> 
> NOTE: if you want to publically post ACLs containing internal address
> ranges, it’s fine to obfuscate those ranges, as long as you preserve
> their “essence”, e.g. large-versus-small,
> public-versus-private-versus-localhost. It’s only when folks obfuscate
> 

Re: About query response on a view

2015-12-09 Thread Mark Elkins
If you ever want to do DNSSEC - you are going to have a problem.

If possible - have two different servers, one for inside, one for
outside.

This could be:
(1) Two different machines
(2) One machine - virtualised - each of the two virtual machines
logically like (1)
(3) One machine with two IP addresses - one for an internal instance of
BIND (or UNBOUND or any recursive only software) - the other for
external - with BIND running Authoritatively only (or NSD or other
non-recursive system)

If you are currently running the same zone but the internal version
(view) has more information, that is - you are hiding "authoritative"
DNS information from the rest of the world - Consider why. Is it really
secret? is it on RFC1918 address space?

You could consider having a third machine (virtual or otherwise) for
that... there are multiple ways to have this working.

The purist in me says the External machine should be Authoritative only,
the Inside machine should contain No Authoritative info and that a Zone
can only have one set of information regardless of where its viewed
from.

(and never call a machine "secretproject.example.com")

Your conditions may not allow a purist solution.

And - I think the outside machine is providing a Referral to the Root in
reply to your query, which seems a reasonable thing to do.
 
On Wed, 2015-12-09 at 09:11 +, Okan Bostan wrote:
> Hello List,
> 
> We are planning to migrate to Bind dns, I'm a bit of a newbie. 
> 
> In our design we have two views; int and ext. 
> As internal view, recursion is on and we have our internal zones &
> forwarders. I have no problem with internal view.
> 
> In external view, recursion is no. Also have some zones. In testing
> external view, I can query the records in zones, that's not a problem
> also. 
> 
> But when I try to query, for example www.google.com it returns the
> root servers records by dig.
> 
>  
> 
> ;; QUESTION SECTION:
> ;ww.IN  A
> 
> ;; AUTHORITY SECTION:
> .   518400  IN  NS  D.ROOT-SERVERS.NET.
> .   518400  IN  NS  M.ROOT-SERVERS.NET.
> .   518400  IN  NS  C.ROOT-SERVERS.NET.
> .   518400  IN  NS  J.ROOT-SERVERS.NET.
> .   518400  IN  NS  G.ROOT-SERVERS.NET.
> .   518400  IN  NS  H.ROOT-SERVERS.NET.
> .   518400  IN  NS  I.ROOT-SERVERS.NET.
> .   518400  IN  NS  L.ROOT-SERVERS.NET.
> .   518400  IN  NS  F.ROOT-SERVERS.NET.
> .   518400  IN  NS  K.ROOT-SERVERS.NET.
> .   518400  IN  NS  A.ROOT-SERVERS.NET.
> .   518400  IN  NS  B.ROOT-SERVERS.NET.
> .   518400  IN  NS  E.ROOT-SERVERS.NET.
> 
>  
> 
> And status: NOERROR
> 
> 
> also in nslookup:
> 
> Name:www.google.com
> 
> Served by:
> - E.ROOT-SERVERS.NET
> - F.ROOT-SERVERS.NET
> - J.ROOT-SERVERS.NET
> - G.ROOT-SERVERS.NET
> - D.ROOT-SERVERS.NET
> - C.ROOT-SERVERS.NET
> - A.ROOT-SERVERS.NET
> 
> 
> But in our existing DNS environment, I get status: SERVFAIL to the same
> query.
> 
> 
> 
> Is this a normal behaviour ? How can I disable this Authority section
> with root server NS records?
> 
> My external view:
> 
> view "EXTERNAL" {
> 
>  
> 
> match-clients {"any";};
> 
> allow-query-on {ext_ip; };
> 
>  
> 
> recursion  no;
> 
> allow-recursion { none;};
> 
>
>   
> 
> #Include SLAVE zones
> 
> include "slave.zones";
> 
>  
> 
> #Include REVERSE zones
> 
> include “reverse.zones";
> 
>  
> 
> 
> 
>  
> 
> };// view EXTERNAL 
> 
> Regards, 
> 
> Okan.


-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: Trouble with option managed-keys

2016-05-17 Thread Mark Elkins
"managed-keys" is not a config option, try moving it outside the option
stanza, eg

options {
version ""; // remove this to allow version queries
listen-on{ 127.0.0.1; 192.168.21.101; };
listen-on-v6 { none; };
empty-zones-enable yes;
allow-query { clients; };
allow-recursion { clients; };
allow-transfer { none; };
dnssec-enable yes;
dnssec-validation yes;
};

include "/etc/root_trusted_key";

logging {
category lame-servers { null; };
};
...

Personally, I just have the text from your included file directly in
named.conf file itself.

Take a quick peek at http://dnssec.co.za



On 17/05/2016 22:35, t...@it-hluchnik.de wrote:
> Hi all,
> 
> I have a problem with DNSSEC and I don't find a solution. Maybe someone can 
> help me.
> 
> My intention is to run a bind which acts as DNSSEC enabled resolver for my 
> internal LAN. This runs on a VirtualBox instance with OpenBSD 5.9. I got a 
> precompiled package from OpenBSD, version is 9.10.3-P3.
> 
> Configuring my named, I mostly followed a howto from Calomel.org:
> 
> https://calomel.org/dns_bind.html
> 
> This is my named.conf:
> 
> root@bsd59n:/var/named/etc# egrep -v '^ *#|^ *$|^\/\/' named.conf
> acl clients {
> 127.0.0.0/8;
> 192.168.21.0/24;
> ::1;
> };
> options {
> version ""; // remove this to allow version queries
> listen-on{ 127.0.0.1; 192.168.21.101; };
> listen-on-v6 { none; };
> empty-zones-enable yes;
> allow-query { clients; };
> allow-recursion { clients; };
> allow-transfer { none; };
> include "/etc/root_trusted_key";
> dnssec-enable yes;
> dnssec-validation yes;
> };
> logging {
> category lame-servers { null; };
> };
> zone "." {
> type hint;
> file "etc/root.hint";
> };
> zone "localhost" {
> type master;
> file "standard/localhost";
> allow-transfer { localhost; };
> };
> zone "127.in-addr.arpa" {
> type master;
> file "standard/loopback";
> allow-transfer { localhost; };
> };
> 
> 
> As my named is running in a chroot jail, /etc/root_trusted_key is 
> /var/named/etc/root_trusted_key in reality.
> 
> root@bsd59n:/var/named/etc# root_trusted_key
> managed-keys {
>"." initial-key 257 3 8 
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
> };
> 
> root_trusted_key was generated as Calomel howto describes.
> 
> Now, when I try to start named with that config, I get a curious error 
> message:
> 
> 
> root@bsd59n:/var/named/etc# /usr/local/sbin/named -t /var/named -u _bind -U 4 
> -g
> 17-May-2016 21:53:14.644 starting BIND 9.10.3-P3  -t /var/named 
> -u _bind -U 4 -g
> 17-May-2016 21:53:14.644 built with '--enable-shared' '--enable-filter-' 
> '--enable-threads' '--with-libt
> ool' '--without-readline' '--with-python=/usr/local/bin/python2.7' 
> '--prefix=/usr/local' '--sysconfdir=/etc'
>  '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var' 
> '--disable-silent-rules' '--di
> sable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
> 17-May-2016 21:53:14.644 
> 17-May-2016 21:53:14.644 BIND 9 is maintained by Internet Systems Consortium,
> 17-May-2016 21:53:14.644 Inc. (ISC), a non-profit 501(c)(3) public-benefit
> 17-May-2016 21:53:14.644 corporation.  Support and training for BIND 9 are
> 17-May-2016 21:53:14.644 available at https://www.isc.org/support
> 17-May-2016 21:53:14.644 
> 17-May-2016 21:53:14.645 found 2 CPUs, using 2 worker threads
> 17-May-2016 21:53:14.645 using 2 UDP listeners per interface
> 17-May-2016 21:53:14.648 using up to 4096 sockets
> 17-May-2016 21:53:14.681 loading configuration from '/etc/named.conf'
> 17-May-2016 21:53:14.683 /etc/root_trusted_key:1: unknown option 
> 'managed-keys'
> 17-May-2016 21:53:14.686 loading configuration: failure
> 17-May-2016 21:53:14.686 exiting (due to fatal error)
> 
> 
> But named documentation and "man named.conf" both say that managed-keys is 
> a valid option.
> 
> So what's wrong here? Thanks in advance for any help.
> 
> Thomas Hluchnik
> 
> 
> 
> 

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in 

dig and IDN

2016-10-12 Thread Mark Elkins
O.S. - Linux Gentoo.
BIND/BIND Tools: BIND 9.10.4-P3

I've been using "dig axfr" to fetch signed and unsigned zones for doing
comparisons. The output is easy to parse as dig gives one line records -
fully qualified - etc.

One of the records includes some IDN (Puny) stuff..

xn--caf-dma.dnssec.co.za. A   160.124.48.8

This comes back in a dig axfr as:

café.dnssec.co.za.  86400   IN  A   160.124.48.8

If I then use "validns" on this "zone-file" - the "café" records are
marked as errors.  (record name is not valid)


Is there any way within dig to switch off the puny to UTF8 translations?
Some flag? Environmental variable?

Seems like LANG=en_US.utf8 makes the conversion happen.
I actually use LANG=en_ZA.utf8 - so I can type French from my US layout
ASCII keyboard

ps. Checking with dnssec-verify does not give this error.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
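
The post above asks for a way to stop the U-label (café) from reaching the validator. One approach that does not depend on how dig was built is to convert the decoded labels back to A-labels (xn--...) before the dump is checked. The filter below is an added example, not part of the original post and not a feature of dig or validns; it assumes dig-style one-record-per-line output and uses Python's built-in idna codec. The sample lines are constructed from the record quoted in the post. (dig builds with IDN support also accept +noidnout, which avoids the conversion at the source; the filter handles output that was already converted.)

```python
"""Turn U-labels (e.g. café) in a dig axfr dump back into A-labels (xn--...).

Added example, not from the original post.  Python's 'idna' codec implements
IDNA2003 nameprep + punycode; for the record in the post it yields the same
A-label dig decoded (xn--caf-dma).
"""

# Record types whose RDATA ends in a domain name that dig may also have decoded.
NAME_RDATA_TYPES = {"NS", "CNAME", "PTR", "DNAME", "MX", "SRV"}


def to_alabel(name: str) -> str:
    """Return `name` with every non-ASCII label encoded as an xn-- A-label."""
    trailing_dot = name.endswith(".")
    body = name.rstrip(".")
    labels = body.split(".") if body else []
    out = []
    for label in labels:
        if label.isascii():
            out.append(label)                    # plain ASCII or already an A-label
        else:
            out.append(label.encode("idna").decode("ascii"))
    return ".".join(out) + ("." if trailing_dot else "")


def normalize_line(line: str) -> str:
    """Rewrite the owner name (and name-valued RDATA) of one zone-file line."""
    stripped = line.strip()
    if not stripped or stripped.startswith(";") or stripped.startswith("$"):
        return line                              # comments, blanks, directives untouched
    fields = stripped.split()
    fields[0] = to_alabel(fields[0])
    # Layout is: owner [TTL] [CLASS] TYPE RDATA...; the type is the first token
    # after the owner that is neither a TTL nor a class.
    type_idx = None
    for i in range(1, len(fields)):
        tok = fields[i].upper()
        if tok.isdigit() or tok in ("IN", "CH", "HS"):
            continue
        type_idx = i
        break
    if (type_idx is not None
            and fields[type_idx].upper() in NAME_RDATA_TYPES
            and len(fields) > type_idx + 1):
        fields[-1] = to_alabel(fields[-1])       # target name of NS/CNAME/PTR/MX/...
    return " ".join(fields)


def normalize_zone(text: str) -> str:
    """Apply normalize_line to every line of a dig axfr dump."""
    return "\n".join(normalize_line(l) for l in text.splitlines())


# Constructed sample resembling the post's axfr output (not a real zone dump).
SAMPLE = """\
café.dnssec.co.za.  86400   IN  A   160.124.48.8
www.dnssec.co.za.   86400   IN  CNAME   café.dnssec.co.za.
xn--caf-dma.dnssec.co.za.   86400   IN  TXT "already an A-label"
"""

if __name__ == "__main__":
    print(normalize_zone(SAMPLE))
```

One caveat on the codec choice: the idna codec follows IDNA2003, so a label such as "ß" is mapped to "ss" rather than to the IDNA2008 form "xn--zca". For the Latin-1 accented names in the post the two agree; for labels where they differ, compare the result with the A-label in the unsigned zone before trusting the validator's verdict.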




Re: Troubleshooting BIND stops responding

2017-03-30 Thread Mark Elkins


On 30/03/2017 06:35, i.chu...@volga.ttk.ru wrote:
> Greetings to everyone!
>
> I'm an engineer at local ISP and we have to provide 2 DNS servers running 
> BIND for our clients. We have logs full of various BIND errors but are 
> unable to gain full understanding of the problem. The main problem is that 
> the BIND at 213.80.236.18 sometimes stops responding after working fine 
> for about a week. Then BIND just doesn't return any responses and we have 
> to restart it. There is a suspicion of a weak (because other services are 
> running normally) DoS attack but I don't know the right way to determine 
> if it is so or not. I would be glad if anyone be so kind to help us to 
> solve this issue.
>
> The machines have the IPv4 addresses: 217.23.80.4 (BIND version 9.9.4) and 
> 213.80.236.18 (BIND version 9.9.5-r3) and have to resolve hostnames only 
> for ISP customers (and refuse to resolve for others) BUT we want to be 
> able to resolve our specific zones like vtt.net for anybody trying in case 
> of authoritative nameserver failures

Stopping right here, Recursive lookup and Authoritative services are
completely different services - and require different servers
(preferably, though you could run multiple incidents of nameservers on a
single server - but that can get ugly).

Your two recursive servers should remain as recursive servers, only
giving replies to your customer base. When you start running DNSSEC,
this becomes even more important, a recursive server running as an
authoritative server for a zone can not give a proper DNSSEC reply when
asked about Zones carried in its config.

Rather keep things simple.

I would presume that you have multiple authoritative servers for your
"vtt.net" domain. If you need more redundancy, add in more authoritative
nameservers or better still an AnyCast instance. Even any of your local
Authoritative Nameservers should ask your recursive servers when they
need to look up information that is not part of the Zones they manage.
Enough of the preaching.

-oOo-

If you were to run IPv6, a number of errors would disappear, otherwise
force BIND not to do any IPv6. Adding IPv6 though would be preferable.  ;-)

Don't think though that any of this is causing your problem. You could
always upgrade your version of BIND. On my Gentoo Laptop, I'm  running
BIND 9.11.0-P3, so you are a bit behind.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: named-checkzone with multiple $ORIGIN

2017-06-05 Thread Mark Elkins
Most certainly - Yes.

You have a single zone here, thus only:

 named-checkzone example.com  example.com.zone

...should work.

Wait till you play with a reverse IPv6 zone - where I personally use
many $ORIGIN statements - saves hours of typing and makes reading the
Zones so much easier.


On 05/06/2017 15:40, Bernard Fay wrote:
> I understand what $ORIGIN is doing by reducing the typing and making
> it easier to maintain the zone files.
>
> To Tony, should I understand while using named-checkzone I need to
> enter _only_ the top domain and named-checkzone will understand the
> subdomains defined by the multiple $ORIGIN in the zone file?
>
> Thanks,
> Bernard
>
>
> On Mon, Jun 5, 2017 at 9:18 AM, Tony Finch wrote:
>
> Bernard Fay wrote:
> >
> > I took control of a DNS based on Bind 9.9.  One of the zone
> files have
> > multiple $ORIGIN for example:
>
> The key thing to understand is that $ORIGIN just controls how
> unqualified
> domain names are expanded into fully-qualified domain names. In
> particular, $ORIGIN is completely independent of zone boundaries.
>
> So in the master file you sketched out,
>
> > $ORIGIN example.com 
> > ...
> > $ORIGIN sub1.example.com 
> > ...
> > $ORIGIN sub2.example.com 
> > ...
> > $ORIGIN sub3.example.com 
> > ...
>
> The person who wrote the file is using $ORIGIN in order to abbreviate
> unqualified names in subdomains, but the subdomains are all part
> of the
> same zone.
>
> The other thing to be aware of is that it is possible to write a
> zone file
> without any fully-qualified names, which is why you have to specify the
> zone name when loading the file. (This feature is useful for empty
> zones,
> for example, but it's usually not a good idea for normal zones.)
> The zone
> name is used to set the default $ORIGIN and for the zone sanity
> checks.
>
> So, this works...
>
> > While checking the zone file with:
> > named-checkzone example.com  example.com.zone
> > named-checkzone returns ok for the first $ORIGIN.
>
> ...because the zone name you specified on the command line matches the
> contents of the master file.
>
> However,
>
> > named-checkzone sub1.example.com 
> example.com.zone
> > named-checkzone sub2.example.com 
> example.com.zone
> > named-checkzone sub3.example.com 
> example.com.zone
> > named-checkzone reports many "ignoring out-of-zone data
> (example.com )"
>
> this doesn't make sense. The master file is one single whole complete
> zone. The subdomains are not separate zones, and you can't load or
> check
> part of the file.
>
> So the error message is saying that the SOA record and the apex NS
> records
> at example.com  and loads of other records are
> not subdomains of the zone
> name that you gave on the command line. I usually encounter this
> error
> when I have accidentally got my zone name and master file name muddled
> up, and once you get used to the error message it's a useful
> consistency
> check.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
> Fitzroy: Southwesterly, veering northwesterly, 6 to gale 8,
> decreasing 5 later
> in southwest. Moderate or rough. Rain at first. Moderate or good.
>
>
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

2017-06-19 Thread Mark Elkins
Another solution could be to make one of the names a CNAME pointing to
the other name.

-or-

Just use one generic name for both services. rather than the two
"service" names.


Although in all honesty, I see nothing wrong with a lookup returning two
answers (in a single response packet)  for the one reverse query. BIND
certainly is not confused. I guess it confuses people?
I've written various scripts to do various DNS checks and have always
made (programmed for) this assumption - that there may be more than one
answer and there may also be CNAMEs involved. If other software is
confused - then perhaps it is badly written?

Some people do though, I believe, go overboard...
(dig  -x 41.185.8.21)

On 19/06/2017 09:51, Pierre Couderc wrote:
> On 06/19/2017 08:51 AM, Matus UHLAR - fantomas wrote:
>> On 19.06.17 08:03, Pierre Couderc wrote:
>>> Ok, thank you all, now I need to understand your answers...
>>
>> long story short:
>>
>> in the "125.124.123.in-addr.arpa" zone:
>>
>> 126   IN   PTR   mail.xxx.com.
>>
>> quoting your original message:
>>> What should I put for IPV4 reverse address : if I put mail.xxx.com, the
>>> reverse address will not point on ns.xxx.com, and if put ns.xxx.com,
>>> the
>>> reverse dns will not point on mail.xxx.com, and I shall have mail
>>> problem.
>>
>> you will not have problem. who told you that?
>>
> Thank you, but your way of shortening the story ignores the IPV6. bind
> and MTA are on différent computers, and different IPV6 addresses.
> If I do what you say reverse IP for DNS will point on mail.xxx.com and
> not on ns.xxx.com.
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

2017-06-18 Thread Mark Elkins
Put two reverse records in both  the IPv4 and IPv6 reverse zones

in the "125.124.123.in-addr.arpa" zone:

126   IN   PTR   mail.xxx.com.
126   IN   PTR   ns.xxx.com.

and the same sort of thing in the reverse IPv6 zone. To calculate run:-
2a01:e34:::::1122:3344
and see what question dig asks.

Nothing wrong with a machine (or interface on a machine) having more
than one name for the same address. List them all in the reverse
configuration. After all, a NS record usually has at least two records ;-)


On 18/06/2017 15:40, Pierre Couderc wrote:
> Well, we have 2 computers in xxx.com subnet provided by ISP on
> 123.124.125.126 ipV4  address and corresponding IPV6 segment
>
> mail.xxx.com :2a01:e34:::::1122:3344 for mail server
> ns.xxx.com :  2a01:e34:::::aabb:ccdd for dns server
>
> In xxx.com bind :
>
> mail A 123.124.125.126
> mail  2a01:e34:::::1122:3344
>
> ns A 123.124.125.126
> ns  2a01:e34:::::aabb:ccdd
>
> What should I put for IPV4 reverse address : if I put mail.xxx.com,
> the reverse address will not point on ns.xxx.com, and if put
> ns.xxx.com, the reverse dns will not point on mail.xxx.com, and I
> shall have mail problem.
>
> What are the best practices for this problem ?
>
> Thanks
> PC
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
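
The two replies in this thread make two points that a checking script has to honour: the ip6.arpa name is derived from the address (the reply above suggests letting "dig -x" show the question), and a reverse lookup may legitimately return several PTRs and may run through CNAMEs (the 2017-06-19 reply). The script below is an added example, not code from either post. It derives the PTR owner name for IPv4 and IPv6 and forward-confirms every PTR answer against A/AAAA data; all DNS data is constructed inline (the IPv6 addresses are made-up sample values standing in for the ones in the thread), so it runs with no network access.

```python
"""Reverse-DNS helpers: PTR owner name for an address, and forward-confirmation
of every PTR answer, allowing several PTRs per address and CNAME chains.

Added example, not from the thread.  All answers are constructed in-line.
"""
import ipaddress


def reverse_name(addr: str) -> str:
    """Owner name `dig -x` would ask for: in-addr.arpa, or ip6.arpa nibble form."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def canonical_target(name: str, cnames: dict, limit: int = 8) -> str:
    """Follow CNAMEs to the canonical name (bounded, so a loop cannot hang the check)."""
    hops = 0
    while name in cnames and hops < limit:
        name = cnames[name]
        hops += 1
    return name


def check_reverse(addr: str, ptr: dict, forward: dict, cnames: dict) -> list:
    """Forward-confirm each PTR target for `addr`.

    Returns [(ptr_target, canonical_name, confirmed), ...]; confirmed is True
    when the canonical name's A/AAAA set contains addr.  An empty list means
    there is no PTR at all, which a caller should treat as a failure too.
    """
    want = str(ipaddress.ip_address(addr))             # canonical text form
    results = []
    for target in ptr.get(reverse_name(addr), []):
        final = canonical_target(target, cnames)
        have = {str(ipaddress.ip_address(a)) for a in forward.get(final, ())}
        results.append((target, final, want in have))
    return results


# --- constructed sample data standing in for live A/AAAA, CNAME and PTR answers ---
FORWARD = {
    "mail.xxx.com.": {"123.124.125.126", "2a01:e34::1122:3344"},
    "ns.xxx.com.":   {"123.124.125.126", "2a01:e34::aabb:ccdd"},
}
CNAMES = {
    "dns.xxx.com.": "ns.xxx.com.",                     # an alias for the name server
}
PTR = {
    reverse_name("123.124.125.126"): ["mail.xxx.com.", "ns.xxx.com."],  # two PTRs, one address
    reverse_name("2a01:e34::1122:3344"): ["mail.xxx.com."],
    reverse_name("2a01:e34::aabb:ccdd"): ["dns.xxx.com."],              # PTR -> CNAME -> ns
    reverse_name("123.124.125.127"): ["old.xxx.com."],                  # stale PTR, no forward
}

if __name__ == "__main__":
    for a in ("123.124.125.126", "2a01:e34::aabb:ccdd", "123.124.125.127", "10.0.0.1"):
        print(reverse_name(a), check_reverse(a, PTR, FORWARD, CNAMES))
```

Comparing addresses through ipaddress rather than as strings matters for IPv6, where "2a01:e34::1122:3344" and "2a01:0e34:0:0:0:0:1122:3344" are the same address; a script that compares the text of a dig answer with the text in its own records will report spurious mismatches otherwise.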



Automatic Key Management

2017-09-14 Thread Mark Elkins
With BIND version 9.12  coming out - I'm wondering if I've missed any
announcements on some form of Automatic (DNS)Key Management?
Something that will create and retire keys according to some sort of policy.

Does anyone have nice and up-to-date cheat sheets of the easiest way to
do DNSSEC with BIND?  That is, using the latest features of BIND. I'd
assume that to be something along the lines of
https://kb.isc.org/article/AA-00711/205/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html
but newer.


-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: Automatic Key Management

2017-09-16 Thread Mark Elkins
On 14/09/2017 16:55, Tony Finch wrote:

> Mark Elkins <m...@posix.co.za> wrote:
>
>> With BIND version 9.12  coming out - I'm wondering if I've missed any
>> announcements on some form of Automatic (DNS)Key Management?
>> Something that will create and retire keys according to some sort of policy.
> See dnssec-keymgr (new in 9.11) which will automate ZSK management.
>
> KSKs are still difficult. I don't know of any nice software for pushing
> delegation updates through registrars. It's a fairly tedious business
> because in many cases you'll need to talk to several different parents so
> you have to write the same code in several different ways. Even the good
> APIs (Gandi, RIPE) have murky corners (EPP itself is a movable feast), and
> sometimes you may be stuck without an API and reduced to scripting
> PhantomJS or something similarly horrible.
>
> Tony.

Thanks Tony.

I've been experimenting. I'm also a Registrar for South African domains,
running EPP including DNSSEC extensions.

Couldn't find a full example /etc/dnssec-policy.conf
so came up with:-

policy default-dnssec {
    algorithm ECDSAP256SHA256;
    pre-publist zsk 1w;
    pre-publist ksk 1w;
    post-publish zsk 1w;
    post-publish ksk 1w;
    roll-period zsk 4w;
    roll-period ksk 52w;
    coverage 190d;
};

zone smtp.co.za {
    policy default-dnssec;
    directory "/etc/bind/smtp.co.za";
};

Not completely sure if what is above is completely sane. :-)
I'm playing with a zone called "smtp.co.za". This is on a stand-alone
test machine. The test entry in my named.conf looks like...

zone "smtp.co.za" {
    type master;
    file "smtp.co.za/db.smtp.co.za";
    key-directory "smtp.co.za";
    inline-signing yes;
    auto-dnssec maintain;
    update-policy { grant ddns-key zonesub ANY; };
};

When run, dnssec-keymgr completely ignores ECDSAP256SHA256 and uses RSASHA256 
(the default if no algorithm specified).
I created ECDSAP256SHA256 signatures by hand and reran dnssec-keymgr. It simply 
creates two more RSASHA256 as if there were no Keys.

I'm not a python programmer and was somewhat lost when looking inside 
dnssec-keymgr. Stumbled into /usr/lib/python3.4/site-packages/isc/keymgr.py, 
found mention of ECDSAP256SHA256 in policy.py and stopped looking.

I also like to organise my "zones" as one per directory - so all the cruft for 
one zone is stored together in one place. Looks like I'll need a "zone" entry 
per zone in dnssec-policy.conf to manage this. Pity it doesn't simply look 
inside named.conf for that information (for where the keys live).
 
Maybe someone else on this list has looked further?

On my side, I can 'import' the KSK from the properly signed zone, Generate the 
DS record and EPP it up to the Registry. That all works fine, currently with 
the push of one (web) button. Will change/add this to something RESTful. Then, 
for full automation (KSK Rollovers) - I'd need dnssec-keymgr to call an 
external script when its time to trigger some sort of "Sync" action.

Didn't spot anything to auto-generate CDS records although BIND 9.11 is 
apparently capable. 

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
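
The step between "import the KSK" and "EPP it up to the Registry" in the post above is producing the DS record. As an added example (not dnssec-keymgr's, BIND's or the registrar's code), the script below computes it from a DNSKEY in dig's presentation format: the key tag per RFC 4034 Appendix B and the DS digest per RFC 4034 section 5.1.4 (SHA-256 or SHA-384 over the canonical owner name in wire format followed by the DNSKEY RDATA). The DNSKEY it runs on is a constructed dummy for smtp.co.za, not a real key.

```python
"""Derive a DS record (key tag + digest) from a DNSKEY record.

Added example, not from the post or from BIND.  Implements RFC 4034
Appendix B (key tag) and section 5.1.4 (DS digest).  The DNSKEY in
SAMPLE_DNSKEY is a constructed dummy, not a real key.
"""
import base64
import hashlib
import struct

DIGEST_ALGOS = {2: hashlib.sha256, 4: hashlib.sha384}   # DS digest type -> hash


def name_to_wire(owner: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name: length-prefixed labels + root."""
    wire = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, digest_hex, presentation-format DS record) for a DNSKEY."""
    if digest_type not in DIGEST_ALGOS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    tag = key_tag(rdata)
    owner_fqdn = owner if owner.endswith(".") else owner + "."
    return tag, digest, f"{owner_fqdn} IN DS {tag} {algorithm} {digest_type} {digest}"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' as dig prints it."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1: idx + 4])
    return fields[0], flags, proto, alg, "".join(fields[idx + 4:])   # base64 may be split


# Constructed dummy DNSKEY: flags 257 (KSK), protocol 3, algorithm 13
# (ECDSAP256SHA256), key bytes 00 01 02 03 (base64 AAECAw==, shown split as dig does).
SAMPLE_DNSKEY = "smtp.co.za. 3600 IN DNSKEY 257 3 13 AAEC Aw=="

if __name__ == "__main__":
    tag, digest, ds = make_ds(*parse_dnskey(SAMPLE_DNSKEY))
    print(ds)
```

Before pushing the record through EPP, compare the key tag and digest with what dnssec-dsfromkey prints for the same key file; a mismatch usually means the owner name was not the zone apex or the wrong (ZSK, flags 256) key was picked up.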


Re: DNS-Format-Eroor

2017-12-18 Thread Mark Elkins
$ dig mumbai-m.site ns

; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    NS

;; ANSWER SECTION:
MUMBAI-M.site.        3380    IN    NS    win-1ikkrphg9jj.

I seemed to have cached only one nameserver - which does not make
operational sense - neither does the name I've cached.

$ dig mumbai-m.site 
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    

;; AUTHORITY SECTION:
MUMBAI-M.SITE.        3473    IN    SOA    win-1ikkrphg9jj. hostmaster.
4 900 600 86400 3600

The Zone looks like its not set up properly.. the admin has added dots
where they should not have...

The "win" and Serial No. of "4" suggests to me that this is a windows
machine, and as both nameservers are on the same IP, the administrator is
in need of some DNS training..

As for your errors, I'd guess you may run IPv6 but this person doesn't
appear to as asking for the Quad-A record returns the SOA (you got to
the right place but there is no answer to your question)

In summary - the administrator of MUMBAI-M.SITE has a broken zone
configuration.

Doing a "whois MUMBAI-M.SITE", seems they are hiding behind
"whoisguard.com" to remain anonymous - which suggests they have
something to hide. I don't get the vibe that this domain is owned by a
child or someone who needs protection from the evilness of the Internet...


On 18/12/2017 11:26, Reindl Harald wrote:
>
>
> Am 18.12.2017 um 10:16 schrieb Mohammed Ejaz:
>> Hello,
>>
>> I have several entries as below  in my  name server logs. Would any
>> one please assist me to knowing the exact reason of this,
>>
>> Also this IP 46.105.221.247 not in my trusted list.
>
> no, but it's the auth-nameserver of that domain operated by another
> fool which thinks the requirement for 2 nameservers is just for fun
>
> i guess you have an inbound mailserver using your nameserver which logs
> the warning...
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup MUMBAI-M.SITE
> Server: 127.0.0.1
> Address:    127.0.0.1#53
>
> Non-authoritative answer:
> Name:   MUMBAI-M.SITE
> Address: 46.105.221.247
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS1.MUMBAI-M.SITE
> Server: 127.0.0.1
> Address:    127.0.0.1#53
>
> Non-authoritative answer:
> Name:   NS1.MUMBAI-M.site
> Address: 46.105.221.247
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS2.MUMBAI-M.SITE
> Server: 127.0.0.1
> Address:    127.0.0.1#53
>
> Non-authoritative answer:
> Name:   NS2.MUMBAI-M.SITE
> Address: 46.105.221.247
>
>> Dec 17 05:35:39 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 05:35:40 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv  
>>   ing ns2.mumbai-m.site/:
>> reply has no answer
>>
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
>> ing ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv   

Re: disable dnssec for particular domain

2018-02-07 Thread Mark Elkins
Thanks for providing the domain name in question (testa.eu).

Indeed, port 43 whois shows no nameservers - neither does the web based
whois on whois.eurid.eu, though the name does exist in the 'eu' registry
system.

Dig gives me nothing either...

$ dig testa.eu ns +short
$ dig testa.eu ds +short

If there are no Nameservers for testa.eu in the eu zone (which appears
to be the case) - then DNSSEC in this case is a Red Herring. There is
nothing to validate.

It's possible to register a Domain in EU without supplying Nameservers.
I guess this is so people can either reserve a name for future use or
block anyone else from ever having it without the complications of
setting up Nameservers. This seems to be the case here.


On 07/02/2018 13:07, Matus UHLAR - fantomas wrote:
>> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>>> what's the difference, when the domain doesn't exist?
>>>
>>> is it because .eu is signed?
>
> On 06.02.18 16:35, Ray Bellis wrote:
>> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
>> and opt-out.
>>
>> Are you *sure* that the domain doesn't now actually exist in the DNS?
>
> yes. even web whois shows no 'nameserver' information.
>
> the name is "testa.eu".
> I'm not good at dnssec to find out more.
>
> thanks you

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: questions on allow-query

2018-02-19 Thread Mark Elkins
Reading between the lines - it sounds like you may be mixing nameserver
roles, recursion with authoritative.

This is not a good idea and is why other Nameserver software (NSD,
UNBOUND and others) either perform one role or the other. I understand
that BIND-10 was also designed like this - separate software modules for
the two separate roles.

Then your "access list" is simple.


Recursive: Starts with knowing next to nothing, can be asked for
anything and serves a restrictive population
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.X.X.0/24;
    2001:::::/48;
  };
allow-query { trusted; };
allow-recursion { trusted; };


Authoritative: Starts with knowing everything about just a few Domains,
can only be asked about what it knows and serves the World.
allow-query { any; };
allow-recursion { none; };

You'll otherwise find that things like DNSSEC don't work as expected.


On 20/02/2018 00:51, @lbutlr wrote:
> If I set 
>
> allow-query { 127.0.0.1; [myipblock]; }
>
> Then my DNS doesn't respond to any other servers, right? This would be bad 
> for being authoritative. so, should I set that and then set allow-query { 
> any; }; in each zone?
>
> Is that better than simply setting the IPs that are allowed recursion?
>
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Mark Elkins
I'm aware of: rndc managed-keys status
I'm also aware of:  rndc secroots -

(a Hyphen at the end of "rndc secroots" will send output to stdout)

I'm just not sure how long the 'hyphen' argument has been around for but
vaguely remember a similar discussion from long ago.
It looks like someone else also asked the same question but wasn't
allowed to change the default behaviour. :-(

So, if you are having issues running "rndc secroots", a quick suggestion
would be to try appending a 'hyphen' ('-') as an additional argument and
see if that helps.


On 09/07/2018 06:46 PM, Tony Finch wrote:
> Mark Elkins  wrote:
>
>> I kinda also wonder why the command simply doesn't output to stdout by
>> default.
> Historical reasons :-) BIND 9.11 and later have `rndc managed-keys` which
> is rather more user-friendly. I get the impression that the root rollover
> guides are using `rndc secroots` because that works in all the versions
> that support RFC 5011 so it ends up being simpler to explain.
>
> Tony.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Mark Elkins
I kinda also wonder why the command simply doesn't output to stdout by
default. The *only* reason I've ever run the command "rndc secroots" is
to look at the output, that is, checking for the correct DNSKEY
root-anchors - which I then need to use "cat" to see... if the file is
correctly created... and if I remember where to look for it.
If I wanted the output in a file, I can always redirect stdout.
Sending output to stdout allows me to easily "filter" the output as well
with other tools.

Perhaps Evan can comment?


On 09/07/2018 04:45 PM, Petr Mensik wrote:
> Hi Mark,
>
> Dne 7.9.2018 v 10:49 Mark Elkins napsal(a):
>> It would probably have been more helpful (speeded up finding the
>> problem) if the error message "file 'named.secroots': permission denied"
>> also gave the directory name that it was trying to write to? Just a thought.
>> Sometimes we don't see the obvious.
> It is sort of obvious, if you know the details. Bind changes current
> directory to the directory listed in directory option. It actually tries
> to open file path "named.secroots", in that directory. In that regard,
> it is precise. It is documented, but not very obvious on the first
> glance, what it really means.
>>
>> On 09/06/2018 10:58 PM, Brent Swingle wrote:
>>> I moved the file from /etc to /var/named and now I get an additional error 
>>> line printed in /var/log/messages.
>>>
>>> Sep  6 15:44:40 ns3 named[15443]: received control channel command 
>>> 'secroots'
>>> Sep  6 15:44:40 ns3 named[15443]: could not open secroots dump file 
>>> 'named.secroots': permission denied
>>> Sep  6 15:44:40 ns3 named[15443]: dumpsecroots failed: permission denied
>>> Sep  6 15:44:40 ns3 audit:  { write } for  pid=15447 
>>> comm="named" name="named.secroots" dev="dm-0" ino=135707451 
>>> scontext=system_u:system_r:named_t:s0 
>>> tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
>>>
>>>
>>> This error also appears in the audit.log file and a search is pointing to 
>>> SELinux as the hangup.  Any pointers on dealing with SELinux would be 
>>> appreciated.
>>>
>>> type=AVC msg=audit(1536266680.663:75671): avc:  denied  { write } for  
>>> pid=15447 comm="named" name="named.secroots" dev="dm-0" ino=135707451 
>>> scontext=system_u:system_r:named_t:s0 
>>> tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
>>>
>>>
>>> I left all of the permissions the same and I think they should be lenient 
>>> enough:
>>> [root@ns3 named]# ls -lh named.secroots
>>> -rw-rw-rw-. 1 named named 0 Sep  6 13:52 named.secroots
>>>
>>>
>>>
>>>
>>> -Original Message-
>>> From: Hugo Salgado-Hernández [mailto:hsalg...@nic.cl] 
>>> Sent: Thursday, September 06, 2018 3:39 PM
>>> To: Brent Swingle 
>>> Cc: Evan Hunt ; bind-users@lists.isc.org
>>> Subject: Re: [BIND] RE: KSK Rollover
>>>
>>> Hi Brent.
>>> In our CentOS box, the named.secroots file is written on
>>>   /var/named/
>>>
>>> You should check permissions there too.
>>>
>>> Hugo
>>>
>>> On 20:32 06/09, Brent Swingle wrote:
>>>> Evan,
>>>>
>>>> I ran the command and followed the directions to build out rndc as you 
>>>> have suggested.  However, I am not sure that it made much of a difference. 
>>>>  I should have been a little clearer from the beginning.  I had worked 
>>>> with rndc to issue other commands and had received what appeared to be 
>>>> valid responses as if rndc was functional.  I had somewhat assumed that 
>>>> rndc was baked in behind the scenes and ready to go.  Either way it has 
>>>> a rndc.conf and is specified in named.conf at this point.
>>>>
>>>> I have two of these servers that are identical from an SW perspective.  As 
>>>> a test, I issued "rndc secroots" on the server that I have modified to 
>>>> configure rndc and observed the following lines appear in the 
>>>> /var/log/messages file.  When I issued "rndc secroots" from the 
>>>> non-modified file I get the same 3 lines.  It acts like the process is 
>>>> running but it is unable to write output to the named.secroots file.
>>>>
>>>> Sep  6 14:33:13 ns2 named[31189]: received control channel command 
>>>> 'secroots'
>>>> Sep  6 14:33:13 ns2 named[31

Re: DNSSEC and secondary DNS servers

2018-09-08 Thread Mark Elkins
Some clarification

Have you DNSSEC Signed your Domain - that is "covisp.net" because I
don't see any DS records for it in the "net" zone.

dig @a.gtld-servers.net. covisp.net ds
flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
returns the SOA for NET - so I know I got to the right place but there
was no answer...

If you mean you want to switch on DNSSEC for recursion - that is - when
you look up names and want DNSSEC protection - you should not do that on
your authoritative servers. If an authoritative server has a DNSSEC
signed zone and you ask it directly (e.g. with DIG) - it will set the
"AA" flag for that domain but never set the AD bit.

In my case, posix.co.za is signed and if I ask my local DNS Server which
is DNSSEC aware - I get...

$ dig posix.co.za a
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
...
posix.co.za.        3600    IN    A    192.96.24.1
...
;; SERVER: 127.0.0.1#53(127.0.0.1)

If I ask my authoritative (for "posix.co.za") Nameserver for the same:

$ dig posix.co.za a @secdns1.posix.co.za
...
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
...
posix.co.za.        3600    IN    A    192.96.24.1
...
;; SERVER: 192.96.24.81#53(192.96.24.81)

Notice there is no AD bit, just AA.

In a new install of bind (on my Linux Laptop: BIND 9.11.2-P1 )  I think
you'll find DNSSEC is already switched on otherwise you want:

options {
    dnssec-enable yes;
    dnssec-validation auto;
};

On an Authoritative system - anyone can query it but only for your
domain and there should be no recursion
allow-recursion { none; };

On a Recursive server, recursion should be on but only for a few trusted
people...
allow-recursion { trusted; }; // Trusted is only my local networks

Thus Recursive and Authoritative Nameservers should *ideally* be on
separate servers (virtual or physical)

On 09/08/2018 03:58 PM, @lbutlr wrote:
> So, I setup up DNSSEC on my authoritative bind 9.12 server, which was very 
> straightforward and works fine:
>
> dig covisp.net +dnssec +short @8.8.8.8
> 65.121.55.42
> A 7 2 86400 20181008122535 20180908122535 17363 covisp.net. 
> pkpVdFONJ2dYN+7wQ4pVcQTlWIThY3+mbNdXsE8p5uWiLNvIefVT32JE 
> i9itA3Si91/pImofmPnLPbxRbLzWt+dSfbxBoHaoCYK1ZCngw/vy9QlG 
> 36Um0De5ItCC/GuflXUnBKmEJKx0pQOlvqSnkRSV75yLnAw3NA0BdKnf 
> CBJP9QLQH/A1vojRafIER5MNM34lKfJC9QrMDBiUBYzrv3i/2QK3gE7t 
> 8Y1Zpoemux8Uz/zps1I/pmjVAIixk2ilVOLDXkeS6Ta4ODrWayyuFM8b 
> xwkodXsMtFAx5PhkVyHT5zJyScYYzC82aZs7fTmA6F01saabVsxIYAi6 78upgA==
>
> But now, what do I need to do for other DNS servers? Is it enough to simply 
> add
>
>   dnssec-enable yes;
> dnssec-validation yes;
>   managed-keys-directory "/usr/local/etc/namedb/working/keys";
>
> ? Should it simply validate the key with the primary and go from there? 
>
> I tried this, but trying to do a dig +dnssec on the secondary DNS doesn’t 
> return the record, so I think there must be something else.
>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



DNSSEC will eventually generate Identical Key ID's

2018-09-09 Thread Mark Elkins
Just for the record, although I do look from a curiosity point of view
for Identical Key ID's once every few months - I've never seen them -
until now.

Now I have them - generated by BIND within a few days of each other...


-rw-r--r-- 1 root root   431 Aug 18 00:03 Kipv6.org.za.+008+46578.key
-rw--- 1 root root  1012 Aug 18 00:03 Kipv6.org.za.+008+46578.private

# cat Kipv6.org.za.+008+46578.key
; This is a zone-signing key, keyid 46578, for ipv6.org.za.
; Created: 20180817220323 (Sat Aug 18 00:03:23 2018)
; Publish: 20180817220323 (Sat Aug 18 00:03:23 2018)
; Activate: 20180817220323 (Sat Aug 18 00:03:23 2018)
ipv6.org.za. IN DNSKEY 256 3 8
AwEAAbdOBycxs6uv0fgkpxh1DyFNyVdWlHfVWy4zKAeEM0MEYeR/idNO
/Z7aWFLlHsEADEpUGuz5dpHRP5OgPDzFesa1AdK0YsbzkDVsRD10Epjt
1CakfLbYqnrn4i/+Ds7VGDQJa83+JOewhKl5lSbGMCtvycFoXg7pyi+A bsCQvITN


-rw-r--r-- 1 root root   431 Aug 23 00:03 Kftth.net.za.+008+46578.key
-rw--- 1 root root  1008 Aug 23 00:03 Kftth.net.za.+008+46578.private

# cat Kftth.net.za.+008+46578.key
; This is a zone-signing key, keyid 46578, for ftth.net.za.
; Created: 20180822220329 (Thu Aug 23 00:03:29 2018)
; Publish: 20180822220329 (Thu Aug 23 00:03:29 2018)
; Activate: 20180822220329 (Thu Aug 23 00:03:29 2018)
ftth.net.za. IN DNSKEY 256 3 8
AwEAAeB+Q8/GXSoyp3eMHusIgxlr51HUMhMpsRUzhp5A4TlnGPPXHw3C
ktwELF4FzPpnHWrHuOL+PewPU15KL6rQ+y4jN1s9tRMK7+jyTuttSnsF
R9gmmhtCvyZ+GtmAhcBVaoe/4VfZMOCHjthwLxoqMy1l19qx9Yy5jVtd WWa+q6Ot

I've been running DNSSEC for 7 years and have around 400 DNSSEC keys for
133 signed Domains.
I'm a smallish Registrar for ZA domains.

Never assume a KeyID is unique.  :-)

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



DNSSEC and secondary DNS servers

2018-09-09 Thread Mark Elkins
(Seems I can't reply directly to the author)

$ dig covisp.net ds
; <<>> DiG 9.11.2-P1 <<>> covisp.net ds
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21696
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...
;; ANSWER SECTION:
covisp.net.        86352    IN    DS    1 7 1
E59B549EC68D577C44A4E13542257CA44FE21970
covisp.net.        86352    IN    DS    2 7 2
051033AF1BC909BE73FCFE4B59B1BDD2B8D7F8BF7BD840174AC1DEF7 14895D02

Umm... this initially looks great but something is seriously strange.
The first numerical value after DS should be the Key ID (or Key Tag). I
really doubt that you would (randomly) create two different DNSKEY
records with sequential Key-ID's (Tags) starting from "1"... it's usually
a relatively random value between 1 and 2^16

Also as an aside - many people are no longer putting the SHA-1 Digest
type DS record in their parent, just the longer (more secure?) SHA-256
(Digest Type 2) record.

As the root uses Algorithm 8 - many people also use algorithm 8 - you
are using algorithm 7. Algorithm roll-overs are a pain so if you can -
move straight to 8.

I also cannot detect a DNSKEY in your zone?
dig covisp.net dnskey +cd
...gives your SOA.
Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.

Adding DS records into your parent should be the last part of the
process in securing your Zone with DNSSEC.

I really think you need to start over. What are you using to sign your
zone with? Maybe I can help.
Take a look at https://dnssec.co.za

On 09/09/2018 08:59 PM, LuKreme wrote:
> On Sep 8, 2018, at 10:21, Mark Elkins wrote:
>> Have you DNSSEC Signed your Domain - that is "covisp.net" because I
>> don't see any DS records for it in the "net" zone.
>
> I think I have everything set now and am hoping the two errors I have
> about validation are a matter of waiting for hover to propagate.
>
> “None of the 2 DNSKEY records could be validated by any of the 2 DS
> records”
>
> Thanks for all your help. We'll see if I still show this as broken
> tomorrow.
>
> -- 
> My main job is trying to come up with new and innovative and effective
> ways to reject even more mail. I'm up to about 97% now.
>
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Mark Elkins
It would probably have been more helpful (speeded up finding the
problem) if the error message "file 'named.secroots': permission denied"
also gave the directory name that it was trying to write to? Just a thought.
Sometimes we don't see the obvious.


On 09/06/2018 10:58 PM, Brent Swingle wrote:
> I moved the file from /etc to /var/named and now I get an additional error 
> line printed in /var/log/messages.
>
> Sep  6 15:44:40 ns3 named[15443]: received control channel command 'secroots'
> Sep  6 15:44:40 ns3 named[15443]: could not open secroots dump file 
> 'named.secroots': permission denied
> Sep  6 15:44:40 ns3 named[15443]: dumpsecroots failed: permission denied
> Sep  6 15:44:40 ns3 audit:  { write } for  pid=15447 comm="named" 
> name="named.secroots" dev="dm-0" ino=135707451 
> scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 
> tclass=file permissive=0
>
>
> This error also appears in the audit.log file and a search is pointing to 
> SELinux as the hangup.  Any pointers on dealing with SELinux would be 
> appreciated.
>
> type=AVC msg=audit(1536266680.663:75671): avc:  denied  { write } for  
> pid=15447 comm="named" name="named.secroots" dev="dm-0" ino=135707451 
> scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 
> tclass=file permissive=0
>
>
> I left all of the permissions the same and I think they should be lenient 
> enough:
> [root@ns3 named]# ls -lh named.secroots
> -rw-rw-rw-. 1 named named 0 Sep  6 13:52 named.secroots
>
>
>
>
> -Original Message-
> From: Hugo Salgado-Hernández [mailto:hsalg...@nic.cl] 
> Sent: Thursday, September 06, 2018 3:39 PM
> To: Brent Swingle 
> Cc: Evan Hunt ; bind-users@lists.isc.org
> Subject: Re: [BIND] RE: KSK Rollover
>
> Hi Brent.
> In our CentOS box, the named.secroots file is written on
>   /var/named/
>
> You should check permissions there too.
>
> Hugo
>
> On 20:32 06/09, Brent Swingle wrote:
>> Evan,
>>
>> I ran the command and followed the directions to build out rndc as you have 
>> suggested.  However, I am not sure that it made much of a difference.  I 
>> should have been a little clearer from the beginning.  I had worked with 
>> rndc to issue other commands and had received what appeared to be valid 
>> responses as if rndc was functional.  I had somewhat assumed that rndc was 
>> baked in behind the scenes and ready to go.  Either way it has a rndc.conf 
>> and is specified in named.conf at this point.
>>
>> I have two of these servers that are identical from an SW perspective.  As a 
>> test, I issued "rndc secroots" on the server that I have modified to 
>> configure rndc and observed the following lines appear in the 
>> /var/log/messages file.  When I issued "rndc secroots" from the non-modified 
>> file I get the same 3 lines.  It acts like the process is running but it is 
>> unable to write output to the named.secroots file.
>>
>> Sep  6 14:33:13 ns2 named[31189]: received control channel command 'secroots'
>> Sep  6 14:33:13 ns2 named[31189]: could not open secroots dump file 
>> 'named.secroots': permission denied
>> Sep  6 14:33:13 ns2 named[31189]: dumpsecroots failed: permission denied
>>
>>
>> As a test, I manually created named.secroots with weakened permissions to 
>> see if that made a difference but it still won't print output to it.
>> [root@ns3 etc]# ls -lh named.secroots
>> -rw-rw-rw-. 1 named named 0 Sep  6 13:52 named.secroots
>>
>>
>>
>> -Original Message-
>> From: Evan Hunt [mailto:e...@isc.org]
>> Sent: Thursday, September 06, 2018 1:22 PM
>> To: Brent Swingle 
>> Cc: bind-users@lists.isc.org
>> Subject: Re: KSK Rollover
>>
>> On Thu, Sep 06, 2018 at 05:34:21PM +, Brent Swingle wrote:
>>> This is the command that does not work and the output received:
>>> [root@ns2 ~]# rndc secroots
>>> rndc: 'secroots' failed: permission denied
>>> [root@ns2 ~]#
>> Have you set up your server to accept rndc commands?
>>
>> If not, run "rndc-confgen" and follow the directions.
>>
>> --
>> Evan Hunt -- e...@isc.org
>> Internet Systems Consortium, Inc.
>>
>>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

Re: DNSSEC: give KSK from my domain to parent zones

2018-10-04 Thread Mark Elkins


On 10/04/2018 05:03 PM, Roberto Carna wrote:
> Hello, thanks to both of you for your help. Now I understand I have to
> contact my registrar in order to give it the DS of the KSK.
>
> Please I have a last question:
>
> I have two DNS servers running BIND 9.10, they have delegated my own
> domain, let's say "robert.com.uk" and some
> other domains from our clients, let's say:
>
> client1.com.uk
> client2.edu.uk
> client3.info.uk
>
> Can I sign theses client zones with my ZSK, or do I have to have a
> different key for each domain?

I believe common practise is to create separate KSK and ZSK keys for
each domain - so each domain will have their own DS records in the
parent. This way, if one of the clients moves their domain to a new DNS
provider - there is no security conflict in the move from shared keys.

(Use a different Key)

> And do I have to tell my clients I will sign their zones or it is
> transparent for them?

DNSSEC is a good thing - but I'd suggest telling the clients that this
is happening. DNSSEC usually introduces the need to have extra DNS
actions happen - even on an otherwise static Zone. Thus - there is more
that might possibly break. On the other hand, it makes resolving items in
that zone far more secure and allows for newer possibilities such as
TLSA records for Web and Mail services. I believe the customer should be
made aware of all these pros and cons.

(Yes)

> Thanks a lot again, regards !!!
>
>
>
> On Wed, 3 Oct 2018 at 16:36, Mark Andrews wrote:
>
> You give the matching DS record via your registrar much the same
> way as you do the NS RRset or glue address records.  If your
> registrar doesn’t support DNSSEC you will need to change registrars.
>
> If your parent zone uses CDS or CDNSKEY then publish those records
> at the zone apex. 
>
> If your parent zone is not signed then start complaining.
>
> -- 
> Mark Andrews
>
> On 4 Oct 2018, at 05:24, Roberto Carna wrote:
>
>> Dear people, I have DNSSEC implemented in my authoritative domain
>> in BIND 9.10. I've created the KSK and ZSK too.
>>
>> Let's say my domain is "robert.com.uk".
>>
>> How do I have to give the KSK (key signing key) to my parent
>> zones, let's say COM and UK ???
>>
>> And what if COM or UK don't use DNSSEC at all ???
>>
>> Thanking in advance,
>>
>> Robert
>
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: Strange DNSsec failure [was incorrectly sent Thursday night]

2019-04-13 Thread Mark Elkins
Works fine for me? - unless it's been fixed in the meantime. This is 
stock standard bind. Nothing funny at all on both the query machine and 
the DNSSEC aware resolver. Both run the same version of BIND.


$ dig  mx1.comcast.net

; <<>> DiG 9.12.3-P4 <<>> mx1.comcast.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 02a3b8dbc350ae44457cdec05cb1874ac246b4103d9a2461 (good)
;; QUESTION SECTION:
;mx1.comcast.net.        IN    A

;; ANSWER SECTION:
mx1.comcast.net.    300    IN    A    96.114.157.80

;; Query time: 244 msec
;; SERVER: 192.96.24.72#53(192.96.24.72)
;; WHEN: Sat Apr 13 08:52:58 SAST 2019
;; MSG SIZE  rcvd: 88

You can see from the query time this was a fresh lookup and not cached.

On 2019/04/13 04:59, frnk...@iname.com wrote:

I've had DNSsec validation on our non-public resolvers for a year or two --
virtually no issues ... until Thursday.  First hint was that I couldn't get
the  for dns.comcast.net.  Later in the day our monitoring system
alerted me to email in our outbound queue that could not deliver to
comcast.net.

If I perform a dig with DNSsec validation turned off then I can resolve
Comcast's FQDNs.  Here are their two MX records:

mail1:~# dig +cd mx1.comcast.net @127.0.0.1 +short
96.114.157.80
mail1:~# dig +cd mx2.comcast.net @127.0.0.1 +short
68.87.20.5
mail1:~# dig  mx1.comcast.net @127.0.0.1 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21243
mail1:~# dig  mx2.comcast.net @127.0.0.1 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18695
mail1:~#

Not sure why five of our DNSSec-validating DNS servers are choking on
comcast.net domains.  If I flush the cache or restart the server it works
until the resource record counts down to zero, after which I get a SERVFAIL.

Problem ones: BIND 9.8.4-rpz2+rl005.12-P1 (on Debian, Debian package).
Working one: BIND 9.11.0-P2 

Any ideas?

None of the public resolvers I regularly test against (Google, OpenDNS,
Quad9) are having any issues with the Comcast FQDNs that I tested.

None of the other signed zones that our monitoring system uses
(www.dnssec-or-not.net, dnssec-name-and-shame.com, www.opendnssec.org) have
an issue.

Frank



--
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

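The three threads above all reach a verdict by reading dig's header by hand: the 2018-09-08 reply (AA from an authoritative server is not AD from a validating resolver), the 2018-09-09 covisp.net follow-up (SERVFAIL that goes away with +cd) and this Comcast thread (the same pattern on five validating resolvers). The script below is an added example, not code from any of the posts; it encodes that decision tree so a monitoring job can apply it. The function names are mine, the sample headers are constructed from the dig output quoted in the posts (the ids and section counts of the SERVFAIL/+cd pair are made up), and run_dig assumes a dig binary on PATH.

```python
"""Read dig's header the way the threads above do by hand: is an answer
validated (AD), merely authoritative (AA), or a SERVFAIL that +cd turns
into an answer (a validation failure rather than a dead zone)?"""
import re
import subprocess

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r";; flags:([a-z ]*);")


def parse_dig(output):
    """Return (rcode, set of header flags) from dig's text output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if status is None or flags is None:
        raise ValueError("no dig header in output")
    return status.group(1), set(flags.group(1).split())


def diagnose(answer, with_cd=None):
    """Classify one dig run. with_cd is the output of the same query with +cd,
    if you ran one; it is what separates a DNSSEC validation failure from a
    zone that is simply unreachable."""
    rcode, flags = parse_dig(answer)
    if rcode == "SERVFAIL":
        if with_cd is None:
            return "servfail-unknown"          # rerun with +cd before blaming DNSSEC
        cd_rcode, _ = parse_dig(with_cd)
        if cd_rcode == "NOERROR":
            return "validation-failure"        # data exists, chain of trust is broken
        return "servfail-not-dnssec"
    if rcode != "NOERROR":
        return rcode.lower()
    if "ad" in flags:
        return "validated"                     # validating resolver, chain intact
    if "aa" in flags:
        return "authoritative-unvalidated"     # asked the auth server; it never sets AD
    if "ra" in flags:
        return "resolver-unvalidated"          # resolver not validating, or zone unsigned
    return "unvalidated"


def run_dig(name, rrtype="A", server=None, cd=False):
    """Run the real dig binary (assumed to be on PATH) and return its output."""
    cmd = ["dig", name, rrtype]
    if server:
        cmd.append("@" + server)
    if cd:
        cmd.append("+cd")
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed samples: the flag lines are copied from the posts above; the ids
# and counts on the SERVFAIL / +cd pair are made up for the example.
VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
AUTH_DIRECT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
"""
BROKEN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BROKEN_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print("recursive:", diagnose(VALIDATED))
    print("authoritative:", diagnose(AUTH_DIRECT))
    print("servfail+cd:", diagnose(BROKEN, BROKEN_CD))
    # Live check against a resolver of your choice, for example:
    # print(diagnose(run_dig("mx1.comcast.net", server="127.0.0.1"),
    #                run_dig("mx1.comcast.net", server="127.0.0.1", cd=True)))
```

A "validation-failure" verdict is the case in this thread: the +cd query returns the data, so the zone is reachable and the resolver's chain of trust (or its view of the zone's signatures) is what is broken, which is why a cache flush fixes it until the cached records expire.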


Re: Algorithm roll-over, unexpected content in dsset-file

2019-08-12 Thread Mark Elkins

Hi Ondřej,

Thanks for the info. I was happy to run an Algorithm roll-over the way I 
did previously (years ago) and was unaware of the combined signing key 
issue.
Regardless, decided to create a new Algo-13 KSK whenever I create the 
first Algo-13 ZSK for any particular domain - which removes the problem.

Algorithm roll-overs are way more fun than a normal KSK roll-over :-)

Was trying to keep all my KSK roll-overs as spread out around the year 
as possible. I suspect what I want to do is keep ZSK's using the old 
algo until its time to create a new KSK (with Algo-13) then immediately 
roll-over a ZSK (created with Algo-13)... so the KSK's timetable does 
not change.

Might do a presentation on this one day.

On 2019/08/11 19:32, Ondřej Surý wrote:
When there’s no DNSSEC KEY with SEP bit set, the Algo-13 “chain” has 
single entry point, e.g. Single-Type Signing Scheme (Combined Signing 
Key), see https://tools.ietf.org/html/rfc6781#section-3.1 and 
https://tools.ietf.org/html/rfc8499#section-10


I don’t know exactly what you are trying to achieve, but adding only 
ZSK with new algorithm serves no purpose.


Ondřej
--
Ondřej Surý — ISC


On 11 Aug 2019, at 12:59, Mark Elkins  wrote:

Hi, Running BIND 9.14.4 on Gentoo.

I've been running BIND and DNSSEC for a long time. Years ago - I 
changed from Algorithm 5 to 8 and am now changing from 8 to 13.


My ZSK's have a lifetime of 34 days and my KSK a lifetime of 370 
days. I've chosen to create a new ZSK every 17 days and KSK every 185 
days - so usually have two of each per domain. I've 1532 domains in 
my system, 74 are NSEC and 54 are NSEC3 - the rest are unsigned. 
Currently - resigning happens randomly over the year - which keeps 
loads (and changes) scattered over the year. Some parents - I manage 
via EPP, others have various other methods of updating - so having 
the best part of six months to do a key-rollover has its advantages.


I've just started allowing the system to add Algo-13 Keys... and this 
is what I see:


1 - Created a test zone file: contains enough to be legal.

2 - Created some old keys, one ZSK and one KSK - Signed the domain 
and looked inside the "dsset-" file

  # vi db.foo.com
  # dnssec-keygen -a RSASHA256 foo.com
  # dnssec-keygen -a RSASHA256 -f KSK foo.com
  # cat Kfoo.com.*.key >> db.foo.com
  # dnssec-signzone -a -o foo.com db.foo.com
  # cat dsset-foo.com.
foo.com.        IN DS 62014 8 1 6CFC9114C7D0954195C01B488C3B8D6E1BD0F220
foo.com.        IN DS 62014 8 2 
74112FE6AE6E9DFB5A00EB3C26397E92CAA27038FA176A9B4B67D9FE 4E0154FE

(perfect!)

3 - created one additional ZSK - Algo 13, add that to the zone and 
resigned.


 # dnssec-keygen -a ECDSAP256SHA256 foo.com
 # cat Kfoo.com.+013+34805.key >> db.foo.com

 # dnssec-signzone -a -o foo.com db.foo.com
Verifying the zone using the following algorithms: RSASHA256.
Missing self-signed KSK for algorithm ECDSAP256SHA256
The zone is not fully signed for the following algorithms: 
ECDSAP256SHA256.

DNSSEC completeness test failed.
Zone verification failed (failure)

I don't mind the failure - after all there is no complete Algo-13 
chain - but the existing Algo-8 chain is complete. Interestingly, the 
signed zone contains no mention of the Algo-13 ZSK. No problem.


However - WTF is a ZSK doing in the dsset file??? Is this a bug?

# cat dsset-foo.com.
foo.com.        IN DS 34805 13 1 A040C7BC6C03778B20AD4A3AEE3BC0648CE8AC23
foo.com.        IN DS 34805 13 2 
340DC924A523CAD49E5C22357BBFECC07A2944D7723AD8F44DCE5332 FACD3AB2

foo.com.        IN DS 62014 8 1 6CFC9114C7D0954195C01B488C3B8D6E1BD0F220
foo.com.        IN DS 62014 8 2 
74112FE6AE6E9DFB5A00EB3C26397E92CAA27038FA176A9B4B67D9FE 4E0154FE


4 - If I then add an algo-13 KSK, add it to the Zone and run signzone 
- everything looks good again...


(New KSK) foo.com. IN DNSKEY 257 3 13 
pD6yMHdPCKmLj0hY8oiLA1F2Vdb8a1LgpzU8XiO2c6eIh16n1Dv2Vogc 
9WylTUjOLTZlhRXPDmAcIUTyBUuC2Q==

# dnssec-signzone -a -o foo.com db.foo.com
Verifying the zone using the following algorithms: RSASHA256 
ECDSAP256SHA256.

Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
  ZSKs: 1 active, 0 stand-by, 0 revoked
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
    ZSKs: 1 active, 0 stand-by, 0 revoked
db.foo.com.signed
# cat dsset-foo.com.
foo.com.        IN DS 23294 13 1 AADE5856B8EB3BB946DAAD2804A735816B3B3132
foo.com.        IN DS 23294 13 2 
7FD5F02A2E52A1C6E3DEBD54C05A9A974CE88FA78548E3644B36FA2D 27E0F910

foo.com.        IN DS 62014 8 1 6CFC9114C7D0954195C01B488C3B8D6E1BD0F220
foo.com.        IN DS 62014 8 2 
74112FE6AE6E9DFB5A00EB3C26397E92CAA27038FA176A9B4B67D9FE 4E0154FE


I really don't like the bad ZSK DS record in dsset because I 
currently use that info to build CDS records in to my Database - 
which is used to verify when the DS record is seen in the parent. 
Anyway - I think this is a bug in the code of dnssec-signzone

Algorithm roll-over, unexpected content in dsset-file

2019-08-11 Thread Mark Elkins

Hi, Running BIND 9.14.4 on Gentoo.

I've been running BIND and DNSSEC for a long time. Years ago - I changed 
from Algorithm 5 to 8 and am now changing from 8 to 13.


My ZSK's have a lifetime of 34 days and my KSK a lifetime of 370 days. 
I've chosen to create a new ZSK every 17 days and KSK every 185 days - 
so usually have two of each per domain. I've 1532 domains in my system, 
74 are NSEC and 54 are NSEC3 - the rest are unsigned. Currently - 
resigning happens randomly over the year - which keeps loads (and 
changes) scattered over the year. Some parents - I manage via EPP, 
others have various other methods of updating - so having the best part 
of six months to do a key-rollover has its advantages.


I've just started allowing the system to add Algo-13 Keys... and this is 
what I see:


1 - Created a test zone file: contains enough to be legal.

2 - Created some old keys, one ZSK and one KSK - Signed the domain and 
looked inside the "dsset-" file

  # vi db.foo.com
  # dnssec-keygen -a RSASHA256 foo.com
  # dnssec-keygen -a RSASHA256 -f KSK foo.com
  # cat Kfoo.com.*.key >> db.foo.com
  # dnssec-signzone -a -o foo.com db.foo.com
  # cat dsset-foo.com.
foo.com.        IN DS 62014 8 1 6CFC9114C7D0954195C01B488C3B8D6E1BD0F220
foo.com.        IN DS 62014 8 2 
74112FE6AE6E9DFB5A00EB3C26397E92CAA27038FA176A9B4B67D9FE 4E0154FE

(perfect!)

3 - created one additional ZSK - Algo 13, add that to the zone and resigned.

 # dnssec-keygen -a ECDSAP256SHA256 foo.com
 # cat Kfoo.com.+013+34805.key >> db.foo.com

 # dnssec-signzone -a -o foo.com db.foo.com
Verifying the zone using the following algorithms: RSASHA256.
Missing self-signed KSK for algorithm ECDSAP256SHA256
The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
DNSSEC completeness test failed.
Zone verification failed (failure)

I don't mind the failure - after all there is no complete Algo-13 chain 
- but the existing Algo-8 chain is complete. Interestingly, the signed 
zone contains no mention of the Algo-13 ZSK. No problem.


However - WTF is a ZSK doing in the dsset file??? Is this a bug?

# cat dsset-foo.com.
foo.com.        IN DS 34805 13 1 A040C7BC6C03778B20AD4A3AEE3BC0648CE8AC23
foo.com.        IN DS 34805 13 2 
340DC924A523CAD49E5C22357BBFECC07A2944D7723AD8F44DCE5332 FACD3AB2

foo.com.        IN DS 62014 8 1 6CFC9114C7D0954195C01B488C3B8D6E1BD0F220
foo.com.        IN DS 62014 8 2 
74112FE6AE6E9DFB5A00EB3C26397E92CAA27038FA176A9B4B67D9FE 4E0154FE


4 - If I then add an algo-13 KSK, add it to the Zone and run signzone - 
everything looks good again...


(New KSK) foo.com. IN DNSKEY 257 3 13 
pD6yMHdPCKmLj0hY8oiLA1F2Vdb8a1LgpzU8XiO2c6eIh16n1Dv2Vogc 
9WylTUjOLTZlhRXPDmAcIUTyBUuC2Q==

# dnssec-signzone -a -o foo.com db.foo.com
Verifying the zone using the following algorithms: RSASHA256 
ECDSAP256SHA256.

Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
  ZSKs: 1 active, 0 stand-by, 0 revoked
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
    ZSKs: 1 active, 0 stand-by, 0 revoked
db.foo.com.signed
# cat dsset-foo.com.
foo.com.        IN DS 23294 13 1 AADE5856B8EB3BB946DAAD2804A735816B3B3132
foo.com.        IN DS 23294 13 2 
7FD5F02A2E52A1C6E3DEBD54C05A9A974CE88FA78548E3644B36FA2D 27E0F910

foo.com.        IN DS 62014 8 1 6CFC9114C7D0954195C01B488C3B8D6E1BD0F220
foo.com.        IN DS 62014 8 2 
74112FE6AE6E9DFB5A00EB3C26397E92CAA27038FA176A9B4B67D9FE 4E0154FE


I really don't like the bad ZSK DS record in dsset because I currently 
use that info to build CDS records in to my Database - which is used to 
verify when the DS record is seen in the parent. Anyway - I think this 
is a bug in the code of dnssec-signzone.


I'm trying to wait as long as possible before forcibly creating Algo-13 
KSK's in the hope that they will be created according to the existing 
schedule. If the Second Algo-13 ZSK is to be created in under 3 days - 
then I'll replace the oldest KSK with an Algo-13 KSK.


--
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

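Three of the threads above turn on the same small pieces of arithmetic: the 2018-09-09 "Identical Key ID's" post (two different ZSKs with key tag 46578), the 2018-10-04 thread on handing the KSK's DS (or CDS/CDNSKEY) to the parent, and this one, where dnssec-signzone writes a DS for a lone algorithm-13 ZSK into the dsset file. The code below is an added example, not BIND's code or anything from the posts; it implements the RFC 4034 key tag and DS digest, builds a dsset that by default only admits keys carrying the SEP bit, and shows why a validator must try every DNSKEY matching a DS's (tag, algorithm) pair. Function names are mine; the two DNSKEYs are copied from the 2018-09-09 post and the small keys used in the collision demonstration are constructed, not real keys.

```python
"""Key tags, DS/CDS records and dsset generation from DNSKEY records,
following RFC 4034 Appendix B (key tag) and section 5.1.4 (DS digest)."""
import base64
import hashlib
import struct

SEP_BIT = 0x0001          # flags bit 15: Secure Entry Point, set on KSKs (257 = 256 | 1)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_dnskey(text):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...'; the base64
    may be split across lines and spaces, as in the posts above."""
    tokens = text.split()
    i = tokens.index("DNSKEY")
    return {
        "owner": tokens[0],
        "flags": int(tokens[i + 1]),
        "protocol": int(tokens[i + 2]),
        "algorithm": int(tokens[i + 3]),
        "pubkey": base64.b64decode("".join(tokens[i + 4:])),
    }


def rdata(key):
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def keytag(key):
    """RFC 4034 Appendix B: a 16-bit checksum over the RDATA, not a hash,
    so distinct keys can and do share a tag."""
    data = rdata(key)
    if key["algorithm"] == 1:                       # RSAMD5: 4th and 3rd octets from the end
        return struct.unpack("!H", data[-4:-2])[0]
    ac = 0
    for i, octet in enumerate(data):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lower-cased) wire form of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds(key, digest_type=2, rrtype="DS"):
    """One DS (or CDS, RFC 7344, same RDATA) line: digest(owner | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](owner_wire(key["owner"]) + rdata(key)).hexdigest().upper()
    return f'{key["owner"]} IN {rrtype} {keytag(key)} {key["algorithm"]} {digest_type} {digest}'


def dsset(keys, digest_types=(2,), sep_only=True, rrtype="DS"):
    """DS lines for a key set. By default only keys carrying the SEP bit (KSKs)
    are included, so a lone ZSK of a new algorithm never reaches the parent."""
    lines = []
    for key in keys:
        if sep_only and not key["flags"] & SEP_BIT:
            continue
        for digest_type in digest_types:
            lines.append(ds(key, digest_type, rrtype))
    return lines


def keys_matching_ds(keys, tag, algorithm):
    """Every DNSKEY a validator has to try for one DS: (tag, algorithm)
    does not identify a key uniquely."""
    return [k for k in keys if keytag(k) == tag and k["algorithm"] == algorithm]


def synthetic_key(pubkey, flags=256, algorithm=13, owner="example."):
    """Constructed test key: the tag arithmetic only cares about the bytes."""
    return {"owner": owner, "flags": flags, "protocol": 3, "algorithm": algorithm, "pubkey": pubkey}


# The two ZSKs from the 2018-09-09 post, which BIND reported as keyid 46578 in both zones.
POSTED_KEYS = [
    """ipv6.org.za. IN DNSKEY 256 3 8
AwEAAbdOBycxs6uv0fgkpxh1DyFNyVdWlHfVWy4zKAeEM0MEYeR/idNO
/Z7aWFLlHsEADEpUGuz5dpHRP5OgPDzFesa1AdK0YsbzkDVsRD10Epjt
1CakfLbYqnrn4i/+Ds7VGDQJa83+JOewhKl5lSbGMCtvycFoXg7pyi+A bsCQvITN""",
    """ftth.net.za. IN DNSKEY 256 3 8
AwEAAeB+Q8/GXSoyp3eMHusIgxlr51HUMhMpsRUzhp5A4TlnGPPXHw3C
ktwELF4FzPpnHWrHuOL+PewPU15KL6rQ+y4jN1s9tRMK7+jyTuttSnsF
R9gmmhtCvyZ+GtmAhcBVaoe/4VfZMOCHjthwLxoqMy1l19qx9Yy5jVtd WWa+q6Ot""",
]

if __name__ == "__main__":
    for text in POSTED_KEYS:
        key = parse_dnskey(text)
        print(key["owner"], "computed tag", keytag(key), "(post reports 46578)")
    zsk = synthetic_key(b"\x01\x02\x03\x04")
    ksk = synthetic_key(b"\x01\x02\x03\x04", flags=257)
    print("\n".join(dsset([zsk, ksk], digest_types=(1, 2))))   # only the KSK appears
```

The collision in the test below is deliberate: swapping two octets that sit at positions of the same parity leaves the checksum unchanged, which is all the key tag is. That is why a DS pins (tag, algorithm, digest) and why code that keys a lookup table on the tag alone, as the 2018-09-09 post warns, will eventually pick the wrong DNSKEY.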


Re: DNSSEC validation via DLV

2019-07-18 Thread Mark Elkins
I can't comment on com.au (but looking up the Nameservers, I see the AD 
bit set - so DNSSEC appears to be in use).


However, co.za (and net.za, org.za & web.za) which are managed by the 
ZACR (and DNS) - they are all signed and I personally have domains under 
these second levels - all running DNSSEC. The DS records are added to 
the parents using EPP - and it works perfectly. I used to present free 
(to the community) DNS classes to the community (the ZACR paid me) and 
this (DNSSEC) was taught to attendees. Unfortunately, no more classes 
for now.


DNSSEC in CO.ZA became live at about the time DLV stopped running. The 
other SLD's had already been running for about a year.


For the record, EDU.ZA is also signed and can accept DS records - albeit 
via a Web interface.


@peek - you are most welcome to chat to me.


On 2019/07/18 04:34, p...@vspace.co.za wrote:

With DLV (DNSSEC Lookaside Validation) having been decommissioned, 
though zones still exists that does not provide a fully signed path 
from root to zone, i.e. .com.au , co.za etc, how would an 
administrator enable / implement DNSSEC validation for these zones ?





Re: DNSSEC validation via DLV

2019-07-19 Thread Mark Elkins
That I understand. Use me (Posix) then, full DNSSEC support. 
https://vweb.co.za. If you like, run your DNS wherever you want, just 
use me at the Registrar.
Unfortunately, very few Registrars in ZA-Land have implemented DNSSEC 
support - despite ZA having a very high percentage of DNSSEC resolver 
support (about 50% of all queries hit a DNSSEC aware recursive resolver!)


On 2019/07/19 01:57, p...@vspace.co.za wrote:

By all means, not a difficult process at all. I have DNSSEC enabled and fully 
operational on .com domains.

Problem being, no options exist as to export the DS record of co.za, com.au or 
net.au domains to the respective registrars, being namecheap.com and 
axxess.co.za.

Noted that namecheap.com does accept the DS records for .com domains, yet not 
for .au domains.

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mal via 
bind-users
Sent: Thursday, 18 July 2019 10:22 PM
To: m...@posix.co.za; bind-users@lists.isc.org
Subject: Re: DNSSEC validation via DLV


Not a difficult process really..

-Configure a DNSSEC enabled name server
-Create a some zone keys (dnssec-keygen) -Sign your zone (dnssec-signzone) 
-Update your nameserver configuration to point to the signed zone file -Export 
your DS records (dsset) to the domain registration company (EPP).

Confirm the chain..   http://dnsviz.net/d/apnic.com.au/dnssec/

Mal





Re: DNSSEC basic information

2019-09-24 Thread Mark Elkins


On 2019/09/23 23:00, John W. Blue wrote:


Jukka,

Some odds n ends in no particular order:

1. DNSSEC was designed for external zones


1) I'd also suggest using Algorithm 13 - Elliptical Curve - for any new 
key creations


dnssec-keygen -a ECDSAP256SHA256 ( -f KSK) Zone.being.signed

This way - DNSKEY's are shorter (query responses are shorter, save data) 
so in a DNS Amplification attack - you are less likely to be the source 
of the amplification.


In your DNSSEC Authoritative Nameserver, add into your BIND config 
(named.conf) :-


options {
    directory "/var/named";
    ...
    rate-limit {
        responses-per-second 10;
    };
};


The "rate-limit" should also help dissuade people from using you as a 
source of amplification.
(@BIND) This perhaps should be the default behaviour for an 
authoritative only config.


2) When a Zone is signed, you will be given some DS Records - which need 
to be passed on for inclusion into the Parent Zone. Currently, BIND 
creates two DS keys.
You'll find them inside "dsset-Zone.being.signed". Use just the "13 2" 
version - SHA256  (this needs to become the minimum default 
behaviour by DNSSEC operators)
SHA384 Digests may break DNSSEC in some resolvers (unbound) - so perhaps 
avoid for now. Not everyone has upgraded.


3) Adding "CDS" (Child versions of the DS record) into your zone is also 
a useful thing to do (I *think* BIND may do this automagically?)


4) Keeping DNSSEC aware resolvers and DNSSEC authoritative Nameservers 
separate is best practise - follow that. Configs will then be more simple.




Re: How to set up a dmarc record ?

2019-12-10 Thread Mark Elkins
The reason why is because you don't have a '.' at the end of 
"_dmarc.pasteur-cayenne.fr" so what you really have in your zone file 
is... "_dmarc.pasteur-cayenne.fr.pasteur-cayenne.fr."


Another way of seeing this would be to do an AXFR of your zone - these 
mistakes then jump out at you!


Why do you have "NS ara.pasteur-cayenne.fr." twice ???  That may confuse 
you in the future.


On 2019/12/10 15:37, Niall O'Reilly wrote:

On 10 Dec 2019, at 13:30, Edouard Guigné wrote:


; DMARC
_dmarc.pasteur-cayenne.fr IN  TXT ( "v=DMARC1; p=none; "
                                     "rua=mailto:dm...@pasteur-cayenne.fr; pct=5; "
                                     "sp=none; aspf=r" )


Instead of "_dmarc.pasteur-cayenne.fr", you should put "_dmarc",
leaving out ".pasteur-cayenne.fr", just as you did for the DKIM
record.

Niall O'Reilly
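An added example (not from the thread or from BIND) showing the master-file rule behind the reply above: a relative owner name gets the origin appended, so the forgotten trailing dot produces the doubled name, and a small lint that flags that and the repeated NS line. The sample zone is constructed; pasteur-cayenne.fr is only used as the origin.

```python
"""
Zone-file owner-name handling (RFC 1035 section 5.1) and a small lint for the
two mistakes discussed in this thread. Added example, not BIND's own code.
"""
from collections import Counter


def absolutize(owner: str, origin: str) -> str:
    """'@' is the origin, a name ending in '.' is absolute, anything else is
    relative and gets '.' + origin appended (this is what bites _dmarc above)."""
    origin = origin if origin.endswith(".") else origin + "."
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"


def doubled_origin(fqdn: str, origin: str) -> bool:
    """True when the origin occurs twice at the end of the name: the usual
    signature of a forgotten trailing dot."""
    o = origin.strip(".")
    return fqdn.rstrip(".").endswith(f".{o}.{o}")


def strip_comment(line: str) -> str:
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def lint_zone(zone_text: str, origin: str) -> list:
    """Warn about owner names ending in the origin twice and about identical
    records repeated. Accepts 'owner [TTL] [IN] TYPE rdata' lines; the inner
    lines of a parenthesised record are skipped."""
    warnings, seen = [], Counter()
    last_owner, in_paren = origin, False
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = strip_comment(raw)
        if in_paren:
            in_paren = ")" not in line
            continue
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line[0].isspace():          # blank owner column: previous owner
            owner, rest = last_owner, line.split()
        else:
            owner, *rest = line.split()
            owner = absolutize(owner, origin)
            last_owner = owner
        in_paren = "(" in line and ")" not in line
        rest = [f for f in rest if not f.isdigit() and f != "IN"]
        if not rest:
            continue
        if doubled_origin(owner, origin):
            warnings.append(f"line {lineno}: {owner} ends in the origin twice "
                            "(missing trailing dot?)")
        key = (owner, rest[0], " ".join(rest[1:]))
        seen[key] += 1
        if seen[key] == 2:
            warnings.append(f"line {lineno}: duplicate {rest[0]} record for "
                            f"{owner}: {key[2]}")
    return warnings


# Constructed sample zone reproducing both mistakes from the thread.
SAMPLE_ZONE = """\
$ORIGIN pasteur-cayenne.fr.
@          IN NS  ara.pasteur-cayenne.fr.
@          IN NS  ara.pasteur-cayenne.fr.
; owner name without a trailing dot, as in the original post
_dmarc.pasteur-cayenne.fr IN TXT ( "v=DMARC1; p=none; "
                                   "sp=none; aspf=r" )
_dmarc     IN TXT "v=DMARC1; p=none; sp=none; aspf=r"
"""

if __name__ == "__main__":
    for w in lint_zone(SAMPLE_ZONE, "pasteur-cayenne.fr."):
        print(w)
```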


BIND-9.16.1 & KASP

2020-04-13 Thread Mark Elkins

Hi all,

I have been experimenting with BIND-9.16.1 & KASP. So far - it really 
looks great and it should greatly simplify DNSSEC for the masses.


My named.conf entry:-

dnssec-policy "ecdsa256-policy" {
    dnskey-ttl 3600;
    keys {
    ksk lifetime unlimited algorithm ecdsa256;
    zsk lifetime 34d algorithm ecdsa256;
    };
};

zone "smtp.co.za" {
    type master;
    file "/etc/ns.d/pri/smtp.co.za/db.smtp.co.za";
    key-directory "/etc/ns.d/pri/smtp.co.za/keys";
    dnssec-policy "ecdsa256-policy";
};

My experimental zone (smtp.co.za) is still waiting the initial period of 
(I think) about 25 hours since setup so no CDS records in the zone yet - 
but I do have two new unknown records. From the command:-

dig @localhost smtp.co.za axfr | grep -v RRSIG

smtp.co.za.        1200    IN    SOA    jekyll.smtp.co.za. 
dns-admin.posix.co.za. 2018091104 86400 10800 604800 600

smtp.co.za.        0    IN    TYPE65534 \# 5 0D0D740001
smtp.co.za.        0    IN    TYPE65534 \# 5 0D1BDA0001
smtp.co.za.        3600    IN    DNSKEY    256 3 13 
Rty3kVtsujkbxhKfvVP/xaK2vKetLwBxW9cd0M0GxrpIh8PdvAoTC8us 
pgljMfMC5PIfNeLp+ZZKH0D0nJVSGg==
smtp.co.za.        3600    IN    DNSKEY    257 3 13 
LlDBhlTpPzo7/8hgaIe8AursP216+EuqYjwO23k8dlmIFqKRUEspMPHP 
jKcqBWrSkoiKbxI2IcbSECynYrehAA==

smtp.co.za.        1200    IN    A    196.43.2.142
...

In my own web management interface, it collects the KSK DNSKEY and 
generates its own CDS - which it then EPP's up to the parent. That all 
got done late last night - so the zone is secure (asking 1.1.1.1 - AD is 
set and correct data returns).


Question - What are the "TYPE65534" records? What are they saying? I am 
using "DiG 9.16.1" so surprised it doesn't know.


My zones '$TTL' is 1200... so I would have thought the CDS record would 
have appeared by now.
I "signed" the zone at Apr 12 21:27 +02:00 and its now 16 hours later. I 
thought the biggest delay factor is the zones $TTL, often set to one day.


Looks like the SOA Serial Number still needs to be maintained manually. 
Was expecting a more OpenDNSSEC approach. Would love an automated 
MMDDxx number - date it was last 'modified'. Would be perfect for 
small zones that are rarely updated.




Re: BIND-9.16.1 & KASP

2020-04-14 Thread Mark Elkins

Thanks for the reply

On 2020/04/14 08:42, Matthijs Mekking wrote:

Mark,

On 4/13/20 8:54 PM, Evan Hunt wrote:

On Mon, Apr 13, 2020 at 02:22:53PM +0200, Mark Elkins wrote:

Question - What are the "TYPE65534" records? What are they saying? I am
using "DiG 9.16.1" so surprised it doesn't know.

This is a mechanism named uses to keep track of the status of zone
signing operations, so that if there's a crash or power outage before
signing is complete, it'll know which step it needs to resume on. To
see the status in a human-readable form, use "rndc signing -list ".
If it says signing is complete, you're free to remove the records
with "rndc signing -clear all ".


My zones '$TTL' is 1200... so I would have thought the CDS record would
have appeared by now.
I "signed" the zone at Apr 12 21:27 +02:00 and its now 16 hours later. I
thought the biggest delay factor is the zones $TTL, often set to one day.

I'm... not sure CDS is published automaitcally yet. I'd have to check to be
sure, but I think that's coming in a future release.

If you sign your zone for the first time, named needs to make sure the
DNSKEY and RRSIG records are long enough in the zone such that if a
resolver is able to fetch the DS, it must also be able to fetch the
corresponding DNSKEY and RRSIG records. Only then the CDS is published
indicating it is safe to submit the DS record.

This time is the the maximum zone TTL, zone propagation delay, and
publish safety time. The dnssec-policy does not yet look into the zone
for the maximum TTL but derives it from configuration. The default
policy sets the maximum zone TTL to 1 day. Together with  the zone
propagation delay and publish safety delay from the default policy this
is a 25 hour and 5 minute wait before the CDS is published.

Obviously you can change your policy to lower the maximum-zone-ttl to
1200 in your case (and if you don't care about a publish safety period,
you can set it to 0 seconds).



Got that. So if one has a rarely changing zone and gives it a (default) 
$TTL of four days - then the defaults in the "dnssec-policy" will be 
too short! Something for people to think about. I think the 
dnssec-policy system should probably look into the Zone as the default 
method of finding the "maximum zone TTL".


Looks like the SOA Serial Number still needs to be maintained manually.
Was expecting a more OpenDNSSEC approach. Would love an automated
MMDDxx number - date it was last 'modified'. Would be perfect for
small zones that are rarely updated.

I think the zone option "serial-update-method date;" does this. (I haven't
tested it with dnssec-policy though.)

Despite the documentation says this is for dynamic DNS zones, this also
works for inline-signing and dnssec-policy zones.


Thumbs Up!




- Matthijs


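An added example (not BIND code, not from the thread) that works through the wait described in the reply above: max-zone-ttl plus zone-propagation-delay plus publish-safety before the CDS is published, and a check of a policy's max-zone-ttl against the TTLs actually present in the zone. The 1 day / 5 minute / 1 hour default split is taken from the stock BIND 9.16 policy; the AXFR sample is constructed in the layout of the dig output quoted in the first post.

```python
"""
CDS publication wait and max-zone-ttl sanity check for a dnssec-policy zone.
Added example; not part of BIND or of the original posts.
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Stock BIND 9.16 dnssec-policy values: 1d + 5m + 1h = the 25h05m quoted above.
DEFAULT_POLICY = {"max-zone-ttl": "1d", "zone-propagation-delay": "5m",
                  "publish-safety": "1h"}


def seconds(value) -> int:
    """Parse a BIND-style TTL/duration: plain seconds or a number with s/m/h/d/w."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def cds_publish_wait(policy=DEFAULT_POLICY) -> int:
    """Seconds after first signing before the CDS may appear:
    max-zone-ttl + zone-propagation-delay + publish-safety."""
    return sum(seconds(policy[k]) for k in
               ("max-zone-ttl", "zone-propagation-delay", "publish-safety"))


def max_ttl_in_axfr(axfr_text: str, ignore=("RRSIG", "TYPE65534")) -> int:
    """Largest TTL among 'owner TTL IN TYPE ...' lines (dig axfr layout).
    Continuation lines without a TTL column are skipped."""
    best = 0
    for line in axfr_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].isdigit() and f[2] == "IN" and f[3] not in ignore:
            best = max(best, int(f[1]))
    return best


def policy_fits_zone(axfr_text: str, policy=DEFAULT_POLICY) -> tuple:
    """(ok, zone_max_ttl, policy_max_ttl). The policy's max-zone-ttl must cover
    the zone's real maximum TTL, otherwise the CDS can be published before every
    resolver has been able to fetch the new DNSKEY and RRSIG records."""
    zone_max = max_ttl_in_axfr(axfr_text)
    policy_max = seconds(policy["max-zone-ttl"])
    return zone_max <= policy_max, zone_max, policy_max


# Constructed sample in the layout of the dig axfr listing quoted above.
SAMPLE_AXFR = """\
smtp.co.za. 1200 IN SOA jekyll.smtp.co.za. dns-admin.posix.co.za. 2018091104 86400 10800 604800 600
smtp.co.za. 0 IN TYPE65534 \\# 5 0D0D740001
smtp.co.za. 3600 IN DNSKEY 256 3 13 Rty3kVtsujkbxhKfvVP/xaK2vKetLwBxW9cd0M0GxrpIh8PdvAoTC8uspgljMfMC5PIfNeLp+ZZKH0D0nJVSGg==
smtp.co.za. 1200 IN A 196.43.2.142
"""

if __name__ == "__main__":
    print("default policy wait:", cds_publish_wait(), "s")
    lowered = dict(DEFAULT_POLICY, **{"max-zone-ttl": 1200})
    print("with max-zone-ttl 1200:", cds_publish_wait(lowered), "s")
    print("policy fits sample zone:", policy_fits_zone(SAMPLE_AXFR))
```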


dnssec-keygen getting dates wrong

2020-08-30 Thread Mark Elkins
Running BIND.. 9.16.6 on a Gentoo machine - so BIND is kept very much up 
to date.


dnssec-keygen - Version: 9.16.6


I create DNSSEC Keys in a manual process and in order to see when a Key 
was created (so I can rotate them - etc..) I look at the Creation date 
inside the 'key' file


# dnssec-keygen -a RSASHA256 fubar.com

# cat Kfubar.com.+008+21010.key
; This is a zone-signing key, keyid 21010, for fubar.com.
; Created: 20200830105653 (Sun Aug 30 12:56:53 202)
; Publish: 20200830105653 (Sun Aug 30 12:56:53 202)
; Activate: 20200830105653 (Sun Aug 30 12:56:53 202)

Can anyone spot an issue? Look carefully at the creation date, the year 
in particular!




How do I insert "CDS 0 0 0 0"?

2020-10-04 Thread Mark Elkins

What is the magic incantation to inserting a "CDS 0 0 0 0" record in BIND.
Version - BIND 9.16.6 (Stable Release)
I've read RFC8070 - which says... (https://tools.ietf.org/html/rfc8078)

The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
   contain the exact fields as shown below.

  CDS 0 0 0 0

  CDNSKEY 0 3 0 0

In Knot docs... 
https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
it says...

DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually

In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf it 
says...

A child zone can also signal to turn off DNSSEC by removing the DS 
record set in the parent zone.
In this case, the operator may publish a special CDS record which must 
exactly match:

CDS 0 0 0 00


I have a zone called "nodnssec.edu.za".

In a text zone - if I add:-

CDS 0 0 0 0

I get:-   (from running: /usr/sbin/named-checkconf -z 
/etc/bind/named.conf | grep nodnssec)


_default/nodnssec.edu.za/IN: bad hex encoding
dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
zone nodnssec.edu.za/IN: loading from master file db.nodnssec.edu.za 
failed: bad hex encoding

zone nodnssec.edu.za/IN: not loaded due to errors.

CDS 0 0 0 00   gives me

_default/nodnssec.edu.za/IN: bad CDS
zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
zone nodnssec.edu.za/IN: not loaded due to errors.

I've also tried a null string - CDS 0 0 0 ""    - no joy.

So what should I add?

I've seen a record hosted by Cloudflare for revolution.edu.za, DIG 
shows that as "CDS 0 0 0 00" and the NET_DNS2 software shows it 
as...  "CDS 0 0 0 " (no digest at all).





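An added example (not BIND code and not the author's registry tooling) that builds DS and CDS records from DNSKEY presentation lines: the key tag and digest computation, the "13 2" SHA-256 form recommended in the DNSSEC basics post, the KSK-to-CDS step of the KASP post, and the RFC 8078 delete signal as the SWITCH manual quotes it, CDS 0 0 0 00 with a single zero byte as the digest. The example.test key in the test is constructed; the smtp.co.za KSK in the demo is the one listed in the KASP thread.

```python
"""
DS / CDS record construction (RFC 4034 section 5.1.4 and appendix B,
RFC 8078 section 4). Added example, not part of BIND or of the posts above.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (legacy), 2 = SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}
KSK_FLAGS = 257  # ZONE (256) + SEP (1): the "257" column of a DNSKEY record


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower case, length-prefixed labels."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' (join dig's
    wrapped key lines first). Returns (owner, flags, alg, rdata)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, flags, alg, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(line: str, digest_type: int = 2, rrtype: str = "DS") -> str:
    """DS (or CDS) presentation line for one DNSKEY; digest is over
    owner-name-in-wire-form || DNSKEY RDATA."""
    owner, _flags, alg, rdata = parse_dnskey(line)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN {rrtype} {key_tag(rdata)} {alg} {digest_type} {digest}"


def cds_for_ksks(dnskey_lines) -> list:
    """CDS records for the KSKs only, SHA-256 only (the '13 2' form)."""
    return [ds_record(l, 2, "CDS") for l in dnskey_lines
            if parse_dnskey(l)[1] == KSK_FLAGS]


def cds_delete(owner: str) -> str:
    """RFC 8078 delete signal: one CDS whose digest is a single zero byte."""
    return f"{owner} IN CDS 0 0 0 00"


if __name__ == "__main__":
    # KSK from the smtp.co.za listing in the KASP thread, joined onto one line.
    ksk = ("smtp.co.za. 3600 IN DNSKEY 257 3 13 "
           "LlDBhlTpPzo7/8hgaIe8AursP216+EuqYjwO23k8dlmIFqKRUEspMPHP"
           "jKcqBWrSkoiKbxI2IcbSECynYrehAA==")
    print(ds_record(ksk, 2))
    print(cds_for_ksks([ksk])[0])
    print(cds_delete("smtp.co.za."))
```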


Re: Serial number question..

2020-12-17 Thread Mark Elkins

I was wondering if there was any significance in the SOA serial value

$ date --date='@1297117089'
Tue Feb  8 00:18:09 SAST 2011
$ date --date='@1762233707'
Tue Nov  4 07:21:47 SAST 2025

...so nope (but sort of close?)

Personally - I try and use a MMDDxx format in my SOA Serial number - 
so in an easily understandable human readable format (as long as there 
are no more than 99 updates in a day - or one change every 15 minute 
clock tick). Another option is the current seconds since Unix epoch - 
which is what I thought might be going on. That could work for very busy 
or dynamic zones.


It then allows for simple sanity checking of the SOA Serial number based 
on the current date (and time) - before telling your authoritative 
nameserver software a change has happened.


Years ago - I had to rotate an SOA Serial past 2^31, negative and down, 
past Zero to the format we wanted when an uncontrolled SOA update 
happened. Pain in the rear end.


Anyway - the Secondaries will only update again once the Primary SOA 
Serial number is "bigger" than they are.


On 12/17/20 8:56 PM, Bruce Johnson wrote:

Someone updated out name server and messed up the serial number on the primary; 
as a result our secondaries are not updating properly.

Primary:

bruces-Mac-Mini:~ johnson$ dig @elixir.pharmacy.arizona.edu -t SOA +noall 
+answer pharmacy.arizona.edu
pharmacy.arizona.edu.   86404   IN  SOA elixir.pharmacy.arizona.edu. 
wunz.elixir.pharmacy.arizona.edu. 1297117089 3600 120 1209600 86400


Secondaries:

bruces-Mac-Mini:~ johnson$ dig @dhbns1.pharmacy.arizona.edu -t SOA +noall 
+answer pharmacy.arizona.edu
pharmacy.arizona.edu.   86404   IN  SOA elixir.pharmacy.arizona.edu. 
wunz.elixir.pharmacy.arizona.edu. 1762233707 3600 120 1209600 86400
bruces-Mac-Mini:~ johnson$ dig @ns-remote.arizona.edu -t SOA +noall +answer 
pharmacy.arizona.edu
pharmacy.arizona.edu.   86404   IN  SOA elixir.pharmacy.arizona.edu. 
wunz.elixir.pharmacy.arizona.edu. 1762233707 3600 120 1209600 86400

Is the fix here just setting the serial number on the primary to 1762233708 ?

The various things online I’ve found are all based on “you accidentally set the 
primary more than 2^32 ahead” so you have to do a bunch of modulo arithmetic...



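An added example (not from the thread) of the serial checks described above: RFC 1982 comparison, which decides whether a secondary will transfer, plus the date-based sanity check that tells a YYYYMMDDxx serial from a seconds-since-epoch one and flags a serial that lies in the future. The 1297117089 and 1762233707 values in the test are the ones quoted in the question.

```python
"""
SOA serial arithmetic (RFC 1982) and date-based serial sanity checks.
Added example; not part of BIND or of the posts above.
"""
from datetime import date, datetime, timezone

MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is serial a 'bigger' than b on the 32-bit circle?"""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def secondary_will_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """A secondary only refreshes when the primary's SOA serial is bigger
    (in the RFC 1982 sense) than the one it already holds."""
    return serial_gt(primary_serial, secondary_serial)


def classify_serial(serial: int, now: datetime) -> dict:
    """Guess the convention behind a serial (YYYYMMDDxx with two change digits
    per day, or seconds since the Unix epoch) and flag one that is ahead of
    'now'. Returns {"serial", "kind", "when", "in_future"}."""
    info = {"serial": serial, "kind": "unknown", "when": None, "in_future": False}
    try:
        d = datetime.strptime(str(serial // 100), "%Y%m%d").replace(tzinfo=timezone.utc)
        if d.year >= 1970:
            info.update(kind="YYYYMMDDxx", when=d)
    except ValueError:
        try:
            info.update(kind="epoch",
                        when=datetime.fromtimestamp(serial, tz=timezone.utc))
        except (OverflowError, OSError, ValueError):
            pass
    if info["when"] is not None:
        info["in_future"] = info["when"] > now
    return info


def next_date_serial(current: int, today: date) -> int:
    """Next YYYYMMDDxx serial for an edit made today. If the zone's current
    serial is already past that value (an epoch-style serial, say), fall back
    to current + 1 so the secondaries still see an increase."""
    day = int(today.strftime("%Y%m%d"))
    candidate = current + 1 if current // 100 == day else day * 100 + 1
    if not serial_gt(candidate, current):
        candidate = (current + 1) % MOD
    return candidate


if __name__ == "__main__":
    now = datetime(2020, 12, 17, tzinfo=timezone.utc)
    for s in (1297117089, 1762233707, 2020121701):
        print(classify_serial(s, now))
    print("primary 1762233708 beats 1762233707:",
          secondary_will_transfer(1762233708, 1762233707))
```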


Re: DNSSEC upgrade

2021-04-29 Thread Mark Elkins
Waiting twice the TTL is the safe option. Start counting from when you 
see the new DS record in the parent. To be even more pedantic, start 
counting after all authoritative Nameservers have the new DS record...

Quite easy to do from a script.

And the recommendation to move to ecdsa-p256-sha256 is a good one - 
makes you a lot less appetising to be used in a DNS amplification attack.


On 4/30/21 3:05 AM, Edwardo Garcia wrote:

Halo Tony,
Thank you, wow ecdsa-p256-sha256 produce keys 1/10th the size of rsa, 
strange how this better but we have made change as
from your howto, thank you, now 24 hour and all seems ok from what we 
tell, and the test site says all good.


One question however it talk about longest TTL, does this mean also 
root TLD zones (.com, .net) which from memory are 48 hours, so before 
we delete old keys we need wait 48 hours, even though our zone TTL was 
24 ?


Thank you, wow much much easy than I hoped for :-)

On Wed, Apr 28, 2021 at 12:08 PM Tony Finch wrote:


Edwardo Garcia <wdgar...@gmail.com> wrote:
>
> Many year ago we set up DNSSEC, our key were generated with sha1
as was
> recommended way back all them years. We too are not DNSSEC guru,
so some
> answer may be simple

Well, you are going to do an algorithm rollover, which is one of
the more
tricky things you can do with DNSSEC. So, plan to do some testing,
a trial
run, with a spare zone that you can break without worrying.

If you like to understand things by getting an idea of the wider
context
then there are a couple of RFCs on the general subject of key
rollovers.
The parts that are most relevant are the algorithm rollover
section in RFC
6781 and the double-KSK section in RFC 7583.

https://tools.ietf.org/html/rfc6781

https://tools.ietf.org/html/rfc7583


DNSSEC has got easier since those RFCs were written, so you might
as well
just skip to the howto bits below :-) It turns out, I wrote most
of this
reply over a year ago...

> Also we use ZSK -b 1024 and KSK -b 4096
> even modern google from apnic show example  ZSK of only 1024? is
this still
> secure?

The current recommendation for DNSSEC algorithms is:

  * you already know you want to choose something based on sha256
- it's
    secure enough, so there's no need for bigger hashes

  * ecdsa-p256-sha256 (13) is the best choice, because it is widely
    supported and produces small signatures

  * if you must use RSA, use 2048 bit keys for both zsk and ksk.
1024 bits
    is not secure; 2048 has a roughly comparable security level to
sha256
    (112ish bits vs 128 bits); 4096 is big and slow and probably
not worth
    the cost

  * I would like to be able to deploy ed25519 (a better elliptic curve
    than p256) but it is not yet supported well enough

> Is best practise for doing this, replacing the keys completely,
more or
> less like start fresh again?
>
> We do use inline signing and automatic maintain.

I did a wholesale algorithm rollover from RSASHA1 to p256 around
the end
of 2019 and I wrote an algorithm rollover guide for colleagues in
other
parts of our university who run their own DNS. It's basically
three steps
with lots of waiting in between:

https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html


The "Semi-automated DS updates" section probably isn't relevant to
you,
and the "Future" section has been made obsolete by dnssec-policy.
But the
rest of it should guide you through the essentials.

(Also, the RIPE NCC does now support CDS records.)

And use these DNS checking services to verify that it is working as
expected:

https://dnsviz.net/ 

https://zonemaster.net/ 

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>

https://dotat.at/ 
Rattray Head to Berwick upon Tweed: North or northeast 4 or 5,
occasionally 3 later. Slight or moderate. Showers. Good.



Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread Mark Elkins
I think getting rid of SHA1 DS (DS type 1) records would be a reasonable 
thing to do. They are weaker than SHA256 DS (DS type 2) records. 
Generally, in life, making things simpler is a good idea and I believe 
that applies here too.


.COM only provides DS type 2 records in the root so if there were 
fundamental problems - we would have heard by now.


@Stuart - So do any delegations in the root zone only have SHA1 DS records?

On 2/11/21 8:01 AM, Stuart@registry.godaddy wrote:

It's one of those old compatibility things.

A quick bit of analysis of the root zone:

1,370 delegations with DS records
  697 SHA1 DS records
1,519 SHA2 DS records

Yes, these numbers don't add up; there are some double and triple DS record 
sets in there.

So the US zone is by no means alone in keeping it around (at least 27 other 
countries similarly have them).

I'm sure that in the not-too-distant future, they'll be phased out, but for now 
we don't have that as an high priority piece of work.

Stuart

On 11/2/21, 1:06 pm, "bind-users on behalf of John W. Blue via bind-users" 
 wrote:




 So out of curiosity why does the us tld have a SHA1 DS in root?  Should be 
an easy thing to tidy up, eh?

 John

 -Original Message-
 From: Stuart@registry.godaddy [mailto:Stuart@registry.godaddy]
 Sent: Wednesday, February 10, 2021 7:20 PM
 To: John W. Blue; bind-users
 Subject: Re: Bind 9.11 serving up false answers for a single domain. (OT)

 Ah, SHA1 DS record or an RSASHA256 DNSKEY, yes.

 Stuart

 On 11/2/21, 11:42 am, "bind-users on behalf of John W. Blue via bind-users" 
 wrote:




 Well .. as best as I can tell .. the us tld does has a SHA1 DS record:

 ;; QUESTION SECTION:
 ;us.IN  DS

 ;; ANSWER SECTION:
 us. 50882   IN  DS  21364 8 1 
260D0461242BCF8F05473A08B05ED01E6FA59B9C
 us. 50882   IN  DS  21364 8 2 
B499CFA7B54D25FDE1E6FE93076FB013DAA664DA1F26585324740A1E 6EBDAB26

 Right?

 In checking other tld's looks like it is a mixed bag .. some do .. 
some don’t.

 ;; QUESTION SECTION:
 ;com.   IN  DS

 ;; ANSWER SECTION:
 com.78577   IN  DS  30909 8 2 
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

 -Original Message-
 From: Stuart@registry.godaddy [mailto:Stuart@registry.godaddy]
 Sent: Wednesday, February 10, 2021 5:24 PM
 To: John W. Blue; bind-users
 Subject: Re: Bind 9.11 serving up false answers for a single domain. 
(OT)

 

 If you look closer, you’ll see that ‘us.’ is RSASHA256. ‘state.ma.us.’ 
however, is delegated to the state officials of the Commonwealth of 
Massachusetts and is indeed RSASHA1NSEC3.

 Stuart
 ... one of the guy’s that does the DNSSEC for US TLD.

 From: bind-users on behalf of "John W. Blue via bind-users"
 Reply to: "John W. Blue"
 Date: Thursday, 11 February 2021 at 9:21 am
 To: bind-users
 Subject: RE: Bind 9.11 serving up false answers for a single domain.


 Three words:  tcpdump and wireshark

 It is like peanut and jelly .. hall and oates .. salt and pepper .. 
ebb and flow .. pen and paper .. I could go on but …

 Know them.  Love them.  They are your newest best friends.

 

 Using tcpdump IMHO should be the first tool anyone uses when 
troubleshooting seemly unexplainable DNS weirdness.

 Knowing what is being put on the wire (or lack thereof) is critical 
since it provides key factual data points that decisions can be made on.  When 
running tcpdump on the DNS server I personally prefer this command:

 tcpdump -n -i  -s 65535 -w 

 dash n is telling tcpdump that you do not want it to resolve 
hostnames.  This is an important option when doing DNS troubleshooting because 
you do not want extra resolutions taking place.
 dash s is saying gimme the full packet.
 dash w is the name of the file you want the output saved in.

 After starting the command, run several queries from a host and ctrl+c 
to exit.

 Once you get your file into wireshark now you can start slicing n 
dicing on the data!

 Here is handy wireshark filter:  dns.qry.name == 
internet-dns1.state.ma.us

 By using a filter of dns.flags.rcode == (number here) you can drive 
off into the weeds and get super granular with sorting the data.  For example 
“dns.flags.rcode == 2” will show you all of the server failures for queries.

 It is hard to provide further guidance on what to do since what you 
find in 

Re: Change records in DNS slave if master is offline

2021-12-19 Thread Mark Elkins
Apart from master/slave now being Primary/Secondary  (mindset change 
after 25 years of DNS management)


... I kind of like the idea - except if the Primary server is DNSSEC 
Signing that zone (and DNSSEC is a really smart thing to be able to do) 
then editing a Secondary is not a very simple thing to do. The DNSSEC 
keys (zsk/ksk/(csk)) are not shared with the transfer of a zone - so 
locally signing on a Secondary would be a challenge.


I guess in an emergency one could remove the DNSSEC records from the 
Zone along with removing the DS records from the parent. It would then 
be safe to edit a text version on the Secondary and better still, 
promote it to being the new Primary. Generally though, one can usually 
afford for a Primary to be down for a short time until things are fixed.


Having a contingency plan to switch your Primary to a different 
(currently Secondary) server along with all the DNSSEC configuration 
would be a useful exercise. Have all the same DNS tools on that backup 
server that you already have on the current Primary server.


On 12/19/21 3:12 PM, Richard Doty wrote:
Having text files makes editing easier, but you still want to keep the 
slaves the same - making the identical edit multiple times is some 
work, but may not actually happen depending on circumstances (people 
make mistakes)


I like to make all the servers 'masters' - so whoever has the highest 
serial number wins.  Then if you update one slave, it is automatically 
synced to the others.  This might conflict with however you populate 
your true master.


On Fri, Dec 17, 2021 at 6:30 AM Roberto Carna 
<robertocarn...@gmail.com> wrote:


Warren, thanks a lot... with the masterfile-format clause it works OK.

Greetings!!!

On Thu, 16 Dec 2021 at 15:43, Warren Kumari (<war...@kumari.net>) wrote:
>
>
>
> On Thu, Dec 16, 2021 at 10:37 AM Roberto Carna
<robertocarn...@gmail.com> wrote:
>>
>> Dear all, I have one BIND9 server as master and 3 as slaves.
>>
>> The master and one slave are in a given site #1, and the other two
>> slaves are in a geographical different site #2.
>>
>> In case site #1 goes offline, I need to edit records in both slaves
>> from site #2, in order to point some services to other public
IP's for
>> contingency.
>>
>> My question is:
>>
>> What is the recommended way to edit the records from a BIND9 slave?
>> Because the zone files are binary files
>
>
> Yup, if you are running (IIRC) > v9.9.x, the default is binary
files.
> You can convert these beck to text with:
> named-compilezone -f raw -F text -o example.com.text example.com example.com.binary
>
> You can also change the default in named.conf:
> options {
> // many many options
> masterfile-format text;
> //
> // many other options
> //
> }
>
> The raw (binary) zone files are good for large zones, but for small zones,
> where speed isn't super important, text format works just fine...
> W
>
>
>>
>> and using the Webmin interface
>> is blocked.
>>
>> The only manner is changing the configuration from slave to master?
>>
>> Thanks in advance, greetings!!!

>
>
>
> --
> The computing scientist's main challenge is not to get confused by the
> complexities of his own making.
>   -- E. W. Dijkstra



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ 

Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Mark Elkins

And I can testify that this works. I have 2001:42a0::/32 signed via AFRINIC.

One suggestion though. When one signs an IPv4 reverse - use NSEC - as 
everyone can guess what is there anyway.
With IPv6 - you might want to use NSEC3 - as there can be huge holes in 
the reverse zone. Make the bad guy work at guessing what is in the zone.
Also - if signing a brand new zone - try using Algo 13 (elliptic 
curve) as it will generate shorter keys - so less chance of your zone 
being used in a DNS DDoS amplification attack - it doesn't amplify as much.



On 11/18/21 12:07 PM, Mark Andrews wrote:
You do it exactly the same as any other zone.  You create DNSKEYs. You 
sign the zone. You add DS records to the parent zone.


--
Mark Andrews


On 18 Nov 2021, at 20:28, Divya  wrote:


Dear Admin,

Has anybody implemented  DNSSEC on IPv6 reverse  zones?
Kindly help us to configure DNSSEC on reverse zones of IPV6 segment 
with BIND 9.17.16+CentOS  7.9.


With Thanks & Regards
Divya







--

Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.826010496 
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za 





CDS records created from ZSK records?

2022-01-24 Thread Mark Elkins
I've just noticed that in the last few days that "BIND 9.16.22 (Extended 
Support Version) " appears to be generating CDS records for 
both KSK ***and ZSK*** records!


Nothing on my side has been changed although I do run automated updates. 
I'm on a Linux machine running Gentoo.


$ dig DNSKEY EDU.ZA

; <<>> DiG 9.16.6 <<>> DNSKEY EDU.ZA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22867
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;EDU.ZA.                IN    DNSKEY

;; ANSWER SECTION:
EDU.ZA.            9378    IN    DNSKEY    256 3 13 
U9/K052f1oBX5WYbedZhLM0jd+rNAwEYNfuRUAsf2S3U7UNaEKV2pYtM 
3dHSOdsNDiLkr0H77x9U2ZFtoN7U2A==
EDU.ZA.            9378    IN    DNSKEY    256 3 13 
YPgTWLFxFXWMXlVaJB2bCA5F75l5yryFO/h9w+xXS/GfhhmvyZvh9NCv 
MLPZckLRGbeZ5/BkyH9ae4X0IyzKYA==
EDU.ZA.            9378    IN    DNSKEY    257 3 13 
75OMA5R90131FVGX1QcJiCGAUboYSmazf3dPpAPL0t33YLcx7bBnio6Y 
qyrR77MRVZKNpWIBLcnz7YOLWNZXmQ==


---

$ dig CDS EDU.ZA

; <<>> DiG 9.16.6 <<>> CDS EDU.ZA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11376
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;EDU.ZA.                IN    CDS

;; ANSWER SECTION:
EDU.ZA.            86400    IN    CDS    569 13 2 
350F4414CB611C04AD829CD2C23A5C60296EA635BF59D7F0B44CD02F 6B396A94
EDU.ZA.            86400    IN    CDS    9355 13 2 
B0A16FBB3F5D6274665DE272FE5FF182ABC89B3072B668589E5EC6F0 513E36C9
EDU.ZA.            86400    IN    CDS    49988 13 2 
6F99A6D6A4657F0A528AD2791B8B3E02AFB34E5DB79F5C53EA022A55 1874D40A


These are also the values from inside my signed zone. Anyone have any 
thoughts?

This is going to screw up systems that poll for CDS records.


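To see which DNSKEY each of those CDS records was derived from, the key tags can be recomputed from the DNSKEY RRset in the dig output above. This is an added example, not code from the post or from BIND: it takes the three DNSKEY and three CDS records exactly as printed above (the base64 and hex runs that dig wrapped onto two lines are joined back together), computes the RFC 4034 key tag and the SHA-256 DS digest for each key, and reports which CDS records belong to keys without the SEP flag (flags 256, i.e. the ZSKs). The owner name edu.za. and the KSK/ZSK role labels are the only assumptions.

```python
import base64
import hashlib

# DNSKEY and CDS RRsets as shown in the dig output in the post (EDU.ZA, January 2022);
# the base64/hex runs that dig wrapped across two lines are joined back together.
OWNER = "edu.za."
DNSKEYS = [
    # (flags, protocol, algorithm, public key)
    (256, 3, 13, "U9/K052f1oBX5WYbedZhLM0jd+rNAwEYNfuRUAsf2S3U7UNaEKV2pYtM"
                 "3dHSOdsNDiLkr0H77x9U2ZFtoN7U2A=="),
    (256, 3, 13, "YPgTWLFxFXWMXlVaJB2bCA5F75l5yryFO/h9w+xXS/GfhhmvyZvh9NCv"
                 "MLPZckLRGbeZ5/BkyH9ae4X0IyzKYA=="),
    (257, 3, 13, "75OMA5R90131FVGX1QcJiCGAUboYSmazf3dPpAPL0t33YLcx7bBnio6Y"
                 "qyrR77MRVZKNpWIBLcnz7YOLWNZXmQ=="),
]
CDS = {  # key tag -> (algorithm, digest type, digest)
    569:   (13, 2, "350F4414CB611C04AD829CD2C23A5C60296EA635BF59D7F0B44CD02F6B396A94"),
    9355:  (13, 2, "B0A16FBB3F5D6274665DE272FE5FF182ABC89B3072B668589E5EC6F0513E36C9"),
    49988: (13, 2, "6F99A6D6A4657F0A528AD2791B8B3E02AFB34E5DB79F5C53EA022A551874D40A"),
}
SEP_FLAG = 0x0001  # RFC 4034 s2.1.1 "Secure Entry Point": set on KSKs by convention only


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum of the RDATA bytes, odd bytes low, even bytes high."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lower-case, uncompressed) wire form of the owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest_sha256(owner, rdata):
    """DS/CDS digest type 2: SHA-256 over owner name || DNSKEY RDATA (RFC 4034 s5.1.4)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def classify(dnskeys=DNSKEYS, cds=CDS, owner=OWNER):
    """For each DNSKEY: key tag, KSK/ZSK role by SEP flag, and whether a CDS with that tag exists."""
    out = []
    for flags, protocol, algorithm, key in dnskeys:
        rdata = dnskey_rdata(flags, protocol, algorithm, key)
        tag = key_tag(rdata)
        published = cds.get(tag)
        out.append({
            "tag": tag,
            "role": "KSK" if flags & SEP_FLAG else "ZSK",
            "algorithm": algorithm,
            "cds_published": published is not None,
            "digest_matches": published is not None
                and published[:2] == (algorithm, 2)
                and published[2] == ds_digest_sha256(owner, rdata),
        })
    return out


def zsk_tags_in_cds(dnskeys=DNSKEYS, cds=CDS, owner=OWNER):
    """Key tags of non-SEP keys that nevertheless have a CDS record: the condition the post reports."""
    return sorted(k["tag"] for k in classify(dnskeys, cds, owner)
                  if k["role"] == "ZSK" and k["cds_published"])


if __name__ == "__main__":
    for k in classify():
        print(k)
    print("ZSKs advertised via CDS:", zsk_tags_in_cds())
```

Run as a script it prints one line per key: the tag comes out as 569 for the flags-257 key and 9355 and 49988 for the two flags-256 keys, which is exactly the CDS RRset in the post. As the reply below says, the SEP flag is only a hint: a DS for a flags-256 key is valid and a parent will install it, so the check to make before publishing is on which key files get fed to dnssec-dsfromkey -C, not on what the parent will accept.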

Re: CDS records created from ZSK records?

2022-01-25 Thread Mark Elkins

Found it - my problem.

I used to create the CDS records using a binary that has now been 
withdrawn by ISC (around November/December 2021) and now use...


dnssec-dsfromkey -C $key

...except I was running that on all keys - including ZSK's...

I have a bash shell script that does the signing. First written in 2011.
Yes - I am testing with "dnssec-policy"...

---

dnssec-policy "posix-ecdsa256-policy" {
    dnskey-ttl 3600;
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime 34d algorithm ecdsa256;
    };
};

zone "smtp.co.za" {
    type master;
    file "/etc/ns.d/pri/smtp.co.za/db.smtp.co.za";
    key-directory "/etc/ns.d/pri/smtp.co.za/keys";
    dnssec-policy "posix-ecdsa256-policy";
    serial-update-method date;
};
---

... but until there is a trigger system so I can call code to do an EPP 
based KSK rollover to the parent, will keep what I've got as it 
(usually) works.


On 1/25/22 12:58 AM, Mark Andrews wrote:




Well, CDS records for DNSKEYs without the SEP bit are perfectly valid, as the 
SEP bit is purely advisory, and no, it shouldn't screw up systems that poll 
for CDS records. You will however have to manage them properly in the future.

You haven't said how you are managing DNSSEC, and named supports several 
models, so it is hard to a) tell if there was a bug in our code or b) an 
error on your part.

Assuming that you are not using dnssec-policy you should be able to use 
'dnssec-settime -D sync date/offset' on the ZSKs to tell named to stop 
publishing the CDS records, but remember you still need to account for the 
fact that they were published as you go forward.

Mark



Re: Can't modify an existing SPF record

2022-07-08 Thread Mark Elkins
There can only be one SPF TXT record per domain. A complete record could 
look like:


domain1.com.  IN    TXT   "v=spf1 a:mail.domain1.com a:smtp.domain1.com a:relay.domain2.com -all"


It should be logical to use a (domain) name because that name could have 
multiple IP addresses, both IPv4 and IPv6.

Note that there are double quotes around the whole TXT string as well.

On 7/8/22 5:55 PM, Richard T.A. Neal wrote:


Hi Roberto,

You need to prefix it with “a:” to indicate that this is an A-record, 
i.e.:


a:relay.company.com

Best,

Richard.

From: Greg Choules via bind-users
Sent: 08 July 2022 4:45 pm
To: Roberto Carna
Cc: ML BIND Users
Subject: Re: Can't modify an existing SPF record

Hi Roberto. What domain is this SPF for and exactly how are you trying 
to add the extra term?


Cheers, Greg

On Fri, 8 Jul 2022 at 16:38, Roberto Carna wrote:


Dear, from my webmin interface for BIND9, I try to add an additional
allowed sender host to our SPF record, but I get the following error:

Failed to save record : 'relay.company.com' is not a valid host to
allow sending from

What does this mean? Do I have to consider some important thing
I'm forgetting ?

relay.company.com is already defined in our public DNS, and it has a
reverse record too.

if I add this record by hand, it's not replicated to the DNS slaves.

Thanks in advance!!!

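A small checker for the kind of mistake in this thread, added here as an example and not part of any poster's tooling or of Webmin: it takes a domain's TXT RRset in presentation format (the two sample RRsets are constructed for illustration), picks out the v=spf1 record(s), and reports a bare hostname used where a mechanism is required, a second v=spf1 record, malformed ip4:/ip6: networks, terms after all, and more than ten DNS-querying terms. Hostname matching is plain label syntax; SPF macros such as %{d} are not handled.

```python
import ipaddress
import re

# Constructed TXT RRsets for illustration, not real zone data. TXT_GOOD has the shape of the
# record in the post; TXT_BAD reproduces the two mistakes discussed in the thread.
TXT_GOOD = ['"v=spf1 a:mail.domain1.com a:smtp.domain1.com a:relay.domain2.com -all"']
TXT_BAD = [
    '"v=spf1 a:mail.domain1.com relay.company.com -all"',  # bare hostname, the term Webmin rejected
    '"v=spf1 ip4:192.0.2.0/24 ~all"',                      # a second v=spf1 record
]

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # counted by RFC 7208 s4.6.4
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.I)
# Plain hostnames only (underscore allowed for names like _spf); SPF macros are out of scope.
HOSTNAME = re.compile(r"^(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}\.?$", re.I)


def txt_strings(rr):
    """Concatenate the quoted character-strings of one TXT RR (one record may be split into several)."""
    return "".join(QUOTED.findall(rr))


def valid_domain(arg):
    """'host' or 'host/cidr' as accepted by a:, mx:, include:, exists: and redirect=."""
    host, _, cidr = arg.partition("/")
    return bool(HOSTNAME.match(host)) and (cidr == "" or cidr.isdigit())


def check_spf(txt_records):
    """Validate a domain's TXT RRset as SPF; returns ok flag, problems found and the lookup count."""
    problems, lookups = [], 0
    spf = [s for s in map(txt_strings, txt_records) if s.lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return {"ok": False, "problems": ["no v=spf1 record"], "lookups": 0, "record": None}
    if len(spf) > 1:
        problems.append(f"{len(spf)} v=spf1 records: receivers treat this as permerror (RFC 7208 s3.2)")
    terms = spf[0].split()[1:]
    for i, term in enumerate(terms):
        m = TERM.match(term)
        name, sep, arg = (m.group(2).lower(), m.group(3), m.group(4)) if m else (None, None, None)
        if name in MODIFIERS and sep == "=":
            ok = valid_domain(arg)
        elif name == "all":
            ok = sep is None
            if i != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
        elif name in ("ip4", "ip6"):
            try:
                ok = sep == ":" and ipaddress.ip_network(arg, strict=False).version == (4 if name == "ip4" else 6)
            except ValueError:
                ok = False
        elif name in MECHANISMS:  # a, mx, ptr, include, exists
            if sep is None:
                ok = name in ("a", "mx", "ptr")        # no argument: the current domain
            elif sep == "/":
                ok = name in ("a", "mx") and arg.isdigit()
            else:
                ok = valid_domain(arg)
        else:
            ok = False
            if HOSTNAME.match(term):
                problems.append(f"'{term}' is a bare hostname, not a mechanism: use a:{term} (or mx:/include:)")
                continue
        if not ok:
            problems.append(f"malformed term '{term}'")
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10 (RFC 7208 s4.6.4)")
    return {"ok": not problems, "problems": problems, "lookups": lookups, "record": spf[0]}


if __name__ == "__main__":
    for rrset in (TXT_GOOD, TXT_BAD):
        print(check_spf(rrset))
```

The bare-hostname branch is the one Webmin tripped on: "relay.company.com" is not a term at all, and an evaluator that did accept it would treat it as an unknown mechanism and return permerror for the whole record, so the only safe fix is the a: prefix (or mx:/include:, depending on what the host is).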

Re: Facing issues while resolving only one record

2023-08-30 Thread Mark Elkins via bind-users
To disable DNSSEC validation for a domain from the command line - I 
use:   dig +cd eportal.incometax.gov.in 


Works as expected.

Better answer is to get them to fix the problem.

On 2023/08/30 17:08, Bob McDonald wrote:

Turning off validation for that domain fixes the issue.

When using dig to diagnose this issue, one might be tempted to use the 
DNSSEC switch. However, the following command:


dig eportal.incometax.gov.in . +NODNSSEC

will NOT turn off DNSSEC validation.

The DNSSEC switch in dig is used to display the associated DNSSEC 
records (if they exist). It doesn't affect validation. You must make 
the options change indicated by Greg Choules in his previous post to 
disable DNSSEC validation for a specific domain.


Sorry if this is redundant or very rudimentary.

Bob



Zone stats

2023-08-21 Thread Mark Elkins via bind-users

Hi,

I'm writing some software to be able to read information from a Zone 
file. I am a legally authorised Secondary Authoritative Nameserver for a 
number of domains or rather zone files, eg. EDU.ZA (and others). Is 
there an easy way to:-


1) Count how many delegated domains there are (Names with NS records)

2) Extract the above Names - so I can look for changes (Added/Deleted names)

3) find out how many unique names have DS records (I can DIG I suppose)

I'd also like to spot broken stuff (named-checkzone ?)

So the zones (such as EDU.ZA) contain the domain name of the entity 
(whois.edu.za) along with the Nameserver records and in this case, a DS 
record. e.g... "whois.edu.za" looks like


whois  NS    control.vweb.co.za.
   NS    secdns1.posix.co.za.
   NS    secdns2.posix.co.za.
   NS    secdns3.posix.co.za.
   DS    27300 13 2 
8ED21DB407F6AC3E6EA757AE566953C1BBADD8B652BE4C7C0744B1D7 9DF42894
   DS    17837 13 2 
36FD5B19450B672988AE507FB7D2F948ED1E889546C6E16554C7EAF9 CE9C3FEA


One hindrance is that journal files are present - so it is not just the 
zone file but the zone.jnl file as well.


Some African ccTLDs have everything in one zone e.g. their COM, EDU, GOV 
- etc. In South Africa, these are all separate zones, making life 
somewhat easier.


I'd hate to re-invent software that already exists.

The primary purpose is to pull in data into an (ICANN requested) African 
DNS Observatory.





Re: Zone stats

2023-08-27 Thread Mark Elkins via bind-users
Thank you Timothe for this. I tested this on some of my domains and 
found AXFR worked the best


dig @::1 $zone axfr | grep -v '^;' | grep -v '^$zone' | grep 'NS    
' | cut -f1 | cut -f1 -d' ' | sed 's/\.$//' |sort -u > axfr.$zone


... does the trick. $zone is the Zone in question. There is a tab 
after "NS".


Take a Zone, Strip comments, Strip lines beginning with the Zone, Look 
for NS records (exclude NSEC records), take the first argument (strip 
trailing dot) and make the output sorted and unique...


I'll be writing in PHP and already use a similar PHP "NET::DNS" type 
library so shouldn't be difficult.


Yes - this will go into a Database - etc..

On 2023/08/22 02:10, Timothe Litt wrote:


(Sorry for the duplicate/reply without context).  See below.



Mark,

a) Use named-compilezone to extract the zone with journals applied.

b) my favorite: do an axfr of the zone, which gives the correct data 
with all the pseudo-ops expanded


c) Use a library - I use Perl's Net::DNS - and write code to do the 
axfr & walk the zone - it allows you to access fields in the records.


https://github.com/tlhackque/certtools has a simple utility called 
acme_token_check  that does (c) to remove stray ACME records - it 
shows how to do the transfer and walk the zone.   (And also how to use 
DNS UPDATE to maintain it.)


Enjoy.


Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.


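The same extraction as the shell pipeline above, written in Python so the result can be diffed between runs and loaded into a database; this is an added example rather than code from the thread. The AXFR sample is constructed in dig's output format: the whois.edu.za NS and DS records are the ones shown earlier in the thread, while the other.edu.za delegation, its glue address and the NSEC3 record (with made-up hashed owner names) are invented to exercise the two cases the grep has to get right: glue below a cut is not a delegation, and NSEC/NSEC3 owners must not be counted as NS records.

```python
# Constructed dig-style AXFR output. The whois.edu.za records are the ones shown in the post;
# the other.edu.za delegation, the glue A record and the NSEC3 record are made up.
AXFR_SAMPLE = """\
; <<>> DiG 9.18.0 <<>> @::1 edu.za axfr
;; global options: +cmd
edu.za.\t\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2023082101 3600 900 1209600 3600
edu.za.\t\t3600\tIN\tNS\tns1.example.net.
edu.za.\t\t3600\tIN\tNS\tns2.example.net.
whois.edu.za.\t3600\tIN\tNS\tcontrol.vweb.co.za.
whois.edu.za.\t3600\tIN\tNS\tsecdns1.posix.co.za.
whois.edu.za.\t3600\tIN\tNS\tsecdns2.posix.co.za.
whois.edu.za.\t3600\tIN\tNS\tsecdns3.posix.co.za.
whois.edu.za.\t3600\tIN\tDS\t27300 13 2 8ED21DB407F6AC3E6EA757AE566953C1BBADD8B652BE4C7C0744B1D7 9DF42894
whois.edu.za.\t3600\tIN\tDS\t17837 13 2 36FD5B19450B672988AE507FB7D2F948ED1E889546C6E16554C7EAF9 CE9C3FEA
other.edu.za.\t3600\tIN\tNS\tns1.other.edu.za.
ns1.other.edu.za.\t3600\tIN\tA\t192.0.2.10
0p9f8pt9gsb6lh4j7e9jlf8n4ob5tq9q.edu.za.\t3600\tIN\tNSEC3\t1 0 10 - 1AVVQN74SN1G9IA3FN87A2R9GQ7SFBL4 NS DS RRSIG
edu.za.\t\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2023082101 3600 900 1209600 3600
;; Query time: 1 msec
"""


def parse_axfr(text):
    """One (owner, type, rdata) tuple per RR from dig's AXFR output; comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        fields = line.split(None, 4)          # owner ttl class type [rdata]
        if len(fields) < 4:
            continue
        owner, _ttl, _class, rtype = fields[:4]
        rdata = fields[4] if len(fields) == 5 else ""
        records.append((owner.lower().rstrip("."), rtype.upper(), rdata))
    return records


def delegations(records, apex):
    """Owner names of NS RRsets below the apex, i.e. the zone cuts. The exact type comparison is
    what keeps NSEC and NSEC3 records out; a substring match on 'NS' would count them too."""
    apex = apex.lower().rstrip(".")
    return sorted({o for o, t, _ in records if t == "NS" and o != apex and o.endswith("." + apex)})


def secured_delegations(records, apex):
    """Delegations that also carry a DS RRset (the child is signed, from the parent's point of view)."""
    cuts = set(delegations(records, apex))
    return sorted({o for o, t, _ in records if t == "DS" and o in cuts})


def orphan_ds(records, apex):
    """DS records whose owner is not a delegation point: zone-data breakage worth reporting."""
    cuts = set(delegations(records, apex))
    return sorted({o for o, t, _ in records if t == "DS" and o not in cuts})


def zone_stats(text, apex):
    records = parse_axfr(text)
    cuts = delegations(records, apex)
    return {"delegations": len(cuts), "with_ds": len(secured_delegations(records, apex)),
            "orphan_ds": orphan_ds(records, apex), "names": cuts}


def diff_names(previous, current):
    """Added and removed delegations between two runs (yesterday's name list against today's)."""
    return {"added": sorted(set(current) - set(previous)),
            "removed": sorted(set(previous) - set(current))}


if __name__ == "__main__":
    print(zone_stats(AXFR_SAMPLE, "edu.za"))
```

On the sample this reports two delegations, one of them with DS, and no orphan DS; the NSEC3 owner is ignored because its type is compared whole rather than matched as a substring, which is the same reason the shell version needs the tab after NS.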

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Mark Elkins via bind-users

Hmmm - might be saying the wrong thing but...

.SE was DNSSEC Signed waaay before the root, so if living in Sweden, one 
would prep your DNSSEC aware resolver with the DS Key of the .SE Zone. 
DNSSEC then worked for .SE domains. Perhaps do the same?


I do get confused further down in this email when one says you'll get 
back an "AA" flag in the answer. That will only happen if you ask the 
Authoritative Server for the domain you are looking in. That shouldn't 
be a Recursive server. It is terribly bad practice to have a BIND server 
running in both Authoritative and Recursive mode at the same time - 
should be two separate instances of BIND.


On 8/1/22 7:51 PM, John W. Blue via bind-users wrote:

Also do not disagree.

However, the intent of the thread is to talk about the lack of an AD flag from 
a non-public internal authoritative server.  Based upon what I am seeing only 
the AA flag is set.

John

-Original Message-
From: John Franklin [mailto:frank...@sentaidigital.com]
Sent: Monday, August 1, 2022 12:45 PM
To: John W. Blue
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)

On Aug 1, 2022, at 12:15, John W. Blue via bind-users 
 wrote:

As some enterprise networks begin to engineer towards the concepts of 
ZeroTrust, one item caught me unaware:  PM’s asking for the DNSSEC signing of 
an internal zone.
  
Granted, it has long been considered unwise by DNS pro's with a commonly stated reason that it increases the size of the zone yadda, yadda, yadda.

  [snip]
Thoughts?

DNSSEC enables use of certain security RRs, such as SSHA and TLSA, which can be 
used as part of a zero trust solution in DevOps pipelines.  It’s also good 
practice managing DNSSEC before deploying it in public production sites.

jf



Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-10-26 Thread Mark Elkins via bind-users
Yes - I think "automated" in-line signing would be useful in 
"dnssec-policy" run zones.


We didn't need this some versions of BIND ago ( I had to add it recently 
on a zone that I've been testing with - untouched from a year or so ago)


We don't generally edit the signed zone - just the unsigned zone (at 
least that is how this zone is modified!)


On 2022/10/26 10:19, Matthijs Mekking wrote:
Thanks for this. It probably should be removed from the docs at this 
point.


When introducing dnssec-policy, my goal was to reduce the dozens of 
DNSSEC related configuration options that are scattered throughout 
named.conf and contain them in one stanza. But some options are more 
difficult to be replaced than others.


On 24-10-2022 18:16, PGNet Dev wrote:

i've read this comment


'inline-signing' might go away and be replaced by dnssec-policy


now a few times, in posts and in docs

currently, WITH 'dnssec-policy' signing enabled & in-use, i've

 zone "example.com" IN {
     type master; file "namedb/primary/example.com.zone";
     dnssec-policy "test";
     inline-signing yes;
     ...

the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in 
order to _not_ overwrite original zone files/data on signing.  e.g., 
with the config above


 cd namedb/primary/
 ls -1 *example*
 example.com.zone  < THIS is the original, 
unsigned zone data

 example.com.zone.jbk
 example.com.zone.jnl
 example.com.zone.signed   < THIS is the 
signing-generated zone data, which gets propagated

 example.com.zone.signed.jnl

without it, the original "example.com.zone" is overwritten with 
signed data.


is there already config in, or planned for, 'dnssec-policy' that 
preserves that separate-file functionality, preserving the original?


There are two ways of DNSSEC maintenance in BIND. One is the 
inline-signing approach, that preserves the original zone file. The 
other is to apply the changes directly to the zone (and zone file) and 
requires the zone to allow dynamic updates.


Since the latest release dnssec-policy requires either inline-signing 
to be set to yes, or allow dynamic updates.


I am thinking of adding inline-signing to dnssec-policy, do you think 
that would that be useful?


Best regards,

Matthijs



Re: DNSSEC adoption

2022-08-03 Thread Mark Elkins via bind-users

I generally agree with you - comments in line

On 8/3/22 5:56 PM, Peter wrote:

I see a two-fold issue with DNSSEC:

1. The wide-spread tutorials seem to explain a key rollover as an
exceptional activity, a *change* that is infrequently done. And
changes, specifically the infrequent ones, bring along the
possibility of failure, mostly due to human error.


Domains with Cloudflare seem to get Signed once -(KSK/DS - etc) and 
that's it!




I don't see reason why this is so. DNSSEC can be fully
automated (mine is), and then it can be done frequently, and the
human factor is out of the loop. It is then no longer a change,
but a regular operation that happens every 
without anybody even need noticing it.
(Let'sEncrypt did the same for certificates, and that also works
well.)


Both my DNSSEC and Let's Encrypt are totally automated as well. I 
usually run two KSK's overlapping by 6 months - so plenty of "rollover" 
time. Other domains, there is only a second KSK for a week or so.




2. TCP seems still to be considered a second-class-citizen in the
DNS world. (If I got the details right, TCP is only "optional",


Agh! No. NOT OPTIONAL. One might see it as a fall-back for when UDP 
fails (Truncated) but it is completely necessary!




and must only be tried as a second choice after receiving TC.)
So people may be induced to try and squeeze replies into whatever
512 or 1280 or 1500 bytes. Which means, they probably cannot use
more than one key, and so take possible redundancy out of the game.

I do not currently know about how or where this issue could be
tackled appropriately; I for my part have decided to happily ignore
it, and am using *four* KSK, thereby supporting RFC 5011 and RFC
7344, all with one simple script - and anyway now I have the longest;
here you can see it in action: https://dnsviz.net/d/daemon.contact/dnssec/
Let's see where this leads into problems; for now it appears not to.

-- PMc



Fair enough. And Elliptical Curve (Algo 13 ???) - so much shorter.

ps - Algorithm rollovers can be fun!!!



dnssec-policy - KSK rollover

2022-11-23 Thread Mark Elkins via bind-users

Hi people,

I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy

I have put the following policy in my named.conf file:-

dnssec-policy "ecdsa256-policy" {
    signatures-refresh 5d;
    signatures-validity 14d;
    signatures-validity-dnskey 14d;
    dnskey-ttl 3600;
    publish-safety 1h;
    retire-safety 1h;
    purge-keys 10d;

    keys {
        ksk lifetime 370d algorithm ecdsa256;   // < this part in particular!
        zsk lifetime 34d algorithm ecdsa256;
    };

    zone-propagation-delay 300s;
    max-zone-ttl 86400s;
    parent-propagation-delay 1h;
    parent-ds-ttl 3600;
};

I also have some external code that goes trawling for CDS records and 
puts into a parent whatever it finds in the child - that in this case is 
signed with the above policy stanza.


If the child creates a new CDS - my external scripts will find it and 
pop it into the parent as a DS record.
If the child loses a CDS record - my external script will remove the 
corresponding DS record from the parent.

Basically - whatever is in the child as a CDS will be in the parent as a DS.
A null CDS removes all DS records - but that's not my question.

Is there anything else I need to do? Any additional rndc's ??



Re: dnssec-policy - KSK rollover

2022-11-24 Thread Mark Elkins via bind-users

:-) Will let you know in a year!


ps - please, please keep the CDS's in the child zone - reflecting the 
current KSK's!  (etc)


On 2022/11/24 09:50, Matthijs Mekking wrote:

Hi,

I think this should work with some caveats.

First, If you migrate to dnssec-policy (that is the zone is already 
signed), make sure that the key properties match the current DNSKEYs.


Second is about your script:

> If the child loses a CDS record - my external script will remove the
> corresponding DS record from the parent.

This is true for BIND 9, as it will publish the CDS for as long as the 
DS should be in the parent. But it doesn't have to be the case. The 
RFC (7344) says:


   When the Parent DS is in sync with the CDS/CDNSKEY
   RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY RRset(s);
   the Child can determine if this is the case by querying for DS
   records in the Parent.

Personally I like to keep the CDS in the child zone, so you can see if 
the parent is in sync, that is why I implemented it in BIND 9 to keep 
the CDS.


Best regards,

Matthijs




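What the external CDS-polling script has to decide, written out as an added example; this is not the poster's script or BIND code, and the DS/CDS values in the walkthrough are constructed. The parent acts only on a CDS RRset that validated under the DS it currently publishes (RFC 7344 section 4.1), treats an absent CDS as "no change" rather than "remove everything" (the child may withdraw its CDS once the parent is in sync, as the reply quoting RFC 7344 points out), honours the RFC 8078 delete record "CDS 0 0 0 00" only when it is the whole RRset, and refuses digest types it cannot check. The walkthrough runs a double-DS KSK rollover of the kind the policy above schedules through it.

```python
DELETE_SENTINEL = (0, 0, 0, "00")   # RFC 8078 s4: "CDS 0 0 0 00" asks the parent to drop every DS
DIGEST_LENGTHS = {2: 64, 4: 96}     # SHA-256 and SHA-384: the digest types this parent accepts

# Constructed DS/CDS values for the walkthrough (not real keys).
SAMPLE_OLD_DS = "20000 13 2 " + "11" * 32
SAMPLE_NEW_DS = "20001 13 2 " + "22" * 32


def parse_rr(text):
    """'569 13 2 350F4414...' -> (keytag, algorithm, digest_type, digest), digest upper-cased, unwrapped."""
    tag, alg, dtype, digest = text.split(None, 3)
    return int(tag), int(alg), int(dtype), digest.replace(" ", "").upper()


def plan_ds_update(parent_ds, child_cds, cds_validated):
    """Decide what the parent should do with the child's CDS RRset.

    parent_ds / child_cds are presentation-format strings; cds_validated says whether the CDS RRset
    was DNSSEC-validated under the DS the parent currently publishes (RFC 7344 s4.1 requires this).
    """
    ds = {parse_rr(r) for r in parent_ds}
    cds = {parse_rr(r) for r in child_cds}
    if not cds_validated:
        return {"action": "none", "reason": "CDS RRset did not validate under the current DS; ignored"}
    if not cds:
        # Absence is not a removal request: the child may drop its CDS once the parent is in sync.
        return {"action": "none", "reason": "no CDS published; nothing to do"}
    if cds == {DELETE_SENTINEL}:
        return {"action": "delete", "add": [], "remove": sorted(ds)}
    if DELETE_SENTINEL in cds:
        return {"action": "none", "reason": "delete sentinel mixed with real CDS records; refused"}
    bad = [r for r in cds if r[2] not in DIGEST_LENGTHS or len(r[3]) != DIGEST_LENGTHS[r[2]]]
    if bad:
        return {"action": "none", "reason": f"unsupported or malformed digest in {sorted(bad)}; refused"}
    add, remove = cds - ds, ds - cds
    if not add and not remove:
        return {"action": "none", "reason": "parent DS already matches child CDS"}
    return {"action": "update", "add": sorted(add), "remove": sorted(remove)}


def ksk_rollover_walkthrough(old_ds, new_ds):
    """Actions a CDS-polling parent takes across a double-DS KSK rollover: the child publishes CDS
    for old+new, then for new only, then stays in sync. Returns the action taken at each poll."""
    parent = {old_ds}
    actions = []
    for child_cds in ([old_ds, new_ds], [new_ds], [new_ds]):
        plan = plan_ds_update(parent, child_cds, cds_validated=True)
        actions.append(plan["action"])
        if plan["action"] == "update":
            parent = set(child_cds)   # after the adds and removes the parent mirrors the child
    return actions


if __name__ == "__main__":
    print(plan_ds_update([SAMPLE_OLD_DS], [SAMPLE_OLD_DS, SAMPLE_NEW_DS], cds_validated=True))
    print(ksk_rollover_walkthrough(SAMPLE_OLD_DS, SAMPLE_NEW_DS))
```

The validation input is the part a home-grown poller most often skips: without it, anyone who can get an unsigned or mis-signed CDS RRset in front of the poller (a hijacked secondary, a stale cache) can rewrite the DS in the parent. The "absent means no change" rule is what makes the script safe against a child that cleans up its CDS after the rollover, and the sentinel check is what stops a single "0 0 0 00" slipped into an otherwise normal RRset from unsigning the zone.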
