Automatic key rollover (Was: DNSSEC: Configuring auto-signed dynamic zones HOWTO)

2010-02-23 Thread Eugene Crosser
Nicholas Wheeler wrote: > On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote: >> (Well, for now the plan is to do it once a year by hand. Then, we'll see...) > > For the record, NIST recommends to roll the ZSK every three months, and > the KSK every two years. Let me put it this way: by the

Re: hosts or subnet number in delegation?

2010-02-23 Thread Fajar A. Nugraha
On Wed, Feb 24, 2010 at 2:01 PM, sasa sasa wrote: > Hello, > for a 192.168.199.64/26 in zone file to delegate to a customer; > should i put subnet number: > 64/26 IN NS ns1.example.com. > 64/26 IN NS ns2.example.com. > or host ranges: > 64-126 IN NS ns1.example.com. > 64-126 IN NS ns2.example.com.

hosts or subnet number in delegation?

2010-02-23 Thread sasa sasa
Hello, for a 192.168.199.64/26 in zone file to delegate to a customer; should i put subnet number: 64/26 IN NS ns1.example.com. 64/26 IN NS ns2.example.com. or host ranges: 64-126 IN NS ns1.example.com. 64-126 IN NS ns2.example.com. . . $GENERATE 65-126 $ CNAME $.65-126 thanks Sasa

Re: Fwd: IPv6 client and negative cache - some doubts

2010-02-23 Thread Michal Wesolowski
On Tue, Feb 23, 2010 at 11:19 PM, Mark Andrews wrote: > > In message , Michal Wesolowski writes: > > > > sorry for replying directly, still have some problems with gmail UI. > > > > -- Forwarded message -- > > From: Michal Wesolowski > > Date: Tue, Feb 23, 2010 at 2:47 PM >

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra
On 02/23/10 19:54, Joe Baptista wrote: It would be nice to see it as an RFC. I agree with that. But from what I know it will be a pretty cold day in hell before it becomes an RFC. I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of wackos. So it is unlikely he will ev

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Evan Hunt
> I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is > full of wackos. So it is unlikely he will ever be bothered to dance the > IETF RFC jig. Is there a requirement that Dr. Bernstein must personally do the dancing? Let someone else write the RFC, if it needs writing. Whil

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Joe Baptista
It would be nice to see it as an RFC. I agree with that. But from what I know it will be a pretty cold day in hell before it becomes an RFC. I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of wackos. So it is unlikely he will ever be bothered to dance the IETF RFC jig.

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra
On 02/23/10 18:31, Joe Baptista wrote: Now that OpenDNS the largest provider of public DNS supports DNSCurve http://twitter.com/joebaptista/status/9555178362 Would it be possible to include DNScurve support in bind? thanks joe baptista I'd love to see BIND adopt DNScurve...when it becomes an

Blacklisting private address range

2010-02-23 Thread Diosney Sarmiento Herrera
Hi! Does it make any sense to blacklist the private address ranges on a server that is facing the Internet? I mean, these address ranges are not even routed on the Internet. Is there a trick for this? Thanks in advance! -- Diosney ___ bind

OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Joe Baptista
Now that OpenDNS the largest provider of public DNS supports DNSCurve http://twitter.com/joebaptista/status/9555178362 Would it be possible to include DNScurve support in bind? thanks joe baptista

Re: Update returns FORMERR: ran out of space

2010-02-23 Thread Mark Andrews
In message <20100223135615.ga30...@nic.fr>, Stephane Bortzmeyer writes: > Trying to add/delete DNSSEC keys with dynamic update (first time I try > that), the nsupdate client gets a FORMERR and BIND logs: > > Feb 23 14:53:24 jezabel named[10174]: client ::1#29411: updating zone 'bortzmeyer.fr/I

Re: `named' uses 32-bit capabilities

2010-02-23 Thread Mark Andrews
In message <20100223171023.4c1fd17...@britaine.cis.anl.gov>, bsfin...@anl.gov writes: > In production I am running BIND 9.6.1-P3 on Solaris 9, > sun4u sparc SUNW,Sun-Fire-V240. When I start BIND I get this message: > > Jan 25 11:03:17 dns1 named[9673]: [ID 873579 daemon.notice] > built with '

Re: A question with forwarder and listen-on

2010-02-23 Thread Kevin Darcy
On 2/19/2010 11:51 PM, Kevin Oberman wrote: Date: Fri, 19 Feb 2010 20:30:27 -0800 (PST) From: gmspro Sender: bind-users-bounces+oberman=es@lists.isc.org > From /etc/bind/named.conf forwarders { 212.27.53.252; 212.27.54.252; }; Queries will be forwarded to these to nam

Re: Differences between 9.3 and later versions

2010-02-23 Thread Mark Andrews
In message <20100223145337.c0rua.72226.r...@cdptpa-web25-z02>, jcarrol...@cfl.rr.com writes: > Please do not crucify me. > > Due to a security audit I have been given the task of upgrading our BIND from 9.3 to a new version (9.7 is preferred). Using the package from sunfreeware.com (Solar

Re: Fwd: IPv6 client and negative cache - some doubts

2010-02-23 Thread Mark Andrews
In message , Michal Wesolowski writes: > > sorry for replying directly, still have some problems with gmail UI. > > -- Forwarded message -- > From: Michal Wesolowski > Date: Tue, Feb 23, 2010 at 2:47 PM > Subject: Re: IPv6 client and negative cache - some doubts > To: Sam Wilso

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Kevin Oberman
> Date: Tue, 23 Feb 2010 16:02:27 -0500 > From: Alan Clegg > Sender: bind-users-bounces+oberman=es@lists.isc.org > > Nicholas Wheeler wrote: > > On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote: > >> (Well, for now the plan is to do it once a year by hand. Then, we'll > >> see...) >

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Paul Wouters
On Tue, 23 Feb 2010, Alan Clegg wrote: For the record, NIST recommends to roll the ZSK every three months, and the KSK every two years. And there are lots of other opinions on this timing as well. Note that you cannot really talk about rolling key recommendations without mentioning the key s

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Alan Clegg
Nicholas Wheeler wrote: > On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote: >> (Well, for now the plan is to do it once a year by hand. Then, we'll see...) > > For the record, NIST recommends to roll the ZSK every three months, and > the KSK every two years. And there are lots of other op

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Nicholas Wheeler
On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote: > (Well, for now the plan is to do it once a year by hand. Then, we'll see...) For the record, NIST recommends to roll the ZSK every three months, and the KSK every two years. Thanks, -- Nicholas

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Eugene Crosser
Stephane Bortzmeyer wrote: > There is nothing about key rollover, it seems? How do you handle it? I don't. (Well, for now the plan is to do it once a year by hand. Then, we'll see...) Regards, Eugene

`named' uses 32-bit capabilities

2010-02-23 Thread bsfinkel
In production I am running BIND 9.6.1-P3 on Solaris 9, sun4u sparc SUNW,Sun-Fire-V240. When I start BIND I get this message: Jan 25 11:03:17 dns1 named[9673]: [ID 873579 daemon.notice] built with '--prefix=/export/home/named/bind' '--with-openssl=/krb5' '--sysconfdir=/

Re: Update returns FORMERR: ran out of space

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 02:56:15PM +0100, Stephane Bortzmeyer wrote a message of 17 lines which said: > Trying to add/delete DNSSEC keys with dynamic update (first time I try > that), the nsupdate client gets a FORMERR and BIND logs: Some details: * I use NSEC3 with opt-out * I checked with

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Evan Hunt
> I'm not sure it is a good idea. BIND is already quite loaded in > features. Why not rely on dedicated free software such as > OpenDNSSEC ? AFAIK, OpenDNSSEC works fine with 9.7. (And it rocks and everyone should check it out.) But there's room for both approaches

Cannot use dnssec-settime with old keys

2010-02-23 Thread Stephane Bortzmeyer
I try to play with the new toy, DNSSEC timing meta-data in key files. % dnssec-settime -v 3 Ktoto.fr.+008+42555 dnssec-settime: fatal: Key toto.fr/RSASHA256/42555 has incompatible format version 1.2, use -f to force upgrade to new version. OK, I upgrade: % dnssec-settime -v 3 -f Ktoto.fr.+008

Re: nsec3 in bind 9.7

2010-02-23 Thread Evan Hunt
> > To answer the question, those values are the NSEC3PARAM data for the > > zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0 > > means no opt-out; > > It is not exactly what the RFC says: > >The Opt-Out flag is not used and is set to zero. True. I oversimplified a bit. W

Re: Differences between 9.3 and later versions

2010-02-23 Thread Chris Thompson
On Feb 23 2010, Matus UHLAR - fantomas wrote: since 9.5, the default for allow-recursion is { localhost; localnets; }; previous versions used iirc { all; }; Actually, that change was made in 9.4. (Some of the cross-inheritance of the different query-* access controls wasn't there until 9.4.2,

Re: Differences between 9.3 and later versions

2010-02-23 Thread Matus UHLAR - fantomas
On 23.02.10 09:53, jcarrol...@cfl.rr.com wrote: > Due to a security audit I have been given the task of upgrading our BIND > from 9.3 to a new version (9.7 is preferred). Using the package from > sunfreeware.com (Solaris 10/X86) the upgrade seems to work well. However, > whenever someone tries to n

Re: cache hit rate/ratio

2010-02-23 Thread Stian Øvrevåge
Try caused recursion / non-authoritative. On Feb 23, 2010 3:47 PM, "Timothy Holtzen" wrote: I have seen references out there about cache hit rates of 50-70% being normal. However I'm confused as to how to measure/calculate hit ratio? I can't seem to find any good references on how to find it. T

Re: no hostname become unresolvable.

2010-02-23 Thread Jeremy C. Reed
> @   IN  MX 10   mail.man169.com. Try adding here: @ IN A 202.68.195.36 > www IN  A   202.68.195.36

Summary: Differences between 9.3 and later versions

2010-02-23 Thread jcarroll65
This mailing list rocks. Many thanks to Stephane Bortzmeyer and Jay Ford. Both were spot on with "allow-query". Now BIND 9.7 resolves to the outside. JC jcarrol...@cfl.rr.com wrote: > Please do not crucify me. > > Due to a security audit I have been given the task of upgrading our BIN

Re: Differences between 9.3 and later versions

2010-02-23 Thread Jay Ford
On Tue, 23 Feb 2010, jcarrol...@cfl.rr.com wrote: Due to a security audit I have been given the task of upgrading our BIND from 9.3 to a new version (9.7 is preferred). Using the package from sunfreeware.com (Solaris 10/X86) the upgrade seems to work well. However, whenever someone tries to nsl

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Alan Clegg
Stephane Bortzmeyer wrote: >> We have plans to improve this in 9.7.x (where x probably equals 1) >> in a couple of ways: first, by making it possible to assign each key >> an explicit successor key and warn the user if a key is set to >> expire without a successor; second, by making it possible to

RE: no hostname become unresolvable.

2010-02-23 Thread Lightner, Jeff
Right - Thanks for pointing it out. I inherited a lot of zones and never went back and changed them. The @ is something I do use in alias zones - we have a couple hundred domains and many of them go to the same IP and using @ I'm able to use a single zone file to incorporate the ones that all go

Re: Differences between 9.3 and later versions

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 09:53:37AM -0500, jcarrol...@cfl.rr.com wrote a message of 9 lines which said: > However, whenever someone tries to nslookup (or dig) an external > site (i.e. cnn.com) they get REFUSED. If I back down to the 9.3 > version all is well. allow-query and allow-query-cache

Re: no hostname become unresolvable.

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 09:50:29AM -0500, Lightner, Jeff wrote a message of 66 lines which said: > superease.net. IN A 202.68.195.36 ... > The dot is important Using @ would be simpler and would allow the zone file to be used for other zones as well. http://www.bortzmeyer.org/id

Re: no hostname become unresolvable.

2010-02-23 Thread Sam Wilson
In article , "Lightner, Jeff" wrote: > You need an A record for the domain itself: > superease.net. IN A 202.68.195.36 > www IN A 202.68.195.36 > > The first one (terminated by the dot) tells it lookup for the domain > name "superease.net" itself. The dot i

Re: no hostname become unresolvable.

2010-02-23 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 10:41:37PM +0800, Cefull Lo wrote a message of 89 lines which said: > But when I try to ping the server without hostname, [Technicality: there *is* a hostname, superease.net *is* a hostname.] > Here the zone file There is no A or record for @ (superease.net).

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Stephane Bortzmeyer
On Sat, Feb 20, 2010 at 09:15:23PM +, Evan Hunt wrote a message of 22 lines which said: > We have plans to improve this in 9.7.x (where x probably equals 1) > in a couple of ways: first, by making it possible to assign each key > an explicit successor key and warn the user if a key is set

Differences between 9.3 and later versions

2010-02-23 Thread jcarroll65
Please do not crucify me. Due to a security audit I have been given the task of upgrading our BIND from 9.3 to a new version (9.7 is preferred). Using the package from sunfreeware.com (Solaris 10/X86) the upgrade seems to work well. However, whenever someone tries to nslookup (or dig) an extern

Re: nsec3 in bind 9.7

2010-02-23 Thread Stephane Bortzmeyer
On Sat, Feb 20, 2010 at 12:31:38AM +, Evan Hunt wrote a message of 36 lines which said: > To answer the question, those values are the NSEC3PARAM data for the > zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0 > means no opt-out; It is not exactly what the RFC says:

RE: no hostname become unresolvable.

2010-02-23 Thread Lightner, Jeff
You need an A record for the domain itself: superease.net. IN A 202.68.195.36 www IN A 202.68.195.36 The first one (terminated by the dot) tells it lookup for the domain name "superease.net" itself. The dot is important - without it this would try to lookup su

no hostname become unresolvable.

2010-02-23 Thread Cefull Lo
Hi everybody, I just setup my dns using bind-9.6.1-P2 when I try to ping the server with a hostname, that's ok. i.e. #ping www.superease.net PING www.superease.net (202.68.195.36) 56(84) bytes of data. But when I try to ping the server without hostname, #ping superease.net ping: unknown host su

cache hit rate/ratio

2010-02-23 Thread Timothy Holtzen
I have seen references out there about cache hit rates of 50-70% being normal. However I'm confused as to how to measure/calculate hit ratio? I can't seem to find any good references on how to find it. The only thing I've been able to find is to do ("responses sent") - ("queries caused recursi

Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO

2010-02-23 Thread Stephane Bortzmeyer
On Mon, Feb 22, 2010 at 11:40:49AM +0300, Eugene Crosser wrote a message of 49 lines which said: > Reviewed version placed here: http://www.average.org/dnssec/ There is nothing about key rollover, it seems? How do you handle it?

Re: Query denied errors on PTR records for delegated zone

2010-02-23 Thread Matus UHLAR - fantomas
On 23.02.10 08:47, Lightner, Jeff wrote: > I'm running 9.3 on RHEL 5.4. > > My options are: > > options { > directory "/var/named"; > query-source address 10.0.0.3; > allow-query { internaldns; externaldns; dswadnsalias; }; > allow-recursion { internaldns; extern

Fwd: IPv6 client and negative cache - some doubts

2010-02-23 Thread Michal Wesolowski
sorry for replying directly, still have some problems with gmail UI. -- Forwarded message -- From: Michal Wesolowski Date: Tue, Feb 23, 2010 at 2:47 PM Subject: Re: IPv6 client and negative cache - some doubts To: Sam Wilson On Tue, Feb 23, 2010 at 1:33 PM, Sam Wilson wrote:

Update returns FORMERR: ran out of space

2010-02-23 Thread Stephane Bortzmeyer
Trying to add/delete DNSSEC keys with dynamic update (first time I try that), the nsupdate client gets a FORMERR and BIND logs: Feb 23 14:53:24 jezabel named[10174]: client ::1#29411: updating zone 'bortzmeyer.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space I checked the disk space (ple

RE: Query denied errors on PTR records for delegated zone

2010-02-23 Thread Lightner, Jeff
I'm running 9.3 on RHEL 5.4. My options are: options { directory "/var/named"; query-source address 10.0.0.3; allow-query { internaldns; externaldns; dswadnsalias; }; allow-recursion { internaldns; externaldns; }; blackhole { blackhats; }; version

Re: IPv6 client and negative cache - some doubts

2010-02-23 Thread Sam Wilson
In article , Michal Wesolowski wrote: > Hello Everyone > > I have a problem with Bind 9.3.6-P1 (included in Solaris 10) but honestly I > don't even understand if it is wrong Bind behaviour or my ignorance. It does > apply only to some specific cases when external domain delegation is also > som

IPv6 client and negative cache - some doubts

2010-02-23 Thread Michal Wesolowski
Hello Everyone I have a problem with Bind 9.3.6-P1 (included in Solaris 10) but honestly I don't even understand if it is wrong Bind behaviour or my ignorance. It does apply only to some specific cases when external domain delegation is also somewhat broken. My server is caching only. Let me show

Re: Query denied errors on PTR records for delegated zone

2010-02-23 Thread Matus UHLAR - fantomas
On 22.02.10 16:26, Geoff Sweet wrote: > I have an on-going problem that has totally stumped me. I have a CentOS > 5.3 server that I am using the builtin Bind (9.3) to serve our zones. Our > ISP has provisioned us a block of IP's and has delegated our name servers > as authoritative for the revers

Re: Query denied errors on PTR records for delegated zone

2010-02-23 Thread Matus UHLAR - fantomas
On 22.02.10 17:21, Geoff Sweet wrote: > The problem is that editing the options list to: > > options { > directory "/var/named"; > dump-file "/var/named/data/cache_dump.db"; > statistics-file "/var/named/data/named_stats.txt"; > m