> So how do we implement one? Create a separate caching server with DNSSEC
> validation turned off and forward all queries for the broken domain to it?
Unbound can be configured (on the fly) to ignore DNSSEC for individual
zones. From the unbound.conf(5) page:
domain-insecure:
Sets
> Comcast has taken a pragmatic view. I'm glad to see they've turned on
> validation, but I can see why they need to configure exceptions. Without
> being able to manage exceptions, large ISPs are not going to turn on
> validation.
Indeed, which brings up the question why BIND (still) doesn't have
> -%<-
> @ IN SOA localhost root@localhost. (
> 2012041100
> 7200
> 1800
> 1209600
>
> I was mistakenly thinking the KSK also had an expiration as the
> the ZSK does.
Keys don't expire; signatures (RRSIGs) do.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users maili
> When the shared KSK needed to be rolled over, you would have to
> process DS records in the parents of your few dozen zones all at the
> same time.
*If* you want to roll the KSK, a.k.a. "when did you last roll your SSH
keys?" :-)
-JP
Augie,
> Is there a way to exclude a domain from DNSSEC validation, like
> Unbound's "domain-insecure"?
That is regrettably not possible at the moment, at least not in BIND
9.9.0.
The only (quite impracticable) workaround would be to define the zone
authoritatively yourself and populate it someh
> What is the best way to log DNSSEC failures in Bind without enforcing
> DNSSEC validation?
>
> That is I want to see what Bind would have rejected because of failed
> DNSSEC validation, but I do not want to return SERVFAIL to my client.
I don't think that is possible without modifying the clien
> The question is: how to generate the name of a nzf file?
> Is there a tool or an easy way?
The code is in lib/dns/view.c
if (allow) {
char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(NZF)];
isc_sha256_data((void *)view->name, strlen(view->name), buffer)
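The excerpt above shows the whole recipe: the view name is hashed with SHA-256, rendered as lowercase hex, and the NZF suffix is appended (the define is not visible in the quoted lines; it is ".nzf" in view.c). The following is an added example, not BIND code, that reproduces the naming in Python and also does the reverse lookup an operator actually needs: given the configured view names, tell which view each .nzf file in the working directory belongs to. The view names and file list are constructed for the example; a server without a views {} statement has a single view called "_default".

```python
import hashlib
import os
from typing import Dict, Iterable, Optional

# Suffix appended by lib/dns/view.c (the NZF define). Assumed to be ".nzf".
NZF_SUFFIX = ".nzf"


def nzf_filename(view_name: str) -> str:
    """Return the .nzf file name named derives for a view.

    Mirrors the quoted view.c code: SHA-256 over the view name, hex digest in
    lowercase, NZF suffix appended. The server's implicit view is "_default".
    """
    digest = hashlib.sha256(view_name.encode("utf-8")).hexdigest()
    return digest + NZF_SUFFIX


def identify_nzf_files(view_names: Iterable[str],
                       filenames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map .nzf file names (basenames) back to the views that own them.

    The hash is one-way, so the only way to recognise an .nzf file is to compute
    the expected name for every configured view and compare. Files that match no
    known view map to None; that is how you spot leftovers from a deleted view.
    """
    expected = {nzf_filename(v): v for v in view_names}
    return {os.path.basename(f): expected.get(os.path.basename(f))
            for f in filenames
            if f.endswith(NZF_SUFFIX)}


if __name__ == "__main__":
    # Constructed example: three views, one stale file that matches none of them.
    views = ["_default", "internal", "external"]
    files = [nzf_filename("internal"), nzf_filename("external"),
             "0" * 64 + NZF_SUFFIX]
    for f, v in identify_nzf_files(views, files).items():
        print(f, "->", v if v else "(no configured view)")
```

Run it once per server with the real view names and the output of `ls *.nzf` in named's working directory; anything that maps to "(no configured view)" is an .nzf file named will never read again.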
> What is the starting and ending SOA record?
>
> In the original zone, there is ony one SOA record...
The "starting" SOA is the SOA in your zone. The final SOA is used to
indicate end-of-transfer and is a copy of the first; you can safely
ignore it or, as Michael pointed out, suppress it.
> For My internal DNS setup i want to create a internal root hint file .
> Should i follow the pattern of standard root hint file ?
Yes, create your own hints zone containing one or more NS RRsets with
their respective glue. Something along these lines:
.360 IN NS
> I consider it a feature, though opinions may vary.
I consider it a bug, and it's going to bite hard.
> That said, instead of using 'rndc reload leadmon.org', I actually have to
> use 'rndc reload leadmon.org IN external', or internal as the case may be to
> separate the zone I am reloading.
Not here, in spite of multiple views; BIND 9.9.0rc1
-JP
> After setting up a zone with DNSSEC using inline-signing, I have run into
> the issue where if I do anything that updates the unsigned file that is
> input into BIND, that it never seems to update the signed data it generated.
I've previously [1] received "the Gold Star" for suggesting ;-)
Hello,
FWIW and for the record, I received an EntropyKey and have shortly described my
experience with it so far at http://dnssexy.net/903
Regards,
-JP
> the online documentation it says
> that addzone will add it to the config files. But after running a test,
> all this does is add it to the cache. So does this would mean that every
> time the cache is purged, I would have to run addzone again?
No. Zones are added to / removed from a .nzf "cache
> include "/etc/bind/sites-enabled/*"
That won't work.
What you could do though is to create the content of the file you're
including, which ought to solve your problem.
cd /var/path
for f in *; do echo "include \"/var/path/$f\";"; done > /etc/bind/sites-enabled.include
And then in named.conf [ include "/etc/bind/sites-enabled
> > Now if FreeBSD would just add 9.9 to the ports collection
>
> I generally don't add new versions until they are released,
ISC said today in the inline-signing Webinar, that 9.9 would probably be
released on February 7th. Maybe wait for that?
-JP
> Next great thing would be for ISC to support the Soft-HSM that
> OpenDNSSEC uses. I believe that this would make the step of moving to a
> real hardware HSM a lot easier (if necessary).
BIND has supported the PKCS#11 interface (./configure --with-pkcs11)
since 9.6 IIRC, so it ought to be possibl
> DNS OARC runs a pair of validating servers, open to the public.
It appears their BIND server has DLV anchor configured, but their
Unbound instance doesn't.
-JP
> I tried from google dns (8.8.8.8) also but didnt get AD bit set. This may
> be because 8.8.8.8 might not be configured for DLV validation.
Google's DNS servers don't do proper DNSSEC validation.
> Is there any open dns available from which I can check my domain for AD
> flag set??
> $ORIGIN 184.16.172.in-addr.arpa.
> $TTL 14400; 4 hours
> 105 PTR GVC-E237-A01.wks-gvc.domain.com.
> 88  PTR GVC-LIB-C07.wks-gvc.domain.com.
> 9   PTR gvc-busdrivers.wks-gvc.domain.com.
> 90  PTR nb-csiler.
> Has anyone tried the new features of rndc addzone|delzone with
> BIND-9.7?
> Will the zone added|deleted get transfered between master and slaves?
No, the newly added (or deleted) zone will not be automatically added to
(deleted from) slave servers. (Slaves require a different zone
definition co
During a bout of excessive boredom I created a Lua back-end for DLZ's
dlopen() driver. If anybody is interested, I've put up a short
description [1] and the source code [2]. Patches are welcome. :)
-JP
[1] http://jpmens.net/2011/12/01/lua-back-end-for-bind/
[2] https://github.com/jpmens/d
> I don't know what you mean by that. Apex of what exactly - my zone
> file? Can you tell me exactly what the zone file should look like
> with the CNAME record at the "apex"?
Determine the address(es) for the target domain name
shop4water.hostedbywebtstore.com (I'm using 127.0.0.1 as an example
> I'd recommend checking the next four octets as well; they'll be "00 00 00 00"
> or "00 00 00 01".
I've hacked up a magic(5) file which seems to work for me:
$ file *
inline.aa:     BIND raw format zone file < v9.9
inline.aa.jnl: BIND journal file v9
Thanks Michael, and Hauke.
I've had relatively good prior experience with Haveged [1], but I've
always wanted to experiment with a USB random generator.
Both the Araneus Alea [2] and the Entropy Key [3] look very interesting.
I'd heard of the latter previously, and I've ordered that because the
A
On Wed Nov 30 2011 at 20:45:30 CET, Michael Graff wrote:
> For my VM environment, I bought a USB random source, and share it
> across the VMs with a little daemon I wrote.
Would you be willing to give us a few more details, such as the name of
the USB random source generator (is it an Entropy Ke
> Feature suggestion: some sort of synthetic clock option to named for
> use in the test suite ("--test-unixtime-offset") or something?
>
> Obviously non-trivial.
Indeed.
I think Chris' & Evan's suggestion of a public zone that revokes and
replaces trust anchors periodically (every few hours?) i
> Judicious use of views with ACLs
I haven't actually tested this, but there's a recent thread [1] which
describes what I mean. Pay particular attention to the issue of getting
master notification into the slaves.
-JP
[1] https://lists.isc.org/pipermail/bind-users/2011-May/083664.html
> May I transfer *views* rather than zone description files?
No. That's why it is called "zone" transfer. :)
> May I transfer two zone description files for a single zone to a
> single server?
Again no. (See previous thread on your request to serve two zone files
for the same zone in the one vi
> The documentation for `match-clients' isn't comprehensive enough... Can
> I add all host from, for example 172.16/16 except a single host? Does:
>
> match-clients { 172.16.0.0/16; !172.16.1.1; }
BIND checks the ACL in the order you specify. In your example,
172.16.1.1 will be allowed by the firs
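To make the first-match rule concrete, here is an added example (not BIND code, not from the original thread) that evaluates an address-match-list the way named does: elements are tried in order, the first one whose address matches the client decides, a negated element denies, and a client that matches nothing does not match the ACL. It handles addresses, prefixes and "any"; nested ACL names and TSIG keys are deliberately left out. The two lists and the client address are constructed to reproduce the case quoted above and its corrected form with the exception listed first.

```python
import ipaddress
from typing import Iterable, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _parse_element(element: str) -> Tuple[bool, Optional[Network]]:
    """Split one address-match-list element into (negated, network).

    Supports a bare address, a CIDR prefix, and the keyword "any" (returned as
    None, meaning "matches every address"). Nested ACL names and key elements
    are not modelled here.
    """
    negated = element.startswith("!")
    body = element[1:].strip() if negated else element.strip()
    if body == "any":
        return negated, None
    return negated, ipaddress.ip_network(body, strict=False)


def acl_matches(acl: Iterable[str], client: str) -> bool:
    """Evaluate a BIND-style address-match-list: first matching element wins.

    A positive match returns True, a negated match returns False, and if no
    element matches at all the client does not match the list (False). For
    match-clients {} that means the client is not served by the view.
    """
    addr = ipaddress.ip_address(client)
    for element in acl:
        negated, net = _parse_element(element)
        if net is None or (addr.version == net.version and addr in net):
            return not negated
    return False


def demo() -> Tuple[bool, bool]:
    """Constructed example: the list as posted vs. the exception listed first."""
    client = "172.16.1.1"
    as_posted = ["172.16.0.0/16", "!172.16.1.1"]   # /16 matches first: allowed
    corrected = ["!172.16.1.1", "172.16.0.0/16"]   # negation seen first: denied
    return acl_matches(as_posted, client), acl_matches(corrected, client)


if __name__ == "__main__":
    print("as posted -> allowed:", demo()[0])
    print("exception first -> allowed:", demo()[1])
```

The same ordering rule applies to allow-query, allow-recursion, allow-transfer and friends, so put the exceptions before the broad prefix in every list, not only in match-clients.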
> given that their respective administrators have
> declared an intention to follow RFC 5011 if they ever roll over their
> KSKs.
As you say "if they ever roll"; I'm not placing any money on that. ;-)
> I could of course set up such a test zone and try to perform an RFC 5011
> rollover on it, usi
> Do I *have* to use views to deal with such distinction or can I specify
> it just as above without views?
You have to use views so that the server can decide which clients get
which responses. This you specify in a match-clients {} stanza within
the view.
-JP
Jeffry,
> I have had a tendency to dig axfr from my Windows workstation
+1 to you for using `dig' on Windows; most don't even know it exists
and suffer the `nslookup' pain. ;-)
-JP
On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
> I use `dig axfr dotat.at | grep -v RRSIG`
... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
hoping, of course, that no owner name is called 'RRSIG' et. al. ;-)
-JP
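The grep chain above works until an owner name or a TXT string happens to contain "RRSIG" or "DNSKEY", and it leaves the second SOA that AXFR appends as its end-of-transfer marker (discussed earlier in this thread under "starting and ending SOA record") in the output. The following added example, not from the original posts or from BIND, does both jobs properly on dig axfr output: records are dropped by the TYPE column rather than by substring, and the trailing SOA is removed only if it is identical to the leading one, which is how RFC 5936 marks a complete transfer. The dig output below is constructed for the example; the record names and key material are made up.

```python
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Types that a signed zone adds and that the grep -v chain tries to remove.
# TYPE65534 is the private type named uses to record signing state.
DNSSEC_TYPES = frozenset(
    {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "TYPE65534"})


class Record(NamedTuple):
    owner: str
    ttl: int
    rrclass: str
    rtype: str
    rdata: str


def parse_dig_line(line: str) -> Optional[Record]:
    """Parse one line of dig output; returns None for blank/comment lines."""
    if not line.strip() or line.lstrip().startswith(";"):
        return None
    fields = line.split(None, 4)          # owner ttl class type rdata...
    if len(fields) < 4:
        raise ValueError("unexpected dig output: %r" % line)
    owner, ttl, rrclass, rtype = fields[:4]
    rdata = fields[4].strip() if len(fields) == 5 else ""
    return Record(owner, int(ttl), rrclass, rtype, rdata)


def clean_axfr(lines: Sequence[str],
               drop_types=DNSSEC_TYPES) -> Tuple[List[Record], bool]:
    """Strip DNSSEC records and the end-of-transfer SOA from an AXFR dump.

    Returns (records, complete). `complete` is True when the dump ended with a
    second SOA identical to the first. A trailing SOA that differs means the
    zone changed underneath the transfer, so that is reported as an error
    rather than silently dropped.
    """
    records = [r for r in map(parse_dig_line, lines) if r is not None]
    if not records or records[0].rtype != "SOA":
        raise ValueError("an AXFR must start with the zone's SOA")
    complete = False
    if len(records) > 1 and records[-1].rtype == "SOA":
        if records[-1] != records[0]:
            raise ValueError("trailing SOA differs from leading SOA; retry the transfer")
        records = records[:-1]
        complete = True
    return [r for r in records if r.rtype not in drop_types], complete


# Constructed dig axfr output (not a real zone). Note the TXT record whose
# text contains "DNSKEY": grep -v DNSKEY would wrongly remove it.
SAMPLE_AXFR = """\
; <<>> DiG 9.9.0 <<>> axfr example.com
example.com.        3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2012041100 7200 1800 1209600 3600
example.com.        3600  IN  RRSIG SOA 8 2 3600 20120501000000 20120401000000 12345 example.com. Zm9vYmFy
example.com.        3600  IN  NS    ns1.example.com.
example.com.        3600  IN  DNSKEY 257 3 8 AwEAAcONSTRUCTED
example.com.        3600  IN  NSEC3PARAM 1 0 10 ABCD
example.com.        0     IN  TYPE65534 \\# 5 0830390001
ns1.example.com.    3600  IN  A     192.0.2.53
_notes.example.com. 3600  IN  TXT   "DNSKEY rollover planned"
example.com.        3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2012041100 7200 1800 1209600 3600
;; Query time: 1 msec
""".splitlines()


if __name__ == "__main__":
    kept, complete = clean_axfr(SAMPLE_AXFR)
    print("complete transfer:", complete)
    for r in kept:
        print(r.owner, r.ttl, r.rrclass, r.rtype, r.rdata)
```

Feed it `dig axfr zone @master` output via `sys.stdin` in practice; if `complete` comes back False the dump was cut short and should not be used for comparison with anything.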
On Wed Nov 23 2011 at 20:21:00 CET, Evan Hunt wrote:
> Correct, but... let me start by explaining the situation in releases prior
> to 9.9, without the inline-signing feature.
And would you now kindly do all of us and all future readers a favor and
copy/paste that text *verbatim* into the ARM? Th
> I have 1 domain name, and 1 reverse in-addr.arpa
> citires.ca and 0-127.254.194.207.in-addr.arpa
>
> which my two slaves log that the master is "not authoritative" for
Seen from here (.DE) the NS for citires.ca both refuse to answer
queries, so they are indeed not authoritative:
On Tue Nov 22 2011 at 20:34:46 CET, Spain, Dr. Jeffry A. wrote:
> I did something similar, using nsupdate to modify the unsigned zone
> instead of a manual edit. [...] "rndc reload" is not necessary.
`rndc reload' never is necessary if you use DDNS to update master zones.
-JP
> 22-Nov-2011 11:25:28.320 general: notice: all zones loaded
> 22-Nov-2011 11:25:28.320 general: notice: running
This looks to me as though you've cycled the server, which isn't
currently allowed. Evan pointed out recently here that it can actually
corrupt the zone...
My experience is that, after
> afaik your client can identify itself by TSIG instead of IP address.
> of course, this requires your client to support TSIG ...
Unfortunately the clients are dumb stub resolvers (Linux, Mac, Windows),
so TSIG is not an option.
-JP
Hello,
I'm looking at a BIND installation with a largish number of views, each
of which allow recursion and contain a couple of RPZ zones. Each view
has a `match-clients{}' option limiting access to the view to a very
small number of addresses. (Typically the single address of a client
with a dyna
It seems as though you haven't followed some of the advice given you on
this list -- you'll have to do a bit more reading. Nevertheless:
> 1. How frequently DNS server will download the malware domain database
That depends on how frequently the RPZ provider publishes updates to the
zone. RPZ zone
> I have found that www.thisisgame.com does not resolve on our DNS servers
You haven't done anything wrong. thisisgame.com has a single name
server, and that is currently not open to business, at least not from
my part of the world, maybe due to some firewall rule. (Google's NS do
indeed have acce
> So the error being logged isn't really an error, it just looks like
> one; we should probably see about silencing it.
The error is indeed confusing, maybe it should say "not yet signed" ?
11-Nov-2011 12:32:35.838 zone inline.aa/IN/internal (unsigned): loaded serial 2
11-Nov-2011 12:32:35.838 zo
> I have one more question - how can I block every update for every zone
> in options section using update-policy?
Are you actually *reading* the documentation: the ARM actually defines
`allow-update':
"Specifies which hosts are allowed to submit Dynamic DNS updates
for master zon
> Bind version is: 9.7.4
Upgrade; 9.8.1 is current. (In addition, you're reading a book called
BIND 10 -- even though the book doesn't once mention that software!)
> Maybe this is a stupid question but what is ARM?
BIND 9 Administrator Reference Manual. It is provided in multiple
formats within
> Note, the new .XXX TLD is included in that list.
Does that mean it is or isn't safe for work? ;-)
-JP
> Is there an IETF/ICANN reserved TLD for internal use? I've seen plenty of
> .loc and .local, but I haven't seen an RFC reserving it. RFC 2606
> reserves .example, .invalid, .localhost and .test but these don't seem
> approriate.
Not IETF/ICANN reserved, but ISO 3166 [1] reserves the follow
> I don't mind, but how can I create a CNAME in the parent?
Why don't you describe what you are trying to accomplish and what you
need that an additional A/ record won't solve? You've been told how
to solve the problem, and the members on this list are helping you avoid
shooting yourself in th
> I'm looking for success (or failure) stories to back up my statement :)
Thank you all for replies, on and off-list. If you are interested in a
summary, I've posted it at [1].
Regards,
-JP
[1] http://dnssexy.net/538
> host is four characters shorter.
Use `dig' and save 25% ;-)
`nslookup' must die. (Until a few years ago, it printed a deprecation
notice which, unfortunately, has since been removed.)
-JP
> >What have you tried so far?
> @ IN CNAME linuxsystems.it.
No CNAME and other data [1]. You have an SOA and NS at the apex, so a
CNAME isn't allowed.
-JP
[1] Until you start with DNSSEC :)
> 4. Perceived second-class status of DLZ
Ack.
> 6. Too-tight coupling between the SQL DB and DNS
It'll be interesting to see how BIND 10 [1] handles this coupling [2]. I
haven't (yet) had the inclination to experiment, mainly because (and now
back on topic :-) DDNS is apparently not yet ready
[ pardon the possible duplicate ]
I'm a fan of RFC 2136 Dynamic DNS and, if I think it appropriate for a
particular use case, sometimes suggest DDNS to customers. I often have
a hard time convincing people to use DDNS and am doubted regarding its
stability and/or performance.
I'm looking for
On Fri Sep 30 2011 at 11:50:51 CEST, Hauke Lampe wrote:
> > *except that perhaps those who enable this feature will use it as an excuse
> > to avoid enabling validation, which would be a very bad result, IMO. . .
>
> My reading of the docs says that BIND's NXDOMAIN redirections won't
> break DNS
> *except that perhaps those who enable this feature will use it as an
> excuse to avoid enabling validation, which would be a very bad result
+1 +1
A *very* bad result.
-JP
On Wed Sep 28 2011 at 16:43:17 CEST, 风河 wrote:
> this is the stuff what should be done by webserver rather than by DNS. i,e,
> Apache rewrite will do that.
That is incorrect. DNS is needed to "find" the Web server. Web server
rewriting/configuration is needed to "find" the site.
-JP
> > '_' is an illegal character in hostnames in the DNS...
>
> Yeah, I got hosed by that one by a consultant.
MCSE per chance? [Sorry; couldn't resist.]
-JP
On Tue Sep 27 2011 at 17:32:22 CEST, Issam Harrathi wrote:
> and you say here it's cached for 30 seconds?!
Evan said:
> and we've discussed implementing it in BIND9, but haven't had time yet.
In other words, they are *not* cached in BIND9.
-JP
> Well, I'm going to run the modified bind on a local testbed
> disconnected of internet.
You won't be causing harm, even if connected. :)
> Thanks on the hint, now I have to find out where to dig first.
> Any knowledge?
I'm no specialist, but this might get you started:
lib/dns/code.h
> But just for the sake of convenience, is there a way to rename
> TYPE<#> to something that I want?
If you dig (pun not necessarily intended) into the source of BIND you
can actually change the source so that `named' can read your type from a
zone master file and `dig' displays it however you wis
On Wed Sep 07 2011 at 12:54:31 CEST, Chris Thompson wrote:
> >Named doesn't yet have the ability to disable DNSSEC validation
> >for specified namespaces.
>
> "Yet"? Is there a hint of a future change there?
*Please* say yes.
-JP
> The last time there was a dns issue with usdoj.gov, it took about 3
> weeks for them to fix it.
Reeks of incompetence.
-JP
> If Bind version of primary dns is "bind-libs-9.3.6-16.P1.el5" and for
> secondary dns "bind-9.5.0-29.b2.fc9.i386".
Something wrong there: "libs" vs. "server", but I assume you mean server
for both.
> Is it mandatory the same version for
> primary and secondary DNS.
Not unless you rely on a pa
Evan,
> may find this information useful:
very useful and quite impressive.
-JP
> Does anyone else find the bind-users list to be very slow?
Yes, very. [Pressing 's'end at 09:54 CET]
-JP
> I have a BIND 9.8.0-P2 server instance running on a production server. My
> firewall is showing repeated attempts by named.exe to connect to IP
> addresses in foreign countries on ports , 6667 and 6669 - common IRC
> ports used by worms/trojans/zombies.
Sounds like you're running an IRC bot.
> This is reproducible and should only affected in 9.7.3.
For the record, the problem has been fixed:
http://www.isc.org/software/bind/advisories/cve-2011-1910
-JP
> # host -t TXT _adsp._domainkey.federalreserve.gov
>
> bind dies with
>
> May 26 19:59:02 resolv04 named[8237]: buffer.c:285: REQUIRE(b->used + 1
> <= b->length) failed
> May 26 19:59:02 resolv04 named[8237]: exiting (due to assertion failure)
>
> This is reproducible and should only affected i
> Mark my words. You will know the truth in future.
Ah: DNSSEC -- the guy is on topic.
-JP
> So I look for a way that I can say that all clients from EXAMPLE.TEST are
> allowed to update their own record (or whatever).
Sounds like a task for update-policy external [1], but note that that
requires updates to be sent via TCP and not UDP. [2]
-JP
[1]: https://lists.isc.org/piperm
Juergen,
> I use GSS-TSIG and the handbook says that in gss-tsig the content of the
> identity field is the common secret which is the kerberos principal.
I believe you'll have to set `tkey-gssapi-credential' and `tkey-domain' for
this to work the way you want, though I do confess to not have a
> While writing this, a compromise came to me. :) I can run forward
> zones as children of a single TLD, and use 168.192.in-addr.arpa. as
> parent for all my reverse zones. :)
If you're setting up your own DNS root server, you could sign that root
zone, have your clients enter that island of tru
> Over the years I wondered why public dynamic DNS services reinvented
> these wheels, with custom clients rather than using nsupdate. Now it
> makes sense.
How I wish they'd used a term other than "dynamic DNS" for their
services, though...
> While indeed, RFC 2136 had *me* cover
> Now I want to do it right, but I don't see a way for nsupdate to do
> what httpd does: autodetection of client IP address for nsupdate of
> its A record.
>
> I can script something on the client end to get the IP address, but
> if possible I'd prefer autodetection, which would be OS- and
> s
> I'd like to reinforce what Chris said, and recommend the use of an
> internal root zone for networks/enterprises which have no public
> Internet connectivity
+1
> A lot of people seem to be scared by the prospect of setting up
> their own root zone.
It really isn't difficult, and I discuss th
> Where can I find a description of what the variables at the end of the
> line in the query log mean? For example:
The full set is +SETDC
+ recursion requested (- no recursion)
S request is signed
E EDNS0 enabled
T TCP (else UDP)
D
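The message above is cut off after D, so for completeness: in the BIND 9 ARM, D is the DO bit (DNSSEC OK) and C is the CD bit (checking disabled). Here is an added example, not from the original post or from BIND, that parses query log lines of the form named writes them and decodes the +SETDC field into named booleans, then tallies the things one usually wants from a query log before turning on validation: how many clients still send EDNS-less queries, how many set DO, how many arrive over TCP. The log lines are constructed; the regular expression assumes the 9.x format "client addr#port: [view name:] query: qname class qtype flags (server-addr)" with an optional date stamp and optional "queries: info:" category prefix.

```python
import re
from typing import Dict, List, Optional

# Flag letters as named prints them. The meanings of D and C are taken from
# the BIND 9 ARM; the list quoted above stops at D.
FLAG_MEANINGS = {
    "S": "signed",             # query carried a TSIG/SIG(0) signature
    "E": "edns",               # query used EDNS0
    "T": "tcp",                # received over TCP instead of UDP
    "D": "dnssec_ok",          # DO bit set
    "C": "checking_disabled",  # CD bit set
}

QUERY_RE = re.compile(
    r"""
    (?:(?P<timestamp>\d{2}-\w{3}-\d{4}\s\d{2}:\d{2}:\d{2}\.\d{3})\s+)?  # optional date
    (?:queries:\s+info:\s+)?                  # optional category/severity prefix
    client\s+(?P<client>[^\#\s]+)\#(?P<port>\d+):\s+
    (?:view\s+(?P<view>\S+):\s+)?             # present only with views
    query:\s+(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+
    (?P<flags>[+-][SETDC]*)\s+
    \((?P<server>[^)]*)\)                     # address the query arrived on
    """,
    re.VERBOSE,
)


def decode_flags(flags: str) -> Dict[str, bool]:
    """Turn a +SETDC field into booleans; leading +/- is recursion desired."""
    if not flags or flags[0] not in "+-":
        raise ValueError("flags must start with + or -: %r" % flags)
    decoded = {"recursion_desired": flags[0] == "+"}
    for name in FLAG_MEANINGS.values():
        decoded[name] = False
    for letter in flags[1:]:
        if letter not in FLAG_MEANINGS:
            raise ValueError("unknown query log flag %r" % letter)
        decoded[FLAG_MEANINGS[letter]] = True
    return decoded


def parse_query_log_line(line: str) -> Optional[dict]:
    """Parse one query log line; returns None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    info["port"] = int(info["port"])
    info.update(decode_flags(info.pop("flags")))
    return info


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count the properties that matter when planning to enable validation."""
    counts = {"queries": 0, "unparsed": 0, "no_edns": 0, "dnssec_ok": 0, "tcp": 0}
    for line in lines:
        info = parse_query_log_line(line)
        if info is None:
            counts["unparsed"] += 1
            continue
        counts["queries"] += 1
        counts["no_edns"] += int(not info["edns"])
        counts["dnssec_ok"] += int(info["dnssec_ok"])
        counts["tcp"] += int(info["tcp"])
    return counts


# Constructed log lines (not from a real server).
SAMPLE_LOG = [
    "22-Nov-2011 11:25:28.320 client 192.0.2.10#53456: query: www.example.com IN A +E (192.0.2.53)",
    "22-Nov-2011 11:25:29.001 client 192.0.2.11#40001: view internal: query: example.com IN DNSKEY +ED (192.0.2.53)",
    "22-Nov-2011 11:25:30.500 client 2001:db8::7#1234: query: example.com IN AXFR -TS (2001:db8::53)",
    "22-Nov-2011 11:25:31.000 general: info: something that is not a query",
]

if __name__ == "__main__":
    for entry in map(parse_query_log_line, SAMPLE_LOG):
        print(entry)
    print(summarize(SAMPLE_LOG))
```

A client population that shows a high "no_edns" count is one that will not be asking for DNSSEC data anyway; the "dnssec_ok" count tells you how many are, and therefore how many will start seeing SERVFAIL for a broken domain once validation is on.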
Marc,
A stub zone tells BIND to load SOA and NS records from its masters {}.
(forwarders {} is, I believe, both useless and incorrect here.) From that
point onwards, your BIND will use the data in the stub to recursively
find answers to queries for that zone.
The forwarder on the other hand, instr