Re: glue record

2009-05-13 Thread Stephane Bortzmeyer
On Wed, May 13, 2009 at 11:46:29AM +0800,
 Tech W. tech...@yahoo.com.cn wrote 
 a message of 14 lines which said:

 When an upper DNS returns a domain's authorised DNS server, will it
 also return the authorised DNS server's IP address? So glue records
 work this way?

Why don't you test? Computer science is an experimental science.

% dig @a.nic.fr A www.google.fr

; <<>> DiG 9.5.1-P1 <<>> @a.nic.fr A www.google.fr
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47237
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.fr. IN  A

;; AUTHORITY SECTION:
google.fr.  172800  IN  NS  ns1.google.com.
google.fr.  172800  IN  NS  ns2.google.com.
google.fr.  172800  IN  NS  ns3.google.com.
google.fr.  172800  IN  NS  ns4.google.com.

;; Query time: 2 msec
;; SERVER: 192.93.0.129#53(192.93.0.129)
;; WHEN: Wed May 13 09:00:19 2009
;; MSG SIZE  rcvd: 124

No glue was sent back, since all google.fr nameservers are outside of
google.fr.


% dig @a.nic.fr A www.wanadoo.fr

; <<>> DiG 9.5.1-P1 <<>> @a.nic.fr A www.wanadoo.fr
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29937
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wanadoo.fr.    IN  A

;; AUTHORITY SECTION:
wanadoo.fr. 172800  IN  NS  ns11.wanadoo.fr.
wanadoo.fr. 172800  IN  NS  ns.wanadoo.fr.
wanadoo.fr. 172800  IN  NS  ns2.wanadoo.fr.
wanadoo.fr. 172800  IN  NS  ns10.wanadoo.fr.

;; ADDITIONAL SECTION:
ns.wanadoo.fr.  172800  IN  A   80.12.255.24
ns2.wanadoo.fr. 172800  IN  A   80.12.255.159
ns10.wanadoo.fr.    172800  IN  A   80.12.255.23
ns11.wanadoo.fr.    172800  IN  A   80.12.255.152

;; Query time: 2 msec
;; SERVER: 192.93.0.129#53(192.93.0.129)
;; WHEN: Wed May 13 09:01:49 2009
;; MSG SIZE  rcvd: 180

Glue was sent back since wanadoo.fr's name servers are under
wanadoo.fr (so you could not find their IP addresses without the glue
records).

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Regexp issue in NAPTR rewrite

2009-05-13 Thread sandoche BALAKRICHENAN

Mark Andrews wrote:

In message 4a093b9c.5060...@afnic.fr, sandoche BALAKRICHENAN writes:
  
I want to rewrite a query of the form 
sgtin.5.4.0.0.0.1.3.2.4.5.6.7.6.id.onsam.test to 
sgtin.5.4.0.0.0.1.3.2.4.5.6.7.6.id.onseu.test using NAPTR rewrite.


The NAPTR RR in the zone config is as follows:

sgtin.5.4.0.0.0.1.3.2.4.5.6.7.6.id.onsam.test    IN NAPTR
00r  !^sgtin\.([0-9])$!\1.id.onseu.test!.


BIND does not accept backref \1. It shows a syntax error.

Is the above regexp correct?



You failed to properly escape the string.

From RFC2168.

   Recall that the regular expression used \2 to extract a domain name
   from the CID, and \. for matching the literal '.' characters
   separating the domain name components. Since '\' is the escape
   character, literal occurrences of a backslash must be escaped by
   another backslash. For the case of the cid.urn.net record above, the
   regular expression entered into the zone file should be
   /urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i.  When the client code actually
   receives the record, the pattern will have been converted to
   /urn:cid:.+@([^.]+\.)(.*)$/\2/i.
  


Thanks. With double \\ it works.

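The escaping rule Mark quotes from RFC 2168 can be checked offline. The following is an added example written for this thread, not code from the list or from BIND: it reproduces the two steps named and a client perform, RFC 1035 master-file unescaping of the quoted regexp when the zone loads, then the RFC 3403 substitution on a name. Python's re module stands in for a POSIX ERE engine, the regexps, the sample name and the helper names are constructed here, and the rewrite shown is the onsam.test to onseu.test case from the question.

```python
"""NAPTR regexp escaping, worked through (added example, not from the list
or from BIND). A zone-file string goes through RFC 1035 unescaping at load
time; what survives is the regexp a client applies per RFC 3403."""
import re


def unescape_master_string(s):
    """RFC 1035 character-string unescaping: "\\DDD" is the octet with
    decimal value DDD and "\\c" is the literal character c. A backslash
    followed by fewer than three digits is malformed, which is why a bare
    "\\1" in a zone file is rejected as a syntax error."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\":
            out.append(s[i])
            i += 1
            continue
        if i + 1 >= len(s):
            raise ValueError("trailing backslash")
        if s[i + 1].isdigit():
            digits = s[i + 1:i + 4]
            if len(digits) != 3 or not digits.isdigit() or int(digits) > 255:
                raise ValueError(f"malformed \\DDD escape at offset {i}")
            out.append(chr(int(digits)))
            i += 4
        else:
            out.append(s[i + 1])      # "\\." -> ".", "\\\\" -> "\\"
            i += 2
    return "".join(out)


def split_naptr_regexp(wire):
    """Split an on-the-wire "<delim>ere<delim>repl<delim>flags" field into
    its three parts, skipping backslash-escaped delimiters (RFC 3403 4.1)."""
    delim, parts, cur, i = wire[0], [], [], 1
    while i < len(wire):
        if wire[i] == "\\" and i + 1 < len(wire):
            cur.extend(wire[i:i + 2])
            i += 2
        elif wire[i] == delim:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(wire[i])
            i += 1
    parts.append("".join(cur))        # whatever follows the last delimiter is the flags
    if len(parts) != 3:
        raise ValueError("regexp needs exactly three delimited fields")
    return parts


def naptr_rewrite(zone_regexp, name):
    """Load the regexp as named would (unescape), then apply it to name.
    Returns the rewritten name, or None when the ERE does not match."""
    ere, repl, flags = split_naptr_regexp(unescape_master_string(zone_regexp))
    match = re.search(ere, name, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        return None
    # Match.expand understands POSIX-style \1..\9 back-references directly.
    return match.expand(repl)


def loads_in_zone(zone_regexp):
    """True if the string would survive zone loading, False on a syntax error."""
    try:
        unescape_master_string(zone_regexp)
        return True
    except ValueError:
        return False


# Constructed: rewrite ...id.onsam.test to ...id.onseu.test, keeping the EPC part.
GOOD = r"!^(sgtin\\..*)\\.onsam\\.test$!\\1.onseu.test!"   # doubled backslashes, as RFC 2168 says
BAD = r"!^(sgtin\\..*)\\.onsam\\.test$!\1.onseu.test!"     # single \1: rejected at load time
NAME = "sgtin.5.4.0.0.0.1.3.2.4.5.6.7.6.id.onsam.test"

if __name__ == "__main__":
    print(unescape_master_string(GOOD))      # what the client sees on the wire
    print(naptr_rewrite(GOOD, NAME))
    print("BAD loads:", loads_in_zone(BAD))
```

Note that a single-backslash `\.` does not error: the loader turns it into a plain `.`, which the regexp engine then treats as "any character", so the pattern silently becomes looser than intended. Doubling every backslash in the zone file is the only way to get both `\.` and `\1` through to the client intact.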

error while attempting to use nsupdate on a DNSSEC signed zone

2009-05-13 Thread Jack Tavares
Hello -

(bind9.6.0-P1)

I have set up a zone that is signed.
It is an island of security zone for testing purposes.

I have set up a TSIG key and set the allow-update
to accept the key.

I have followed every step, afaict, in the various
how-tos on how to sign a zone.

But when I try to do an update, I get an error.

All the error says is
signer update.test.net approved
13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 
'test.net/IN': adding an RR at 'blah.test.net' A
13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 
'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
failure is all it says for a reason.

I looked at the bind source, and there are some more useful error messages 
about keys etc.
But all I am getting is failure.

If i do the same nsupdate without DNSSEC, it works.
It appears there is something wrong with my setup and the regeneration of the 
RRSIG/NSEC
keys is failing. (I have tried it with both NSEC and NSEC3 keys)

I will put together a (simpler) named.conf and zone file that causes this and 
post that info,
but I was hoping that maybe somebody has seen this and has an idea.

Thanks


--
Jack Tavares


RE: error while attempting to use nsupdate on a DNSSEC signed zone

2009-05-13 Thread Jack Tavares
I am running bind in a chroot jail, btw.

I had this working a while ago, and left it for a while
and then tried to set it up again, with no luck.

I am sure it is something simple...
--
Jack Tavares




Re: error while attempting to use nsupdate on a DNSSEC signed zone

2009-05-13 Thread Mark Andrews


Have you told named where the private keys are (key-directory)?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: glue record

2009-05-13 Thread Tech W.



--- On Wed, 13/5/09, Stephane Bortzmeyer bortzme...@nic.fr wrote:

 
 Glue was sent back since wanadoo.fr's name servers are
 under
 wanadoo.fr .


Ok please see dig info below.
If I understand it correctly, gdpu.cn is not under b.dns.cn, so why does b.dns.cn
return glue?

Thanks.


# dig gdpu.cn ns @B.DNS.cn

; <<>> DiG 9.5.0-P2 <<>> gdpu.cn ns @B.DNS.cn
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53380
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gdpu.cn.   IN  NS

;; AUTHORITY SECTION:
gdpu.cn.        21600   IN  NS  dns1.gdpu.cn.
gdpu.cn.        21600   IN  NS  dns2.gdpu.cn.

;; ADDITIONAL SECTION:
dns1.gdpu.cn.   21600   IN  A   219.136.229.41
dns2.gdpu.cn.   21600   IN  A   219.136.229.42




Re: glue record

2009-05-13 Thread Stephane Bortzmeyer
On Wed, May 13, 2009 at 03:37:19PM +0800,
 Tech W. tech...@yahoo.com.cn wrote 
 a message of 39 lines which said:

 if I understand it correctly, gdpu.cn is not under b.dns.cn,

True, but irrelevant.

 why does b.dns.cn return glue?

Because the name servers of gdpu.cn are under gdpu.cn.



Re: glue record

2009-05-13 Thread Barry Margolin
In article gudtlf$1u4...@sf1.isc.org,
 Tech W. tech...@yahoo.com.cn wrote:

 --- On Wed, 13/5/09, Stephane Bortzmeyer bortzme...@nic.fr wrote:
 
  
  Glue was sent back since wanadoo.fr's name servers are
  under
  wanadoo.fr .
 
 
 Ok please see dig info below.
 If I understand it correctly, gdpu.cn is not under b.dns.cn, so why does b.dns.cn
 return glue?

How would you look up anything in this domain if it didn't return glue?  
To look up anything.gdpu.cn, you have to ask dns1.gdpu.cn or 
dns2.gdpu.cn.  This requires you to find the IP of dns{1,2}.gdpu.cn, 
which you can only do by asking dns{1,2}.gdpu.cn.  The glue keeps you 
from getting stuck in this loop.

 

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


RE: error while attempting to use nsupdate on a DNSSEC signed zone

2009-05-13 Thread Jack Tavares
yes. 
And when I previously failed to specify the correct key-directory, I got an
error:
found no private keys, unable to generate any signatures

I corrected that error and now get the "failure" message.

Everything is owned by named.


options {
dnssec-enable yes;
dnssec-validation yes;
key-directory /config/namedb;

--
Jack Tavares



Cannot Delete Glue record

2009-05-13 Thread Luke Hopkins
I have a glue (nameserver host) record which hasn't been used in years and I 
want to delete it (and ultimately re-use the name). Attempting a delete through 
UKreg (Fasthosts) gives me this:

Error: NameServerHosts Delete (Nameserver deletion failed at registry: 420 
Object association prohibits operation.)

I cannot find any way to check what domains are attached to it, and UKreg 
support are unable to help (check manually was their answer).

We don't have that many domains, so I've checked them all manually, both the 
zone files and what the registrar has listed as authoritative, but this glue 
record isn't used by us.

Is there a way/tool which can check what domains are attached to a glue record?

For reference, the name is ns0.broadbean.net

Any advice appreciated.

Thanks
Luke


Re: glue record

2009-05-13 Thread Tech W.

Oh yes, I have got it. Thanks.



Re: glue record

2009-05-13 Thread Kal Feher
Your domain is still broken. You need to remove the NS record for your
internal host.

$ dig @dns2.gdpu.cn gdpu.cn ns

;; ANSWER SECTION:
gdpu.cn.        3600    IN  NS  dns1.gdpu.cn.
gdpu.cn.        3600    IN  NS  dns2.gdpu.cn.
gdpu.cn.        3600    IN  NS  dns4.dmz.local.**

;; ADDITIONAL SECTION:
dns1.gdpu.cn.   3600    IN  A   219.136.229.41
dns2.gdpu.cn.   3600    IN  A   219.136.229.42
dns4.dmz.local. 3600    IN  A   10.55.11.11**



-- 
Kal Feher

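The rules stated in this thread can be turned into a mechanical check. The following is an added example written for the thread, not code from the list or from BIND: it encodes the point Stephane and Barry make (a referral needs glue exactly for name servers whose names fall under the delegated zone, otherwise a resolver loops looking for the server's own address) and the problem Kal's dig shows (an NS pointing at a `.local` host, which public resolvers cannot look up, with an RFC 1918 address as glue). The sample referrals are constructed from the dig output quoted in the thread, plus one made-up zone with its glue left out; the finding codes and helper names are my own.

```python
"""Delegation and glue sanity checks (added example, not from the list or
from BIND). Sample data is constructed from the dig output in the thread."""
import ipaddress

# Suffixes public resolvers cannot look up; RFC 6762 reserves .local for mDNS.
UNRESOLVABLE_SUFFIXES = (".local.",)


def canon(name):
    """Lower-case a domain name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name, zone):
    """True when name is at or below zone, so only the zone's own servers
    could answer for it. That is exactly the case in which glue is needed."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


def check_referral(zone, ns_names, additional):
    """Audit one delegation (or apex NS set). Returns (nameserver, finding)
    pairs in the order the problems are detected.

    ns_names:   NS targets from the AUTHORITY (or ANSWER) section
    additional: {nameserver: [address, ...]} from the ADDITIONAL section
    """
    findings = []
    glue = {canon(k): v for k, v in additional.items()}
    for ns in map(canon, ns_names):
        addrs = glue.get(ns, [])
        if ns.endswith(UNRESOLVABLE_SUFFIXES):
            findings.append((ns, "unresolvable-suffix"))
        if in_bailiwick(ns, zone):
            if not addrs:
                # The resolver would have to ask ns for ns's own address: a loop.
                findings.append((ns, "missing-glue"))
        elif addrs:
            # Address records for a name outside the zone are not authoritative
            # here; a resolver must not cache them (bailiwick rule), so flag them.
            findings.append((ns, "out-of-bailiwick-glue"))
        for addr in addrs:
            if not ipaddress.ip_address(addr).is_global:
                findings.append((ns, "private-address"))
    return findings


# Sample referrals, constructed from the dig output quoted in the thread.
GOOGLE_FR = ("google.fr.",
             ["ns1.google.com.", "ns2.google.com.", "ns3.google.com.", "ns4.google.com."],
             {})                      # all servers outside google.fr: no glue, none needed
WANADOO_FR = ("wanadoo.fr.",
              ["ns11.wanadoo.fr.", "ns.wanadoo.fr.", "ns2.wanadoo.fr.", "ns10.wanadoo.fr."],
              {"ns.wanadoo.fr.": ["80.12.255.24"], "ns2.wanadoo.fr.": ["80.12.255.159"],
               "ns10.wanadoo.fr.": ["80.12.255.23"], "ns11.wanadoo.fr.": ["80.12.255.152"]})
GDPU_CN_APEX = ("gdpu.cn.",           # the zone's own NS set, from Kal's dig at dns2.gdpu.cn
                ["dns1.gdpu.cn.", "dns2.gdpu.cn.", "dns4.dmz.local."],
                {"dns1.gdpu.cn.": ["219.136.229.41"], "dns2.gdpu.cn.": ["219.136.229.42"],
                 "dns4.dmz.local.": ["10.55.11.11"]})
# Constructed case: in-bailiwick server with the glue left out, the loop Barry describes.
NO_GLUE = ("example.test.", ["ns1.example.test."], {})

if __name__ == "__main__":
    for label, referral in [("google.fr", GOOGLE_FR), ("wanadoo.fr", WANADOO_FR),
                            ("gdpu.cn", GDPU_CN_APEX), ("example.test", NO_GLUE)]:
        print(label, check_referral(*referral) or "ok")
```

Run against the thread's data, google.fr and wanadoo.fr come back clean, the gdpu.cn apex set is flagged three times for dns4.dmz.local, and the constructed zone without glue is flagged as the unresolvable loop. The same function can be pointed at any referral you capture with dig.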


Re: glue record

2009-05-13 Thread Tech W.



--- On Wed, 13/5/09, Kal Feher kalman.fe...@melbourneit.com.au wrote:

 From: Kal Feher kalman.fe...@melbourneit.com.au
 Subject: Re: glue record
 To: bind-users@lists.isc.org
 Received: Wednesday, 13 May, 2009, 5:34 PM
 Your domain is still broken. You need
 to remove the NS record for your
 internal host.
 


I have asked the hostmaster, who said the DNS server has been joined to a
Windows domain and has the hostname dns4.dmz.local. She can't remove
this hostname from the Windows DNS server: once it is removed, after some
time it will be added back into the name server automatically by Windows. How can
she handle this case? Thanks.

regards.




  


Re: glue record

2009-05-13 Thread Stephane Bortzmeyer
On Wed, May 13, 2009 at 09:04:07PM +0800,
 Tech W. tech...@yahoo.com.cn wrote 
 a message of 13 lines which said:

  Remove the allow-update directive.
  
 
 But she is running the windows DNS server not Bind..

Then it is probably off-topic for this list.


Re: two NS servers on a single host

2009-05-13 Thread Mark Andrews

In message 809645.28773...@web15601.mail.cnb.yahoo.com, Tech W. writes:
 
 Hello,
 
 I have a bind host installed. It has two public IP addresses.
 I want to give two NS records for my domain, each NS taking one of the IPs set 
 on the host.
 
 more details, the host has two IPs:
 61.145.121.59
 211.66.80.59
 
 Surely policy routing for the two NICs was enabled.
 
 I add these info into named.conf:
 
 mydomain.com.  IN  NS  ns1.mydomain.com.
 mydomain.com.  IN  NS  ns2.mydomain.com.
 
 ns1.mydomain.com.  IN  A  61.145.121.59
 ns2.mydomain.com.  IN  A  211.66.80.59
 
 There is only one named run in that host.
 Under this config, does it seem that two name servers exist for
 mydomain.com? Is it the right way?
 
 Thanks.

The two nameserver rule is to provide redundancy.  Two names
that refer to the same machine do not provide redundancy.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: two NS servers on a single host

2009-05-13 Thread Sam Wilson
In article guel1o$2ds...@sf1.isc.org,
 Bradley Giesbrecht b...@pixilla.com wrote:

 On May 13, 2009, at 6:51 AM, Stephane Bortzmeyer wrote:
 
  On Wed, May 13, 2009 at 09:02:55PM +0800,
  Tech W. tech...@yahoo.com.cn wrote
  a message of 34 lines which said:
 
  I want to give two NS records for my domain, each NS take each of
  the IP set in the host.
 
  Why? This would be completely useless. RFC 1034 and other documents
  call for at least two name servers, for redundancy reasons. If the two
  name servers are on the same host, what's the point? There would be no
  gain in reliability.
 
 If you have ever had the ip for your name server the target of a dos  
 attack you could have blocked traffic to that ip and still had dns.
 
 Two networks to same host is network redundancy and has value.

But in that case you would include one NS record for a host with two A 
records.  Check the NS records for my own domain for an example.

Sam


RE: two NS servers on a single host

2009-05-13 Thread Jeff Lightner
It is network redundancy only insofar as the DoS attack doesn't cause
your CPU and memory to get slammed.

If you're doing redundancy you really ought to do the whole thing by
getting another server and putting IT on the other network.   Then you
don't have a single point of failure (unless they're both in the same
data center).

If you really want to do two different IPs on one host you could
probably use views to accomplish this but that would be all within a
single BIND setup so your theoretical DOS attack would probably cause
both views to have issues.



Re: two NS servers on a single host

2009-05-13 Thread Bradley Giesbrecht


On May 13, 2009, at 7:29 AM, Jeff Lightner wrote:


It is network redundancy only in so far the DOS attack doesn't cause
your CPU and memory to get slammed.


I would block the IP under attack upstream, so no CPU or
memory issues.


I didn't claim anything other than that there can in fact be value in
having one computer on more than one network.


This was in response to your comment "This would be completely
useless", which I disagree with.


//Brad




RE: error while attempting to use nsupdate on a DNSSEC signed zone

2009-05-13 Thread Jack Tavares
Thanks, but that is not my problem.

The error message you are getting at least gives a hint:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign
failure

My error says:
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 
'test.net/IN': prerequisites are OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: signer 
update.test.net approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: update 
'test.net/IN' approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 
'test.net/IN': update section prescan OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 
'test.net/IN': adding an RR at 'blarney.test.net' A
13-May-2009 22:04:59.665 client 127.0.0.1#4638: view external: updating zone 
'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure


"failure", that's it.

I am still having this problem.
It is intermittent.

One update will work.
Then another update for the very same zone, using the very same key, will fail.
It works fine if I remove the signed zone.
I have tried removing it from the chroot jail, in case I had an error in the setup
there, and it makes no difference.

The failure seems to be coming from dns_dnssec_sign, but it is just returning
ISC_R_FAILURE.

When I step through the code with the debugger, it seems to work every time
(naturally).
I am really scratching my head.

--
Jack Tavares


From: Alexa Petrean [apetr...@bluecatnetworks.com]
Sent: Wednesday, May 13, 2009 17:50
To: Jack Tavares
Cc: bind-users@lists.isc.org
Subject: RE: error while attempting to use nsupdate on a DNSSEC signed zone

I've encountered a similar issue when using DSA keys with BIND 9.5.1-P1.
The dynamic records weren't added to a master zone signed with DSA keys
- the journal file doesn't get created at all, just similar messages
logged in syslog:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A
Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign
failure

The solution was to sign every dynamic zone with RSASHA1 keys only.

Alex


Re: Cannot Delete Glue record

2009-05-13 Thread Kevin Darcy

Luke Hopkins wrote:

I have a glue (nameserver host) record which hasn't been used in years and I 
want to delete it (and ultimately re-use the name). Attempting a delete through 
UKreg (Fasthosts) gives me this:

Error: NameServerHosts Delete (Nameserver deletion failed at registry: 420 
Object association prohibits operation.)

I cannot find any way to check what domains are attached to it, and UKreg 
support are unable to help (check manually was their answer).

We don't have that many domains, so I've checked them all manually, both the 
zone files and what the registrar has listed as authoritative, but this glue 
record isn't used by us.

Is there a way/tool which can check what domains are attached to a glue record.

For reference, the name is ns0.broadbean.net

  

They should be able to look into the registry database to find this.

It might be very difficult for you, as a customer, to ascertain, outside 
of the DNS protocol itself, what domain(s) might be delegated to that 
name. If your registry is lax about checking such things, it's 
conceivable that someone has delegated their domain(s) to your 
nameserver without your consent, in order to meet a 2-nameserver 
delegation requirement, while only actually having a single 
authoritative nameserver hosting the zone. In that scenario, if you have 
everything in a single view, and open access to the cache, and with 
open recursion (or one of your trusted recursive clients went rogue), 
they might even be able to poke your nameserver periodically, in order 
to populate your cache with desired records, and thus leech off your 
resolution services. That's another reason why it's recommended to 
either a) strictly limit access to your cache (later versions of BIND do 
this more conveniently and by default), or b) have separate views for 
recursive and non-recursive (hosting) service.


But I digress...

One investigative approach would be to point that name at a valid 
address in your Internet-facing range, and record -- by using a sniffer, 
or bringing up a minimal nameserver and turning on query logging -- what 
queries you're getting, and for what zones.


- Kevin
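
The two mitigations Kevin lists, shown side by side as an added named.conf example (this is not configuration from the thread or from ISC; the zone name example.net, the 192.0.2.0/24 "trusted" network and the file names are assumptions). The first `options` block is the weak layout he warns about: one view, cache and recursion open to the world, so anyone who delegates a zone to your name can also use you as a resolver. The two hardened layouts follow, using only standard BIND 9 directives (`allow-query-cache` and `allow-recursion` exist from 9.4 onward).

```conf
// ---- Weak: single view, open cache, open recursion --------------------------
// Anyone who can reach this server can both read its cache and make it
// resolve arbitrary names, which is what lets a stranger's delegation turn
// into free resolution service.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };   // covers authoritative data AND the cache
    allow-recursion { any; };   // anyone may trigger recursion
};

zone "example.net" {            // assumed zone
    type master;
    file "example.net.zone";    // assumed file
};

// ---- Hardened (a): one view, but the cache is restricted --------------------
// Authoritative zones stay public; only our own clients may read the cache
// or cause recursion. This is the behaviour newer BIND releases default to.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // assumed client network

options {
    directory "/var/named";
    recursion yes;
    allow-query       { any; };       // public for the zones we host
    allow-query-cache { trusted; };   // cache readable only by our clients
    allow-recursion   { trusted; };   // recursion only for our clients
};

zone "example.net" {
    type master;
    file "example.net.zone";
};

// ---- Hardened (b): separate recursive and authoritative views ---------------
// Views are matched in order; the first whose match-clients fits wins, so the
// internal view must come first. Each view that should serve the zone needs
// its own zone statement (both may point at the same file).
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";
};

view "internal" {
    match-clients     { trusted; };
    recursion yes;
    allow-query-cache { trusted; };
    zone "example.net" { type master; file "example.net.zone"; };
};

view "external" {
    match-clients     { any; };
    recursion no;                     // strangers get referrals/answers only
    allow-query-cache { none; };      // and can never read a cache
    zone "example.net" { type master; file "example.net.zone"; };
};
```

Only one of the three `options` layouts belongs in a real named.conf; they are shown together so the difference is visible. Layout (b) is the one that also stops a compromised trusted client from populating a cache that strangers can read, since the external view has no cache to leak from.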

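For the investigative approach Kevin describes (stand up a minimal nameserver on the glue address with query logging on, then see which zones and clients show up), here is an added example of the log-reduction step; it is not code from the thread. It assumes the BIND 9 query-log line shape `client IP#port: query: NAME CLASS TYPE FLAGS (addr)`; the sample lines are constructed and use documentation addresses, and the two-label zone fallback is a heuristic you should override with a list of zones you actually host.

```python
"""Summarize which zones and clients are hitting a nameserver, from BIND query-log lines.

Added example for this thread, not code from the original posts. It assumes the
BIND 9 query-log line format "client IP#port: query: NAME CLASS TYPE FLAGS (addr)".
"""
import re
from collections import Counter

# Constructed sample query-log lines (not real traffic, not from the thread).
# The flag after the qtype is "+" when the client set RD (asked for recursion)
# and "-" when it did not; a resolver following a delegation sends "-".
SAMPLE_LOG = """\
13-May-2009 10:02:11.101 client 203.0.113.7#51432: query: www.example.org IN A - (198.51.100.5)
13-May-2009 10:02:11.230 client 203.0.113.7#51433: query: example.org IN MX - (198.51.100.5)
13-May-2009 10:02:12.001 client 198.51.100.77#40001: query: mail.example.net IN A + (198.51.100.5)
13-May-2009 10:02:12.420 client 203.0.113.9#33120: query: www.example.org IN AAAA - (198.51.100.5)
13-May-2009 10:02:13.777 client 192.0.2.44#1025: query: broadbean.net IN SOA - (198.51.100.5)
13-May-2009 10:02:14.002 client 192.0.2.44#1026: query: ns0.broadbean.net IN A - (198.51.100.5)
13-May-2009 10:02:15.000 named[1234]: running
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_line(line):
    """Return a dict for a query-log line, or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    rec["recursion_requested"] = rec["flags"].startswith("+")
    return rec


def zone_of(qname, known_zones=()):
    """Attribute a query name to a zone.

    Longest suffix match against known_zones wins. Without a match, fall back
    to the last two labels; that is a heuristic and is wrong under multi-label
    public suffixes such as example.co.uk, so pass known_zones when you can.
    """
    labels = qname.split(".")
    for n in range(len(labels), 0, -1):
        candidate = ".".join(labels[-n:])
        if candidate in known_zones:
            return candidate
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def summarize(log_text, known_zones=()):
    """Per-zone query count, distinct clients, qtype histogram and RD=1 count."""
    known = {z.rstrip(".").lower() for z in known_zones}
    report = {}
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue
        zone = zone_of(rec["qname"], known)
        entry = report.setdefault(zone, {
            "queries": 0, "clients": set(), "qtypes": Counter(), "recursion_requested": 0,
        })
        entry["queries"] += 1
        entry["clients"].add(rec["ip"])
        entry["qtypes"][rec["qtype"]] += 1
        if rec["recursion_requested"]:
            entry["recursion_requested"] += 1
    return report


def zones_delegated_to_us(report, own_zones=()):
    """Zones we do not host that still receive non-recursive (RD=0) queries.

    RD=0 traffic for a zone we never configured is the signature of someone
    else's NS record pointing at our name, the scenario the thread describes.
    """
    own = {z.rstrip(".").lower() for z in own_zones}
    return sorted(
        zone for zone, e in report.items()
        if zone not in own and e["queries"] - e["recursion_requested"] > 0
    )


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG, known_zones=("broadbean.net",))
    for zone, e in sorted(rep.items()):
        print(f"{zone:20} queries={e['queries']:3} clients={len(e['clients'])} "
              f"rd={e['recursion_requested']} qtypes={dict(e['qtypes'])}")
    print("delegated to us, not hosted by us:", zones_delegated_to_us(rep, ("broadbean.net",)))
```

Feed it the real query log (`summarize(open(path).read(), known_zones=your_zones)`) and the zones that appear with RD=0 traffic but are not in your zone list are the delegations you are looking for; the RD=1 count per zone is the separate signal of clients trying to use the box as a resolver.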


Re: two NS servers on a single host

2009-05-13 Thread Bradley Giesbrecht

Jeff, my apologies. I read the quoting levels wrong.


On May 13, 2009, at 8:01 AM, Bradley Giesbrecht wrote:



On May 13, 2009, at 7:29 AM, Jeff Lightner wrote:


It is network redundancy only in so far the DOS attack doesn't cause
your CPU and memory to get slammed.


I would block the ip under attack upstream so no cpu or memory issues.


I didn't claim anything other than there can be in fact value in
having one computer on more than one network.


This was in response to your comment "This would be completely
useless" which I disagree with.


//Brad


If you're doing redundancy you really ought to do the whole thing by
getting another server and putting IT on the other network. Then you
don't have a single point of failure (unless they're both in the same
data center).

If you really want to do two different IPs on one host you could
probably use views to accomplish this but that would be all within a
single BIND setup so your theoretical DOS attack would probably cause
both views to have issues.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bradley
Giesbrecht
Sent: Wednesday, May 13, 2009 10:22 AM
To: Stephane Bortzmeyer
Cc: bind-users@lists.isc.org
Subject: Re: two NS servers on a single host


On May 13, 2009, at 6:51 AM, Stephane Bortzmeyer wrote:


On Wed, May 13, 2009 at 09:02:55PM +0800,
Tech W. tech...@yahoo.com.cn wrote
a message of 34 lines which said:


I want to give two NS records for my domain, each NS take each of
the IP set in the host.


Why? This would be completely useless. RFC 1034 and other documents
call for at least two name servers, for redundancy reasons. If the two
name servers are on the same host, what's the point? There would be no
gain in reliability.


If you have ever had the ip for your name server the target of a dos
attack you could have blocked traffic to that ip and still had dns.

Two networks to same host is network redundancy and has value.


//Brad


RE: two NS servers on a single host

2009-05-13 Thread Jeff Lightner
No worries.  Compared to some posts directed my way in various forums
(even this list) this was mild and I just wanted to set the record
straight.

In one list I'm on this kind of response would immediately result in a 3
day thread about why top posting (or bottom posting or in line posting
or maybe all 3) is evil and causes cancer.  :)
