Re: Multiple BIND instances

2012-02-08 Thread Matus UHLAR - fantomas

On 07.02.12 14:10, Lightner, Jeff wrote:
 Virtualization doesn't reduce use of resources but DOES separate into
 what are perceived to be multiple servers so I'm not sure what you
 mean by you still have one server.

one machine, one piece of hardware. There's not much to separate there,
unless it gives you some kind of safety or other advantage, but I don't
know about any that would help in such a case.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Honk if you love peace and quiet. 
___

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread William Thierry SAMEN
Hi, thanks for the quick answer,

but my problem is still not resolved; I checked all your solutions but
nothing worked.

I'll show you my file zone which I wanted to sign and the command I used.

My file zone:
; This is a zone-signing key, keyid 12762, for *../etc/toto.com.*
; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
*../etc/toto.com*. IN DNSKEY 256 3 5
AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

Command line that I used to sign this zone:
./dnssec-signzone -p -t -g -k KSK.key -o toto.com ../etc/toto.com ZSK.key

Do you see any mistake?

Thanks for your help.

2012/2/7 Spain, Dr. Jeffry A. spa...@countryday.net

  dnssec-signzone: fatal: key myKSK.key not at origin

 What are the contents of myKSK.key?
 The format is mydomain.com. IN DNSKEY ... where mydomain.com is the
 domain origin.

 Jeffry A. Spain
 Network Administrator
 Cincinnati Country Day School




-- 
Regards.
Thierry *SAMEN.*

Re: PLEASE READ: An Important Security Announcement from ISC

2012-02-08 Thread Kazunori Fujiwara
Searching for the title of the vulnerability with Google returns one PDF document.
  
http://www.google.co.jp/#q=Ghost+Domain+Names:+Revoked+Yet+Still+Resolvable+PDF

It shows details.

--
Kazunori Fujiwara

 From: Michael McNally mcna...@isc.org
 PLEASE READ:  An important security announcement from ISC
 
   ISC has been notified by Haixin Duan (a professor at Tsinghua
   University in Beijing China, who is currently visiting the
   International Computer Science Institute (ICSI) at the University
   of California, Berkeley) about a DNS resolver vulnerability that
   potentially allows a party to keep a domain name in the cache
   even after that domain name has been expired
 
   ISC is evaluating the risk of this vulnerability, but his published
   paper shows how this was demonstrated, live across the Internet.
   It lists several DNS implementations and open resolver deployments
   as vulnerable. All BIND 9 versions are currently considered
   vulnerable.
 
   A more detailed description of this vulnerability and ISC's
   planned response can be found at:
 
  https://www.isc.org/software/bind/advisories/cve-2012-1033


Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Tony Finch
William Thierry SAMEN thierry.sa...@gmail.com wrote:

 My file zone:

Er this looks like a key file, not a zone file. The key has been generated
incorrectly: it has a file name where the zone name should be.

 ; This is a zone-signing key, keyid 12762, for *../etc/toto.com.*
 ; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
 ; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
 ; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
 *../etc/toto.com*. IN DNSKEY 256 3 5 
 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Viking, North Utsire: Southerly 5 to 7, occasionally gale 8 in Viking. Rough,
becoming very rough in Viking. Rain later. Good, becoming moderate later.


Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread William Thierry SAMEN
Absolutely Tony, that was a key file which has been generated by the
dnssec-keygen command.

My zone file is very simple and looks like this; I have checked it before
with named-checkzone and all is good in my zone file.

I changed the option -o from the absolute path of my domain to the option -o
with my domain only and now I got this error:

dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not
at top of zone
dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at
top of zone

At line 12 of my zone file I haven't seen any mistake.

Here is my zone file:

$ORIGIN .
$TTL 17200  ; 4 hours 46 minutes 40 seconds
toto.com.   IN SOA  ns10.boom.fr. postmaster.boom.com. (
        2012020802 ; serial
        216000     ; refresh (2 days 12 hours)
        3600       ; retry (1 hour)
        360        ; expire (5 weeks 6 days 16 hours)
        172800     ; minimum (2 days)
        )
        NS  ns.boom.fr.
        NS  ns2.boom.fr.
        A   217.128.32.85
$ORIGIN toto.com.
*       A   217.128.32.85

;DNSsec keys starts here

$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+12762.key
$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+60826.key

Thanks


2012/2/8 Tony Finch d...@dotat.at

 William Thierry SAMEN thierry.sa...@gmail.com wrote:
 
  My file zone:

 Er this looks like a key file, not a zone file. The key has been generated
 incorrectly: it has a file name where the zone name should be.

  ; This is a zone-signing key, keyid 12762, for *../etc/toto.com.*
  ; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
  ; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
  ; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
  *../etc/toto.com*. IN DNSKEY 256 3 5
 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

 Tony.
 --
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/
 Viking, North Utsire: Southerly 5 to 7, occasionally gale 8 in Viking.
 Rough,
 becoming very rough in Viking. Rain later. Good, becoming moderate later.




-- 
Regards.
Thierry *SAMEN.*

Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Tony Finch
William Thierry SAMEN thierry.sa...@gmail.com wrote:

 dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at 
 top of zone
 dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at 
 top of zone

This is because your zone uses an include directive to import the key
files, and keys were generated incorrectly: they have file names where the
zone name should be.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Bailey: Southerly or southwesterly 4 or 5, increasing 6 to gale 8 for a time
in north and west. Very rough or high. Showers. Good, occasionally poor.
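Tony's diagnosis (a key file whose owner name is a path such as ../etc/toto.com., so dnssec-signzone reports "not at origin") and the later "not at top of zone" failure after the zone $include'd those key files can both be caught mechanically before signing. The script below is an added example, not code from the thread or from BIND. It assumes dnssec-keygen's K<owner>+<alg>+<keyid>.key file naming with '/' in the owner %-encoded, as the include paths in the thread show; the key-file and zone-file samples are constructed from what was quoted, and every function name is the example's own.

```python
# Added example (not from the thread or from BIND): check that DNSSEC key
# files really belong to the zone origin before they are $include'd.
import re
from urllib.parse import unquote

# Constructed samples modelled on the key file and zone file quoted in the thread.
BAD_KEY_FILE = """; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
../etc/toto.com. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE
"""
GOOD_KEY_FILE = """; This is a zone-signing key, keyid 12762, for toto.com.
toto.com. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE
"""
ZONE_TAIL = """;DNSsec keys starts here
$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+12762.key
$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+60826.key
"""

# owner [ttl] [IN] DNSKEY flags protocol algorithm key-data
DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.M)
# dnssec-keygen file naming: K<owner>+<alg>+<keyid>.key / .private ('/' in owner as %2F)
KEYFILE_RE = re.compile(r"^K(.+)\+(\d{3})\+(\d+)\.(?:key|private)$")
INCLUDE_RE = re.compile(r"^\$include\s+(\S+)", re.M | re.I)


def fqdn(name):
    """Lower-case a name and give it exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def looks_like_path(owner):
    """A zone name never contains '/' and never starts with '.' (e.g. '../etc/toto.com.')."""
    return "/" in owner or owner.startswith(".")


def key_file_owner(text):
    """Owner name of the DNSKEY record inside a dnssec-keygen .key file."""
    m = DNSKEY_RE.search(text)
    if not m:
        raise ValueError("no DNSKEY record found in key file")
    return fqdn(m.group(1))


def check_key_file(text, origin):
    """Return [] if the DNSKEY owner is the zone origin, else a list of problems."""
    owner = key_file_owner(text)
    if looks_like_path(owner):
        return [f"owner {owner!r} is a file path, not a zone name; "
                f"regenerate the key with dnssec-keygen ... {fqdn(origin)}"]
    if owner != fqdn(origin):
        return [f"owner {owner!r} is not the zone origin {fqdn(origin)!r} "
                f"(dnssec-signzone: 'not at origin' / 'not at top of zone')"]
    return []


def owner_from_filename(path):
    """Decode (owner, algorithm, keyid) from a dnssec-keygen file name; %2F becomes '/'."""
    m = KEYFILE_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"{path!r} is not a dnssec-keygen file name")
    return fqdn(unquote(m.group(1))), int(m.group(2)), int(m.group(3))


def check_includes(zone_text, origin):
    """For each $include in a zone file, list (keyid, owner) of keys not made for the origin."""
    problems = []
    for path in INCLUDE_RE.findall(zone_text):
        owner, _alg, keyid = owner_from_filename(path)
        if looks_like_path(owner) or owner != fqdn(origin):
            problems.append((keyid, owner))
    return problems


if __name__ == "__main__":
    print(check_key_file(BAD_KEY_FILE, "toto.com"))   # one problem: owner is a path
    print(check_key_file(GOOD_KEY_FILE, "toto.com"))  # []
    print(check_includes(ZONE_TAIL, "toto.com"))      # both included keys flagged
```

The file-name check is the quick one: a key file named K%2Fexec%2F...%2Ftoto.com.+005+12762.key was generated for the name /exec/.../toto.com., not for toto.com., so no $include of it can ever load at the top of the toto.com zone.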


RE: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Spain, Dr. Jeffry A.
William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;' rather 
than explicitly signing the zone with dnssec-signzone. I believe I recall that 
you are using bind 9.8, so this should work for you as well. Here's something 
you can try:

In your bind configuration use the following zone stanza:
zone "toto.com" {
    type master;
    file "/var/lib/bind/toto.com/toto.com.db";
    key-directory "/var/lib/bind/toto.com";
    auto-dnssec maintain;
};

You will probably want to add some access control to this as well.

Now in the directory /var/lib/bind/toto.com (or the directory of your choice as 
long as it is specified in the configuration above), place all of your *.key 
and *.private files. Also place your unsigned zone file toto.com.db with 
contents as follows (Omit the DNSSEC info you currently have at the bottom):

$ORIGIN .
$TTL 17200  ; 4 hours 46 minutes 40 seconds
toto.com.   IN SOA  ns10.boom.fr. postmaster.boom.com. (
        2012020802 ; serial
        216000     ; refresh (2 days 12 hours)
        3600       ; retry (1 hour)
        360        ; expire (5 weeks 6 days 16 hours)
        172800     ; minimum (2 days)
        )
        NS  ns.boom.fr.
        NS  ns2.boom.fr.
        A   217.128.32.85
$ORIGIN toto.com.
*       A   217.128.32.85

If you are running bind under a UID other than root, make sure all the files 
are readable, and that the zone file is writable, by that UID. Restart the bind 
service, and bind will sign your zone using the keys you have provided as long 
as their metadata is timed appropriately, i.e. Publish and Activate dates are 
in the past, and Inactive and Delete dates in the future. To see the metadata, 
execute 'dnssec-settime -p all your_key_file_name.private'. If you need to 
change the timing metadata, use dnssec-settime again. See the ARM for details. 
Caution: dnssec-settime will 'chmod 600' your private key files.

I have been successful with this approach, and hope it works well for you also. 
Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

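Jeff's note that auto-dnssec maintain only uses a key whose Publish and Activate dates are in the past and whose Inactive and Delete dates are in the future can be turned into a pre-flight check. The following is an added example, not code from the thread or from BIND: it reads the timing comments dnssec-keygen writes into a .key file (the 14-digit stamps are UTC, which is why the thread's 20120207101131 is shown as 11:11:31 local time) and classifies the key. The sample key is constructed from the one in the thread with Inactive and Delete lines added; the function names are the example's own, and the dnssec-settime flags it emits (-P, -A, -I, -D) are the real ones.

```python
# Added example (not from the thread or from BIND): read the timing metadata
# that dnssec-keygen writes as comments into a key file and decide whether
# "auto-dnssec maintain" would publish and sign with the key at a given time.
import re
from datetime import datetime, timezone

# Constructed sample in the format quoted in the thread; the Inactive and
# Delete lines are added here to show the full life cycle.
KEY_FILE = """; This is a zone-signing key, keyid 12762, for toto.com.
; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Inactive: 20120501000000 (Tue May  1 00:00:00 2012)
; Delete: 20120601000000 (Fri Jun  1 00:00:00 2012)
toto.com. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE
"""
# Same key pre-published a month before it is allowed to sign.
LATER_ACTIVATE = KEY_FILE.replace("; Activate: 20120207101131",
                                  "; Activate: 20120301000000")

META_RE = re.compile(
    r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M)


def utc(*ymd):
    """datetime(year, month, day[, h, m, s]) as an aware UTC value."""
    return datetime(*ymd, tzinfo=timezone.utc)


def parse_timing(text):
    """Map metadata names to aware UTC datetimes (the YYYYMMDDHHMMSS stamps are UTC)."""
    return {name: datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            for name, stamp in META_RE.findall(text)}


def key_state(text, now):
    """One of 'not-published', 'published', 'active', 'inactive', 'deleted' at time `now`.
    Only 'active' lets auto-dnssec maintain sign with the key."""
    t = parse_timing(text)
    if "Delete" in t and t["Delete"] <= now:
        return "deleted"
    if "Inactive" in t and t["Inactive"] <= now:
        return "inactive"
    if "Publish" in t and t["Publish"] <= now:
        if "Activate" in t and t["Activate"] <= now:
            return "active"
        return "published"
    return "not-published"


def usable_for_signing(text, now):
    return key_state(text, now) == "active"


def settime_command(path, **dates):
    """Build the dnssec-settime invocation that sets the given metadata dates.
    Keyword names are Publish, Activate, Inactive, Delete (aware datetimes)."""
    flag = {"Publish": "-P", "Activate": "-A", "Inactive": "-I", "Delete": "-D"}
    parts = ["dnssec-settime"]
    for name, when in dates.items():
        parts += [flag[name], when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")]
    return " ".join(parts + [path])


if __name__ == "__main__":
    for when in (utc(2012, 2, 1), utc(2012, 2, 8), utc(2012, 5, 2), utc(2012, 6, 2)):
        print(when.date(), key_state(KEY_FILE, when))
    print(settime_command("Ktoto.com.+005+12762.private", Activate=utc(2012, 2, 8)))
```

Run this against every .key file in the key-directory before restarting named; a key that comes back 'published' or 'not-published' is the usual reason a zone stays unsigned even though the configuration is right.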


Re: PLEASE READ: An Important Security Announcement from ISC

2012-02-08 Thread Tony Finch
Chris Thompson c...@cam.ac.uk wrote:

 More directly, http://www.cs.indiana.edu/classes/b649-gupt/kangLiNDSS12.pdf

 This is definitely worth reading, being an interesting new twist on a
 fairly old theme.

Paul Vixie was trying to do something about risks in this area a couple of
years ago: http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Northwest FitzRoy: Southerly 4 or 5. Moderate or rough. Occasional rain or
drizzle. Good, occasionally poor.


Re: Getting a formerr 'invalid response' for winqual.microsoft.com. but dig +trace works.

2012-02-08 Thread David Miller

On 2/8/2012 10:32 PM, Matt Doughty wrote:

I have spent the afternoon trying to figure this out. The response I
get back from their nameserver looks fine to me, and dig +trace works
fine, but a regular dig returns a servfail. I have looked at the code
for invalid response, but I don't quite follow what is going on there,
and the comment 'responder is insane' leaves something to be desired.
Any help would be appreciated here. I have included the dig +trace
output below:

dig +trace winqual.partners.extranet.microsoft.com.

; <<>> DiG 9.7.0-P1 <<>> +trace winqual.partners.extranet.microsoft.com.
;; global options: +cmd
.   518004  IN  NS  j.root-servers.net.
.   518004  IN  NS  e.root-servers.net.
.   518004  IN  NS  l.root-servers.net.
.   518004  IN  NS  c.root-servers.net.
.   518004  IN  NS  m.root-servers.net.
.   518004  IN  NS  d.root-servers.net.
.   518004  IN  NS  b.root-servers.net.
.   518004  IN  NS  h.root-servers.net.
.   518004  IN  NS  k.root-servers.net.
.   518004  IN  NS  a.root-servers.net.
.   518004  IN  NS  g.root-servers.net.
.   518004  IN  NS  i.root-servers.net.
.   518004  IN  NS  f.root-servers.net.
;; Received 228 bytes from 172.16.255.1#53(172.16.255.1) in 1 ms

com.    172800  IN  NS  h.gtld-servers.net.
com.    172800  IN  NS  f.gtld-servers.net.
com.    172800  IN  NS  m.gtld-servers.net.
com.    172800  IN  NS  g.gtld-servers.net.
com.    172800  IN  NS  l.gtld-servers.net.
com.    172800  IN  NS  c.gtld-servers.net.
com.    172800  IN  NS  d.gtld-servers.net.
com.    172800  IN  NS  a.gtld-servers.net.
com.    172800  IN  NS  b.gtld-servers.net.
com.    172800  IN  NS  i.gtld-servers.net.
com.    172800  IN  NS  j.gtld-servers.net.
com.    172800  IN  NS  e.gtld-servers.net.
com.    172800  IN  NS  k.gtld-servers.net.
;; Received 497 bytes from 192.33.4.12#53(c.root-servers.net) in 18 ms

microsoft.com.  172800  IN  NS  ns3.msft.net.
microsoft.com.  172800  IN  NS  ns1.msft.net.
microsoft.com.  172800  IN  NS  ns5.msft.net.
microsoft.com.  172800  IN  NS  ns2.msft.net.
microsoft.com.  172800  IN  NS  ns4.msft.net.
;; Received 235 bytes from 192.43.172.30#53(i.gtld-servers.net) in 67 ms

partners.extranet.microsoft.com. 3600 IN NS dns10.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns13.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns11.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns12.one.microsoft.com.
;; Received 236 bytes from 64.4.59.173#53(ns2.msft.net) in 3 ms

winqual.partners.extranet.microsoft.com. 10 IN A 131.107.97.31
;; Received 112 bytes from 131.107.125.65#53(dns10.one.microsoft.com) in 23 ms



If I just dig at their servers for NS, I get a trunc and retry over TCP 
that times out.


If I signal a bufsize, I get back a 777 byte response with NS that don't 
match the parent and an additional full of private 10/8 addresses


# dig +norecurse +bufsize=1024 ns partners.extranet.microsoft.com @dns10.one.microsoft.com.


; <<>> DiG 9.8.1 <<>> +norecurse +bufsize=1024 ns partners.extranet.microsoft.com @dns10.one.microsoft.com.

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10678
;; flags: qr ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN  NS

;; ANSWER SECTION:
partners.extranet.microsoft.com. 1076 IN NS tk5-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 1076 IN NS kaw-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 1076 IN NS co2-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 1076 IN NS co2-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 1076 IN NS tk5-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 1076 IN NS db3-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 1076 IN NS db3-ptnr-dc-01.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 1076 IN NS tk5-ptnr-dc-03.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 1076 IN NS 
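Matt's two captures above show three things a resolver operator would want flagged in one place: the NS RRset the child zone's server hands out differs from the set the parent delegated to, the answer carries no aa flag (the header reads "flags: qr ra"), and the additional section is filled with 10/8 addresses that no Internet resolver can reach. The script below is an added example, not code from the thread or from BIND. The parent referral is copied from the +trace output; the child answer uses the header and first two NS records from the thread with a constructed additional section, and all function names are the example's own.

```python
# Added example (not from the thread or from BIND): compare a child zone's own
# NS answer with the parent's referral and flag what a validating resolver
# would dislike about it.
import ipaddress


def fqdn(name):
    """Lower-case a name and give it exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


# Parent-side delegation, copied from the +trace output in the thread.
PARENT_REFERRAL = """partners.extranet.microsoft.com. 3600 IN NS dns10.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns13.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns11.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns12.one.microsoft.com.
"""

# Child-side answer: header and the first two NS records are from the thread;
# the ADDITIONAL section is constructed (the thread only says it is full of
# 10/8 addresses).
CHILD_ANSWER = """;; flags: qr ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 17

;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; ANSWER SECTION:
partners.extranet.microsoft.com. 1076 IN NS tk5-ptnr-dc-02.partners.extranet.microsoft.com.
partners.extranet.microsoft.com. 1076 IN NS kaw-ptnr-dc-02.partners.extranet.microsoft.com.

;; ADDITIONAL SECTION:
tk5-ptnr-dc-02.partners.extranet.microsoft.com. 1076 IN A 10.1.2.3
kaw-ptnr-dc-02.partners.extranet.microsoft.com. 1076 IN A 10.1.2.4
"""


def parse_rrs(text):
    """Return (owner, type, rdata) triples from dig-style output, skipping ';' lines."""
    rrs = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        f = line.split()
        if len(f) >= 5 and f[2] == "IN":
            rrs.append((fqdn(f[0]), f[3], f[4]))
    return rrs


def header_flags(text):
    """Parse the ';; flags: qr ra;' line into a set such as {'qr', 'ra'}."""
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            return set(line[len(";; flags:"):].split(";", 1)[0].split())
    return set()


def ns_set(text, zone):
    """Names of the NS RRset for `zone` found in the output."""
    return {fqdn(rdata) for owner, rtype, rdata in parse_rrs(text)
            if rtype == "NS" and owner == fqdn(zone)}


def audit_delegation(parent_text, child_text, zone):
    """Report NS-set mismatches, a missing aa flag and private-address glue."""
    parent, child = ns_set(parent_text, zone), ns_set(child_text, zone)
    private_glue = [(owner, rdata) for owner, rtype, rdata in parse_rrs(child_text)
                    if rtype in ("A", "AAAA") and ipaddress.ip_address(rdata).is_private]
    return {
        "parent_only": parent - child,   # delegated by the parent, omitted by the child
        "child_only": child - parent,    # claimed by the child, never delegated by the parent
        "missing_aa": "aa" not in header_flags(child_text),
        "private_glue": private_glue,    # addresses an Internet resolver cannot use
    }


def is_consistent(report):
    return not (report["parent_only"] or report["child_only"]
                or report["missing_aa"] or report["private_glue"])


if __name__ == "__main__":
    report = audit_delegation(PARENT_REFERRAL, CHILD_ANSWER,
                              "partners.extranet.microsoft.com")
    for key, value in report.items():
        print(f"{key}: {value}")
    print("consistent:", is_consistent(report))
```

A clean delegation yields empty parent_only and child_only sets, an aa flag on the child's answer and no private glue; each non-empty field here points at something the zone's operator, not the resolver, has to fix.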

about the MX and NS values

2012-02-08 Thread Jeff Peng
I was thinking why RFC requires the values of MX and NS must be hostname 
not IP.

Any glue? Thanks.


Re: about the MX and NS values

2012-02-08 Thread Mark Andrews

In message 4f337229.1090...@staff.dnsbed.com, Jeff Peng writes:
 I was thinking why RFC requires the values of MX and NS must be hostname 
 not IP.
 Any glue? Thanks.

When you serve 10 zones, do you want to update 1 address
record or 10 NS records on an address change?

When you serve 10 mail domains, do you want to update 1
address record or 10 MX records on an address change?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: about the MX and NS values

2012-02-08 Thread Jeff Peng

On 2012-2-9 15:27, Mark Andrews wrote:

 When you serve 10 zones, do you want to update 1 address
 record or 10 NS records on an address change?

 When you serve 10 mail domains, do you want to update 1
 address record or 10 MX records on an address change?


Yup, that's clean.
Thanks.