Re: adding zone forwards without restart

2016-09-30 Thread Matus UHLAR - fantomas
On 29.09.16 12:25, Frank Even wrote: I am running chrooted. I'm relying on the "feature" of BIND "mounting" the standard dirs into a chroot via the standard startup scripts in Cent6/7. My understanding is it's not "copying" the files anywhere, but using those that are there. I am modifying

Re: broken trust chain on forwarder

2016-09-30 Thread jratliff
On Fri, 30 Sep 2016 11:37:39 -0500, /dev/rob0 wrote: >> >> This seems to indicate that the servers at 10.21.0.100 and 101 are >> telling me that stc.corp domain is DNSSEC enabled. However, the new >> server fails to find any DS or RRSIG records, so validating this >> claim is

Re: Multiple IPs Associated With A Single Name

2016-09-30 Thread Tim Daneliuk
On 09/30/2016 12:46 PM, John Miller wrote: > On Fri, Sep 30, 2016 at 1:15 PM, Tim Daneliuk wrote: >> On 09/30/2016 11:17 AM, Hrant Dadivanyan wrote: >>> Won't port redirection work better then ? > >> get sudo for even limited access to things on their sandboxes. So, we're

Re: Multiple IPs Associated With A Single Name

2016-09-30 Thread Tim Daneliuk
On 09/30/2016 11:17 AM, Hrant Dadivanyan wrote: > Won't port redirection work better then? Yes it would, but redirecting a privileged port requires root. Since so many people have kindly responded here, it might be worth explaining a bit of the backstory. The client is a large corporate

Re: broken trust chain on forwarder

2016-09-30 Thread /dev/rob0
On Fri, Sep 30, 2016 at 12:04:33PM -0400, John Ratliff wrote: > I am building a new recursive DNS server. I have it set to forward > records for a single zone to our HQ DNS servers. When I try to > resolve a record, I get errors like this: > > Sep 30 11:25:39 bltn-dns-04 named[2012]: validating

Re: broken trust chain on forwarder

2016-09-30 Thread Warren Kumari
On Friday, September 30, 2016, /dev/rob0 wrote: > On Fri, Sep 30, 2016 at 12:04:33PM -0400, John Ratliff wrote: > > I am building a new recursive DNS server. I have it set to forward > > records for a single zone to our HQ DNS servers. When I try to > > resolve a record, I get

Re: Multiple IPs Associated With A Single Name

2016-09-30 Thread Reindl Harald
Am 30.09.2016 um 17:22 schrieb Tim Daneliuk: On 09/30/2016 10:12 AM, Reindl Harald wrote: Am 30.09.2016 um 16:22 schrieb Tim Daneliuk: On 09/29/2016 04:45 PM, Darcy Kevin (FCA) wrote: Yeah, sure, just run it with your own special config file (with -c); in that config file, set the

broken trust chain on forwarder

2016-09-30 Thread John Ratliff
I am building a new recursive DNS server. I have it set to forward records for a single zone to our HQ DNS servers. When I try to resolve a record, I get errors like this: Sep 30 11:25:39 bltn-dns-04 named[2012]: validating @0x7fb51810b8f0: stc.corp SOA: got insecure response; parent indicates it

Re: broken trust chain on forwarder

2016-09-30 Thread Miguel Mucio Santos Moreira
Hi John, I've had the same problem as you. Either I'm going to sign each zone on my authoritative server that I need to forward internally on my recursive server, or I'm going to create two layers of recursive DNS, the first layer just with forward zones like your example but with DNSSEC

Re: broken trust chain on forwarder

2016-09-30 Thread Miguel Mucio Santos Moreira
Dears, I understood John has an invalid internal domain called stc.corp (Microsoft AD). Some users will use a new recursive DNS server, he said before, and this new recursive DNS needs to query records on the internet and on the stc.corp authoritative server, so he created a forward zone in

Re: Multiple IPs Associated With A Single Name

2016-09-30 Thread Hrant Dadivanyan
> On 09/29/2016 04:33 PM, Matthew Pounsett wrote: > > On 29 September 2016 at 14:18, Tim Daneliuk wrote: > > What I am stuck on is this: Is there any simple (i.e., non-root) way > > to write a client or

Re: Multiple IPs Associated With A Single Name

2016-09-30 Thread John Miller
On Fri, Sep 30, 2016 at 1:15 PM, Tim Daneliuk wrote: > On 09/30/2016 11:17 AM, Hrant Dadivanyan wrote: >> Won't port redirection work better then ? > get sudo for even limited access to things on their sandboxes. So, we're > trying to figure out a way to work around the

Re: Multiple IPs Associated With A Single Name

2016-09-30 Thread /dev/rob0
On Fri, Sep 30, 2016 at 10:22:35AM -0500, Tim Daneliuk wrote: > In my particular case, I am trying to figure out a way to redirect > gethostbyname() calls to the resolver of my choice so that existing > code will run without change. The problem is that I need to do > this without root or sudo

Re: broken trust chain on forwarder

2016-09-30 Thread Miguel Mucio Santos Moreira
Dears, I once tried to use a stub zone to solve the same kind of problem, with no success. John, if it works for you, tell us what you did. Thanks -- Miguel Mucio Santos Moreira Gerente GSR - Gerência de Serviços de Rede (31)3339-1401 PRODEMGE - Companhia de Tecnologia da Informação do

Re: broken trust chain on forwarder

2016-09-30 Thread /dev/rob0
On Fri, Sep 30, 2016 at 01:32:29PM -0400, jratl...@bluemarble.net wrote: > On Fri, 30 Sep 2016 11:37:39 -0500, /dev/rob0 wrote: > >> > >> This seems to indicate that the servers at 10.21.0.100 and 101 > >> are telling me that stc.corp domain is DNSSEC enabled. However, > >> the
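Added example, not code from any post in this thread or from ISC: the configuration shape that triggers "got insecure response; parent indicates it should be secure" on a validating recursive server that forwards an unsigned internal zone, next to the same configuration with validation exempted for that one name, plus the runtime negative trust anchor alternative and a dig check. The zone name and forwarder addresses follow the thread (stc.corp, 10.21.0.100 and 10.21.0.101) but are placeholders here; `validate-except` is assumed to be available in the running BIND 9 (it is an options statement in 9.14 and later), and `rndc nta` is assumed to be 9.11 or later.

```shell
#!/bin/sh
# Added example (not from the thread): a validating recursive named that
# forwards an unsigned internal zone to the servers authoritative for it.
# stc.corp and the forwarder addresses are treated as made-up placeholders.
set -eu

ZONE=stc.corp
FWD1=10.21.0.100
FWD2=10.21.0.101

# Config that produces the "parent indicates it should be secure" failure:
# validation is on for every name, but the forwarded zone has no chain of
# trust from the root, so its unsigned answers are bogus to the validator.
broken_conf() {
    cat <<EOF
options {
    recursion yes;
    dnssec-validation auto;
};
zone "$ZONE" {
    type forward;
    forward only;
    forwarders { $FWD1; $FWD2; };
};
EOF
}

# Same config with validation switched off for that one name only, so every
# other answer is still validated. validate-except exists in recent BIND 9
# (assumed 9.14+); on older builds use the negative trust anchor below.
fixed_conf() {
    cat <<EOF
options {
    recursion yes;
    dnssec-validation auto;
    validate-except { "$ZONE"; };
};
zone "$ZONE" {
    type forward;
    forward only;
    forwarders { $FWD1; $FWD2; };
};
EOF
}

# Runtime alternative (BIND 9.11+): a negative trust anchor. Its lifetime is
# capped at one week, so it has to be re-applied (cron) or replaced by the
# permanent validate-except statement above.
install_nta() {
    rndc nta -lifetime 1w "$ZONE"
    rndc nta -dump
}

# Diagnostic: if the SOA resolves with checking disabled (+cd) but SERVFAILs
# without it, the forwarders answer fine and validation is what fails.
check_validation() {
    dig @127.0.0.1 "$ZONE" SOA +cd +short
    dig @127.0.0.1 "$ZONE" SOA +short
}

# Usage: sh forward_unsigned.sh --fixed > /etc/named/stc.corp.conf, then
# rndc reconfig; or --broken, --nta, --check. No argument: do nothing.
case "${1:-}" in
    --broken) broken_conf ;;
    --fixed)  fixed_conf ;;
    --nta)    install_nta ;;
    --check)  check_validation ;;
esac
```

The exemption is deliberately scoped to the one forwarded name; turning `dnssec-validation` off globally, or building a separate non-validating forwarding layer, removes validation for everything that resolver serves.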

ip6tables with raw table(no conntrack) drop fragmented packet

2016-09-30 Thread Larry Larson
Greetings, I've followed instructions in this BIND Knowledge base article and installed ip6tables on my DNS server, using raw table with no conntrack for DNS: https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html But for IPv6 it drops fragmented packets, for example this

Re: adding zone forwards without restart

2016-09-30 Thread Tony Finch
> On 29.09.16 12:25, Frank Even wrote: > > I am running chrooted. I'm relying on the "feature" of BIND "mounting" the > > standard dirs into a chroot via the standard startup scripts in Cent6/7. Aha, I should have actually read setup-named-chroot.sh rather than assuming that it copied the
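Added example, not code from this thread or from the CentOS startup scripts: adding a forward zone to a running named with `rndc addzone`, which is the restart-free route and requires `allow-new-zones yes;` in the options block. The zone name and forwarder addresses are made up; in a chrooted setup, the file in which named records added zones lives in its working directory inside the chroot.

```shell
#!/bin/sh
# Added example: add a forward zone to a running named without a restart.
# Requires `allow-new-zones yes;` in options {} of named.conf; named then
# records added zones in a .nzf/.nzd file in its working directory, which
# in a chrooted CentOS 6/7 setup is inside the chroot (the bind-mounted
# /var/named). Zone name and forwarder IPs below are made up.
set -eu

# Emit the zone body rndc addzone expects, one forwarder per argument.
forward_zone_stanza() {
    fwd=""
    for ip in "$@"; do
        fwd="$fwd $ip;"
    done
    printf '{ type forward; forward only; forwarders {%s }; };' "$fwd"
}

# Add the zone live and confirm named accepted it. set -e stops the script
# if rndc refuses (allow-new-zones off, zone already configured, no key).
add_forward_zone() {
    name=$1; shift
    stanza=$(forward_zone_stanza "$@")
    rndc addzone "$name" "$stanza"
    rndc zonestatus "$name"
}

# Only touch the running server when invoked as: sh add_forward.sh --apply
if [ "${1:-}" = "--apply" ]; then
    add_forward_zone internal.example 10.21.0.100 10.21.0.101
fi
```

A zone added this way is not in named.conf; `rndc delzone` removes it again, and the recorded new-zone file must stay readable and writable by named after a chroot rebuild.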

Re: Multiple IPs Associated With A Single Name

2016-09-30 Thread Tim Daneliuk
On 09/29/2016 04:45 PM, Darcy Kevin (FCA) wrote: > Yeah, sure, just run it with your own special config file (with -c); in that > config file, set the listen-on to an unprivileged port, and make sure all of > the pathnames (including implicit pathnames like the pid-file) are to >

Re: Multiple IPs Associated With A Single Name

2016-09-30 Thread Reindl Harald
Am 30.09.2016 um 16:22 schrieb Tim Daneliuk: On 09/29/2016 04:45 PM, Darcy Kevin (FCA) wrote: Yeah, sure, just run it with your own special config file (with -c); in that config file, set the listen-on to an unprivileged port, and make sure all of the pathnames (including implicit pathnames

Re: Multiple IPs Associated With A Single Name

2016-09-30 Thread Tim Daneliuk
On 09/30/2016 10:12 AM, Reindl Harald wrote: > > Am 30.09.2016 um 16:22 schrieb Tim Daneliuk: >> On 09/29/2016 04:45 PM, Darcy Kevin (FCA) wrote: >>> Yeah, sure, just run it with your own special config file (with -c); in >>> that config file, set the listen-on to an unprivileged port, and make
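Added example, not code from anyone in this thread: the private, unprivileged named instance that the thread discusses, started with `-c` from a config whose listen port and every path (including the pid file) are under the user's own directory, serving one name with several A records. Paths, port, zone name and addresses are assumptions; nothing here touches port 53, and redirecting port 53 to this instance would still need root.

```shell
#!/bin/sh
# Added example (not from the thread): a named instance an unprivileged user
# can run with -c on a high port. Everything lives under $BASE; the port,
# zone name and addresses are made up.
set -eu

BASE=${BASE:-${HOME:-/tmp}/named-sandbox}
PORT=${PORT:-5353}
ZONE=sandbox.test

# All pathnames, explicit and implicit (pid-file, session-keyfile), must be
# writable by this user, or named exits at startup.
user_named_conf() {
    cat <<EOF
options {
    directory "$BASE";
    pid-file "$BASE/named.pid";
    session-keyfile "$BASE/session.key";
    listen-on port $PORT { 127.0.0.1; };
    listen-on-v6 { none; };
    recursion no;
};
zone "$ZONE" {
    type master;
    file "$BASE/$ZONE.db";
};
EOF
}

# One name, several addresses: named returns all of them in rotating order.
zone_file() {
    cat <<EOF
\$TTL 300
@   IN SOA  ns1.$ZONE. hostmaster.$ZONE. ( 2016093001 3600 900 604800 300 )
@   IN NS   ns1.$ZONE.
ns1 IN A    127.0.0.1
app IN A    10.0.0.11
app IN A    10.0.0.12
app IN A    10.0.0.13
EOF
}

# Number of A records for an owner name in the zone file (sanity check).
count_a_records() {
    zone_file | awk -v n="$1" '$1 == n && $3 == "A" { c++ } END { print c+0 }'
}

start_named() {
    mkdir -p "$BASE"
    user_named_conf > "$BASE/named.conf"
    zone_file > "$BASE/$ZONE.db"
    named-checkconf "$BASE/named.conf"
    named-checkzone "$ZONE" "$BASE/$ZONE.db"
    # -g keeps it in the foreground; no -u, we are already unprivileged
    named -c "$BASE/named.conf" -g &
}

# Clients must be pointed at the port explicitly. glibc's resolv.conf has no
# port field on "nameserver" lines, which is why gethostbyname() cannot be
# aimed at this instance without root-level redirection of port 53.
query() {
    dig @127.0.0.1 -p "$PORT" app."$ZONE" A +short
}

case "${1:-}" in
    --start) start_named ;;
    --query) query ;;
esac
```

Run `sh user_named.sh --start`, then `sh user_named.sh --query`; the three addresses for app.sandbox.test come back without root anywhere in the chain.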