Weird problem with zone transfer...

2010-05-28 Thread Michelle Konzack
Hello,

for some days I have had weird error messages in my

[ '/var/log/namd.log' ]-
snip
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.803 general: info: zone tamay-dogan.net/IN: Transfer started.
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.845 xfer-in: info: transfer of 'tamay-dogan.net/IN' from 88.168.69.36#53: connected using 217.147.94.23#35438
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.940 general: error: dumping master file: /etc/bind/tmp-u1yHZe1oSu: open: permission denied
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.941 xfer-in: error: transfer of 'tamay-dogan.net/IN' from 88.168.69.36#53: failed while receiving responses: permission denied
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.941 xfer-in: info: transfer of 'tamay-dogan.net/IN' from 88.168.69.36#53: Transfer completed: 0 messages, 38 records, 0 bytes, 0.095 secs (0 bytes/sec)
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.286 general: info: zone itsystems.tamay-dogan.net/IN: Transfer started.
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.326 xfer-in: info: transfer of 'itsystems.tamay-dogan.net/IN' from 88.168.69.36#53: connected using 217.147.94.23#47256
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.413 xfer-in: error: transfer of 'itsystems.tamay-dogan.net/IN' from 88.168.69.36#53: failed while receiving responses: permission denied
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.413 xfer-in: info: transfer of 'itsystems.tamay-dogan.net/IN' from 88.168.69.36#53: Transfer completed: 0 messages, 11 records, 0 bytes, 0.086 secs (0 bytes/sec)
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.420 general: error: dumping master file: /etc/bind/tmp-yCmtXsjs1h: open: permission denied
snip


I have no quota and permissions are right, so what can it be?

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL            itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack                 Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                      Kinzigstraße 17
67100 Strasbourg/France                77694 Kehl/Germany
Tel: +33-6-61925193 mobil              Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/     http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Weird problem with zone transfer...

2010-05-28 Thread Michelle Konzack
Hello Michelle Konzack,

On 2010-05-28 12:17:37, you hacked down the following:
 Hello,
 
 since some days I have weird error messages in my
snip
 I have no quota and permissions are right, so what can it be?

FSCK!  --  Found the error...

The replication of my pam-pgsql database was not successful and when I
installed bind9 on my dns2, pam-pgsql was not used but instead
/etc/{passwd,groups}, and got another UID/GID which was confusing my
admin scripts which do not run as root.

However, how can I convince xfer not to change the files to the owner
root:bind and permission 644?

The files should be bind:adm and the permission 664

Thanks, Greetings and nice Day/Evening
Michelle Konzack

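The "dumping master file: ... open: permission denied" lines in the first message come from named, running as its unprivileged service user, failing to create a temporary file in the directory that holds the transferred zone; the UID/GID mix-up described above is one way to get there. As an added example (not code from the thread or from BIND), the Python below applies the same owner/group/other write check the kernel applies to the directory's stat() fields, and also flags the opposite mistake, a world-writable zone directory. The service user name `bind`, the uid 104 / gid 105 pair, the `/etc/bind` path and the sample modes are constructed for illustration.

```python
"""Audit whether the named service user can create files in a zone directory.

Added example, not code from the bind-users thread or from BIND itself.
The directory, user and UID values below are constructed for illustration.
"""
import grp
import os
import pwd
import stat


def can_write(st_mode, st_uid, st_gid, uid, gids):
    """Classic Unix discretionary access check for write permission.

    Owner bits apply if the uid matches, otherwise group bits if any of the
    caller's groups match, otherwise the 'other' bits. Root's override and
    POSIX ACLs are deliberately ignored: named drops privileges at startup,
    so this plain DAC check is exactly the one that fails in the log above.
    """
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def audit_zone_dir(st_mode, st_uid, st_gid, named_uid, named_gids, path="<dir>"):
    """Return a list of problem strings for one directory's stat() fields.

    Two failure modes are reported: named cannot create its temporary dump
    file (the 'permission denied' seen in the log), and the directory is
    world-writable (any local user could replace zone data).
    """
    problems = []
    if not stat.S_ISDIR(st_mode):
        problems.append(f"{path}: not a directory")
        return problems
    if not can_write(st_mode, st_uid, st_gid, named_uid, named_gids):
        problems.append(
            f"{path}: named (uid {named_uid}) cannot create files here; "
            "'dumping master file' will fail with permission denied")
    if st_mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable; any local user can inject zone data")
    return problems


def audit_path(path, named_user="bind"):
    """Wrapper for a live system: look up the service user and stat the path."""
    pw = pwd.getpwnam(named_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if named_user in g.gr_mem}
    st = os.stat(path)
    return audit_zone_dir(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids, path)


# Constructed sample: the situation from the thread, a directory owned by
# root:bind with mode 0755 while named runs as uid 104 / gid 105 ("bind").
SAMPLE_UID_BIND, SAMPLE_GID_BIND = 104, 105
SAMPLE_DIR_ROOT_BIND_0755 = (stat.S_IFDIR | 0o755, 0, SAMPLE_GID_BIND)
SAMPLE_DIR_ROOT_BIND_0775 = (stat.S_IFDIR | 0o775, 0, SAMPLE_GID_BIND)
SAMPLE_DIR_WORLD_WRITABLE = (stat.S_IFDIR | 0o777, 0, SAMPLE_GID_BIND)


def demo():
    """Run the audit over the three constructed directories."""
    results = {}
    cases = {
        "root:bind 0755": SAMPLE_DIR_ROOT_BIND_0755,
        "root:bind 0775": SAMPLE_DIR_ROOT_BIND_0775,
        "root:bind 0777": SAMPLE_DIR_WORLD_WRITABLE,
    }
    for name, (mode, uid, gid) in cases.items():
        results[name] = audit_zone_dir(mode, uid, gid, SAMPLE_UID_BIND,
                                       {SAMPLE_GID_BIND}, path="/etc/bind")
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or ["ok"])
```

On a real host, `audit_path("/etc/bind")` (or whatever `directory` in named.conf points at) does the lookup for you; the pure `audit_zone_dir` function exists so the decision logic can be checked without touching the filesystem.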

Regarding CNAME Chains

2010-05-28 Thread Ashwin
 

Hi,

From the server I get a response like

aaa CNAME bbb
ccc CNAME ddd
bbb CNAME ccc

The ordering of the CNAME chain is incorrect; ideally it should be like

aaa CNAME bbb
bbb CNAME ccc
ccc CNAME ddd

Is there some RFC which prohibits the configuration of CNAME chains as given
in the first example, i.e. CNAME chains not in order?

I tried to search on the internet, and could come up with this paragraph in RFC
2308: DNS NCACHE

QNAME - the name in the query section of an answer, or where this resolves
to a CNAME, or CNAME chain, the data field of the last CNAME. The last CNAME
in this sense is that which contains a value which does not resolve to
another CNAME. Implementations should note that including CNAME records in
responses in order, so that the first has the label from the query section,
and then each in sequence has the label from the data section of the
previous (where more than one CNAME is needed) allows the sequence to be
processed in one pass, and considerably eases the task of the receiver.

It would be a great help if it can be confirmed that resolvers can expect
CNAME chains to be in order.

Thanks & Regards

Ashwin

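Ashwin's question hinges on whether a receiver may rely on the order of the CNAME records. As an added example (not code from the thread or from BIND), the Python below does what RFC 2308 implies a receiver without the one-pass shortcut must do: index the CNAME records by owner name and walk from the QNAME, so the unordered answer in the post yields the same chain as the ordered one. It also refuses loops, two CNAMEs at one owner, and over-long chains. The 16-link cap and the record tuples are assumptions and constructed input, not values from the post.

```python
"""Follow a CNAME chain from a DNS answer regardless of record order.

Added example, not code from the bind-users thread or from any resolver.
The records below are constructed from the three-link chain in the post.
"""


def _canon(name):
    """Normalise an owner/target name: case-insensitive, no trailing dot."""
    return name.lower().rstrip(".")


def follow_cname_chain(qname, records, max_links=16):
    """Return (ordered_chain, final_name) for an answer section.

    records: iterable of (owner, target) CNAME pairs in whatever order the
    server sent them. A receiver that indexes by owner name needs no
    particular order; this is what RFC 2308's "one pass" remark is about.
    Raises ValueError on a loop, on two CNAMEs at one owner, or on a chain
    longer than max_links (the cap is an assumption of this example, not a
    value from the thread).
    """
    by_owner = {}
    for owner, target in records:
        owner = _canon(owner)
        if owner in by_owner:
            raise ValueError(f"more than one CNAME at {owner}")
        by_owner[owner] = _canon(target)

    chain, seen, cur = [], set(), _canon(qname)
    while cur in by_owner:
        if cur in seen:
            raise ValueError(f"CNAME loop at {cur}")
        if len(chain) >= max_links:
            raise ValueError("CNAME chain too long")
        seen.add(cur)
        chain.append((cur, by_owner[cur]))
        cur = by_owner[cur]
    return chain, cur


def chain_problem(qname, records):
    """Return the error message for a broken chain, or None if it is sound."""
    try:
        follow_cname_chain(qname, records)
    except ValueError as exc:
        return str(exc)
    return None


def is_in_recommended_order(qname, records):
    """True if the records already follow the RFC 2308 recommendation:
    the first owner is the QNAME and each next owner is the previous target."""
    expected = _canon(qname)
    for owner, target in records:
        if _canon(owner) != expected:
            return False
        expected = _canon(target)
    return True


# Constructed from the post: the unordered answer and the ideal ordering.
UNORDERED = [("aaa", "bbb"), ("ccc", "ddd"), ("bbb", "ccc")]
ORDERED = [("aaa", "bbb"), ("bbb", "ccc"), ("ccc", "ddd")]


if __name__ == "__main__":
    chain, final = follow_cname_chain("aaa", UNORDERED)
    print("ordered:", chain, "-> final name", final)
    print("answer already in recommended order?",
          is_in_recommended_order("aaa", UNORDERED))
```

Records that are not part of the chain are simply ignored, and a QNAME with no CNAME at all returns an empty chain and the QNAME itself, which is how the caller tells "no alias" from "chain broken".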

dnssec-keygen is waiting endless...

2010-05-28 Thread Michelle Konzack
Hello *;

I am retrying to setup DNSSEC but I have a problem with:

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tamay-dogan.net

because if I issue the command, it waits forever and nothing happens.

What can this be?

Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
1:9.7.0.dfsg.P1-1~bpo50+1

Thanks, Greetings and nice Day/Evening
Michelle Konzack


Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Paul Wouters

On Fri, 28 May 2010, Michelle Konzack wrote:


Hello *;

I am retrying to setup DNSSEC but I have a problem with:

   dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tamay-dogan.net

because if I issue the command, it waits forever and nothing happens.

What can this be?

Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
1:9.7.0.dfsg.P1-1~bpo50+1


My bet is that this is a VM and you have no entropy. Either generate some
entropy (e.g. run in parallel something like: find / -type f | xargs grep 
KSdgajkgdaksdga)
or create the keys on real iron instead of a VM.

Paul


RE: dnssec-keygen is waiting endless...

2010-05-28 Thread Jack Tavares
Or it is a chroot jail and it does not have a source of entropy


-Original Message-
From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Paul 
Wouters
Sent: Friday, May 28, 2010 9:34 AM
To: Michelle Konzack
Cc: Bind Users
Subject: Re: dnssec-keygen is waiting endless...

On Fri, 28 May 2010, Michelle Konzack wrote:

 Hello *;

 I am retrying to setup DNSSEC but I have a problem with:

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tamay-dogan.net

 because if I issue the command, it waits forever and nothing happens.

 What can this be?

 Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
 1:9.7.0.dfsg.P1-1~bpo50+1

My bet is that this is a VM and you have no entropy. Either generate some
entropy (e.g. run in parallel something like: find / -type f | xargs grep 
KSdgajkgdaksdga)
or create the keys on real iron instead of a VM.

Paul


Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Michelle Konzack
Hello Paul,

On 2010-05-28 12:34:16, you hacked down the following:
 My bet is that this is a VM and you have no entropy. Either generate some
 entropy (e.g. run in parallel something like: find / -type f | xargs grep 
 KSdgajkgdaksdga)
 or create the keys on real iron instead of a VM.

No, this is a real machine: AMD Sempron 2200+ (Socket A) with 3 GByte of
memory and only a standard Debian installation. The thing with the find
does not work...

Thanks, Greetings and nice Day/Evening
Michelle Konzack


Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Casey Deccio
On Fri, May 28, 2010 at 10:41 AM, Michelle Konzack 
linux4miche...@tamay-dogan.net wrote:

 Hello Paul,

 On 2010-05-28 12:34:16, you hacked down the following:
  My bet is that this is a VM and you have no entropy. Either generate some
  entropy (e.g. run in parallel something like: find / -type f | xargs grep
 KSdgajkgdaksdga)
  or create the keys on real iron instead of a VM.

 No, this is a real machine: AMD Sempron 2200+ (Socket A) with 3 GByte of
 memory and only a standard Debian installation. The thing with the find
 does not work...


Running 'cat /proc/sys/kernel/random/entropy_avail' should show you what
your available entropy is during the keygen process.

There are a variety of things you can do to increase the size of the entropy
pool, but if you're willing to accept less entropy at this point to get
things going, pass '-r /dev/urandom' to dnssec-keygen (see 'man urandom').

Regards,
Casey

Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Michelle Konzack
Hi again,

On 2010-05-28 10:36:51, you hacked down the following:
 Or it is a chroot jail and it does not have a source of entropy

AFAIK a chroot gives a false impression that bind could be more secure...

Currently I need to secure my bind9 since I had a massive attack on my
dns1 which is the master. Also I have had more than 30 million queries
in less than one week and bind9 has eaten around 2.4 GByte of memory...

Thanks, Greetings and nice Day/Evening
Michelle Konzack


RE: dnssec-keygen is waiting endless...

2010-05-28 Thread Jack Tavares
Disregard my statement.
An incorrect chroot setup will affect the named executable, but not
the dnssec-keygen



-Original Message-
From: bind-users-bounces+j.tavares=f5@lists.isc.org 
[mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of 
Michelle Konzack
Sent: Friday, May 28, 2010 11:22 AM
To: bind-users@lists.isc.org
Subject: Re: dnssec-keygen is waiting endless...

Hello Jack,

On 2010-05-28 10:36:51, you hacked down the following:
 Or it is a chroot jail and it does not have a source of entropy

Ehm no...   *sigh*

Where must this entropy be?

Thanks, Greetings and nice Day/Evening
Michelle Konzack



Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Evan Hunt
 Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
 1:9.7.0.dfsg.P1-1~bpo50+1

I get the same problem on Ubuntu, which is Debian-based.  /dev/random
runs out of entropy rapidly and takes a long time to recover.

Using dnssec-keygen -r /dev/urandom will make it finish much
faster, but that uses a pseudo-random number generator instead of true
randomness, so it's not the best choice from the paranoid crypto viewpoint.
I often use it for test zones and such.  If I needed a proper bulletproof
key on an Ubuntu box, and I didn't want to wait a long time for it, I'd
probably generate the key on some other system and copy it over.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
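Casey's entropy_avail check and Evan's urandom caveat, carried into a small tool as an added example (not code from the thread or from BIND): it builds the dnssec-keygen command line from the thread, runs it while sampling /proc/sys/kernel/random/entropy_avail, and reports whether the pool stayed starved for the whole run, which is the "waits forever" symptom. `-r /dev/urandom` is added only on an explicit flag, since it trades true randomness for speed, as Evan says. The 128-bit low-water mark is an assumption of this example; the `-r` option is the BIND 9.7-era one discussed in the thread, so check the dnssec-keygen man page of the installed version before relying on it.

```python
"""Watch the kernel entropy pool while a key-generation command runs.

Added example, not code from the bind-users thread or from BIND. It wraps
the dnssec-keygen invocation from the thread; the low-water mark below is
an assumption of this example.
"""
import subprocess
import time

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
LOW_WATER = 128  # assumed: a pool that never rises above this keeps /dev/random readers blocked


def read_entropy_avail(path=ENTROPY_AVAIL):
    """Read the pool size as the kernel reports it (Casey's 'cat' command)."""
    with open(path) as fh:
        return int(fh.read().strip())


def keygen_argv(zone, algorithm="RSASHA1", bits=1024, allow_urandom=False):
    """Build the dnssec-keygen command line used in the thread.

    allow_urandom adds `-r /dev/urandom`, which must be an explicit choice:
    acceptable for test zones, not for a production key (Evan's caveat).
    """
    argv = ["dnssec-keygen", "-a", algorithm, "-b", str(bits), "-n", "ZONE"]
    if allow_urandom:
        argv += ["-r", "/dev/urandom"]
    return argv + [zone]


def run_with_entropy_monitor(argv, reader=read_entropy_avail, interval=1.0):
    """Run argv, sampling the pool every `interval` seconds until it exits.

    Returns (returncode, samples). `reader` is injectable so the logic can be
    exercised without /proc; by default it reads entropy_avail.
    """
    proc = subprocess.Popen(argv)
    samples = []
    while proc.poll() is None:
        samples.append(reader())
        time.sleep(interval)
    samples.append(reader())  # one last reading after the process exits
    return proc.returncode, samples


def diagnose(samples, low_water=LOW_WATER):
    """'starved' if the pool never rose above low_water during the run."""
    return "ok" if max(samples) > low_water else "starved"


if __name__ == "__main__":
    rc, samples = run_with_entropy_monitor(keygen_argv("tamay-dogan.net"))
    print("exit", rc, "entropy samples", samples, "->", diagnose(samples))
```

A pool that drops to near zero during the run is normal (key generation consumes it); the diagnosis only fires when it never recovers above the mark, which is when an entropy daemon, as Doug suggests further down, or generating the key on another host is the right fix rather than urandom.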


Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Michelle Konzack
Hello Casey,

On 2010-05-28 11:15:30, you hacked down the following:
 Running 'cat /proc/sys/kernel/random/entropy_avail' should show you what
 your available entropy is during the keygen process.

It shows me a number between 0 and several hundred

 There are a variety of things you can do to increase the size of the entropy
 pool, but if you're willing to accept less entropy at this point to get
 things going, pass '-r /dev/urandom' to dnssec-keygen (see 'man urandom').

This is working for now...

Thanks, Greetings and nice Day/Evening
Michelle Konzack


Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Casey Deccio
On Fri, May 28, 2010 at 11:25 AM, Michelle Konzack 
linux4miche...@tamay-dogan.net wrote:


 Currently I need to secure my bind9 since I had a massive attack on my
 dns1 which is the master. Also I have had more than 30 million queries
 in less than one week and bind9 has eaten around 2.4 GByte of memory...


DNSSEC is for securing your namespace, not your server. With DNSSEC a
validating resolver can prove the authenticity of an answer it receives, but
that won't help with attacks targeting your name server.

If you're looking to secure your server, you'll need to take other security
measures with regards to server/firewall configuration.

Regards,
Casey

Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Michelle Konzack
Hello Evan,

On 2010-05-28 18:33:14, you hacked down the following:
  Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
  1:9.7.0.dfsg.P1-1~bpo50+1
 
 I get the same problem on Ubuntu, which is Debian-based.  /dev/random
 runs out of entropy rapidly and takes a long time to recover.

I have tried it on Debian Etch, Lenny and Sid with the same result... On
all three machines I have to use -r /dev/urandom which is really weird.

 Using dnssec-keygen -r /dev/urandom will make it finish much
 faster, but that uses a pseudo-random number generator instead of true
 randomness, so it's not the best choice from the paranoid crypto viewpoint.
 I often use it for test zones and such.  If I needed a proper bulletproof
 key on an Ubuntu box, and I didn't want to wait a long time for it, I'd
 probably generate the key on some other system and copy it over.

:-)   I have 38.000 Zones and on my AMD Sempron 2200+ with 3 GByte of
memory it takes around 40 seconds to create ONE signed zone from a script.

This means, if I want to sign 38.000 zones it will run 18 days...

Thanks, Greetings and nice Day/Evening
Michelle Konzack


Re: dnssec-keygen is waiting endless...

2010-05-28 Thread Doug Barton

On 05/28/10 13:53, Michelle Konzack wrote:

Hello Evan,

On 2010-05-28 18:33:14, you hacked down the following:

Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version
1:9.7.0.dfsg.P1-1~bpo50+1


I get the same problem on Ubuntu, which is Debian-based.  /dev/random
runs out of entropy rapidly and takes a long time to recover.


I have tried it on Debian Etch, Lenny and Sid with the same result... On
all three machines I have to use -r /dev/urandom which is really weird.

...

:-)   I have 38.000 Zones and on my AMD Sempron 2200+ with 3 GByte of
memory it takes around 40 seconds to create ONE signed zone from a script.

This means, if I want to sign 38.000 zones it will run 18 days...


If you're planning to do production DNSSEC on Linux you really need to 
configure an entropy gathering daemon in order to properly seed your 
/dev/random device. You should be able to find resources for doing this 
on line, or in a help forum for your particular brand(s) of Linux.


You might also consider evaluating FreeBSD for your name servers, it 
comes with properly configured entropy gathering right out of the box, 
and our implementation of /dev/random uses a PRNG method that hands out 
high-quality random bits with very little danger of running out.



hth,

Doug

--

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover!  http://SupersetSolutions.com/



Re: Automated DNSSEC (command line)

2010-05-28 Thread Michael Sinatra

On 05/28/10 14:18, Michelle Konzack wrote:

Hello DNSSEC Experts,

I am ongoing to install 4 new Name Servers and increase my registrar and
hosting service...

OK, I have tried to make my own 4 domains with 16 zones signed and it
took me one hour of my life!

Since I have to re-sign the zones if something changes it will give me
headaches up to the end of my life, so my question is:

 Is there a command line tool (or a daemon) which
 checks for changes and re-signs the zone automatically?


Check out zkt (http://www.hznet.de/dns/zkt/).

There are a few more involved tools out there, but zkt sounds like what 
you want.



I can not believe, that you are signing each zone by hand!  :-D


*I'm* not. :)  (I use a combination of zkt and the BIND tools in an 
automated script.)



Can an expert please check  'dig ANY tamay-dogan.net'  whether  this  is
right?


Looks good to me.  The sigs seem to be within their validity interval, 
but there doesn't appear a DLV record in dlv.isc.org, so I can't 
validate.  (Actually, I *could* snarf the ksk from the ANY query and 
manually configure it as a trust anchor, but I am lazy.  Moreover, that 
won't tell us if something goes wrong if/when you publish a trust-anchor 
DLV record or DS record, when NET becomes signed.)



Also I am not really sure whether I need "dnssec-validation yes" in my
options.


For authoritative service, you don't need it.  Only if you're running a 
validating nameserver do you need it, and it's 'yes' by default in 
recent versions of BIND.  You still need to configure a trust anchor (or 
anchors) if you want to do validation.


michael


Re: Automated DNSSEC (command line)

2010-05-28 Thread Casey Deccio
On Fri, May 28, 2010 at 2:18 PM, Michelle Konzack 
linux4miche...@tamay-dogan.net wrote:

 Hello DNSSEC Experts,

 I am ongoing to install 4 new Name Servers and increase my registrar and
 hosting service...

 OK, I have tried to make my own 4 domains with 16 zones signed and it
 took me one hour of my life!

 Since I have to re-sign the zones if something changes it will give me
 headaches up to the end of my life, so my question is:

Is there a command line tool (or a daemon) which
checks for changes and re-signs the zone automatically?


Yes, and you really should use one.  The two most important things with
signed zones are that your signatures don't expire, and that the right
DNSSEC RRs are included in the zone.  So not only does it need to be
resigned after changes (to include the proper DNSSEC RRs), but also
periodically make sure signatures don't expire.  Here are a few of the tools
written for that purpose:

http://dnssec-tools.org/
http://www.opendnssec.org/
http://www.hznet.de/dns/zkt/
http://zonetool.sourceforge.net/


 I can not believe, that you are signing each zone by hand!  :-D

 Can an expert please check  'dig ANY tamay-dogan.net'  whether  this  is
 right?


Looks okay to me.  Here's what your signed zone looks like visually:

http://dnsviz.net/d/tamay-dogan.net/dnssec/

Although, it looks like you perhaps didn't increment the zone serial, as
only one of your authoritative servers is running a signed version of the
zone.

 Also I am not really sure whether I need "dnssec-validation yes" in my
 options.


No, this is only for resolvers that are validating answers, not
authoritative servers that are serving signed zones.

Of course, if you're using the server for both and you would like to enable
validation (i.e., of other signed zones), then you'll need to enable
validation and establish some trusted keys as anchors.

Regards,
Casey

Re: Automated DNSSEC (command line)

2010-05-28 Thread Michelle Konzack
Hello Michael,

On 2010-05-28 14:40:30, you hacked down the following:
 Check out zkt (http://www.hznet.de/dns/zkt/).
 
 There are a few more involved tools out there, but zkt sounds like
 what you want.

OK...

 Can an expert please check  'dig ANY tamay-dogan.net'  whether  this  is
 right?
 Looks good to me.  The sigs seem to be within their validity
 interval, but there doesn't appear a DLV record in dlv.isc.org, so I

Right, it was set up for some hours in an experiment and is currently not
set up with DLV.

 can't validate.  (Actually, I *could* snarf the ksk from the ANY
 query and manually configure it as a trust anchor, but I am lazy.
 Moreover, that won't tell us if something goes wrong if/when you
 publish a trust-anchor DLV record or DS record, when NET becomes
 signed.)

I have some problems with understanding "DNSSEC in 6 Minutes" from ISC.

 default in recent versions of BIND.  You still need to configure a
 trust anchor (or anchors) if you want to do validation.

This is what I have not understood currently...

Thanks, Greetings and nice Day/Evening
Michelle Konzack


Re: Automated DNSSEC (command line)

2010-05-28 Thread Michelle Konzack
Hello Casey,

On 2010-05-28 14:43:54, you hacked down the following:
 Yes, and you really should use one.  The two most important things with
 signed zones are that your signatures don't expire, and that the right
 DNSSEC RRs are included in the zone.  So not only does it need to be
 resigned after changes (to include the proper DNSSEC RRs), but also
 periodically make sure signatures don't expire.  Here are a few of the tools
 written for that purpose:
 
 http://dnssec-tools.org/
 http://www.opendnssec.org/
 http://www.hznet.de/dns/zkt/
 http://zonetool.sourceforge.net/

Wow, I have to check which is the most suitable for me

 Looks okay to me.  Here's what your signed zone looks like visually:
 
 http://dnsviz.net/d/tamay-dogan.net/dnssec/

Cool tool...

 Although, it looks like you perhaps didn't increment the zone serial, as
 only one of your authoritative servers is running a signed version of the
 zone.

Now I have a problem with it because HOW can I increase the serial number
in this big file.  In the old unsigned file I was working with a script,
but now I know nothing anymore.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

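Michelle asks above how to raise the serial in the large signed file. An added example, not code from the thread or from BIND: it finds the SOA serial in zone-file text and replaces it with the next YYYYMMDDnn value, handling the case where the file is already ahead of today. The natural place to apply this is the unsigned source zone, since the RRSIG over the SOA in the signed file covers the serial and stops validating once the number changes; re-run dnssec-signzone afterwards (its `-N increment` and `-N unixtime` options can do the bump at signing time instead). The sample zone, names and date are constructed.

```python
"""Bump the SOA serial of a zone file in YYYYMMDDnn style.

Added example, not code from the bind-users thread or from BIND. Meant for
the unsigned source zone: the signed file's RRSIG over the SOA covers the
serial, so the zone must be re-signed after the bump.
"""
import re
from datetime import date

# Owner/class/TTL layout varies, so anchor on "SOA <mname> <rname>" and skip an
# optional "(" and any "; comment" lines before the first number, the serial.
SOA_SERIAL = re.compile(
    r"\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*(\d+)", re.IGNORECASE)

SERIAL_MODULUS = 2 ** 32  # the SOA serial is a 32-bit serial number (RFC 1982)


def next_serial(current, today=None):
    """Smallest YYYYMMDDnn-style serial that is larger than `current`.

    today: 'YYYYMMDD' string, defaulting to the real date. If the file is
    already at or beyond today's range (many updates in one day, or a larger
    serial from another scheme), the value is simply incremented so that it
    keeps growing; secondaries only compare serials, they never parse them.
    """
    today = today or date.today().strftime("%Y%m%d")
    base = int(today) * 100  # YYYYMMDD00
    return (max(base, current) + 1) % SERIAL_MODULUS


def bump_serial(zone_text, today=None):
    """Return (new_text, old_serial, new_serial) with the SOA serial replaced."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA record found")
    old = int(m.group(1))
    new = next_serial(old, today)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], old, new


# Constructed sample zone in the multi-line style most hand-written zones use.
SAMPLE_ZONE = """$TTL 3600
@   IN  SOA ns1.example.net. hostmaster.example.net. (
        2010052801  ; serial
        3600        ; refresh
        900         ; retry
        604800      ; expire
        3600 )      ; minimum
    IN  NS  ns1.example.net.
"""

if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE, today="20100528")
    print(f"serial {old} -> {new}")
    print(text, end="")
```

The same regex also matches the single-line SOA that dnssec-signzone writes, so the function can be pointed at either file; doing so on the signed one is only useful if a re-sign follows immediately.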

Re: Automated DNSSEC (command line)

2010-05-28 Thread Michelle Konzack
Hello again,

On 2010-05-28 14:43:54, you hacked down the following:
 Looks okay to me.  Here's what your signed zone looks like visually:
 
 http://dnsviz.net/d/tamay-dogan.net/dnssec/
 
 Although, it looks like you perhaps didn't increment the zone serial, as
 only one of your authoritative servers is running a signed version of the
 zone.

I have updated the serial number manually and it just updated dns2...

OK, now I have tried the second Zone

http://dnsviz.net/d/itsystems.tamay-dogan.net/dnssec/

but it tell me:

  RRSIG itsystems.tamay-dogan.net/SOA by 005+19470: Signature is bogus 

really weird, because the Zone is like the others. How can I check this?

Thanks, Greetings and nice Day/Evening
Michelle Konzack


Re: Automated DNSSEC (command line)

2010-05-28 Thread Michelle Konzack
Hello Mark,

On 2010-05-29 09:06:40, you hacked down the following:
 You can just let named re-sign the zone for you.  Treat the zones
 as dynamic and named from BIND 9.6 onwards will maintain the
 signatures for you.

What do you mean with "Treat the zones as dynamic"?
Is there a special option?

 Use nsupdate to change the contents of the zone.

OK. I have to change my scripts to use nsupdate, but as I have
understood it, you can not add NEW hosts to a zone through
nsupdate (has never worked) or has it changed now?

Thanks, Greetings and nice Day/Evening
Michelle Konzack


Re: Automated DNSSEC (command line)

2010-05-28 Thread Mark Andrews

In message 20100529001832.gb4...@tamay-dogan.net, Michelle Konzack writes:
 
 Hello Mark,
 
 On 2010-05-29 09:06:40, you hacked down the following:
  You can just let named re-sign the zone for you.  Treat the zones
  as dynamic and named from BIND 9.6 onwards will maintain the
  signatures for you.
 
 What do you mean with "Treat the zones as dynamic"?
 Is there a special option?

Add allow-update or update-policy clause.

BIND 9.7.0 supports update-policy local; and nsupdate -l talks via it.
 
  Use nsupdate to change the contents of the zone.
 
 OK. I have to change my  scripts  to  use  nsupdate,  but  as  I  have
 understand it right, you can  not  add  NEW  hosts  to  a  zone  through
 nsupdate (has never worked) or has it changed now?

You make any change you want to a zone via nsupdate and this has
always been the case.  You just can't create or destroy the zone.
DHCP servers have been adding and deleting hosts for years using
UPDATE.

 Thanks, Greetings and nice Day/Evening
 Michelle Konzack
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
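Mark's answer above is the workflow that makes the serial and re-sign questions go away. As an added example (not code from the thread or from BIND), here is a Python helper that composes the batch `nsupdate -l` consumes for a zone configured with `update-policy local;`, guarding each genuinely new RRset with a prerequisite so a script run twice cannot silently double up records, and replacing an existing RRset with a delete plus add in the same transaction. The zone, host names and addresses are constructed; the named.conf fragment in the comment is an assumption about the configuration Mark describes.

```python
"""Change a zone through DNS UPDATE instead of editing the zone file.

Added example, not code from the bind-users thread or from BIND. It composes
the batch that `nsupdate -l` reads for a zone configured with
`update-policy local;` (the BIND 9.7 mechanism Mark describes). With a
dynamic zone, named bumps the serial and maintains the signatures itself.
The zone, host names and addresses below are constructed.
"""
import subprocess

# Assumed named.conf stanza for the zone (only the update-policy line is
# from the thread; the rest is illustrative):
#   zone "example.net" {
#       type master;
#       file "example.net.db";
#       update-policy local;
#   };


def build_update(zone, adds=(), deletes=(), server=None):
    """Return the text of an nsupdate batch for one UPDATE transaction.

    adds:    (name, ttl, rtype, rdata) tuples. A 'prereq nxrrset' guards each
             add whose RRset is not also being deleted in this batch, so a
             script run twice cannot pile up duplicate records.
    deletes: (name, rtype) tuples that remove a whole RRset; pairing a delete
             with an add of the same name/type replaces it in one transaction.
    Everything before 'send' is applied by named atomically, or not at all.
    """
    replaced = {(name, rtype) for name, rtype in deletes}
    lines = []
    if server:
        lines.append(f"server {server}")
    lines.append(f"zone {zone}")
    for name, rtype in deletes:
        lines.append(f"update delete {name} {rtype}")
    for name, ttl, rtype, rdata in adds:
        if (name, rtype) not in replaced:
            lines.append(f"prereq nxrrset {name} {rtype}")
        lines.append(f"update add {name} {ttl} {rtype} {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def apply_local(batch, nsupdate="nsupdate"):
    """Feed the batch to `nsupdate -l` on the name server itself.

    Returns the CompletedProcess; a non-zero exit (see stderr) means a
    prerequisite was not met or the update policy refused the change.
    """
    return subprocess.run([nsupdate, "-l"], input=batch, text=True,
                          capture_output=True)


# Constructed: add one new host and move www to a new address, atomically.
SAMPLE_ZONE = "example.net."
SAMPLE_ADDS = [("new.example.net.", 3600, "A", "192.0.2.10"),
               ("www.example.net.", 3600, "A", "192.0.2.20")]
SAMPLE_DELETES = [("www.example.net.", "A")]

if __name__ == "__main__":
    batch = build_update(SAMPLE_ZONE, SAMPLE_ADDS, SAMPLE_DELETES)
    print(batch, end="")
    # On the name server itself: result = apply_local(batch)
```

Names are written fully qualified (trailing dot) so nsupdate never has to guess an origin. Because prerequisites are evaluated before any update in the same message, a delete-plus-add replacement deliberately carries no `nxrrset` guard; otherwise the transaction would always fail.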