Weird problem with zone transfer...
Hello, since some days I have weird error messages in my '/var/log/named.log':

    [snip]
    May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.803 general: info: zone tamay-dogan.net/IN: Transfer started.
    May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.845 xfer-in: info: transfer of 'tamay-dogan.net/IN' from 88.168.69.36#53: connected using 217.147.94.23#35438
    May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.940 general: error: dumping master file: /etc/bind/tmp-u1yHZe1oSu: open: permission denied
    May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.941 xfer-in: error: transfer of 'tamay-dogan.net/IN' from 88.168.69.36#53: failed while receiving responses: permission denied
    May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.941 xfer-in: info: transfer of 'tamay-dogan.net/IN' from 88.168.69.36#53: Transfer completed: 0 messages, 38 records, 0 bytes, 0.095 secs (0 bytes/sec)
    May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.286 general: info: zone itsystems.tamay-dogan.net/IN: Transfer started.
    May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.326 xfer-in: info: transfer of 'itsystems.tamay-dogan.net/IN' from 88.168.69.36#53: connected using 217.147.94.23#47256
    May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.413 xfer-in: error: transfer of 'itsystems.tamay-dogan.net/IN' from 88.168.69.36#53: failed while receiving responses: permission denied
    May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.413 xfer-in: info: transfer of 'itsystems.tamay-dogan.net/IN' from 88.168.69.36#53: Transfer completed: 0 messages, 11 records, 0 bytes, 0.086 secs (0 bytes/sec)
    May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.420 general: error: dumping master file: /etc/bind/tmp-yCmtXsjs1h: open: permission denied
    [snip]

I have no quota and permissions are right, so what can it be?
Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL                itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack                     Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz                          Kinzigstraße 17
67100 Strasbourg/France                    77694 Kehl/Germany
Tel: +33-6-61925193 mobil                  Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix
http://www.itsystems.tamay-dogan.net/      http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/         http://www.can4linux.org/
Jabber linux4miche...@jabber.ccc.de
ICQ#328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Weird problem with zone transfer...
Hello Michelle Konzack,

On 2010-05-28 12:17:37, you hacked down the following:
> Hello, since some days I have weird error messages in my
> [snip]
> I have no quota and permissions are right, so what can it be?

FSCK! -- Found the error...

The replication of my pam-pgsql database was not successful, and when I installed bind9 on my dns2, pam-pgsql was not used but instead /etc/{passwd,group}, and it got another UID/GID, which was confusing my admin scripts which do not run as root.

However, how can I convince xfer not to change the files to the owner root:bind and permission 644? The files should be bind:adm and the permission 664.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
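The failure above is only visible as two separate log lines (a "dumping master file ... permission denied" error without a zone name, then the xfer-in error for the zone), and named still logs "Transfer completed" for the failed transfer. Here is an added example, my code and not BIND's nor the poster's admin scripts, that parses those lines, pairs each failed transfer with the temporary file named could not open, and so points straight at the directory whose ownership or permissions are wrong. The sample input is the log excerpt from the first message in this thread; the function names and the result layout are this example's own.

```python
"""Parse named xfer-in / 'dumping master file' log lines and flag failed
zone transfers together with the path named could not write.

Added example for the zone-transfer thread above; the sample lines are the
ones quoted in the original post, the parsing logic is this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the first message, verbatim.
SAMPLE_LOG = """\
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.803 general: info: zone tamay-dogan.net/IN: Transfer started.
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.845 xfer-in: info: transfer of 'tamay-dogan.net/IN' from 88.168.69.36#53: connected using 217.147.94.23#35438
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.940 general: error: dumping master file: /etc/bind/tmp-u1yHZe1oSu: open: permission denied
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.941 xfer-in: error: transfer of 'tamay-dogan.net/IN' from 88.168.69.36#53: failed while receiving responses: permission denied
May 28 08:31:53 vserver4 named[18289]: 28-May-2010 08:31:53.941 xfer-in: info: transfer of 'tamay-dogan.net/IN' from 88.168.69.36#53: Transfer completed: 0 messages, 38 records, 0 bytes, 0.095 secs (0 bytes/sec)
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.286 general: info: zone itsystems.tamay-dogan.net/IN: Transfer started.
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.326 xfer-in: info: transfer of 'itsystems.tamay-dogan.net/IN' from 88.168.69.36#53: connected using 217.147.94.23#47256
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.413 xfer-in: error: transfer of 'itsystems.tamay-dogan.net/IN' from 88.168.69.36#53: failed while receiving responses: permission denied
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.413 xfer-in: info: transfer of 'itsystems.tamay-dogan.net/IN' from 88.168.69.36#53: Transfer completed: 0 messages, 11 records, 0 bytes, 0.086 secs (0 bytes/sec)
May 28 08:31:54 vserver4 named[18289]: 28-May-2010 08:31:54.420 general: error: dumping master file: /etc/bind/tmp-yCmtXsjs1h: open: permission denied
"""

START_RE = re.compile(r"general: info: zone (?P<zone>\S+): Transfer started")
XFER_RE = re.compile(
    r"named\[\d+\]: (?P<ts>\S+ \S+) xfer-in: (?P<level>\w+): "
    r"transfer of '(?P<zone>[^']+)' from (?P<master>\S+): (?P<msg>.*)$"
)
DUMP_RE = re.compile(r"general: error: dumping master file: (?P<path>\S+): (?P<err>.*)$")

def parse_xfer_log(text):
    """Group the log by zone: master, xfer-in errors, unwritable files, completion."""
    zones = defaultdict(lambda: {"master": None, "errors": [],
                                 "dump_errors": [], "completed": False})
    current = None  # zone whose transfer is in progress on this named
    for line in text.splitlines():
        s = START_RE.search(line)
        if s:
            current = s["zone"]
            zones[current]  # create the entry even if nothing else follows
            continue
        m = XFER_RE.search(line)
        if m:
            current = m["zone"]
            z = zones[current]
            z["master"] = m["master"]
            if m["level"] == "error":
                z["errors"].append(m["msg"])
            elif m["msg"].startswith("Transfer completed"):
                # named logs this even for a failed transfer, so
                # 'completed' alone must not be read as success.
                z["completed"] = True
            continue
        d = DUMP_RE.search(line)
        if d and current is not None:
            # This line carries no zone name; attribute it to the zone
            # whose transfer is currently running.
            zones[current]["dump_errors"].append((d["path"], d["err"]))
    return dict(zones)

def failed_transfers(text):
    """Zones whose transfer failed, with the reason and any unwritable path."""
    out = {}
    for zone, info in parse_xfer_log(text).items():
        if info["errors"]:
            out[zone] = {"master": info["master"],
                         "reason": info["errors"][0],
                         "paths": [p for p, _ in info["dump_errors"]]}
    return out

if __name__ == "__main__":
    for zone, f in failed_transfers(SAMPLE_LOG).items():
        print(f"{zone}: transfer from {f['master']} failed: {f['reason']}; "
              f"could not write: {', '.join(f['paths']) or '-'}")
```

In practice the input is the named log file itself. The path it reports is where named writes the transferred zone (the temp file is created next to the slave zone file), so the thing to verify after a UID/GID change like the one found later in this thread is that the user named actually runs as can write that directory.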
Regarding CNAME Chains
Hi,

From the server I get a response like

    aaa CNAME bbb
    ccc CNAME ddd
    bbb CNAME ccc

The ordering of the CNAME chain is incorrect, ideally it should be like

    aaa CNAME bbb
    bbb CNAME ccc
    ccc CNAME ddd

Is there some RFC which prohibits the configuration of CNAME chains as given in the first example, i.e. CNAME chains not in order? I tried to search on the internet, and could come up with this paragraph in RFC 2308 (DNS NCACHE):

    QNAME - the name in the query section of an answer, or where this resolves to a CNAME, or CNAME chain, the data field of the last CNAME. The last CNAME in this sense is that which contains a value which does not resolve to another CNAME. Implementations should note that including CNAME records in responses in order, so that the first has the label from the query section, and then each in sequence has the label from the data section of the previous (where more than one CNAME is needed) allows the sequence to be processed in one pass, and considerably eases the task of the receiver.

It would be a great help if it can be confirmed that resolvers can expect CNAME chains to be in order.

Thanks
Regards
Ashwin
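The RFC 2308 text quoted above only says that in-order CNAMEs "considerably ease the task of the receiver"; it does not forbid the other order. A receiver that wants to be robust therefore rebuilds the chain by owner-name lookup rather than trusting the order on the wire. Here is an added example of that, my code and not taken from any resolver or from the poster: it takes the out-of-order answer from the question, returns the chain in query order, and rejects loops and conflicting CNAME RRs. Records are (owner, target) tuples and the sample answer is constructed from the question; the function names are this example's own.

```python
"""Rebuild a CNAME chain from an answer whose CNAME RRs are in arbitrary order.

Added example for the CNAME-ordering question above; not code from any
resolver. Records are (owner, target) tuples.
"""

class CnameChainError(ValueError):
    """Raised for a CNAME loop, an over-long chain, or conflicting CNAME RRs."""

def order_cname_chain(qname, cname_rrs, max_depth=16):
    """Return the chain as an ordered list of (owner, target) starting at qname.

    The chain is followed by looking each name up among the RR owners, so
    the order in which the RRs arrived does not matter.
    """
    by_owner = {}
    for owner, target in cname_rrs:
        owner, target = owner.lower(), target.lower()
        # A name owns exactly one CNAME RR; two different targets for the
        # same owner is a malformed answer, not something to pick from.
        if by_owner.get(owner, target) != target:
            raise CnameChainError(f"conflicting CNAME RRs for {owner}")
        by_owner[owner] = target

    chain, seen, name = [], set(), qname.lower()
    while name in by_owner:
        if name in seen:
            raise CnameChainError(f"CNAME loop at {name}")
        if len(chain) >= max_depth:
            raise CnameChainError(f"CNAME chain longer than {max_depth}")
        seen.add(name)
        chain.append((name, by_owner[name]))
        name = by_owner[name]
    return chain

def chain_target(qname, cname_rrs):
    """The data field of the 'last CNAME' in the RFC 2308 sense, or qname
    itself when no CNAME applies."""
    chain = order_cname_chain(qname, cname_rrs)
    return chain[-1][1] if chain else qname.lower()

def has_cname_loop(qname, cname_rrs):
    """True when the chain from qname cannot be followed to an end
    (loop, over-long chain, or conflicting RRs)."""
    try:
        order_cname_chain(qname, cname_rrs)
    except CnameChainError:
        return True
    return False

# Constructed sample: the out-of-order answer from the question above.
UNORDERED = [("aaa", "bbb"), ("ccc", "ddd"), ("bbb", "ccc")]

if __name__ == "__main__":
    for owner, target in order_cname_chain("aaa", UNORDERED):
        print(f"{owner} CNAME {target}")
    print("final target:", chain_target("aaa", UNORDERED))
```

The depth limit is there because a resolver must bound the work an answer can make it do; the exact value is this example's choice.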
dnssec-keygen is waiting endless...
Hello *;

I am retrying to setup DNSSEC but I have a problem with:

    dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tamay-dogan.net

because if I issue the command, it waits forever and nothing happens. What can this be?

Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version 1:9.7.0.dfsg.P1-1~bpo50+1

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: dnssec-keygen is waiting endless...
On Fri, 28 May 2010, Michelle Konzack wrote:

> Hello *;
>
> I am retrying to setup DNSSEC but I have a problem with:
>
>     dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tamay-dogan.net
>
> because if I issue the command, it waits forever and nothing happens. What can this be?
>
> Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version 1:9.7.0.dfsg.P1-1~bpo50+1

My bet is that this is a VM and you have no entropy. Either generate some entropy (eg run in parallel something like: find / -type f | xargs grep KSdgajkgdaksdga) or create the keys on real iron instead of a VM.

Paul
RE: dnssec-keygen is waiting endless...
Or it is a chroot jail and it does not have a source of entropy

-----Original Message-----
From: bind-users-bounces+j.tavares=f5@lists.isc.org [mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Paul Wouters
Sent: Friday, May 28, 2010 9:34 AM
To: Michelle Konzack
Cc: Bind Users
Subject: Re: dnssec-keygen is waiting endless...

On Fri, 28 May 2010, Michelle Konzack wrote:

> Hello *;
>
> I am retrying to setup DNSSEC but I have a problem with:
>
>     dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tamay-dogan.net
>
> because if I issue the command, it waits forever and nothing happens. What can this be?
>
> Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version 1:9.7.0.dfsg.P1-1~bpo50+1

My bet is that this is a VM and you have no entropy. Either generate some entropy (eg run in parallel something like: find / -type f | xargs grep KSdgajkgdaksdga) or create the keys on real iron instead of a VM.

Paul
Re: dnssec-keygen is waiting endless...
Hello Paul,

On 2010-05-28 12:34:16, you hacked down the following:
> My bet is that this is a VM and you have no entropy. Either generate some entropy (eg run in parallel something like: find / -type f | xargs grep KSdgajkgdaksdga) or create the keys on real iron instead of a VM.

No, this is a real machine: AMD Sempron 2200+ (Socket A) with 3 GByte of memory and only a standard Debian installation.

The thing with the find does not work...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: dnssec-keygen is waiting endless...
On Fri, May 28, 2010 at 10:41 AM, Michelle Konzack <linux4miche...@tamay-dogan.net> wrote:
> Hello Paul,
>
> On 2010-05-28 12:34:16, you hacked down the following:
> > My bet is that this is a VM and you have no entropy. Either generate some entropy (eg run in parallel something like: find / -type f | xargs grep KSdgajkgdaksdga) or create the keys on real iron instead of a VM.
>
> No, this is a real machine: AMD Sempron 2200+ (Socket A) with 3 GByte of memory and only a standard Debian installation.
>
> The thing with the find does not work...

Running 'cat /proc/sys/kernel/random/entropy_avail' should show you what your available entropy is during the keygen process. There are a variety of things you can do to increase the size of the entropy pool, but if you're willing to accept less entropy at this point to get things going, pass '-r /dev/urandom' to dnssec-keygen (see 'man urandom').

Regards,
Casey
Re: dnssec-keygen is waiting endless...
Hi again,

On 2010-05-28 10:36:51, you hacked down the following:
> Or it is a chroot jail and it does not have a source of entropy

AFAIK a chroot gives a false impression that bind could be more secure...

Currently I need to secure my bind9 since I had a massive attack on my dns1 which is the master. Also I have had more than 30 million queries in less than one week and bind9 has eaten around 2.4 GByte of memory...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
RE: dnssec-keygen is waiting endless...
Disregard my statement. An incorrect chroot setup will affect the named executable, but not dnssec-keygen.

-----Original Message-----
From: bind-users-bounces+j.tavares=f5@lists.isc.org [mailto:bind-users-bounces+j.tavares=f5@lists.isc.org] On Behalf Of Michelle Konzack
Sent: Friday, May 28, 2010 11:22 AM
To: bind-users@lists.isc.org
Subject: Re: dnssec-keygen is waiting endless...

Hello Jack,

On 2010-05-28 10:36:51, you hacked down the following:
> Or it is a chroot jail and it does not have a source of entropy

Ehm no... sigh

Where must this entropy be?

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: dnssec-keygen is waiting endless...
> Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version 1:9.7.0.dfsg.P1-1~bpo50+1

I get the same problem on Ubuntu, which is Debian-based. /dev/random runs out of entropy rapidly and takes a long time to recover.

Using dnssec-keygen -r /dev/urandom will make it finish much faster, but that uses a pseudo-random number generator instead of true randomness, so it's not the best choice from the paranoid crypto viewpoint. I often use it for test zones and such. If I needed a proper bulletproof key on an Ubuntu box, and I didn't want to wait a long time for it, I'd probably generate the key on some other system and copy it over.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
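Two pieces of advice in this thread fit together: Casey's check of /proc/sys/kernel/random/entropy_avail and Evan's note that -r /dev/urandom finishes fast at the cost of a less conservative randomness source. Here is an added example that combines them, my code and not part of BIND: it reads the pool size, builds the dnssec-keygen argument vector, and only adds -r /dev/urandom when the pool is starved and the caller has explicitly opted in, so the fallback is a decision rather than a default. The 512-bit threshold, the function names and the zone name "zone.example" are this example's own choices; the algorithm and key size default to the ones used in the thread's command and should be chosen per current guidance.

```python
"""Check kernel entropy before running dnssec-keygen and build the command.

Added example for the entropy discussion above; not part of BIND. The
threshold, function names and placeholder zone name are this example's own.
"""
import shlex

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"

def parse_entropy(text):
    """Turn the file's contents ('128\\n') into an int, or None if not numeric."""
    text = text.strip()
    return int(text) if text.isdigit() else None

def read_entropy_avail(path=ENTROPY_AVAIL):
    """Bits in the kernel pool right now; None where the file does not exist
    (non-Linux hosts, or a chroot without /proc)."""
    try:
        with open(path) as f:
            return parse_entropy(f.read())
    except OSError:
        return None

def keygen_argv(zone, entropy_bits, *, algorithm="RSASHA1", bits=1024,
                min_entropy=512, allow_urandom=False):
    """Return (argv, starved) for dnssec-keygen.

    'starved' means the pool is below min_entropy (or unknown), so a key
    drawn from /dev/random is likely to block. /dev/urandom is only used
    when the caller opts in, because it trades waiting for a less
    conservative source, as the thread says.
    """
    argv = ["dnssec-keygen", "-a", algorithm, "-b", str(bits), "-n", "ZONE"]
    starved = entropy_bits is None or entropy_bits < min_entropy
    if starved and allow_urandom:
        argv += ["-r", "/dev/urandom"]
    argv.append(zone)
    return argv, starved

def plan_keygen(zone, allow_urandom=False):
    """Decide the command for this host and explain a likely block."""
    entropy = read_entropy_avail()
    argv, starved = keygen_argv(zone, entropy, allow_urandom=allow_urandom)
    if starved and not allow_urandom:
        print(f"warning: entropy_avail={entropy}; dnssec-keygen will block "
              f"until the pool refills (or pass allow_urandom=True)")
    return argv

if __name__ == "__main__":
    # "zone.example" is a placeholder, not a zone from the thread.
    print(shlex.join(plan_keygen("zone.example", allow_urandom=True)))
```

The script prints the command rather than running it, so it can be reviewed in a change log before a key is generated. On current Linux kernels /dev/random no longer blocks once the pool has been initialised at boot, so the starvation branch matters mainly on older systems like the 2010-era ones in this thread.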
Re: dnssec-keygen is waiting endless...
Hello Casey,

On 2010-05-28 11:15:30, you hacked down the following:
> Running 'cat /proc/sys/kernel/random/entropy_avail' should show you what your available entropy is during the keygen process.

It shows me a number between 0 and several hundred.

> There are a variety of things you can do to increase the size of the entropy pool, but if you're willing to accept less entropy at this point to get things going, pass '-r /dev/urandom' to dnssec-keygen (see 'man urandom').

This is working for now...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: dnssec-keygen is waiting endless...
On Fri, May 28, 2010 at 11:25 AM, Michelle Konzack <linux4miche...@tamay-dogan.net> wrote:
> Currently I need to secure my bind9 since I had a massive attack on my dns1 which is the master. Also I have had more than 30 million queries in less than one week and bind9 has eaten around 2.4 GByte of memory...

DNSSEC is for securing your namespace, not your server. With DNSSEC a validating resolver can prove the authenticity of an answer it receives, but that won't help with attacks targeting your name server. If you're looking to secure your server, you'll need to take other security measures with regards to server/firewall configuration.

Regards,
Casey
Re: dnssec-keygen is waiting endless...
Hello Evan,

On 2010-05-28 18:33:14, you hacked down the following:
> > Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version 1:9.7.0.dfsg.P1-1~bpo50+1
>
> I get the same problem on Ubuntu, which is Debian-based. /dev/random runs out of entropy rapidly and takes a long time to recover.

I have tried it on Debian Etch, Lenny and Sid with the same result... On all three machines I have to use -r /dev/urandom which is really weird.

> Using dnssec-keygen -r /dev/urandom will make it finish much faster, but that uses a pseudo-random number generator instead of true randomness, so it's not the best choice from the paranoid crypto viewpoint. I often use it for test zones and such. If I needed a proper bulletproof key on an Ubuntu box, and I didn't want to wait a long time for it, I'd probably generate the key on some other system and copy it over.

:-)

I have 38.000 Zones and on my AMD Sempron 2200+ with 3 GByte of memory it takes around 40 seconds to create ONE signed zone from a script. This means, if I want to sign 38.000 zones it will run 18 days...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: dnssec-keygen is waiting endless...
On 05/28/10 13:53, Michelle Konzack wrote:
> Hello Evan,
>
> On 2010-05-28 18:33:14, you hacked down the following:
> > > Operating System is Debian GNU/Linux 5.0 Lenny with bind9 in version 1:9.7.0.dfsg.P1-1~bpo50+1
> >
> > I get the same problem on Ubuntu, which is Debian-based. /dev/random runs out of entropy rapidly and takes a long time to recover.
>
> I have tried it on Debian Etch, Lenny and Sid with the same result... On all three machines I have to use -r /dev/urandom which is really weird.
> ...
> :-)
>
> I have 38.000 Zones and on my AMD Sempron 2200+ with 3 GByte of memory it takes around 40 seconds to create ONE signed zone from a script. This means, if I want to sign 38.000 zones it will run 18 days...

If you're planning to do production DNSSEC on Linux you really need to configure an entropy gathering daemon in order to properly seed your /dev/random device. You should be able to find resources for doing this on line, or in a help forum for your particular brand(s) of Linux.

You might also consider evaluating FreeBSD for your name servers, it comes with properly configured entropy gathering right out of the box, and our implementation of /dev/random uses a PRNG method that hands out high-quality random bits with very little danger of running out.

hth,

Doug

--
... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
Re: Automated DNSSEC (command line)
On 05/28/10 14:18, Michelle Konzack wrote:
> Hello DNSSEC Experts,
>
> I am ongoing to install 4 new Name Servers and increase my registrar and hosting service...
>
> OK, I have tried to make my own 4 domains with 16 zones signed and it took me one hour of my life! Since I have to re-sign the zones if something changes it will give me headaches up to the end of my life, so my question is: Is there a command line tool (or a daemon) which checks for changes and re-signs the zone automated?

Check out zkt (http://www.hznet.de/dns/zkt/). There are a few more involved tools out there, but zkt sounds like what you want.

> I can not believe, that you are signing each zone by hand! :-D

*I'm* not. :) (I use a combination of zkt and the BIND tools in an automated script.)

> Can an expert please check 'dig ANY tamay-dogan.net' whether this is right?

Looks good to me. The sigs seem to be within their validity interval, but there doesn't appear to be a DLV record in dlv.isc.org, so I can't validate. (Actually, I *could* snarf the ksk from the ANY query and manually configure it as a trust anchor, but I am lazy. Moreover, that won't tell us if something goes wrong if/when you publish a trust-anchor DLV record or DS record, when NET becomes signed.)

> Also I am not really sure whether I need dnssec-validation yes in my options.

For authoritative service, you don't need it. Only if you're running a validating nameserver do you need it, and it's 'yes' by default in recent versions of BIND. You still need to configure a trust anchor (or anchors) if you want to do validation.

michael
Re: Automated DNSSEC (command line)
On Fri, May 28, 2010 at 2:18 PM, Michelle Konzack <linux4miche...@tamay-dogan.net> wrote:
> Hello DNSSEC Experts,
>
> I am ongoing to install 4 new Name Servers and increase my registrar and hosting service...
>
> OK, I have tried to make my own 4 domains with 16 zones signed and it took me one hour of my life! Since I have to re-sign the zones if something changes it will give me headaches up to the end of my life, so my question is: Is there a command line tool (or a daemon) which checks for changes and re-signs the zone automated?

Yes, and you really should use one. The two most important things with signed zones are that your signatures don't expire, and that the right DNSSEC RRs are included in the zone. So not only does it need to be resigned after changes (to include the proper DNSSEC RRs), but also periodically to make sure signatures don't expire. Here are a few of the tools written for that purpose:

http://dnssec-tools.org/
http://www.opendnssec.org/
http://www.hznet.de/dns/zkt/
http://zonetool.sourceforge.net/

> I can not believe, that you are signing each zone by hand! :-D
>
> Can an expert please check 'dig ANY tamay-dogan.net' whether this is right?

Looks okay to me. Here's what your signed zone looks like visually:

http://dnsviz.net/d/tamay-dogan.net/dnssec/

Although, it looks like you perhaps didn't increment the zone serial, as only one of your authoritative servers is running a signed version of the zone.

> Also I am not really sure whether I need dnssec-validation yes in my options.

No, this is only for resolvers that are validating answers, not authoritative servers that are serving signed zones. Of course, if you're using the server for both and you would like to enable validation (i.e., of other signed zones), then you'll need to enable validation and establish some trusted keys as anchors.

Regards,
Casey
Re: Automated DNSSEC (command line)
Hello Michael,

On 2010-05-28 14:40:30, you hacked down the following:
> Check out zkt (http://www.hznet.de/dns/zkt/). There are a few more involved tools out there, but zkt sounds like what you want.

OK...

> > Can an expert please check 'dig ANY tamay-dogan.net' whether this is right?
>
> Looks good to me. The sigs seem to be within their validity interval, but there doesn't appear to be a DLV record in dlv.isc.org, so I

Right, it was set up for some hours in an experiment and is currently not set up with DLV.

> can't validate. (Actually, I *could* snarf the ksk from the ANY query and manually configure it as a trust anchor, but I am lazy. Moreover, that won't tell us if something goes wrong if/when you publish a trust-anchor DLV record or DS record, when NET becomes signed.)

I have some problems with understanding "DNSSEC in 6 Minutes" from ISC.

> default in recent versions of BIND. You still need to configure a trust anchor (or anchors) if you want to do validation.

This is what I have not understood currently...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: Automated DNSSEC (command line)
Hello Casey,

On 2010-05-28 14:43:54, you hacked down the following:
> Yes, and you really should use one. The two most important things with signed zones are that your signatures don't expire, and that the right DNSSEC RRs are included in the zone. So not only does it need to be resigned after changes (to include the proper DNSSEC RRs), but also periodically to make sure signatures don't expire. Here are a few of the tools written for that purpose:
>
> http://dnssec-tools.org/
> http://www.opendnssec.org/
> http://www.hznet.de/dns/zkt/
> http://zonetool.sourceforge.net/

Wow, I have to check the most suitable for me.

> Looks okay to me. Here's what your signed zone looks like visually:
>
> http://dnsviz.net/d/tamay-dogan.net/dnssec/

Cool tool...

> Although, it looks like you perhaps didn't increment the zone serial, as only one of your authoritative servers is running a signed version of the zone.

Now I have a problem with it because HOW can I increase the serial number in this big file? In the old unsigned file I was working with a script, but now I know nothing anymore.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: Automated DNSSEC (command line)
Hello again,

On 2010-05-28 14:43:54, you hacked down the following:
> Looks okay to me. Here's what your signed zone looks like visually:
>
> http://dnsviz.net/d/tamay-dogan.net/dnssec/
>
> Although, it looks like you perhaps didn't increment the zone serial, as only one of your authoritative servers is running a signed version of the zone.

I have updated the serial number manually and it just updated dns2...

OK, now I have tried the second zone

    http://dnsviz.net/d/itsystems.tamay-dogan.net/dnssec/

but it tells me:

    RRSIG itsystems.tamay-dogan.net/SOA by 005+19470: Signature is bogus

really weird, because the zone is like the others. How can I check this?

Thanks, Greetings and nice Day/Evening
Michelle Konzack
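The two messages above ask how to bump the serial of a signed zone by script, and then report a bogus RRSIG over the SOA. Those are connected: the SOA RRSIG covers the serial field, so editing the serial in an already signed file leaves that signature invalid until the zone is signed again. The place to bump the serial is therefore the unsigned source file, before dnssec-signzone runs (or, as the later replies describe, named maintains both for a dynamic zone). Here is an added example of the bump step, my code and not a BIND tool: it finds the SOA serial whether the record is on one line or in the usual parenthesised multi-line form, applies the YYYYMMDDnn convention without ever moving the serial backwards, and returns the rewritten text. The sample zone text is constructed; the function names are this example's own.

```python
"""Bump the SOA serial of an unsigned zone file before re-signing it.

Added example for the serial-number question above; not a BIND tool.
"""
import datetime
import re

def _strip_comment(line):
    """Drop a ';' comment; the kept prefix keeps its original offsets."""
    return line.split(";", 1)[0]

def find_serial(lines):
    """Locate the SOA serial: return (line_index, start, end) or None.

    Walks the tokens after 'SOA', skips MNAME and RNAME, and takes the first
    numeric token, wherever the line breaks and parentheses fall.
    """
    in_soa, to_skip = False, 2
    for i, line in enumerate(lines):
        toks = list(re.finditer(r"\S+", _strip_comment(line)))
        if not in_soa:
            words = [t.group().upper() for t in toks]
            if "SOA" not in words:
                continue
            in_soa = True
            toks = toks[words.index("SOA") + 1:]
        for t in toks:
            tok, start = t.group(), t.start()
            if tok.startswith("("):          # "(" may be glued to a token
                tok, start = tok[1:], start + 1
            if not tok or tok == ")":
                continue
            if to_skip:                      # MNAME, then RNAME
                to_skip -= 1
                continue
            if tok.isdigit():
                return i, start, start + len(tok)
            return None                      # not a serial where one belongs
    return None

def next_serial(current, today):
    """YYYYMMDDnn convention: first change of the day is today+'01'; a serial
    already at or past that just increments, so it never moves backwards."""
    candidate = int(today + "01")
    return candidate if current < candidate else current + 1

def bump_serial(zone_text, today=None):
    """Return (new_zone_text, old_serial, new_serial); raise if no SOA serial."""
    today = today or datetime.date.today().strftime("%Y%m%d")
    lines = zone_text.splitlines(keepends=True)
    loc = find_serial(lines)
    if loc is None:
        raise ValueError("no SOA serial found in zone text")
    i, start, end = loc
    old = int(lines[i][start:end])
    new = next_serial(old, today)
    lines[i] = lines[i][:start] + str(new) + lines[i][end:]
    return "".join(lines), old, new

# Constructed sample zones (zone.example is a placeholder name).
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA ns1.zone.example. hostmaster.zone.example. (
        2010052801 ; serial
        7200       ; refresh
        900        ; retry
        1209600    ; expire
        3600 )     ; minimum
    IN  NS  ns1.zone.example.
ns1 IN  A   192.0.2.1
"""
ONE_LINE_SOA = "@ IN SOA ns1.zone.example. hostmaster.zone.example. 5 7200 900 1209600 3600\n"

if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE, today="20100528")
    print(f"serial {old} -> {new}")
    print(text)
```

Write the result back to the unsigned zone file and re-sign; the signed output then carries a consistent SOA and SOA RRSIG, and secondaries pick up the new serial on the next refresh or NOTIFY.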
Re: Automated DNSSEC (command line)
Hello Mark,

On 2010-05-29 09:06:40, you hacked down the following:
> You can just let named re-sign the zone for you. Treat the zones as dynamic and named from BIND 9.6 onwards will maintain the signatures for you.

What do you mean with "Treat the zones as dynamic"? Is there a special option?

> Use nsupdate to change the contents of the zone.

OK. I have to change my scripts to use nsupdate, but as I have understood it, you can not add NEW hosts to a zone through nsupdate (has never worked) or has it changed now?

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: Automated DNSSEC (command line)
In message <20100529001832.gb4...@tamay-dogan.net>, Michelle Konzack writes:
> Hello Mark,
>
> On 2010-05-29 09:06:40, you hacked down the following:
> > You can just let named re-sign the zone for you. Treat the zones as dynamic and named from BIND 9.6 onwards will maintain the signatures for you.
>
> What do you mean with "Treat the zones as dynamic"? Is there a special option?

Add allow-update or update-policy clause. BIND 9.7.0 supports "update-policy local;" and "nsupdate -l" talks via it.

> > Use nsupdate to change the contents of the zone.
>
> OK. I have to change my scripts to use nsupdate, but as I have understood it, you can not add NEW hosts to a zone through nsupdate (has never worked) or has it changed now?

You make any change you want to a zone via nsupdate and this has always been the case. You just can't create or destroy the zone. DHCP servers have been adding and deleting hosts for years using UPDATE.

> Thanks, Greetings and nice Day/Evening
> Michelle Konzack

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org