Re: problem validate key of isc dlv
On 03/21/11 02:13, fakessh @ wrote:
> Yes, I bothered to redeploy new keys, fields TXT, a new signature.
> and more on a new rehabilitation isc dlv.
> I still get the same error
>
> nb : Simply debuggers dnssec still provide all kinds of results

And that's probably the main problem. Two of your nameservers have either disabled DNSSec, or don't support it at all:

Correct answer:

$ dig +dnssec +norecurse +noall +answer dnskey fakessh.eu @r13151.ovh.net.
fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
fakessh.eu. 38400 IN RRSIG DNSKEY 5 2 38400 20110419151040 20110320151040 10231 fakessh.eu. VeCJRPlvC6gr+3f/OuMCrFQR42oQkDxJ7nTfLcJMH2XwPyvBOdR/nv55 ZSs5wJ5Bl5CKAZjMRyWrUtM/wSGdTw==
fakessh.eu. 38400 IN RRSIG DNSKEY 5 2 38400 20110419151040 20110320151040 30111 fakessh.eu. Y1DqOwGfRTxNdFruvOSalp8pVy+FWd/G+pqs+Qu4tkkLvanHcTisDSXA JqbKvZpRrwGoL9o+5wKwPisDDqtf6g==

And incorrect (note missing RRSIGs):

dig +dnssec +noall +answer dnskey fakessh.eu @ns0.xname.org.
fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=

dig +dnssec +noall +answer dnskey fakessh.eu @ns2.xname.org.
fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYEA
fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8A

ISC doesn't publish your DLV record, because it has to see a consistent view of your zone. And it doesn't, as you have missing RRSIGs from some nameservers.
Either convince admins to deploy DNSSec or drop those nameservers. Then it should work.
Torinthiel

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
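Added example, not part of the original message: a Python check for the condition described above, that every authoritative server returns the same DNSKEY RRset together with RRSIGs covering it. The zone, server names, key tags and key data are constructed placeholders; `parse_answer` and `audit` are names chosen for this example.

```python
"""Flag authoritative servers whose DNSKEY answer is unsigned or inconsistent."""

# Constructed `dig +dnssec +norecurse +noall +answer dnskey <zone> @<ns>` output,
# keyed by nameserver. Names, key tags and key data are placeholders.
SAMPLE = {
    "ns-signed.example.net.": """\
example.org. 38400 IN DNSKEY 257 3 5 CONSTRUCTED KSKDATA=
example.org. 38400 IN DNSKEY 256 3 5 CONSTRUCTED ZSKDATA=
example.org. 38400 IN RRSIG DNSKEY 5 2 38400 20110419000000 20110320000000 11111 example.org. CONSTRUCTEDSIG1==
example.org. 38400 IN RRSIG DNSKEY 5 2 38400 20110419000000 20110320000000 22222 example.org. CONSTRUCTEDSIG2==
""",
    "ns-unsigned.example.net.": """\
example.org. 38400 IN DNSKEY 256 3 5 CONSTRUCTED ZSKDATA=
example.org. 38400 IN DNSKEY 257 3 5 CONSTRUCTED KSKDATA=
""",
}


def parse_answer(text):
    """Return (DNSKEY rdata set, key tags of the RRSIGs covering DNSKEY)."""
    keys, tags = set(), set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[2:4] == ["IN", "DNSKEY"]:
            # flags, protocol, algorithm, then base64 that dig may print in chunks
            keys.add((f[4], f[5], f[6], "".join(f[7:])))
        elif len(f) >= 13 and f[2:5] == ["IN", "RRSIG", "DNSKEY"]:
            tags.add(int(f[10]))  # key tag field of the RRSIG
    return keys, tags


def audit(answers):
    """Return {nameserver: [problems]} for servers that break the consistent view."""
    parsed = {ns: parse_answer(text) for ns, text in answers.items()}
    all_keys = set().union(*(keys for keys, _ in parsed.values()))
    report = {}
    for ns, (keys, tags) in parsed.items():
        problems = []
        if not keys:
            problems.append("no DNSKEY returned")
        elif keys != all_keys:
            problems.append("DNSKEY RRset differs from other servers")
        if keys and not tags:
            problems.append("DNSKEY returned without RRSIG")
        if problems:
            report[ns] = problems
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```

To use it on a real zone, collect the dig output from each server listed in the zone's NS set and pass it in the same dictionary shape.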
Re: problem validate key of isc dlv
I managed to walk isc dlv with only 2 servers with active dnssec above.
And I quote ns1.novacrea.fr and ns1.xname.org.
It produced no problem before.

On Monday 21 March 2011 at 07:45 +0100, Torinthiel wrote:
> On 03/21/11 02:13, fakessh @ wrote:
> > Yes, I bothered to redeploy new keys, fields TXT, a new signature.
> > and more on a new rehabilitation isc dlv.
> > I still get the same error
> >
> > nb : Simply debuggers dnssec still provide all kinds of results
>
> And that's probably the main problem. Two of your nameservers have either disabled DNSSec, or don't support it at all:
>
> Correct answer:
>
> $ dig +dnssec +norecurse +noall +answer dnskey fakessh.eu @r13151.ovh.net.
> fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
> fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
> fakessh.eu. 38400 IN RRSIG DNSKEY 5 2 38400 20110419151040 20110320151040 10231 fakessh.eu. VeCJRPlvC6gr+3f/OuMCrFQR42oQkDxJ7nTfLcJMH2XwPyvBOdR/nv55 ZSs5wJ5Bl5CKAZjMRyWrUtM/wSGdTw==
> fakessh.eu. 38400 IN RRSIG DNSKEY 5 2 38400 20110419151040 20110320151040 30111 fakessh.eu. Y1DqOwGfRTxNdFruvOSalp8pVy+FWd/G+pqs+Qu4tkkLvanHcTisDSXA JqbKvZpRrwGoL9o+5wKwPisDDqtf6g==
>
> And incorrect (note missing RRSIGs):
>
> dig +dnssec +noall +answer dnskey fakessh.eu @ns0.xname.org.
> fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
> fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
>
> dig +dnssec +noall +answer dnskey fakessh.eu @ns2.xname.org.
> fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYEA
> fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8A
>
> ISC doesn't publish your DLV record, because it has to see a consistent view of your zone. And it doesn't, as you have missing RRSIGs from some nameservers.
> Either convince admins to deploy DNSSec or drop those nameservers. Then it should work.
>
> Torinthiel

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: Need help on DNS reporter
Hi,

Actually I am looking for open source software which can be installed on redhat linux BIND server to generate report from the DNS logs.

Regards
Papdheen M

--- On Sun, 20/3/11, Warren Kumari war...@kumari.net wrote:

> From: Warren Kumari war...@kumari.net
> Subject: Re: Need help on DNS reporter
> To: babu dheen babudh...@yahoo.co.in
> Cc: terry te...@list.dnsbed.com, bind-users@lists.isc.org
> Date: Sunday, 20 March, 2011, 8:10 PM
>
> Enable query logging, then:
>
> cat queries.log | grep 'query: example.com' | awk '{print $6}' | sed 's/#.*//' | sort -n | uniq -c | sort -rn | head -100 | more
>
> or something similar?
>
> W
>
> On Mar 20, 2011, at 10:09 AM, babu dheen wrote:
>
> > Hi,
> >
> > I am getting below status on this command.. Only internal DNS servers are allowed to query our gateway DNS server as client.
> >
> > number of zones: 12
> > debug level: 0
> > xfers running: 0
> > xfers deferred: 0
> > soa queries in progress: 0
> > query logging is ON
> > recursive clients: 1/1000
> > tcp clients: 0/100
> > server is up and running
> >
> > --- On Sun, 20/3/11, terry te...@list.dnsbed.com wrote:
> >
> > > From: terry te...@list.dnsbed.com
> > > Subject: Re: Need help on DNS reporter
> > > To: babu dheen babudh...@yahoo.co.in
> > > Cc: bind-users@lists.isc.org
> > > Date: Sunday, 20 March, 2011, 12:42 PM
> > >
> > > How will rndc status take something good for you?
> > >
> > > 2011/3/20 babu dheen babudh...@yahoo.co.in
> > >
> > > > Hi,
> > > >
> > > > Can anyone let me know is there any open source software available to generate report for DNS service based on DNS BIND query logs.
> > > >
> > > > We have BIND DNS running RHEL 5.0. Would like to generate report based on its logs so that we can identify list of clients querying external domains and its query count.
> > > >
> > > > Many clients in our company infected with malware which thus send unnecessary query to remote external domain (non available domain). So if we have any software which can generate the report from DNS BIND logs, will be very helpful.
> > > >
> > > > Regards
> > > > Babu
> > >
> > > --
> > > www.DNSbed.com
Not Exact error
Can someone tell me the cause of the not exact error and how to troubleshoot?

21-Mar-2011 11:01:24.931 xfer-in: error: transfer of '219.130.IN-ADDR.ARPA/IN' from 130.219.31.5#53: failed while receiving responses: not exact

After this message appears, a retry on the transfer runs error free.

Thanks,
Steve
Re: Need help on DNS reporter
What's more open source than a one line shell script? It is too simple to spend the time packaging it for rh linux. Try running this against your query logs to see if it does what you want then tweak it as needed.

If all else fails look at DNSTOP. Simple single purpose tool that may fit your need, depending on what your need is. Don't know if it is packaged specifically for linux but building from source is easy.

Sent from Garminfone by T-Mobile.

babu dheen babudh...@yahoo.co.in wrote:

> Hi,
>
> Actually I am looking for open source software which can be installed on redhat linux BIND server to generate report from the DNS logs.
>
> Regards
> Papdheen M
>
> --- On Sun, 20/3/11, Warren Kumari war...@kumari.net wrote:
>
> > From: Warren Kumari war...@kumari.net
> > Subject: Re: Need help on DNS reporter
> > To: babu dheen babudh...@yahoo.co.in
> > Cc: terry te...@list.dnsbed.com, bind-users@lists.isc.org
> > Date: Sunday, 20 March, 2011, 8:10 PM
> >
> > Enable query logging, then:
> >
> > cat queries.log | grep 'query: example.com' | awk '{print $6}' | sed 's/#.*//' | sort -n | uniq -c | sort -rn | head -100 | more
> >
> > or something similar?
> >
> > W
> >
> > On Mar 20, 2011, at 10:09 AM, babu dheen wrote:
> >
> > > Hi,
> > >
> > > I am getting below status on this command.. Only internal DNS servers are allowed to query our gateway DNS server as client.
> > >
> > > number of zones: 12
> > > debug level: 0
> > > xfers running: 0
> > > xfers deferred: 0
> > > soa queries in progress: 0
> > > query logging is ON
> > > recursive clients: 1/1000
> > > tcp clients: 0/100
> > > server is up and running
> > >
> > > --- On Sun, 20/3/11, terry te...@list.dnsbed.com wrote:
> > >
> > > > From: terry te...@list.dnsbed.com
> > > > Subject: Re: Need help on DNS reporter
> > > > To: babu dheen babudh...@yahoo.co.in
> > > > Cc: bind-users@lists.isc.org
> > > > Date: Sunday, 20 March, 2011, 12:42 PM
> > > >
> > > > How will rndc status take something good for you?
> > > >
> > > > 2011/3/20 babu dheen babudh...@yahoo.co.in
> > > >
> > > > > Hi,
> > > > >
> > > > > Can anyone let me know is there any open source software available to generate report for DNS service based on DNS BIND query logs.
> > > > >
> > > > > We have BIND DNS running RHEL 5.0. Would like to generate report based on its logs so that we can identify list of clients querying external domains and its query count.
> > > > >
> > > > > Many clients in our company infected with malware which thus send unnecessary query to remote external domain (non available domain). So if we have any software which can generate the report from DNS BIND logs, will be very helpful.
> > > > >
> > > > > Regards
> > > > > Babu
> > > >
> > > > --
> > > > www.DNSbed.com
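Added example, not part of the original thread: a Python version of the report asked for above, counting per client the queries for names outside the site's own zones and how many distinct external names each client asked for. The log lines, the `corp.example.` internal suffix and the function names are constructed for this example; the line layout assumed is the one the one-liner's `$6` implies (timestamp, category, severity, then `client ip#port:`).

```python
"""Per-client report of external lookups from BIND query logs."""
import re
from collections import Counter, defaultdict

# Assumption: zones we serve ourselves; every other name counts as external.
INTERNAL_SUFFIXES = ("corp.example.",)

# Matches "client <ip>#<port>: query: <name> <class> <type>"; the optional
# parts cover log variants that add "@0x...", "(name)" or "view x:".
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
20-Mar-2011 10:00:01.100 queries: info: client 10.1.1.20#40001: query: rnd1.example.net IN A +
20-Mar-2011 10:00:01.200 queries: info: client 10.1.1.20#40002: query: rnd2.example.net IN A +
20-Mar-2011 10:00:02.000 queries: info: client 10.1.1.30#40100: query: www.example.com IN A +
20-Mar-2011 10:00:02.500 queries: info: client 10.1.1.20#40003: query: rnd3.example.net IN A +
20-Mar-2011 10:00:03.000 queries: info: client 10.1.1.30#40101: query: intranet.corp.example IN A +
20-Mar-2011 10:00:03.100 queries: info: client 10.1.1.20#40004: query: RND1.example.net IN A +
20-Mar-2011 10:00:04.000 queries: info: client 10.1.1.30#40102: query: www.example.com IN AAAA +
20-Mar-2011 10:00:05.000 queries: info: client 10.1.1.40#40200: query: mail.corp.example IN MX +
20-Mar-2011 10:00:06.000 general: info: zone corp.example/IN: loaded serial 2011032001
"""


def is_internal(name):
    name = name.lower().rstrip(".") + "."
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


def external_report(lines, top=100):
    """Return [(client_ip, external_queries, distinct_external_names)], busiest first."""
    counts = Counter()
    names = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or is_internal(m["name"]):
            continue  # not a query line, or a lookup in our own zones
        counts[m["ip"]] += 1
        names[m["ip"]].add(m["name"].lower())
    return [(ip, n, len(names[ip])) for ip, n in counts.most_common(top)]


if __name__ == "__main__":
    for ip, total, distinct in external_report(SAMPLE_LOG.splitlines()):
        print(f"{total:6d} queries {distinct:6d} names  {ip}")
```

A client with a high count spread over many distinct external names is the pattern worth looking at first when hunting for infected hosts.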
Re: Not Exact error
In message f7c01ac623c2bd48a4b5a1e91ba1dc562456c33...@2008mbx.utmck.edu, Davenport, Steve M writes:
> Can someone tell me the cause of the not exact error and how to troubleshoot?
>
> 21-Mar-2011 11:01:24.931 xfer-in: error: transfer of '219.130.IN-ADDR.ARPA/IN' from 130.219.31.5#53: failed while receiving responses: not exact
>
> After this message appears, a retry on the transfer runs error free.
>
> Thanks,
> Steve

Not exact indicates that the nameserver found a change in an IXFR delta which it could not apply to the cleanly.

It got asked to remove a record which didn't exist.
It got asked to add a record that already existed.
The TTL of the added record doesn't match that of the existing records of the RRset.

If named detects an anomaly like this it just re-transfers the zone.

The following bug fix addresses one potential cause of these messages. The fix is currently available in the following releases: 9.6.3, 9.7.3 and 9.8.0.

3007.   [bug]           Named failed to preserve the case of domain names in
                        rdata which is not compressible when writing master
                        files.  [RT #22863]

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
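Added example, not part of the original message and not BIND's code: a small Python model of the three checks listed above and of the fallback to a full transfer. The zone representation, the constructed reverse-zone record and the names `NotExact`, `apply_delta` and `refresh` are assumptions made for this example; rdata is compared as an exact string.

```python
"""Applying an IXFR delta with exactness checks and falling back to a full transfer."""

# Constructed zone copy: (owner, rrtype) -> (ttl, set of rdata strings).
ZONE = {("1.2.0.192.in-addr.arpa.", "PTR"): (3600, {"a.example.org."})}


class NotExact(Exception):
    """The delta does not fit the zone copy we hold."""


def apply_delta(zone, deletes, adds):
    """Apply one difference sequence and return the new zone.

    deletes and adds are lists of (owner, rrtype, ttl, rdata). The input zone
    is copied first, so a delta that fails part way changes nothing.
    """
    new = {key: (ttl, set(rdatas)) for key, (ttl, rdatas) in zone.items()}
    for owner, rrtype, _ttl, rdata in deletes:
        key = (owner.lower(), rrtype)
        if key not in new or rdata not in new[key][1]:
            raise NotExact(f"asked to remove a missing record: {owner} {rrtype} {rdata}")
        new[key][1].discard(rdata)
        if not new[key][1]:
            del new[key]  # last record gone, the RRset disappears
    for owner, rrtype, ttl, rdata in adds:
        key = (owner.lower(), rrtype)
        cur_ttl, cur = new.setdefault(key, (ttl, set()))
        if rdata in cur:
            raise NotExact(f"asked to add an existing record: {owner} {rrtype} {rdata}")
        if ttl != cur_ttl:
            raise NotExact(f"TTL {ttl} does not match RRset TTL {cur_ttl}: {owner} {rrtype}")
        cur.add(rdata)
    return new


def refresh(zone, deletes, adds, full_transfer):
    """Try the incremental update; on NotExact re-transfer the whole zone."""
    try:
        return apply_delta(zone, deletes, adds), "ixfr"
    except NotExact:
        return full_transfer(), "axfr"


if __name__ == "__main__":
    key = ("1.2.0.192.in-addr.arpa.", "PTR")
    clean = refresh(ZONE, [key + (3600, "a.example.org.")], [key + (3600, "b.example.org.")], dict)
    stale = refresh(ZONE, [key + (3600, "gone.example.org.")], [], dict)
    print(clean[1], stale[1])
```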