Re: split horizon and zone transfers to secondary DNS servers

2011-11-25 Thread Jan-Piet Mens
> May I transfer *views* rather than zone description files? No. That's why it is called "zone" transfer. :) > May I transfer two zone description files for a single zone to a > single server? Again no. (See previous thread on your request to serve two zone files for the same zone in the one vi

split horizon and zone transfers to secondary DNS servers

2011-11-25 Thread Marek Kozlowski
:-) I have defined two views (let's call them an `internal' and an `external') for my zones on the primary DNS server. Let's assume I'd like the secondary DNS server to use the same two views synchronized to the primary DNS. May I transfer *views* rather than zone description files? May I transfer

Re: multiple `zone' clauses for a single domain?

2011-11-25 Thread Jan-Piet Mens
> The documentation for `match-clients' isn't comprehensive enough... Can > I add all host from, for example 172.16/16 except a single host? Does: > > match-clients { 172.16.0.0/16;!172.16.1.1; } BIND checks the ACL in the order you specify. In your example, 172.16.1.1 will be allowed by the firs

Re: Bind 9.9.0b2 inline signing...

2011-11-25 Thread Danny Mayer
On 11/24/2011 11:21 AM, Jan-Piet Mens wrote: > Jeffry, > >> I have had a tendency to dig axfr from my Windows workstation > > +1 to you for using `dig' on Windows; most don't even know it exists > and suffer the `nslookup' pain. ;-) > It comes with the Windows version of BIND9. Danny _

Re: multiple `zone' clauses for a single domain?

2011-11-25 Thread Anand Buddhdev
On 25/11/2011 23:36, Marek Kozlowski wrote: > One more question: > The documentation for `match-clients' isn't comprehensive enough... Can > I add all host from, for example 172.16/16 except a single host? Does: > > match-clients { 172.16.0.0/16;!172.16.1.1; } List the exception first, otherwise

Re: multiple `zone' clauses for a single domain?

2011-11-25 Thread Marek Kozlowski
:-) One more question: The documentation for `match-clients' isn't comprehensive enough... Can I add all host from, for example 172.16/16 except a single host? Does: match-clients { 172.16.0.0/16;!172.16.1.1; } form an AND or an OR? Best regards, /m _

Re: multiple `zone' clauses for a single domain?

2011-11-25 Thread Matthew Seaman
On 25/11/2011 16:59, Marek Kozlowski wrote: > Is it allowed to use a few `zone' clauses for a single domain? Is > something like this correct: > > zone "mickey.mouse.com" in { > type master; > file "pri/mickey-public.zone"; > allow-query { any; }; > allow-transfer {

Re: Exercising RFC 5011 rollovers

2011-11-25 Thread Evan Hunt
> I looked at the DNSSEC section of the bind test suite > (bind-9.9.0b2/bin/tests/system/dnssec) to see if a key rollover test is > part of it. I didn't see that, but it may be elsewhere, as the test suite > is pretty elaborate. The test suite does contain a simulated root server > (ns1), so I bet

RE: Exercising RFC 5011 rollovers

2011-11-25 Thread Spain, Dr. Jeffry A.
> Does anyone provide a zone with a trust anchor that is frequently rolled over in that way, just so that one can see whether it really works? Then one's feelings might be warmer and less fuzzy... I looked at the DNSSEC section of the bind test suite (bind-9.9.0b2/bin/tests/system/dnssec) to see

Re: Exercising RFC 5011 rollovers

2011-11-25 Thread Jan-Piet Mens
> given that their respective administrators have > declared an intention to follow RFC 5011 if they ever roll over their > KSKs. As you say "if they ever roll"; I'm not placing any money on that. ;-) > I could of course set up such a test zone and try to perform an RFC 5011 > rollover on it, usi

Exercising RFC 5011 rollovers

2011-11-25 Thread Chris Thompson
Using "managed-keys" for the root zone and for dlv.isc.org can give one a warm fuzzy feeling, given that their respective administrators have declared an intention to follow RFC 5011 if they ever roll over their KSKs. Except, they never have changed their KSKs so far, so the relevant code in BIND

Re: multiple `zone' clauses for a single domain?

2011-11-25 Thread Jan-Piet Mens
> Do I *have* to use views to deal with such distinction or can I specify > it just as above without views? You have to use views so that the server can decide which clients get which responses. This you specify in a match-clients {} stanza within the view. -JP __

Re: DNSSEC and IXFR

2011-11-25 Thread Evan Hunt
> Is it possible to update DNSSEC-signed domain, re-sign and generate > small differencies to be transferred by IXFR? > > Does it apply with dynamic updates, and with manually configur4ed > zones (via ixfr-from-differencies turned on)? It works fine with dynamic updates, and as of 9.9.0 it will

Re: multiple `zone' clauses for a single domain?

2011-11-25 Thread Rick Dicaire
On Fri, Nov 25, 2011 at 11:59 AM, Marek Kozlowski wrote: > Do I *have* to use views to deal with such distinction or can I specify > it just as above without views? Pretty sure you have to use views, in the least doing so would likely be the best good practice to follow. -- aRDy Music and Ric

multiple `zone' clauses for a single domain?

2011-11-25 Thread Marek Kozlowski
:-) Forgive me a stupid question but I can't find the answer... Is it allowed to use a few `zone' clauses for a single domain? Is something like this correct: zone "mickey.mouse.com" in { type master; file "pri/mickey-public.zone"; allow-query { any; }; allow-trans

Re: bad cache hit

2011-11-25 Thread Bryton
On 11/25/2011 03:19 PM, Tony Finch wrote: > Bryton wrote: >> I wonder if anyone has ever got the error > In my logs I have some of this: > > 25-Nov-2011 11:23:00.332 dnssec: info: validating @0xabe00470: uofk.edu MX: > bad cache hit (uofk.edu/DNSKEY) > > Which is fairly nicely explained by this:

Re: bad cache hit

2011-11-25 Thread Tony Finch
Bryton wrote: > > I wonder if anyone has ever got the error In my logs I have some of this: 25-Nov-2011 11:23:00.332 dnssec: info: validating @0xabe00470: uofk.edu MX: bad cache hit (uofk.edu/DNSKEY) Which is fairly nicely explained by this: http://dnsviz.net/d/uofk.edu/dnssec/ Tony. -- f.a

Re: DNSSEC and IXFR

2011-11-25 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > Is it possible to update DNSSEC-signed domain, re-sign and generate small > differencies to be transferred by IXFR? Yes, it just works with no special effort if you use dynamic updates and auto-dnssec maintain. Tony. -- f.anthony.n.finchhttp://dotat.at/ Sou

bad cache hit

2011-11-25 Thread Bryton
Hi, I am having a problem, I am signing a zone with opendnssec, After signing it seems fine and If issue a *dig @[dnssec-aware-recursive-server] [zone] +dnssec SOA* from this [*dnssec-aware-recursive-server*] And the answer is returned with RRSIGS and ad bit But after some time if I issue a

Re:

2011-11-25 Thread Doug Barton
On 11/25/2011 00:38, Matus UHLAR - fantomas wrote: > not mentioning new features (mostly DNSSEC related) that new servers have. The OP explicitly excluded DNSSEC, but, yeah. :) -- "We could put the whole Internet into a book." "Too practical." Breadth o

DNSSEC and IXFR

2011-11-25 Thread Matus UHLAR - fantomas
Hello, Just for my curiosity: Is it possible to update DNSSEC-signed domain, re-sign and generate small differencies to be transferred by IXFR? Does it apply with dynamic updates, and with manually configur4ed zones (via ixfr-from-differencies turned on)? OT: if anyone uses opendnssec, doe

Re:

2011-11-25 Thread Matus UHLAR - fantomas
On 11/24/2011 20:10, Loganathan Thirukkumaran wrote: Master is in internal running on Bind 9.2.1, On 25.11.11 00:14, Doug Barton wrote: You want to update this one as well. I know that the theory is that it's "hidden," but the first time an attacker finds it, it's going to get 0wn3d. not me

Re:

2011-11-25 Thread Doug Barton
On 11/24/2011 20:10, Loganathan Thirukkumaran wrote: > Hello All, > > We have our slave servers running compiled Bind 9.6.1-P3 on CentOS 5.4. > > Can I upgrade to 9.8.1-P1 directly from the current version 9.6.1-P3? > Or It has to be on the same 9.6.ESV-R5-P1 latest version? Should be Ok unl