bind9.9.0rc2 inline signing tests
I compiled and installed bind 9.9.0 rc2 on Ubuntu Oneiric x64. The zone jaspain.net used for testing was configured as a master zone with update-policy local, auto-dnssec maintain, and inline-signing yes. I tested by making changes to the unsigned zone, and used named-checkzone to output the unsigned and signed zone files before and after each change.

1. In the first test I used nsupdate -l to add an A record to the unsigned zone. Nsupdate added the record and incremented the serial number of the unsigned zone. The signed zone was updated appropriately, including a serial number increment, resignature of the SOA, addition of the new A record, signing of the new A record, and addition/modification/signing of NSEC records. This is consistent with the results with bind 9.9.0rc1.

2. Prior to the second test, in an attempt to get rid of the journal files, I issued the command rndc sync -clear jaspain.net. This generated an error "rndc: 'sync' failed: unknown class/type". I found that rndc sync and rndc sync jaspain.net both worked, so I think rndc just doesn't recognize the -clear parameter as described in the rndc usage message. With the journal files still present, I decided to use rndc freeze jaspain.net prior to the next test.

3. With the zone frozen, I manually edited the unsigned zone file, and my only change was to increment the SOA serial number. I then issued the command rndc reload. In the interest of saving time, I issued rndc sync to merge the journal file into the signed zone file. The unsigned zone file was unchanged after the reload. The signed zone file had its serial number incremented and the SOA record was resigned. I believe this demonstrates that the issue described in the thread "bind 9.9 inline-signing issue.." for bind 9.9.0rc1 has been fixed in rc2.

4. Finally, with regard to ZSK rollover testing, my zone jaspain.us has several RRSIGs that will be expiring on February 8. Currently ZSKs 30795 and 55158 are published, and 55158 is active. I am altering the metadata so that ZSK 30795 goes active on February 1, and 55158 goes inactive on February 2. By February 9, it should be apparent whether or not the inline-signing-related key rollover problem, for which you previously sent me an rc1 patch, has stayed fixed in rc2.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
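A way to automate the before/after comparison described in the first test, as an added example that is not part of the original post: it parses two zone dumps of the one-record-per-line form named-checkzone writes with -o (the dumps below are constructed, and the RRSIG signature fields are placeholders), then reports the serial change, the added and removed records by type, and any added record whose owner did not also gain an RRSIG covering its type. The parser does not handle multi-line (parenthesised) records.

```python
"""Diff two zone dumps (e.g. named-checkzone output taken before and after an
nsupdate) and summarize what inline signing changed.  Added example, not code
from the original post; the zone text is constructed, RRSIG signature fields
are placeholders, and the parser only handles one-record-per-line dumps."""
from collections import Counter

# Constructed "before" dump of the signed zone, one RR per line.
BEFORE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2012013101 3600 900 604800 300
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG SOA 5 2 3600 20120301000000 20120131000000 55158 example.test. SIG-SOA-1==
example.test. 3600 IN NSEC ns1.example.test. NS SOA RRSIG NSEC
example.test. 3600 IN RRSIG NSEC 5 2 3600 20120301000000 20120131000000 55158 example.test. SIG-NSEC-APEX-1==
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 5 3 3600 20120301000000 20120131000000 55158 example.test. SIG-A-NS1==
ns1.example.test. 3600 IN NSEC example.test. A RRSIG NSEC
ns1.example.test. 3600 IN RRSIG NSEC 5 3 3600 20120301000000 20120131000000 55158 example.test. SIG-NSEC-NS1==
"""

# Constructed "after" dump: host1 was added with nsupdate, the serial was
# bumped, the SOA re-signed, and the NSEC chain re-linked through host1.
AFTER = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2012013102 3600 900 604800 300
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG SOA 5 2 3600 20120301000000 20120131000000 55158 example.test. SIG-SOA-2==
example.test. 3600 IN NSEC host1.example.test. NS SOA RRSIG NSEC
example.test. 3600 IN RRSIG NSEC 5 2 3600 20120301000000 20120131000000 55158 example.test. SIG-NSEC-APEX-2==
host1.example.test. 3600 IN A 192.0.2.10
host1.example.test. 3600 IN RRSIG A 5 3 3600 20120301000000 20120131000000 55158 example.test. SIG-A-HOST1==
host1.example.test. 3600 IN NSEC ns1.example.test. A RRSIG NSEC
host1.example.test. 3600 IN RRSIG NSEC 5 3 3600 20120301000000 20120131000000 55158 example.test. SIG-NSEC-HOST1==
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 5 3 3600 20120301000000 20120131000000 55158 example.test. SIG-A-NS1==
ns1.example.test. 3600 IN NSEC example.test. A RRSIG NSEC
ns1.example.test. 3600 IN RRSIG NSEC 5 3 3600 20120301000000 20120131000000 55158 example.test. SIG-NSEC-NS1==
"""


def parse_zone(text):
    """Return a set of (owner, rtype, rdata) triples; comments and blank lines are skipped."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _klass, rtype, rdata = line.split(None, 4)
        records.add((owner, rtype, rdata))
    return records


def soa_serial(records):
    """SOA rdata is 'mname rname serial refresh retry expire minimum'."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    raise ValueError("zone has no SOA record")


def diff_zones(before_text, after_text):
    """Set difference of the two dumps plus per-type counts and the SOA serials."""
    before, after = parse_zone(before_text), parse_zone(after_text)
    added, removed = after - before, before - after
    return {
        "serial_before": soa_serial(before),
        "serial_after": soa_serial(after),
        "added": sorted(added),
        "removed": sorted(removed),
        "added_by_type": dict(Counter(r[1] for r in added)),
        "removed_by_type": dict(Counter(r[1] for r in removed)),
    }


def unsigned_additions(diff):
    """Added non-RRSIG records whose owner did not also gain an RRSIG covering that type.
    An empty list is what a correctly signing server should produce."""
    covered = {(owner, rdata.split()[0])          # RRSIG rdata starts with the type covered
               for owner, rtype, rdata in diff["added"] if rtype == "RRSIG"}
    return sorted({(owner, rtype) for owner, rtype, _ in diff["added"]
                   if rtype != "RRSIG" and (owner, rtype) not in covered})


if __name__ == "__main__":
    result = diff_zones(BEFORE, AFTER)
    print("serial %d -> %d" % (result["serial_before"], result["serial_after"]))
    print("added by type:", result["added_by_type"])
    print("removed by type:", result["removed_by_type"])
    print("added records without a covering RRSIG:", unsigned_additions(result))
```

On the constructed dumps the serial moves from 2012013101 to 2012013102, the additions are the new A record, its RRSIG, two NSEC records with their RRSIGs, and the re-signed SOA, and nothing was added without a covering signature, which is the same set of observations the first test reports.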
Re: bind9.9.0rc2 inline signing tests
Thank you for the testing!

> 2. Prior to the second test, in an attempt to get rid of the journal files, I issued the command rndc sync -clear jaspain.net. This generated an error "rndc: 'sync' failed: unknown class/type". I found that rndc sync and rndc sync jaspain.net both worked, so I think rndc just doesn't recognize the -clear parameter as described in the rndc usage message. With the journal files still present, I decided to use rndc freeze jaspain.net prior to the next test.

It's supposed to be rndc sync -clean, not -clear. I thought we'd fixed that, darn it...

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
RE: BIND 9.8.1-P1:'make test' fails
On Nov. 22, 2011 Niall O'Reilly wrote:

> Since quite a few years, I habitually run 'make test' after building BIND from sources. I'm seeing a failure with 9.8.1-P1, and wonder whether anyone else is also.

I got exactly the same error messages when testing xfer as well. We are running Linux Slamd64 12.0.0. Our current bind is 9.6.1-P1. I tried upgrading to bind-9.6.1-ESV-R5-P1. Compilation, i.e. make, went well but 'make test' failed because of that single FAIL in xfer. The same story with bind-9.8.1-P1: compilation OK but 'make test' failed. We are stuck since we cannot go ahead with installing any new version when the test fails. Appreciate very much all your help.

Tan
RE: bind9.9.0rc2 inline signing tests
> It's supposed to be rndc sync -clean, not -clear. I thought we'd fixed that, darn it...

Thanks. rndc sync -clean jaspain.net works and does remove the journal files.

Jeff
RE: bind9.9.0rc2 inline signing tests
> > 2. Prior to the second test, in an attempt to get rid of the journal files, I issued the command rndc sync -clear jaspain.net. This generated an error "rndc: 'sync' failed: unknown class/type". I found that rndc sync and rndc sync jaspain.net both worked, so I think rndc just doesn't recognize the -clear parameter as described in the rndc usage message. With the journal files still present, I decided to use rndc freeze jaspain.net prior to the next test.
>
> It's supposed to be rndc sync -clean, not -clear. I thought we'd fixed that, darn it...

Also, for consideration along with a fix to the usage message, it would be more clear if the error message "rndc: 'sync' failed: unknown class/type" could be changed to something like "rndc: 'sync' failed: unknown option -clear". Apparently, using the above example, rndc's parameter parser regards -clear as the zone name and jaspain.net as the class name. As I read RFC 1035, domain names can't begin with a hyphen, so rndc should in theory be able to correctly discern this error.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Re: BIND 9.8.1-P1:'make test' fails
In message pine.lnx.4.64.1201311256380.12...@alcor.concordia.ca, TAN BUI writes:

> On Nov. 22, 2011 Niall O'Reilly wrote:
>
> > Since quite a few years, I habitually run 'make test' after building BIND from sources. I'm seeing a failure with 9.8.1-P1, and wonder whether anyone else is also.
>
> I got exactly the same error messages when testing xfer as well. We are running Linux Slamd64 12.0.0. Our current bind is 9.6.1-P1. I tried upgrading to bind-9.6.1-ESV-R5-P1. Compilation, i.e. make, went well but 'make test' failed because of that single FAIL in xfer. The same story with bind-9.8.1-P1: compilation OK but 'make test' failed. We are stuck since we cannot go ahead with installing any new version when the test fails. Appreciate very much all your help.
>
> Tan

You haven't shown the test output for the xfer tests, but a lot of the tests are particularly timing sensitive. When we find one like that we fix the test. The xfer system test does have some timing sensitivity.

You can re-run the individual system test like this:

cd bin/tests/system; sh run.sh xfer

If you want us to have a look at this in more detail, open a ticket by emailing bind9-b...@isc.org with the output of the system test, then tar up bin/tests/system/ixfr and upload it via: https://pandora.isc.org/

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: bind9.9.0rc2 inline signing tests
In message 7610864823c0d04d89342623a3adc9de2e2f0...@hopple.countryday.net, Spain, Dr. Jeffry A. writes:

> As I read RFC 1035, domain names can't begin with a hyphen, so rndc should in theory be able to correctly discern this error.

Hostnames can't begin with a hyphen (RFC 952). Domain names can start with anything, e.g. \000. is how you would enter a TLD of one octet with all the bits set to zero.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
BIND 9.9.0 RC2 -- call for testing
As Evan mentioned earlier, we are coming close to releasing a final BIND 9.9.0. It's scheduled to go to our Forum members on the 7th of February and as a public release about a week later.

Some inline signing defects were resolved earlier this week, and we've released 9.9.0RC2. This release candidate includes fixes for all major defects reported in inline signing and other features.

We prefer to give at least two weeks between the final RC and the release. However, due to our use of improved code testing in our development process, and that most of the inline signing bugs were found earlier in the release cycle than is typical, we feel confident that this shortened RC-to-release time is a fairly safe choice to make.

The 9.9.0 pre-releases have been the most user-tested of any of our releases to date, and we appreciate each and every tester's valuable time. But, we are asking for more. More testers, more reports of success, and of course of failures. The more people who test 9.9.0 RC2 before February the 7th, the better the release will be. While we hope for no major defects, we'd rather know of them than not.

Please head on over to http://www.isc.org/software/bind/990rc2 and give it a try. If you don't want to send mail to this list for success or failure stories, sending them to me personally will get them to the right place.

Thank you everyone for helping us make great software even better.

--Michael
Re: BIND 9.8.1-P1:'make test' fails
On Tue, Jan 31, 2012 at 01:13:54PM -0500, TAN BUI wrote:
> On Nov. 22, 2011 Niall O'Reilly wrote:

Go back just a bit further in the archive to my post on 2011-11-17 (16th in my TZ), Subject: "Re: Can't compile bind 9.8.1-P1 on Solaris". Sorry, I should have changed the subject to indicate Slackware, but I was seeing the same problem as that.

> > Since quite a few years, I habitually run 'make test' after building BIND from sources. I'm seeing a failure with 9.8.1-P1, and wonder whether anyone else is also.
>
> I got exactly the same error messages when testing xfer as well. We are running Linux Slamd64 12.0.0. Our current bind is 9.6.1-P1. I tried upgrading to bind-9.6.1-ESV-R5-P1. Compilation, i.e. make, went well but 'make test' failed because of that single FAIL in xfer. The same story with bind-9.8.1-P1: compilation OK but 'make test' failed. We are stuck since we cannot go ahead with installing any new version when the test fails.

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Newbie help - slave servers and dns updates
Hi all,

Please excuse my ignorance but after spending several weeks Googling for information that would have endangered several rain forests in paper form, I've decided to ask for some help.

I successfully set up two Bind9 servers in the usual master (DNS1), slave (DNS2) configuration to serve a local internal domain for around 60 users. Updates etc. are allowed via the use of the rndc.key file (identical copies on both servers). I then added on DHCP to the servers which again works fine. The final step was adding dynamic DNS updates via the DHCP servers, which also went well.

My problem is that if I turn off the master server (DNS1) to test fail over I can't update the DNS via DHCP. I get errors like the following:

date/time client DNS2_IP#Random looking number: signer "rndc-key" denied
date/time client DNS2_IP#same number as above: update forwarding 'my dns zone/IN' denied

I tried using nsupdate to manually add entries but I just get REFUSED errors. As soon as I bring up the master server everything works fine again.

Is this a limitation of Bind and I've just not understood the docs, or have I done something silly in a config file? I've installed this on Ubuntu Server 10.04 and Debian 6 with the same results on both.

Any advice would be gratefully received,

Wayne
Re: BIND 9.9.0 RC2 -- call for testing
On 01/31/2012 16:06, Michael Graff wrote:

> Some inline signing defects were resolved earlier this week, and we've released 9.9.0RC2. This release candidate includes fixes for all major defects reported in inline signing and other features.

I haven't seen a public announcement about this yet (sorry if I missed it) but I'll take this, and the fact that the code is on the ftp site, as a sign that it's OK to update the FreeBSD port. :)

Doug

--
It's always a long day; 86400 doesn't fit into a short.
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
RE: BIND 9.9.0 RC2 -- call for testing
I will grab the port update in a few, and give it a run. Worked overnight last night, so hadn't had a chance to grab the sources, so great timing for me..

---
Howard Leadmon

-----Original Message-----
From: bind-users-bounces+howard=leadmon@lists.isc.org [mailto:bind-users-bounces+howard=leadmon@lists.isc.org] On Behalf Of Doug Barton
Sent: Tuesday, January 31, 2012 9:15 PM
To: Michael Graff
Cc: bind-users@lists.isc.org
Subject: Re: BIND 9.9.0 RC2 -- call for testing

> On 01/31/2012 16:06, Michael Graff wrote:
>
> > Some inline signing defects were resolved earlier this week, and we've released 9.9.0RC2. This release candidate includes fixes for all major defects reported in inline signing and other features.
>
> I haven't seen a public announcement about this yet (sorry if I missed it) but I'll take this, and the fact that the code is on the ftp site, as a sign that it's OK to update the FreeBSD port. :)
>
> Doug
>
> --
> It's always a long day; 86400 doesn't fit into a short.
> Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
BIND 9.9.0rc2 is now available
Introduction

BIND 9.9.0rc2 is the second release candidate for BIND 9.9.0. This document summarizes changes from BIND 9.8 to BIND 9.9. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

new in 9.9.0rc2

- no new security fixes have been added since 9.9.0rc1

previously included in 9.9.0rc1

- BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

New Features

new in 9.9.0rc2

- no wholly new features have been added since 9.9.0rc1

previously included in 9.9.0rc1

- NXDOMAIN redirection is now possible. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of "no such domain". This allows a recursive nameserver to provide alternate suggestions for misspelled domain names. Note that names that are in DNSSEC-signed domains are exempted from this when validation is in use. [RT #23146]
- Improved scalability by using multiple threads to listen for and process queries. Previously named only listened for queries on one thread regardless of the number of overall threads used. [RT #22992]
- Improves startup and reconfiguration time by allowing zones to load in multiple threads. [RT #25333]
- Improves initial start-up and server reload time by increasing the default size of the hash table the configuration parser uses to keep track of loaded zones and allowing it to grow dynamically to better handle systems with large numbers of zones. [RT #26523]
- Improves the startup time for an authoritative server with a large number of zones by making the zone task table of variable size rather than fixed size. This means that authoritative servers with many zones will be serving that zone data much sooner. [RT #24406]
- The new inline-signing option, in combination with the auto-dnssec option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Previously automatic zone signing only worked on master zones that were configured to be dynamic; now, it works on any master or slave zone. In a master zone with inline signing, the zone is loaded from disk as usual, and a second copy of the zone is created to hold the signed version. The original zone file is not touched; all comments remain intact. When you edit the zone file and reload, named detects the incremental changes that have been made to the raw version of the zone, and applies those changes to the signed version, adding signatures as needed. A slave zone with inline signing works similarly, except that instead of loading the zone from disk and then signing it, the slave transfers the zone from a master server and then signs it. This enables "bump in the wire" signing: a dedicated signing server acting as an intermediary between a hidden master server (which provides the raw zone data) and a set of publicly accessible slave servers (which only serve the signed data). [RT #26224/23657]
- rndc flushtree name command removes the specified name and all names under it from the cache. [RT #19970]
- rndc sync command dumps pending changes in a dynamic zone to disk without a freeze/thaw cycle. rndc sync -clean removes the journal file after syncing. rndc freeze no longer removes journal files. [RT #22473]
- The new rndc signing command provides greater visibility and control of the automatic DNSSEC signing process. Options to this new command include -list zone which will show the current state of signing operations overall or per specified zone. [RT #23729]
- The also-notify option now takes the same syntax as masters, thus it can use named master lists and TSIG keys. [RT #23508]
- auto-dnssec zones can now have NSEC3 parameters set prior to signing. [RT #23684]
- The dnssec-signzone -D option causes dnssec-signzone to write DNSSEC data to a separate output file. This allows you to put $INCLUDE example.com.signed into the zonefile for example.com, run dnssec-signzone -SD example.com, and the result is a fully signed zone which did
RE: bind9.9.0rc2 inline signing tests
> Hostnames can't begin with a hyphen (RFC 952). Domain names can start with anything.

I guess that makes the syntax rndc sync [-clean] [zone [class [view]]] unavoidably ambiguous. Maybe a way around this would be a new command rndc clean [zone [class [view]]].

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
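To make the ambiguity concrete, here is an added example (not rndc's code, and not from the thread) that models the positional parsing of rndc sync [-clean] [zone [class [view]]] the way the thread reads it: a lenient parser in which only the exact token -clean is special and any other first token is taken as the zone name, beside a strict variant that rejects unknown dash-prefixed options. The strict parser yields the clearer error message suggested earlier, but it also refuses a zone whose name genuinely begins with a hyphen, which is the trade-off behind the rndc clean suggestion. The class set, the default class and the error texts are assumptions made for the illustration.

```python
"""Model of positional argument parsing for 'rndc sync [-clean] [zone [class [view]]]'.
Added example, not rndc's implementation: it reproduces the behaviour the thread
describes (an unknown '-clear' is consumed as the zone name, so the real zone
name is then rejected as a class) and contrasts it with a stricter parser."""

# Standard DNS class mnemonics; the exact set rndc accepts is not stated on the page.
KNOWN_CLASSES = {"IN", "CH", "HS", "ANY"}


def parse_sync_args(args):
    """Lenient parsing: only the exact flag '-clean' is special.  Anything else in
    the first position is a zone name, the second position a class, the third a view."""
    args = list(args)
    clean = False
    if args and args[0] == "-clean":
        clean = True
        args = args[1:]
    if len(args) > 3:
        raise ValueError("too many arguments")
    zone = args[0] if len(args) > 0 else None
    klass = args[1] if len(args) > 1 else "IN"   # default class is an assumption
    view = args[2] if len(args) > 2 else None
    if klass.upper() not in KNOWN_CLASSES:
        raise ValueError("unknown class/type")
    return {"clean": clean, "zone": zone, "class": klass.upper(), "view": view}


def parse_sync_args_strict(args):
    """Variant that rejects any unknown dash-prefixed first token.  The error is
    clearer for '-clear', but a zone whose name legitimately starts with '-'
    can no longer be named here at all, which is the ambiguity the thread ends on."""
    args = list(args)
    if args and args[0].startswith("-") and args[0] != "-clean":
        raise ValueError("unknown option %s" % args[0])
    return parse_sync_args(args)


def describe(parser, args):
    """Return the parsed result, or the error line rndc would print, for comparison."""
    try:
        return parser(args)
    except ValueError as exc:
        return "rndc: 'sync' failed: %s" % exc


if __name__ == "__main__":
    for argv in (["-clear", "jaspain.net"], ["-clean", "jaspain.net"], [], ["-weird.example.", "IN"]):
        print("rndc sync", " ".join(argv))
        print("  lenient:", describe(parse_sync_args, argv))
        print("  strict: ", describe(parse_sync_args_strict, argv))
```

Running it shows the lenient parser accepting rndc sync and rndc sync jaspain.net, failing rndc sync -clear jaspain.net with "unknown class/type", and happily syncing a zone literally named -weird.example.; the strict parser swaps the first failure for "unknown option -clear" at the price of rejecting that last zone too.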
Permissions change after running dnssec-settime bind 9.9.0rc2
I ran dnssec-settime from bind 9.9.0rc2 today to change the metadata on two of my ZSKs. Before running dnssec-settime, using one of these keys as an example, the file permissions were:

-rw-r--r-- 1 root bind  535 2012-01-31 11:47 Kjaspain.us.+005+30795.key
-rw-r----- 1 root bind 1058 2012-01-31 11:47 Kjaspain.us.+005+30795.private

Afterwards the permissions on the private key were changed by dnssec-settime to:

-rw-r--r-- 1 root bind  535 2012-01-31 11:47 Kjaspain.us.+005+30795.key
-rw------- 1 root bind 1058 2012-01-31 11:47 Kjaspain.us.+005+30795.private

Now the private key is inaccessible to the named process, which is running as user bind. User bind is a member of group bind. What do you recommend as a best practice? I could do chmod 640 on any private keys modified by dnssec-settime to fix this, or I could probably do chown bind:bind on all the keys and not have to worry about it. Aside from this, is the permissions change made by dnssec-settime a feature or a bug?

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
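As an added check that is not part of the post: the Python below applies the ordinary Unix permission rule to the ls -l modes listed above from the point of view of a named process running as user bind in group bind (the uid and gid numbers are constructed), and scan_key_dir() does the same for real K*.private files on disk, so it can be pointed at a key directory after a dnssec-settime run. demo_scan() exercises it on files it creates in a temporary directory. The outcome matches the post: 0640 root:bind is readable through the group bits, 0600 root:bind is not.

```python
"""Check whether DNSSEC private-key files are readable by the uid/gids that
named runs with.  Added example, not from the post: it applies the usual Unix
rule (owner bits if the uid owns the file, else group bits if the file's group
is one of the process's groups, else other bits).  The uid/gid numbers are
constructed, and demo_scan() works only on files it creates itself."""
import os
import stat
import tempfile


def parse_ls_mode(perm):
    """Turn the 10-character ls -l field ('-rw-r-----') into a mode (0o640).
    Any character other than '-' counts as a set bit; setuid/sticky markers are not decoded."""
    if len(perm) != 10:
        raise ValueError("expected the 10-character ls -l permission field")
    mode = 0
    for ch in perm[1:]:
        mode = (mode << 1) | (0 if ch == "-" else 1)
    return mode


def readable_by(mode, file_uid, file_gid, uid, gids):
    """True if a process with this uid and group set may open the file for reading.
    Root's bypass of the permission bits is deliberately not modelled: named runs unprivileged."""
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


# Constructed ids for the accounts in the post; real values come from /etc/passwd and /etc/group.
UID = {"root": 0, "bind": 105}
GID = {"root": 0, "bind": 110}


def named_can_read(perm, owner="root", group="bind"):
    """Evaluate one line of the post's listing for a named process running as user bind, group bind."""
    return readable_by(parse_ls_mode(perm), UID[owner], GID[group], UID["bind"], {GID["bind"]})


def scan_key_dir(path, uid, gids):
    """Return the K*.private files under path that the given uid/gids cannot read."""
    blocked = []
    for name in sorted(os.listdir(path)):
        if not (name.startswith("K") and name.endswith(".private")):
            continue
        st = os.stat(os.path.join(path, name))
        if not readable_by(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids):
            blocked.append(name)
    return blocked


def demo_scan():
    """Create two constructed private-key files (0640 and 0600, owned by the current
    user) and scan them once as the owner and once as another uid in the owning group."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("Kexample.test.+005+11111.private", 0o640),
                           ("Kexample.test.+005+22222.private", 0o600)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("Private-key-format: v1.3\n; constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        st = os.stat(path)
        as_owner = scan_key_dir(d, st.st_uid, {st.st_gid})
        as_group_member = scan_key_dir(d, st.st_uid + 1, {st.st_gid})
        return as_owner, as_group_member


if __name__ == "__main__":
    for perm in ("-rw-r--r--", "-rw-r-----", "-rw-------"):
        print(perm, "root:bind readable by named:", named_can_read(perm))
    print("blocked as owner / as group member:", demo_scan())
```

Of the two remedies the post considers, chown bind:bind leaves the 0600 file readable because the owner bits then apply, while chmod 640 restores the group-readable state; the scan function reports either outcome without needing to know which one was chosen.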