Re: DNSSEC
Comcast has taken a pragmatic view. I'm glad to see they've turned on validation, but I can see why they need to configure exceptions. Without being able to manage exceptions, large ISPs are not going to turn on validation. Indeed, which brings up the question of why BIND (still) doesn't have a negative trust anchor feature.

-JP

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: errors in logs
Hi,

Currently we are using an IPv4 network for our customers and everything. By the way, we do not block any IPv6, so why do we get IPv6 resolution as "network unreachable" in the logs?

On 10/05/12 09:47, Ben wrote:
> Hi,
>
> I just enabled bind as a caching name server and when watching the logs I got the errors below.

> It looks like you have broken IPv6 connectivity - your machine believes it has an IPv6 address and possibly a default route, but it doesn't work. Check your networking config.
Re: KSK stays published 3 days after delete time
On 10.05.2012 at 23:52, Evan Hunt wrote:
>> key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set. It has been deleted from the repository at 2012-05-07T14:55:02.569706, but is still included by named 9.9.0 in the zone framail.de (as of 2012-05-10T19:51:32).

To clarify: I'm using inline-signing. The repository is the key-directory configured in named.conf. Deleted means: my script deleted it.

> Named won't delete the key from the zone unless you explicitly tell it to do so. For all it knows, your key file may have been removed by mistake.
>
> The correct way to remove a key from your zone is to schedule it for deletion. If it already has a successor published, then you can schedule the event immediately:
>
>     $ dnssec-settime -K repository-path -D now Kframail.de.+007+13245

That's what I mean with "key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set".

>     $ rndc loadkeys framail.de
>
> The -D option says the key should be deleted after the specified time, which in this case is now. rndc loadkeys tells named to examine the keys in the repository and note any changes to the scheduled events. named will see that the specified KSK is scheduled for deletion, it will remove it from the DNSKEY RRset, and it will resign the DNSKEY RRset with the remaining key(s).

I have "auto-dnssec maintain;" set and my understanding is that named does not require an "rndc loadkeys" to remove the key from the DNSKEY RRset if the delete time, set with dnssec-settime, has passed. Is this wrong?

> After that's happened, you can remove the key file from the repository if you wish.
>
> If you still have a copy of the key file, put it back and follow the above steps. Otherwise, I suggest resigning the zone from scratch with the remaining keys. (Update the SOA serial number in the unsigned zonefile to something higher than the current serial number in the signed zone; move file.signed and file.signed.jnl to some other location; restart named. A new signed zone should be generated with the correct keyset.)

Axel
---
PGP-Key: 29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
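The disagreement above is about what the Delete timestamp in a key file means for the DNSKEY RRset that named actually serves. The following is an added example, not code from this thread or from ISC: it parses the ";"-prefixed timing comments that dnssec-keygen and dnssec-settime write into K*.key files (Created, Publish, Activate, Inactive, Delete, as YYYYMMDDHHMMSS in UTC), computes each key's tag from the DNSKEY RDATA (RFC 4034 Appendix B), and reports keys whose Delete time has passed but whose tag is still present in the zone's DNSKEY RRset, which is exactly the "key 22924 still in the zone" situation. The two key files, the tiny non-functional public keys inside them, the zone name example.com and the list of tags "seen in the zone" are all constructed samples; in practice the tag list would come from a `dig DNSKEY` of the served zone.

```python
"""Check BIND key-file timing metadata against a zone's DNSKEY RRset.

Added example; not code from the bind-users thread or from ISC. The key
files and the "tags in zone" list below are constructed samples.
"""
import base64
import re
from datetime import datetime, timezone

TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")
_META_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})")
_DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_time(stamp):
    """Turn a 14-digit key-file timestamp (UTC) into an aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_file(text):
    """Return name, flags, computed tag and timing metadata for one K*.key file."""
    timing = {}
    record = None
    for line in text.splitlines():
        meta = _META_RE.match(line)
        if meta and meta.group(1) in TIMING_FIELDS:
            timing[meta.group(1)] = parse_time(meta.group(2))
            continue
        rr = _DNSKEY_RE.match(line)
        if rr:
            name, flags, proto, alg, b64 = rr.groups()
            pubkey = base64.b64decode("".join(b64.split()))
            record = {"name": name, "flags": int(flags),
                      "tag": key_tag(int(flags), int(proto), int(alg), pubkey)}
    if record is None:
        raise ValueError("no DNSKEY record found in key file")
    record["timing"] = timing
    return record


def key_state(timing, at):
    """Lifecycle state the timing metadata puts a key in at time 'at'."""
    if "Delete" in timing and at >= timing["Delete"]:
        return "deleted"      # should be gone from the DNSKEY RRset
    if "Inactive" in timing and at >= timing["Inactive"]:
        return "retired"      # still published, no longer used for signing
    if "Activate" in timing and at >= timing["Activate"]:
        return "active"
    if "Publish" in timing and at >= timing["Publish"]:
        return "published"
    return "unpublished"


def stale_keys(key_files, tags_in_zone, at):
    """Tags still in the zone's DNSKEY RRset although their Delete time has passed."""
    stale = []
    for text in key_files:
        key = parse_key_file(text)
        if key_state(key["timing"], at) == "deleted" and key["tag"] in tags_in_zone:
            stale.append(key["tag"])
    return sorted(stale)


# Constructed sample key files (tiny, non-functional public keys). The KSK with
# tag 1544 has a Delete time in the past relative to the check in check_sample().
SAMPLE_KEY_FILES = [
    "; This is a key-signing key, keyid 1544, for example.com.\n"
    "; Created: 20120101000000 (Sun Jan  1 00:00:00 2012)\n"
    "; Publish: 20120101000000 (Sun Jan  1 00:00:00 2012)\n"
    "; Activate: 20120101000000 (Sun Jan  1 00:00:00 2012)\n"
    "; Inactive: 20120430000000 (Mon Apr 30 00:00:00 2012)\n"
    "; Delete: 20120507145502 (Mon May  7 14:55:02 2012)\n"
    "example.com. IN DNSKEY 257 3 7 AQAB\n",
    "; This is a key-signing key, keyid 1802, for example.com.\n"
    "; Created: 20120401000000 (Sun Apr  1 00:00:00 2012)\n"
    "; Publish: 20120401000000 (Sun Apr  1 00:00:00 2012)\n"
    "; Activate: 20120401000000 (Sun Apr  1 00:00:00 2012)\n"
    "example.com. IN DNSKEY 257 3 7 AwEAAQ==\n",
]


def check_sample(when="20120510195132", tags_in_zone=(1544, 1802)):
    """Run the check for the constructed zone at 'when' (default: the time in the thread)."""
    return stale_keys(SAMPLE_KEY_FILES, set(tags_in_zone), parse_time(when))


if __name__ == "__main__":
    print("stale key tags:", check_sample())   # -> [1544]
```

Computing the tag from the RDATA rather than trusting the "keyid" comment or the file name means a renamed or hand-edited key file is caught as well. Note that the script only says which keys ought to have left the RRset by now; whether named does that on its own under `auto-dnssec maintain` or needs `rndc loadkeys` is the question the thread leaves open, and the answer is what decides whether an alert from a check like this is a configuration problem or an expected state.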
Re: errors in logs
Ben wrote:
> Hi,
>
> Currently we are using an IPv4 network for our customers and everything. By the way, we do not block any IPv6, so why do we get IPv6 resolution as "network unreachable" in the logs?

BIND believes your OS has IPv6 and tries to use it. One option for disabling use of IPv6 in BIND is to tell BIND that it shouldn't even try to use IPv6 (start the named command with option -4). If you're using for example RHEL / CentOS with the vendor-provided RPMs, you can do this by editing /etc/sysconfig/named and adding/editing this line:

    OPTIONS=-4

Regards
Eivind Olsen
Re: random-device purpose in DNSSEC
Warren wrote on 05/10/2012 04:14:01 PM:
> Multiple options:
>
> 1: install haveged (http://www.irisa.fr/caps/projects/hipsor/) -- this will provide you with much randomness [0].
> 2: buy a USB entropy widget (for example: http://www.entropykey.co.uk/)
> 3: See if there is a driver for your TPM -- many boxes have them, and many provide good randomness.
> 4: NOT RECOMMENDED: use /dev/urandom (only for testing)

You forgot an option:

5: Patience, Grasshopper. /dev/random will eventually fill and the crypto function will get enough data to complete.
Re: DNSSEC
Jan-Piet wrote on 05/11/2012 02:17:53 AM:
> Indeed, which brings up the question of why BIND (still) doesn't have a negative trust anchor feature.

So how do we implement one? Create a separate caching server with DNSSEC validation turned off and forward all queries for the broken domain to it?
Re: DNSSEC
wbr...@e1b.org wrote:
> So how do we implement one? Create a separate caching server with DNSSEC validation turned off and forward all queries for the broken domain to it?

That won't work, because a validating server validates replies from a forwarding server.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Re: DNSSEC
> So how do we implement one? Create a separate caching server with DNSSEC validation turned off and forward all queries for the broken domain to it?

Unbound can be configured (on the fly) to ignore DNSSEC for individual zones. From the unbound.conf(5) page:

    domain-insecure: domain name
        Sets domain name to be insecure, DNSSEC chain of trust is ignored towards the domain name. So a trust anchor above the domain name can not make the domain secure with a DS record, such a DS record is then ignored. Also keys from DLV are ignored for the domain. Can be given multiple times to specify multiple domains that are treated as if unsigned. If you set trust anchors for the domain they override this setting (and the domain is secured).

I assume it would be possible to implement something along the lines of `rndc insecure domain`, but I wouldn't know...

-JP
Secondary Master
I found this article about setting up a secondary master. This may be useful as we are bringing up a disaster recovery site. The author explains that the zone type should be 'slave' so it can receive db updates from the normal master. Seems like that makes it a slave instead of a master for that zone? We are also looking at the app rsync for db transfers so we will have mirrored masters, IP traffic separated by routers.

Thanks

https://help.ubuntu.com/8.04/serverguide/dns-configuration.html

John Manson
CAO/HIR/NI/Data-Communications
U.S. House of Representatives
Desk: 202-226-4244
john.man...@mail.house.gov
Re: Secondary Master
John wrote on 05/11/2012 11:05:58 AM:
> I found this article about setting up a secondary master. This may be useful as we are bringing up a disaster recovery site. The author explains that the zone type should be 'slave' so it can receive db updates from the normal master. Seems like that makes it a slave instead of a master for that zone? We are also looking at the app rsync for db transfers so we will have mirrored masters, IP traffic separated by routers.
>
> Thanks
>
> https://help.ubuntu.com/8.04/serverguide/dns-configuration.html

What they describe is a typical slave server. I wonder if they are misusing the term master for authoritative.

They are correct that more than one server is needed in order to maintain the availability of the domain should the Primary become unavailable. It's a good idea to make sure that your DNS servers are physically separated so a network failure does not block access to all of them.

I would just let zone transfers take care of keeping things in sync instead of using rsync and a bunch of custom procedures to do it.
Re: Secondary Master
The concept of a secondary master is sound. It basically provides for a healthy means of handling the situation where your primary master is unusable.

To enable and support a primary/backup DNS master, the backup master is initially set up as noted as a slave server. Any other slave servers for the primary master also need to be pre-configured to treat the secondary master as a master. Thus, when the primary master is unavailable, the task is simply to reconfigure the secondary master as a true master and to temporarily break the link between the primary and secondary. Upon recovery, you would have to convert the original primary master to a slave to get updates from the secondary and then re-enable it as the primary.

This is a relatively simple explanation of what can be done to support a primary/secondary master. Obviously, there's a lot of work to support the flipping of masters, which requires intelligent scripting to make it failure resistant. It would be nice if bind natively supported the concept. However, until such time, manual / scripting means are needed.

On 05/11/2012 11:27 AM, wbr...@e1b.org wrote:
> John wrote on 05/11/2012 11:05:58 AM:
>> I found this article about setting up a secondary master. This may be useful as we are bringing up a disaster recovery site. The author explains that the zone type should be 'slave' so it can receive db updates from the normal master. Seems like that makes it a slave instead of a master for that zone? We are also looking at the app rsync for db transfers so we will have mirrored masters, IP traffic separated by routers.
>>
>> Thanks
>>
>> https://help.ubuntu.com/8.04/serverguide/dns-configuration.html
>
> What they describe is a typical slave server. I wonder if they are misusing the term master for authoritative.
>
> They are correct that more than one server is needed in order to maintain the availability of the domain should the Primary become unavailable. It's a good idea to make sure that your DNS servers are physically separated so a network failure does not block access to all of them.
>
> I would just let zone transfers take care of keeping things in sync instead of using rsync and a bunch of custom procedures to do it.
Re: Secondary Master
In article mailman.780.1336757913.63724.bind-us...@lists.isc.org, John Wingenbach b...@wingenbach.org wrote:
> The concept of a secondary master is sound. It basically provides for a healthy means of handling the situation where your primary master is unusable.

That's true, but the sample configurations in the OP's link did not show this. They clearly used the term master to refer to authoritative servers, and secondary in the obsolete sense of slave servers. So in the section where it showed how to configure a secondary master, all it showed was how to configure an ordinary slave -- nothing to do with turning that slave into a replacement master.

--
Barry Margolin
Arlington, MA
Re: measuring dns query
Thanks for the reply Daniel, this is what I need.

On Thu, May 10, 2012 at 2:38 AM, Daniel Migault mglt@gmail.com wrote:
> Hi,
>
> Maybe you are looking for dnsperf and resperf [1]. We have done some tests similar to these in [2] and [3], so maybe it helps. Replaying captures of traffic may also be recommended, especially to consider, for example, queries with no answers. At least for DNSSEC this matters.
>
> [1] http://www.nominum.com/resources/measurement-tools
> [2] http://www.iepg.org/2010-11-ietf79/iepg79-mglt.pdf
> [3] http://www-public.it-sudparis.eu/~lauren_m/articles/Migault-CNSM2010.pdf
>
> BR
> Daniel
>
> On Thu, May 10, 2012 at 7:21 AM, PFUnix Mail pfu...@gmail.com wrote:
>> all,
>>
>> I'm looking for a way to measure DNS queries and am looking for an open-source solution if possible. Any suggestions? I want to measure the time it takes for 1 DNS query in bind vs. DNS Active-Directory integrated.
>>
>> thanks,
>> B
>
> --
> Daniel Migault
> Orange Labs / Security Lab
> +33 (0) 1 45 29 60 52
> +33 (0) 6 70 72 69 58