Re: Slowing down bind answers
Unless the goal is to move all DNS services off that subnet. Our network staff would love to reclaim the /24 our DNS servers are tying up with very little else on it, wasting 250 addresses.

I'm not sure I'm describing a properly configured anycast environment well. Since in anycast the client never sees the physical address of a DNS server, it matters not where they (the DNS server(s)) physically are, only whether they are in the anycast cloud or not. You can move them around (insert/delete servers to/from the cloud) to your heart's content and the client doesn't know. The requirement here (to avoid having clients left on legacy devices) is that all the affected servers be in the anycast cloud and all of your client devices point to the logical anycast address for DNS resolution, NOT the physical address(es) of the DNS server(s). You add the new server(s) to the cloud and delete the legacy server(s) from the cloud. Easy peasy.

Obviously, this takes some up-front planning, and having a group of servers on the same subnet is probably not a good idea (although it could be interesting from a load sharing perspective...).

YMMV, it's just a thought.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Slowing down bind answers
On 07/01/14 14.16, Bob McDonald wrote:
> Unless the goal is to move all DNS services off that subnet. Our network staff would love to reclaim the /24 our DNS servers are tying up with very little else on it, wasting 250 addresses.
>
> I'm not sure I'm describing a properly configured anycast environment well. Since in anycast the client never sees the physical address of a DNS server, it matters not where they (the DNS server(s)) physically are, only whether they are in the anycast cloud or not. You can move them around (insert/delete servers to/from the cloud) to your heart's content and the client doesn't know. The requirement here (to avoid having clients left on legacy devices) is that all the affected servers be in the anycast cloud and all of your client devices point to the logical anycast address for DNS resolution, NOT the physical address(es) of the DNS server(s). You add the new server(s) to the cloud and delete the legacy server(s) from the cloud. Easy peasy.
>
> Obviously, this takes some up-front planning, and having a group of servers on the same subnet is probably not a good idea (although it could be interesting from a load sharing perspective...).
>
> YMMV, it's just a thought.

If I understood the problem correctly, the address the anycast would take is the address the clients actually use, and the new servers can be set anywhere. In this case they want to free that address for other purposes. Again, if I understand this correctly, anycast might be fine for the future but a bit too late in this case.

--
Best regards
Sten Carlsen
No improvements come from shouting: MALE BOVINE MANURE!!!
Disable DNSSEC
My DNS appliances are not well-suited for this yet, so I want to disable DNSSEC for my domain. Anyone know the proper steps to take, and what order, if there is any order? I have a DS record in my parent domain. Do I need to remove that first?

Thanks in advance.

Eric
Re: Disable DNSSEC
On 01/07/2014 05:01 PM, Eric Davis wrote:
> My DNS appliances are not well-suited for this yet, so I want to disable DNSSEC for my domain. Anyone know the proper steps to take, and what order, if there is any order? I have a DS record in my parent domain. Do I need to remove that first?
>
> Thanks in advance.
>
> Eric

Yes, first remove the DS from the parent zone, then wait for the DS TTL to expire, and then you can start removing DNSKEYs from your zone.

--
Georg
RE: Disable DNSSEC
So I guess my DS record has the same TTL as my default TTL for my records? My default is 8 hours, so if I wait 8 hours after I remove the DS from my parent zone then I should be OK? My parent zone is a TLD (.edu).

-----Original Message-----
From: bind-users-bounces+eric=rockefeller@lists.isc.org [mailto:bind-users-bounces+eric=rockefeller@lists.isc.org] On Behalf Of Georg Kahest
Sent: Tuesday, January 07, 2014 10:12 AM
To: bind-users@lists.isc.org
Subject: Re: Disable DNSSEC

> On 01/07/2014 05:01 PM, Eric Davis wrote:
>> My DNS appliances are not well-suited for this yet, so I want to disable DNSSEC for my domain. Anyone know the proper steps to take, and what order, if there is any order? I have a DS record in my parent domain. Do I need to remove that first?
>>
>> Thanks in advance.
>>
>> Eric
>
> Yes, first remove the DS from the parent zone, then wait for the DS TTL to expire, and then you can start removing DNSKEYs from your zone.
>
> --
> Georg
Re: Disable DNSSEC
On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote:
> So I guess my DS record has the same TTL as my default TTL for my records? My default is 8 hours, so if I wait 8 hours after I remove the DS from my parent zone then I should be OK? My parent zone is a TLD (.edu).

The DS record is in the parent zone (.edu) and it has a one-day TTL:

    ;; AUTHORITY SECTION:
    rockefeller.edu.        172800  IN      NS      r2d2.rockefeller.edu.
    rockefeller.edu.        172800  IN      NS      rockyd.rockefeller.edu.
    rockefeller.edu.        86400   IN      DS      40486 5 1 954F779D591F011288CAD43D64D96EA543E0D3E5
    rockefeller.edu.        86400   IN      RRSIG   DS 8 2 86400 20140113054536 20140106043536 20750 edu. 0XmRgd7FPG56t7etP2dK0W9gvVVm5oJlaCXufHlWnLsPWwNcAGIEQBCp RxBicOFdPgmxvm1VV+IXq7W2qEKiFOchCgfqm9ugqQ7/DOR0DJW1edgI ZqUVLfMgp/VT1+6EXU+wGiR7D2rZs1xvyu82cMQCkBseiKVAJv2F35LK MSE=

Bill.
RE: Disable DNSSEC
Duh... silly mistake... I did a DIG on the NS record. Once the DS record is removed, DNS queries should work fine, right?

Thanks Bill.

-----Original Message-----
From: Bill Owens [mailto:ow...@nysernet.org]
Sent: Tuesday, January 07, 2014 11:28 AM
To: Eric Davis
Cc: bind-users@lists.isc.org
Subject: Re: Disable DNSSEC

> On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote:
>> So I guess my DS record has the same TTL as my default TTL for my records? My default is 8 hours, so if I wait 8 hours after I remove the DS from my parent zone then I should be OK? My parent zone is a TLD (.edu).
>
> The DS record is in the parent zone (.edu) and it has a one-day TTL:
>
>     ;; AUTHORITY SECTION:
>     rockefeller.edu.        172800  IN      NS      r2d2.rockefeller.edu.
>     rockefeller.edu.        172800  IN      NS      rockyd.rockefeller.edu.
>     rockefeller.edu.        86400   IN      DS      40486 5 1 954F779D591F011288CAD43D64D96EA543E0D3E5
>     rockefeller.edu.        86400   IN      RRSIG   DS 8 2 86400 20140113054536 20140106043536 20750 edu. 0XmRgd7FPG56t7etP2dK0W9gvVVm5oJlaCXufHlWnLsPWwNcAGIEQBCp RxBicOFdPgmxvm1VV+IXq7W2qEKiFOchCgfqm9ugqQ7/DOR0DJW1edgI ZqUVLfMgp/VT1+6EXU+wGiR7D2rZs1xvyu82cMQCkBseiKVAJv2F35LK MSE=
>
> Bill.
Re: Disable DNSSEC
On Tue, Jan 07, 2014 at 04:34:27PM +, Eric Davis wrote:
> Duh... silly mistake... I did a DIG on the NS record. Once the DS record is removed, DNS queries should work fine, right?
>
> Thanks Bill.

Once the DS record is removed from the .edu zone, queriers won't expect your zone to be signed any more. At that point, you can leave it signed or remove the signatures, and it won't make any difference. You just need to wait at least 24 hours from the time the record disappears from the .edu zone.

Bill.
Re: Disable DNSSEC
> Once the DS record is removed from the .edu zone, queriers won't expect your zone to be signed any more. At that point, you can leave it signed or remove the signatures, and it won't make any difference. You just need to wait at least 24 hours from the time the record disappears from the .edu zone.

I suggest you wait a little bit longer than that. There are multiple name servers for edu and you want to make sure that all of them have removed the DS record.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
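The procedure the thread converges on (remove the DS from the parent, confirm every parent server has dropped it, then wait out the DS TTL before removing DNSKEYs) can be turned into a simple check. The following is an added example, not code from the thread or from BIND; it parses dig-style answers captured from each parent server, using the DS record values quoted above as constructed sample data, and the parent server names are placeholders.

```python
"""Added example (not from the thread): decide when a zone can safely drop its
DNSKEY/RRSIG records after the parent has been asked to remove the DS.

Rule from the thread: every parent-zone name server must have stopped
answering with the DS, and the DS TTL must then elapse so validating
resolvers' caches expire. Inputs are dig-style answers, one per parent
server; the captures below are constructed sample data and the server
names are placeholders."""
import re
from datetime import datetime, timedelta, timezone

# Constructed captures, as `dig @<parent-ns> rockefeller.edu DS` would print them.
# ns1 still serves the DS (record values from the thread); ns2 already dropped it.
PARENT_CAPTURES = {
    "ns1.parent.example": (
        ";; ANSWER SECTION:\n"
        "rockefeller.edu.\t86400\tIN\tDS\t40486 5 1 "
        "954F779D591F011288CAD43D64D96EA543E0D3E5\n"
    ),
    "ns2.parent.example": (
        ";; AUTHORITY SECTION:\n"
        "edu.\t3600\tIN\tSOA\tns1.parent.example. hostmaster.example. "
        "1 7200 900 604800 3600\n"
    ),
}

# Constructed timestamp: when the DS was last seen on any parent server.
LAST_SEEN = datetime(2014, 1, 7, 16, 0, tzinfo=timezone.utc)

DS_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.M)

def ds_records(dig_output):
    """Return (owner, ttl, keytag, algorithm, digest_type, digest) for each DS in the text."""
    return [(m[1], int(m[2]), int(m[3]), int(m[4]), int(m[5]), m[6])
            for m in DS_RE.finditer(dig_output)]

def servers_still_serving_ds(captures):
    """Parent servers whose answer still carries a DS RRset (the ones to keep polling)."""
    return sorted(ns for ns, out in captures.items() if ds_records(out))

def earliest_unsign_time(captures, last_seen, ds_ttl):
    """Earliest time the zone may go unsigned: None while any parent server still
    serves the DS, otherwise last_seen (when the DS was last observed) + ds_ttl."""
    if servers_still_serving_ds(captures):
        return None
    return last_seen + timedelta(seconds=ds_ttl)

if __name__ == "__main__":
    print("still serving DS:", servers_still_serving_ds(PARENT_CAPTURES))
    print("safe to unsign after:", earliest_unsign_time(PARENT_CAPTURES, LAST_SEEN, 86400))
```

Re-run the check against all parent servers until the list is empty, then use the time of that last sighting as `last_seen`; the DS TTL (86400 here) comes from the parent's answer, not from your own zone's default TTL.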
When Updates Fail
Is there any way to tell what is actually being sent to bind when attempting a dynamic update? I have a perl script which is obviously broken because every forward update it tries to send fails.

    07-Jan-2014 15:38:09.458 client 192.168.1.5#17352: request has invalid signature: TSIG ns: tsig verify failure (BADKEY)

The key is actually one we use all the time for nsupdates and they are still working fine. For all I know, I am sending a null string due to a typo I haven't noticed yet, but the zone name and key look okay when single-stepping through the script. Heaven only knows what is actually being received by bind. Is there any way to narrow down what part of the request is broken/missing?

Thank you.

Martin McCormick
Re: When Updates Fail
On Jan 7, 2014, at 2:05 PM, Martin McCormick mar...@dc.cis.okstate.edu wrote:
> Is there any way to tell what is actually being sent to bind when attempting a dynamic update? I have a perl script which is obviously broken because every forward update it tries to send fails.
>
>     07-Jan-2014 15:38:09.458 client 192.168.1.5#17352: request has invalid signature: TSIG ns: tsig verify failure (BADKEY)

Are you using Net::DNS to send your updates? If so, what version? There is a bug in 0.73 with regard to TSIG. One solution, for the time being, is to downgrade to 0.72. Or there's a release candidate for 0.74 that apparently fixes it, but I haven't tested it.

Regards,
Chris Buxton