Re: What means -EDC in bind9 logs ?
Jean-François Leroux leroux.jeanfranc...@gmail.com writes:

> Hi, must be a stupid question but I hadn't noticed before that some queries in my server are labelled like that:
>
> query IN A -ED (or EDC, or EC)
>
> What does this mean?

You'll find the documentation for query-log entries in the BIND Administrators Reference Manual (ARM); search for the "category" phrase.

- : query received was an iterative query (no recursion, RD flag clear)
E : query indicated support for EDNS0 on the sender side
D : query had the DO flag (DNSSEC OK) set, sender understands DNSSEC
C : query had the CD flag set (DNSSEC checking disabled), requestor wants to see all DNSSEC data, even if it does not validate

Best regards

Carsten

Date: Thu, 24 Apr 2014 11:35:00 +0200
Message-ID: 87d2g7oyt7@csgate4.strotmann.de

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
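A decoder for those flag letters, added here as an example; it is not part of Carsten's reply or of BIND itself. It covers the complete set the BIND 9.9 ARM lists for the queries category (a leading + or - for RD, then S, E, T, D, C) and runs over a few constructed query-log lines in the 9.9 line shape; the client addresses (RFC 5737 documentation ranges) and names in them are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Flag letters the BIND 9.9 ARM documents for the "queries" log category.
# The leading "+"/"-" is the RD bit (recursion desired / not desired).
FLAG_MEANING: Dict[str, str] = {
    "S": "signed (TSIG or SIG(0))",
    "E": "EDNS0 present",
    "T": "received over TCP",
    "D": "DO bit set (DNSSEC OK)",
    "C": "CD bit set (checking disabled)",
}

# Shape of a 9.9-era query log line; the optional "@0x..." client handle and
# "view ...:" prefix tolerate later releases that add them.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<addr>\S+)#(?P<port>\d+) "
    r"(?:\([^)]*\): )?(?:view \S+: )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-][SETDC]*)"
)


@dataclass(frozen=True)
class QueryFlags:
    recursion_desired: bool
    signed: bool
    edns: bool
    tcp: bool
    dnssec_ok: bool
    checking_disabled: bool


def decode_flags(flags: str) -> QueryFlags:
    """Turn a flag string such as "-ED" or "+EDC" into named booleans."""
    if not flags or flags[0] not in "+-":
        raise ValueError(f"flag string must start with + or -: {flags!r}")
    letters = flags[1:]
    unknown = set(letters) - set(FLAG_MEANING)
    if unknown:
        raise ValueError(f"unknown flag letter(s) {sorted(unknown)} in {flags!r}")
    decoded = QueryFlags(
        recursion_desired=flags[0] == "+",
        signed="S" in letters,
        edns="E" in letters,
        tcp="T" in letters,
        dnssec_ok="D" in letters,
        checking_disabled="C" in letters,
    )
    # DO lives in the EDNS OPT record, so "D" without "E" cannot occur in a
    # well-formed log line; treat it as corruption rather than guessing.
    if decoded.dnssec_ok and not decoded.edns:
        raise ValueError(f"DO set without EDNS in {flags!r}")
    return decoded


def describe(flags: str) -> str:
    """Human-readable rendering of a flag string."""
    f = decode_flags(flags)
    parts = ["recursive (RD set)" if f.recursion_desired else "iterative (RD clear)"]
    parts += [FLAG_MEANING[c] for c in "SETDC" if c in flags[1:]]
    return ", ".join(parts)


def parse_query_line(line: str) -> Optional[dict]:
    """Extract client, question and decoded flags from one query log line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = decode_flags(rec["flags"])
    return rec


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many logged queries used EDNS, asked for DNSSEC data, etc."""
    counts = {"total": 0, "recursive": 0, "edns": 0, "dnssec_ok": 0, "checking_disabled": 0}
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        f = rec["decoded"]
        counts["total"] += 1
        counts["recursive"] += f.recursion_desired
        counts["edns"] += f.edns
        counts["dnssec_ok"] += f.dnssec_ok
        counts["checking_disabled"] += f.checking_disabled
    return counts


# Constructed sample lines in the BIND 9.9 query-log format; addresses and names are made up.
SAMPLE_LINES = [
    "24-Apr-2014 11:35:00.001 client 192.0.2.10#35569 (www.example.com): query: www.example.com IN A -ED (192.0.2.1)",
    "24-Apr-2014 11:35:00.002 client 192.0.2.11#40001 (example.net): query: example.net IN MX +EDC (192.0.2.1)",
    "24-Apr-2014 11:35:00.003 client 198.51.100.7#5353 (example.org): query: example.org IN AAAA +E (192.0.2.1)",
    "24-Apr-2014 11:35:00.004 client 192.0.2.12#60000 (example.org): query: example.org IN A + (192.0.2.1)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_query_line(line)
        print(f"{rec['qname']:>16} {rec['flags']:<5} {describe(rec['flags'])}")
    print(summarize(SAMPLE_LINES))
```

Two checks are worth keeping: a D without an E is rejected rather than decoded, because the DO bit travels in the EDNS OPT record and cannot appear without it; and summarize() answers the question the -ED / +EDC mix usually raises in practice, namely how many clients actually ask for DNSSEC data.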
Re: All client resolvers support DNSSEC compatible queries ???
Hello Jeronimo,

Jeronimo L. Cabral jelocab...@gmail.com writes:

> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian, Windows 7, Red Hat and CentOS. If we implement DNSSEC validation support in our BIND9 server... how can I know if our hosts' resolvers are compatible with DNSSEC queries?

Client host resolvers are usually not DNSSEC aware today. Certain applications (a browser with a DNSSEC validator plugin, the postfix MTA, ...) running on a client can be DNSSEC aware.

You can enable DNSSEC validation support on a BIND 9 caching server that is used as a resolver by your clients. BIND 9 9.9.x already comes with DNSSEC validation enabled; for older versions you need to enable it manually in the configuration.

Legacy (non DNSSEC aware) clients will send just regular DNS queries towards the BIND 9 caching resolver. BIND 9 will send queries with the DO flag (DNSSEC OK) towards the authoritative DNS server in the network. For DNSSEC signed zones, BIND 9 will validate the DNSSEC data. If the data validates without issues, the data is returned to the client as normal DNS (no DNSSEC). If the data fails to validate, the bad data is not sent to the clients; instead a SERVFAIL error message is sent to the client.

DNSSEC is backwards compatible in the sense that you can enable DNSSEC validation without the need to make changes to legacy clients.

Windows 7 and Windows 8 clients can build a special trust relationship with an AD integrated Windows DNS Server to secure the last mile between the client and the resolving DNS cache. However, to my knowledge this is not possible with Windows and a BIND 9 DNS.

Best regards

Carsten
Re: All client resolvers support DNSSEC compatible queries ???
Carsten Strotmann c...@strotmann.de wrote:

> You can enable DNSSEC validation support on a BIND 9 caching server that is used as a resolver by your clients. BIND 9 9.9.x already comes with DNSSEC validation enabled, for older versions you need to enable it manually in the configuration.

DNSSEC validation needs to be explicitly enabled in every version of BIND. Since version 9.8 BIND ships with a built-in root trust anchor, so to enable validation you can just add

    dnssec-validation auto;

(and dnssec-lookaside auto; if you like).

The dnssec-enable option defaults to yes (since version 9.5), but this just makes BIND DNSSEC-aware (so it supports the special semantics of DNSSEC RR types); it does not make it validate.

The rest of what you said is correct.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Fair Isle, Faeroes, South-east Iceland: Mainly southeasterly 5 or 6, decreasing 4 at times. Moderate or rough. Occasional rain, fog patches. Moderate or good, occasionally very poor.
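Tony's point, that dnssec-enable yes on its own does not validate, is easy to get wrong when reading a named.conf, so here is a small checker, added as an example and not BIND code, that pulls the two options out of a configuration and reports whether the server would validate. The three fragments are constructed; the defaults assumed (dnssec-enable yes, dnssec-validation unset) are those of the 9.5 to 9.9 releases discussed in the thread, and a dnssec-validation yes with no trusted-keys or managed-keys block is reported as not validating, since yes, unlike auto, supplies no trust anchor of its own.

```python
import re
from typing import Dict, Optional

# Constructed named.conf fragments (examples only, not from any real server).
# Weak: only dnssec-enable, which makes named DNSSEC-aware but not a validator.
NAMED_CONF_WEAK = """
options {
    directory "/var/cache/bind";
    recursion yes;
    dnssec-enable yes;   // the 9.5+ default; does NOT turn on validation
};
"""

# Corrected: validation with the built-in root trust anchor (BIND 9.8 and later).
NAMED_CONF_AUTO = """
options {
    directory "/var/cache/bind";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation auto;  /* built-in root key, kept current via RFC 5011 */
};
"""

# Misconfigured: "yes" asks for validation but supplies no trust anchor,
# so there is nothing to validate against.
NAMED_CONF_YES_NO_ANCHOR = """
options {
    recursion yes;
    dnssec-validation yes;
};
"""


def strip_comments(text: str) -> str:
    """Remove the C, C++ and shell style comments named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text: str, name: str) -> Optional[str]:
    """Body of the first "<name> { ... };" block, honouring nested braces."""
    m = re.search(rf"\b{name}\b[^{{;]*\{{", text)
    if not m:
        return None
    depth, start = 0, m.end() - 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError(f"unterminated {name} block")


def dnssec_settings(conf: str) -> Dict[str, Optional[str]]:
    """Effective dnssec-enable / dnssec-validation values after applying the
    9.5-9.9 defaults (enable: yes, validation: unset), plus where the trust
    anchor would come from."""
    clean = strip_comments(conf)
    opts = block_body(clean, "options")
    if opts is None:
        raise ValueError("no options block found")
    settings: Dict[str, Optional[str]] = {"dnssec-enable": "yes", "dnssec-validation": None}
    for key in list(settings):
        m = re.search(rf"\b{key}\s+(auto|yes|no)\s*;", opts)
        if m:
            settings[key] = m.group(1)
    if settings["dnssec-validation"] == "auto":
        settings["trust-anchor"] = "builtin"
    elif any(block_body(clean, k) is not None for k in ("managed-keys", "trusted-keys")):
        settings["trust-anchor"] = "configured"
    else:
        settings["trust-anchor"] = None
    return settings


def validation_status(conf: str) -> str:
    """One-line verdict on whether this named.conf makes the server validate."""
    s = dnssec_settings(conf)
    if s["dnssec-enable"] != "yes":
        return "not-validating (dnssec-enable no disables DNSSEC entirely)"
    if s["dnssec-validation"] not in ("yes", "auto"):
        return "not-validating (dnssec-validation unset or no)"
    if s["trust-anchor"] is None:
        return "not-validating (dnssec-validation yes but no trust anchor)"
    return f"validating ({s['trust-anchor']} trust anchor)"


if __name__ == "__main__":
    for label, conf in (("weak", NAMED_CONF_WEAK), ("auto", NAMED_CONF_AUTO),
                        ("yes, no anchor", NAMED_CONF_YES_NO_ANCHOR)):
        print(f"{label:>15}: {validation_status(conf)}")
```

The checker only looks at the global options block, which is where these two statements normally live; per-view settings would need the same treatment applied to each view block.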
Re: All client resolvers support DNSSEC compatible queries ???
2014-04-24 13:46 GMT+04:00 Carsten Strotmann c...@strotmann.de:

> Hello Jeronimo,
>
> Jeronimo L. Cabral jelocab...@gmail.com writes:
>
>> Dear, we have several hosts in our LAN that ask our BIND DNS: Debian, Windows 7, Red Hat and CentOS. If we implement DNSSEC validation support in our BIND9 server... how can I know if our hosts' resolvers are compatible with DNSSEC queries?
>
> Client host resolvers are usually not DNSSEC aware today. Certain applications (a browser with a DNSSEC validator plugin, the postfix MTA, ...) running on a client can be DNSSEC aware.
>
> You can enable DNSSEC validation support on a BIND 9 caching server that is used as a resolver by your clients. BIND 9 9.9.x already comes with DNSSEC validation enabled; for older versions you need to enable it manually in the configuration.
>
> Legacy (non DNSSEC aware) clients will send just regular DNS queries towards the BIND 9 caching resolver. BIND 9 will send queries with the DO flag (DNSSEC OK) towards the authoritative DNS server in the network. For DNSSEC signed zones, BIND 9 will validate the DNSSEC data. If the data validates without issues, the data is returned to the client as normal DNS (no DNSSEC). If the data fails to validate, the bad data is not sent to the clients; instead a SERVFAIL error message is sent to the client.

Actually a resolver sends the client an answer with the AD (authenticated data) bit set if the response from the authoritative server is successfully validated. If the zone in question isn't secured by DNSSEC, then the client receives a response without the AD bit. If validation fails: SERVFAIL.

> DNSSEC is backwards compatible in the sense that you can enable DNSSEC validation without the need to make changes to legacy clients.
>
> Windows 7 and Windows 8 clients can build a special trust relationship with an AD integrated Windows DNS Server to secure the last mile between the client and the resolving DNS cache. However, to my knowledge this is not possible with Windows and a BIND 9 DNS.

IPSec, AFAIK.

> Best regards
>
> Carsten

--
Is there any problem Exterminatus cannot solve? I have not found one yet.
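Vladimir's three outcomes (AD set, AD clear, SERVFAIL) are header bits, while the DO bit Carsten mentions lives in the EDNS OPT pseudo-record rather than in the header. The following is an added example, not code from the thread or from BIND, that builds a few constructed replies, reads those bits back and walks a message section by section to find its OPT record; the names and addresses are made up (RFC 5737 ranges).

```python
import struct
from typing import Optional

# Header flag bits: RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
TYPE_A, TYPE_OPT = 1, 41
EDNS_DO = 0x8000  # DO bit, high bit of the OPT record's TTL field (RFC 4035 section 3.2.1)


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into flags, rcode and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": bool(flags & QR), "aa": bool(flags & AA), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def find_opt(msg: bytes) -> Optional[dict]:
    """Return the OPT pseudo-record if present, else None (no EDNS in the message)."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:                      # CLASS carries UDP size, TTL carries flags
            return {"udp_payload": rclass, "do": bool(ttl & EDNS_DO), "ext_rcode": ttl >> 24}
        off += 10 + rdlen
    return None


def build_response(msg_id: int, flags: int, rcode: int, qname: str,
                   answer_ip: Optional[str], with_opt: bool, do: bool = False) -> bytes:
    """Assemble a minimal response: question, optional A answer, optional OPT."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = b""
    if answer_ip is not None:   # owner name is a pointer to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 3600, 4)
        answer += bytes(int(o) for o in answer_ip.split("."))
    opt = b""
    if with_opt:                # OPT: root owner, class = 4096-byte UDP payload, TTL = flags
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    header = struct.pack("!HHHHHH", msg_id, QR | flags | (rcode & 0xF), 1,
                         1 if answer_ip is not None else 0, 0, 1 if with_opt else 0)
    return header + question + answer + opt


def classify_reply(msg: bytes) -> str:
    """What a client learns from a validating resolver's reply."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == SERVFAIL:
        return "servfail"                     # validation failed (or another resolver failure)
    if h["cd"]:
        return "unvalidated (client set CD)"  # resolver handed back data without checking it
    if h["ad"]:
        return "validated"                    # every RRset in the answer was validated
    return "unvalidated (unsigned zone, or AD not requested)"


# Constructed replies from a validating resolver to a stub that set RD and AD but no EDNS,
# plus two authoritative-style answers, one without any OPT record and one with DO set.
REPLY_VALIDATED = build_response(1, RD | RA | AD, NOERROR, "www.example.com", "192.0.2.80", with_opt=False)
REPLY_UNSIGNED_ZONE = build_response(2, RD | RA, NOERROR, "www.example.net", "192.0.2.81", with_opt=False)
REPLY_FAILED = build_response(3, RD | RA, SERVFAIL, "bad.example.org", None, with_opt=False)
REPLY_CD = build_response(4, RD | RA | CD, NOERROR, "bad.example.org", "192.0.2.82", with_opt=False)
AUTH_NO_EDNS = build_response(1000, AA, NOERROR, "www.example.org", "192.0.2.83", with_opt=False)
AUTH_WITH_DO = build_response(1001, AA, NOERROR, "www.example.com", "192.0.2.80", with_opt=True, do=True)

if __name__ == "__main__":
    for label, m in (("validated", REPLY_VALIDATED), ("unsigned", REPLY_UNSIGNED_ZONE),
                     ("failed", REPLY_FAILED), ("cd", REPLY_CD)):
        print(f"{label:>10}: {classify_reply(m)}")
    print("authoritative reply without EDNS ->", find_opt(AUTH_NO_EDNS))
    print("authoritative reply with DO     ->", find_opt(AUTH_WITH_DO))
```

Two caveats a practitioner will want here: BIND sets AD in a reply only when the query carried the AD or DO bit (RFC 6840 section 5.7), so a legacy stub that sets neither never sees AD even for a validated answer; and AD is only as trustworthy as the path between stub and resolver, which is the last-mile problem Carsten's Windows remark is about. find_opt() is also the check for the situation Tony describes further down the page, an authoritative reply with no OPT record and hence no RRSIGs.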
Re: DNSSEC domain and sub-domains
r...@iastate.edu r...@iastate.edu wrote:

> If we implement DNSSEC for iastate.edu, admin.iastate.edu and its.iastate.edu, must DNSSEC be implemented for the delegated zones as well?

No, in exactly the same way that signing .edu does not mean iastate.edu has to be signed. If there are no DS records at the delegation point for cs.iastate.edu that means that cs.iastate.edu is insecure.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
South Biscay: Easterly 4 or 5, veering westerly 5 to 7. Rough. Rain or showers. Good, occasionally poor.
Re: DNSSEC domain and sub-domains
On Apr 24, 2014, at 11:01 AM, Tony Finch d...@dotat.at wrote:

> r...@iastate.edu r...@iastate.edu wrote:
>
>> If we implement DNSSEC for iastate.edu, admin.iastate.edu and its.iastate.edu, must DNSSEC be implemented for the delegated zones as well?
>
> No, in exactly the same way that signing .edu does not mean iastate.edu has to be signed. If there are no DS records at the delegation point for cs.iastate.edu that means that cs.iastate.edu is insecure.
>
> Tony.
> --
> f.anthony.n.finch d...@dotat.at http://dotat.at/
> South Biscay: Easterly 4 or 5, veering westerly 5 to 7. Rough. Rain or showers. Good, occasionally poor.

I knew that, but I started to doubt what I knew. Thanks for the confirmation and for setting my mind at ease.

--
Rod Eldridge
Network Infrastructure, Authentication, Directory Services Team
Mac OS X Development Team
IT Services, Iowa State University of Science and Technology
Strange validation failure for answers.ssh.com
We have a couple of recursive servers running 9.9.5 which are persistently unable to validate answers.ssh.com, returning SERVFAIL. With debug logging turned on we get (amongst lots of other things):

24-Apr-2014 16:41:23.087 client 131.111.56.28#35569 (answers.ssh.com): query (cache) 'answers.ssh.com/A/IN' approved
24-Apr-2014 16:41:23.087 client 131.111.56.28#35569 (answers.ssh.com): replace
24-Apr-2014 16:41:23.127 validating @2e4e75b8: answers.ssh.com A: starting
24-Apr-2014 16:41:23.127 validating @2e4e75b8: answers.ssh.com A: attempting insecurity proof
24-Apr-2014 16:41:23.127 validating @2e4e75b8: answers.ssh.com A: checking existence of DS at 'com'
24-Apr-2014 16:41:23.127 validating @2e4e75b8: answers.ssh.com A: checking existence of DS at 'ssh.com'
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: starting
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: attempting positive response validation
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: keyset with trust secure
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: verify rdataset (keyid=56657): success
24-Apr-2014 16:41:24.114 validating @252fd3f0: ssh.com DS: marking as secure, noqname proof not needed
24-Apr-2014 16:41:24.115 validating @2e4e75b8: answers.ssh.com A: in dsfetched2: success
24-Apr-2014 16:41:24.115 validating @2e4e75b8: answers.ssh.com A: resuming proveunsecure
24-Apr-2014 16:41:24.115 validating @2e4e75b8: answers.ssh.com A: checking existence of DS at 'answers.ssh.com'
24-Apr-2014 16:41:24.115 validating @2e4e75b8: answers.ssh.com A: bad cache hit (answers.ssh.com/DS)
24-Apr-2014 16:41:24.115 error (broken trust chain) resolving 'answers.ssh.com/A/IN': 208.109.255.50#53
24-Apr-2014 16:41:24.117 client 131.111.56.28#35569 (answers.ssh.com): query failed (SERVFAIL) for answers.ssh.com/IN/A at query.c:7005
24-Apr-2014 16:41:24.117 fetch completed at resolver.c:4173 for answers.ssh.com/A in 1.028114: broken trust chain/broken trust chain [domain:ssh.com,referral:1,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]

Questions:

- Why is it attempting an insecurity proof?
- Why is there a bad cache hit for one of the DS queries?

With a bit more debugging turned on we see that named is getting a response from the authoritative server without EDNS and without DNSSEC (see below). Is it omitting EDNS from its query, and if so why?

rndc flushname on answers.ssh.com and ssh.com and all the name servers for ssh.com doesn't fix it. (If I understand it correctly, in 9.9 flushname should clear an entry from the bad cache but flushtree does not. The latter is improved in 9.10.)

It might be nice at this debugging level to log queries as well as responses, and the source and destination addresses of packets.

24-Apr-2014 17:55:31.395 resquery 126e5060 (fctx 18262460(answers.ssh.com/A)): response
24-Apr-2014 17:55:31.395 received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62966
;; flags: qr aa; QUESTION: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2
;; QUESTION SECTION:
;answers.ssh.com.               IN      A

;; ANSWER SECTION:
answers.ssh.com.        3600    IN      A       194.137.52.201

;; AUTHORITY SECTION:
ssh.com.                3600    IN      NS      pdns02.domaincontrol.com.
ssh.com.                3600    IN      NS      pdns01.domaincontrol.com.
ssh.com.                3600    IN      NS      ns2.ssh.com.
ssh.com.                3600    IN      NS      ns1.ssh.com.

;; ADDITIONAL SECTION:
ns2.ssh.com.            600     IN      A       208.109.255.50
ns1.ssh.com.            600     IN      A       216.69.185.50

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Lundy: Variable 4, becoming southeast 5 or 6. Slight or moderate. Showers. Good, occasionally moderate.
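The trace above shows named's insecurity proof walking DS lookups from the trust anchor downward. The model below, an added example and not named's code, plays out the same walk over a constructed table of DS states. The ssh.com entries follow the log (DS at com and at ssh.com secure, the answers.ssh.com DS lookup hitting the bad cache); the iastate.edu entries are invented to illustrate Tony's answer to Rod in the thread above, that a delegation with no DS is insecure and sits happily under a signed parent. It does not diagnose why the DS query hit the bad cache, which is the open question of the post.

```python
from typing import Dict, List, Tuple

# Constructed view of what the validator knows about the DS RRset at each name it
# will touch. The states model the outcomes a DS lookup can have:
#   "present": a DS RRset validated at the parent -> secure delegation, keep walking
#   "absent":  the parent's signed NSEC/NSEC3 proves there is no DS -> insecure delegation, stop
#   "nocut":   the parent's proof shows no NS here either -> not a delegation, keep walking
#   "unknown": the DS query produced nothing usable (here: the bad cache hit in the log)
DS_TABLE: Dict[str, str] = {
    "com": "present",
    "ssh.com": "present",
    "answers.ssh.com": "unknown",          # mirrors "bad cache hit (answers.ssh.com/DS)"
    "edu": "present",
    "iastate.edu": "present",
    "admin.iastate.edu": "present",        # invented: a signed child zone
    "www.admin.iastate.edu": "nocut",      # invented: a host inside admin.iastate.edu
    "cs.iastate.edu": "absent",            # invented: child delegated without DS
}


def ancestors(name: str) -> List[str]:
    """Names from the TLD down to name: "a.b.com" -> ["com", "b.com", "a.b.com"]."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def prove_unsecure(qname: str, ds_table: Dict[str, str] = DS_TABLE) -> Tuple[str, List[str]]:
    """Insecurity proof for an answer that arrived without RRSIGs: walk the DS chain
    downward from the root trust anchor, as named's proveunsecure() does in the trace.
    Returns (verdict, trace); verdict is one of
      "insecure"            an unsigned delegation was proven; the answer is accepted, AD clear
      "broken trust chain"  a DS lookup could not be completed; the client gets SERVFAIL
      "bogus"               every cut is secure, so an unsigned answer is invalid; SERVFAIL
    """
    trace: List[str] = []
    for zone in ancestors(qname):
        if zone not in ds_table:
            # A real validator must fetch this; a proof that skips a label is no proof.
            raise KeyError(f"no DS state recorded for '{zone}'")
        state = ds_table[zone]
        trace.append(f"checking existence of DS at '{zone}': {state}")
        if state == "absent":
            return "insecure", trace
        if state == "unknown":
            return "broken trust chain", trace
    return "bogus", trace


def client_outcome(qname: str, ds_table: Dict[str, str] = DS_TABLE) -> str:
    """Map the proof verdict to what the querying client sees."""
    verdict, _ = prove_unsecure(qname, ds_table)
    return "answer returned, AD clear" if verdict == "insecure" else "SERVFAIL"


if __name__ == "__main__":
    for name in ("answers.ssh.com", "cs.iastate.edu", "www.cs.iastate.edu", "www.admin.iastate.edu"):
        verdict, trace = prove_unsecure(name)
        print(f"{name}: {verdict} -> client sees {client_outcome(name)}")
        for line in trace:
            print("   ", line)
```

The third verdict matters as much as the other two: if every cut down to the name is secure and the answer still arrived without signatures, a validator must treat it as bogus, because accepting it would let an on-path attacker strip RRSIGs at will. That is also why a resolver cannot simply skip a DS lookup it could not complete, which is what the "unknown" state and the KeyError enforce in this model.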
how to modify NTASKS and NRECVS in lwresd?
Hello,

I have a customer who is trying to eke out additional performance in lwresd by increasing the number/ratio of NTASKS:NRECVS in lwresd. Is there an option to modify this in stock BIND 9.8.x or 9.9.x?

Thanks.

-
Sam Roza, RHCE
Technical Account Manager
Global Support Services
Red Hat, Inc.
Desk: 650-254-4004
Cell: 408-829-9591