Re: Disable DNSSEC Validation for selected Domains
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:

> I know that BIND has no feature to disable DNSSEC validation for selected
> Zones/Domains (when working as a recursor).
> One can only enable/disable DNSSEC validation globally per view (as a boolean
> on/off).
[...]
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care enough to
> implement it yet?

While you wait for this to become generally available, you can do what I like to do for my customers: use two layers of recursive DNS servers.

The first layer takes queries from clients, knows about your insecure domains (through stub zones, slave zones, or conditional forwarding), and does not perform DNSSEC validation. The first layer globally forwards to the second layer, which does DNSSEC validation and recursion.

This second layer can also have a few other features:

- Placed in the DMZ, outside the internal firewall
- No access to internal namespace, internal devices, etc.
- RPZ filtering, if you're going to use this

You can also achieve much of this within a single named instance using two views, with forwarding from one view to the other.

Chris

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
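The single-instance variant of the design above, written out as a named.conf sketch. This is an added illustration, not configuration from Chris's post or from ISC; the ACL members, the service address 10.0.0.53, the loopback hop address 127.0.0.2, the zone names corp.example / lab.example / rpz.local, the customer server addresses and the file paths are all assumptions.

```conf
// Added example (not from the original post): one named instance, two views.
// View "clients" faces the internal network, knows the insecure customer
// domains and does NOT validate; it forwards everything else into view
// "validating", which recurses to the Internet with DNSSEC validation on.
// All addresses, ACL members, zone names and file paths are assumptions.

acl "internal_nets" { 10.0.0.0/8; 192.168.0.0/16; };   // assumed client ranges

options {
    directory "/var/named";
    // 10.0.0.53: the address clients are given. 127.0.0.2: a loopback address
    // reserved for the hop between the two views (assumed, must be listened on).
    listen-on { 10.0.0.53; 127.0.0.1; 127.0.0.2; };
    recursion yes;
};

// Layer 1: client-facing, non-validating. A customer zone with a broken
// proof-of-non-existence still resolves here because nothing is validated.
view "clients" {
    match-clients      { internal_nets; };
    match-destinations { 10.0.0.53; 127.0.0.1; };
    recursion yes;
    dnssec-validation no;

    // Everything this view does not know about goes to layer 2.
    forward only;
    forwarders { 127.0.0.2; };

    // Conditional forwarding to a customer's own servers for their internal domain.
    zone "corp.example" {
        type forward;
        forward only;
        forwarders { 192.0.2.10; 192.0.2.11; };
    };

    // Or hold the delegation data locally (stub or slave).
    zone "lab.example" {
        type stub;
        masters { 192.0.2.20; };
        file "stub/lab.example";
    };
};

// Layer 2: reachable only from this host on 127.0.0.2. Validates, recurses,
// knows nothing about the internal namespace, and is where RPZ belongs.
view "validating" {
    match-clients      { localhost; };
    match-destinations { 127.0.0.2; };
    recursion yes;
    dnssec-validation auto;     // built-in root trust anchor

    // Optional RPZ filtering, kept out of the client-facing view.
    response-policy { zone "rpz.local"; };
    zone "rpz.local" {
        type master;
        file "rpz.local.db";
    };
};
```

View selection is driven by match-destinations, so it does not depend on which loopback source address the kernel picks for the forwarded query: a query arriving on 10.0.0.53 from an internal client lands in "clients", the forwarded copy arriving on 127.0.0.2 lands in "validating". Run named-checkconf on the result before loading it. Two caveats a practitioner should expect: answers handed to clients come from a non-validating view, so they will not carry the AD bit even though the validating view checked them; and everything under the zones listed in "clients" is trusted exactly as the customer's servers serve it, so keep that list to the domains that actually need the exemption.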
Re: FYI: adobe.com GSLB DNS servers choking on "nsid"
We tried. It's "we don't get enough complaints", so we won't actually ask our nameserver vendor how to fix this, despite us telling them that they just need to add a CNAME record to the backend zone.

The load balancer has a front end that answers A and AAAA queries. CNAME/TXT/SOA and "unusual" A and AAAA queries are passed to the backend (a regular nameserver). This backend is not configured with a CNAME record for ardownload.wip4.adobe.com / airdownload.wip4.adobe.com so it returns NXDOMAIN. Adding CNAME records to the regular zone will fix some of the errors with these nameservers. There are other errors which require the load balancer vendor to fix.

Mark

In message <54b50f21.6010...@imperial.ac.uk>, Phil Mayers writes:

> Just to save anyone else the trouble, I've just found that some of the
> GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
>
> # dig +norec +dnssec +nsid @193.104.215.247 ardownload.wip4.adobe.com
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50062
>
> ...versus:
>
> # dig +norec +dnssec @193.104.215.247 ardownload.wip4.adobe.com
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20650
>
> ;; ANSWER SECTION:
>
> I will make a (doubtless futile) effort to contact them, but if anyone
> has a decent route in...

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: FYI: adobe.com GSLB DNS servers choking on "nsid"
On Tue, 2015-01-13 at 12:49 +0000, Phil Mayers wrote:

> Just found another; dns{0,1}.getsurfed.com are returning crazy error
> codes with "nsid" (and presumably other) edns options:
>
> # dig +norec +nsid @213.162.97.177 www.london-nano.com
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: ?17, id: 21450
>
> Sigh...
>
> I'd advise strongly against people enabling "sit" in 9.10 right now...

After adding the getsurfed ones, I have:

// adobe servers that don't understand edns options
server 192.150.16.247 { request-sit no; };
server 192.150.19.247 { request-sit no; };
server 193.104.215.247 { request-sit no; };

// eia.gov servers that don't understand edns options
server 205.254.135.9 { request-sit no; };
server 199.36.140.199 { request-sit no; };

// lctcs.edu servers that don't understand edns options
server 76.165.120.16 { request-sit no; };
server 76.165.210.249 { request-sit no; };

// london-nano.com servers that don't understand edns options
server 213.162.97.177 { request-sit no; };
server 213.162.97.178 { request-sit no; };
Re: Disable DNSSEC Validation for selected Domains
Hello Stefan

You may also try to disable all DNSSEC algorithms for a zone:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html

Regards,
Daniel

On 13.01.15 14:53, stefan.las...@t-systems.com wrote:
> Hi Mukund
>
> and thanks a lot for pointing that out!
> It is already more than I was hoping for :)
>
> Regards,
> Stefan
>
>> BIND will get support for negative trust anchors in 9.11, which will provide
>> the feature that you seek. An implementation is now in the master branch.
>>
>> https://tools.ietf.org/html/draft-livingood-negative-trust-anchors-07
>>
>> In partnership with our subscription customers who support future feature
>> development by helping to fund our engineering work, we currently have a
>> subscription branch where features critical to their current needs are
>> backported from master and are currently available for their use. We are
>> trialling the negative trust anchors feature there now. If you absolutely
>> need this now, please contact ISC about it.
>>
>> Another option is to run the master branch, but we don't recommend it as it
>> is a development branch with several new features, some of which may be
>> unstable or changing rapidly. Negative trust anchors will be released to the
>> public in the 9.11 release.
>>
>> Mukund
Re: Disable DNSSEC Validation for selected Domains
Hi Mukund

and thanks a lot for pointing that out!
It is already more than I was hoping for :)

Regards,
Stefan

> BIND will get support for negative trust anchors in 9.11, which will provide
> the feature that you seek. An implementation is now in the master branch.
>
> https://tools.ietf.org/html/draft-livingood-negative-trust-anchors-07
>
> In partnership with our subscription customers who support future feature
> development by helping to fund our engineering work, we currently have a
> subscription branch where features critical to their current needs are
> backported from master and are currently available for their use. We are
> trialling the negative trust anchors feature there now. If you absolutely
> need this now, please contact ISC about it.
>
> Another option is to run the master branch, but we don't recommend it as it
> is a development branch with several new features, some of which may be
> unstable or changing rapidly. Negative trust anchors will be released to the
> public in the 9.11 release.
>
> Mukund
Re: FYI: adobe.com GSLB DNS servers choking on "nsid"
On 13/01/15 12:39, Phil Mayers wrote:
> On 13/01/15 12:37, Anand Buddhdev wrote:
>> On 13/01/15 13:27, Phil Mayers wrote:
>>> Just to save anyone else the trouble, I've just found that some of the
>>> GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
>>
>> It's not just NSID. They're responding with NXDOMAIN if you send any
>> EDNS option they don't understand, so it's the same with the EXPIRE and
>> SUBNET options as well.
>
> Yeah, I just found that. Turns out we're getting caught out because we
> have "sit" enabled (accidentally). This must be recent(-ish) though;
> we've been on 9.10 since December and only just had the report.

Just found another; dns{0,1}.getsurfed.com are returning crazy error codes with "nsid" (and presumably other) edns options:

# dig +norec +nsid @213.162.97.177 www.london-nano.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: ?17, id: 21450

Sigh...

I'd advise strongly against people enabling "sit" in 9.10 right now...
Re: FYI: adobe.com GSLB DNS servers choking on "nsid"
On 13/01/15 12:37, Anand Buddhdev wrote:
> On 13/01/15 13:27, Phil Mayers wrote:
>> Just to save anyone else the trouble, I've just found that some of the
>> GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
>
> It's not just NSID. They're responding with NXDOMAIN if you send any
> EDNS option they don't understand, so it's the same with the EXPIRE and
> SUBNET options as well.

Yeah, I just found that. Turns out we're getting caught out because we have "sit" enabled (accidentally). This must be recent(-ish) though; we've been on 9.10 since December and only just had the report.
Re: FYI: adobe.com GSLB DNS servers choking on "nsid"
On 13/01/15 13:27, Phil Mayers wrote:
> Just to save anyone else the trouble, I've just found that some of the
> GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:

It's not just NSID. They're responding with NXDOMAIN if you send any EDNS option they don't understand, so it's the same with the EXPIRE and SUBNET options as well.

Regards,
Anand Buddhdev
RIPE NCC
Re: FYI: adobe.com GSLB DNS servers choking on "nsid"
On 13/01/15 12:27, Phil Mayers wrote:
> Just to save anyone else the trouble, I've just found that some of the
> GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:

...and in fact "sit", which is the actual problem option we're hitting (our 9.10 package seems to have been unintentionally compiled with that enabled <g>...)

Presumably any unknown edns option.
FYI: adobe.com GSLB DNS servers choking on "nsid"
Just to save anyone else the trouble, I've just found that some of the GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:

# dig +norec +dnssec +nsid @193.104.215.247 ardownload.wip4.adobe.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50062

...versus:

# dig +norec +dnssec @193.104.215.247 ardownload.wip4.adobe.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20650

;; ANSWER SECTION:

I will make a (doubtless futile) effort to contact them, but if anyone has a decent route in...
Re: Disable DNSSEC Validation for selected Domains
Hi Stefan

On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote:
> Some of the internal Domains of our customers will fail the
> proof-of-non-existence. While this is technically correct, we still
> need access to their internal Domain to do our business... So the
> current all-or-nothing approach of BIND prevents us from activating
> DNSSEC altogether (and will probably do so for years to come).
>
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implement it yet?

BIND will get support for negative trust anchors in 9.11, which will provide the feature that you seek. An implementation is now in the master branch.

https://tools.ietf.org/html/draft-livingood-negative-trust-anchors-07

In partnership with our subscription customers who support future feature development by helping to fund our engineering work, we currently have a subscription branch where features critical to their current needs are backported from master and are currently available for their use. We are trialling the negative trust anchors feature there now. If you absolutely need this now, please contact ISC about it.

Another option is to run the master branch, but we don't recommend it as it is a development branch with several new features, some of which may be unstable or changing rapidly. Negative trust anchors will be released to the public in the 9.11 release.

Mukund
Re: Disable DNSSEC Validation for selected Domains
stefan.las...@t-systems.com wrote:
>
> I know that BIND has no feature to disable DNSSEC validation for
> selected Zones/Domains (when working as a recursor).

BIND 9.11 will have negative trust anchors.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Fair Isle: Southwest 6 to gale 8, occasionally severe gale 9 at first. Very rough or high, but rough east of northern isles. Thundery wintry showers. Good, occasionally poor.
Disable DNSSEC Validation for selected Domains
Hi @all,

I know that BIND has no feature to disable DNSSEC validation for selected Zones/Domains (when working as a recursor). One can only enable/disable DNSSEC validation globally per view (as a boolean on/off).

I found that Microsoft's DNS Server has a feature to skip the validation for some Domains. They call it NRPT (Name Resolution Policy Table). Unbound also has a similar Feature (domain-insecure).

Some of the internal Domains of our customers will fail the proof-of-non-existence. While this is technically correct, we still need access to their internal Domain to do our business... So the current all-or-nothing approach of BIND prevents us from activating DNSSEC altogether (and will probably do so for years to come).

I'm just wondering, is an option like unbound's "domain-insecure" intentionally not implemented in BIND? Or did just nobody care enough to implement it yet?

Regards,
Stefan