Re: DNS RPZ triggers

2017-01-27 Thread Mukund Sivaraman
Hi ard

On Fri, Jan 27, 2017 at 08:51:14PM +, der...@mskcc.org wrote:
> Hi All,
> 
> Back in December 2016, I worked on a problem in which a particular hostname 
> (a website) would not resolve from our DNS servers, but Level3, Google DNS, 
> and OpenDNS resolved it.  It was clear that somewhere outside our network 
> there was policy (security or otherwise) that prevented us from getting the 
> resolution.  It was not easy to get the website owners to work on this from 
> their side, but eventually the problem was corrected.  How this case is 
> relevant to bind-users is that we implement RPZs and I had hoped that I could 
> add the hostname to the RPZ zone and return to clients the IP that I knew was 
> correct (from Level3, OpenDNS).  However, I was told by our vendor that that 
> was not possible because RPZs only trigger when there is an actual resolution 
> for the queried A record.
> 
> Doing some reading today, I came across Paul Vixie's (creator of DNS RPZ) 
> article "What are the features of the DNS RPZ firewall?" on the ISC.org site 
> (https://deepthought.isc.org/article/AA-00516/0).  There he lists the 
> triggers that a DNS RPZ honors.  Here is the section:
> 
> In a DNS firewall based on DNS RPZ, each rule can use one of four policy 
> triggers and specify one of four policy actions.
> 
> A response policy in DNS RPZ can be triggered as follows:
> 
>   1.  by the query name.
>   2.  by an address which would be present in a truthful response.
>   3.  by the name or address of an authoritative name server 
> responsible for publishing the original response.
> 
> So, there it is: trigger 1 is what I was looking for.
> 
> Our DNS platform is BIND based, and I don't understand why the vendor's 
> implementation (mostly ISC code from my understanding) does not comport 
> itself according to Paul Vixie's specs above.  Instead it has added a 
> dependency in which the server must receive a response in order for a 
> response policy action to be triggered.

It is not clear which "vendor's implementation" you're talking about,
but in this case you ought to contact the vendor if it is not ISC, and
not this list. This list is about vanilla BIND.

In vanilla BIND, see the "qname-wait-recurse" option.

Mukund


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DNS RPZ triggers

2017-01-27 Thread derasa
Hi All,

Back in December 2016, I worked on a problem in which a particular hostname (a 
website) would not resolve from our DNS servers, but Level3, Google DNS, and 
OpenDNS resolved it.  It was clear that somewhere outside our network there was 
policy (security or otherwise) that prevented us from getting the resolution.  
It was not easy to get the website owners to work on this from their side, but 
eventually the problem was corrected.  How this case is relevant to bind-users 
is that we implement RPZs and I had hoped that I could add the hostname to the 
RPZ zone and return to clients the IP that I knew was correct (from Level3, 
OpenDNS).  However, I was told by our vendor that that was not possible because 
RPZs only trigger when there is an actual resolution for the queried A record.

Doing some reading today, I came across Paul Vixie's (creator of DNS RPZ) 
article "What are the features of the DNS RPZ firewall?" on the ISC.org site 
(https://deepthought.isc.org/article/AA-00516/0).  There he lists the triggers 
that a DNS RPZ honors.  Here is the section:

In a DNS firewall based on DNS RPZ, each rule can use one of four policy 
triggers and specify one of four policy actions.

A response policy in DNS RPZ can be triggered as follows:

  1.  by the query name.
  2.  by an address which would be present in a truthful response.
  3.  by the name or address of an authoritative name server 
responsible for publishing the original response.

So, there it is: trigger 1 is what I was looking for.

Our DNS platform is BIND based, and I don't understand why the vendor's 
implementation (mostly ISC code from my understanding) does not comport itself 
according to Paul Vixie's specs above.  Instead it has added a dependency in 
which the server must receive a response in order for a response policy action 
to be triggered.

Has anyone here had any experience with this behavior, or do you think the 
vendor must add this "feature" to its BIND flavor?

Thanks,
ard

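
The trigger semantics ard and Mukund are discussing above, as an added example; this is not code from the thread, from ISC or from any vendor product, and the policy zone, host names and addresses in it are constructed for the example. In named.conf the policy zone is loaded like any other zone (for instance `zone "rpz.example" { type master; file "rpz.example.db"; allow-query { localhost; }; };`) and then named in `response-policy { zone "rpz.example"; } qname-wait-recurse no;`. The model below matches a query against the zone's QNAME, IP and NSDNAME rules, maps the rule's RDATA to the policy action, and its last function shows what `qname-wait-recurse` changes: whether a QNAME hit is answered before any upstream query is sent, or only after recursion has been tried.

```python
# Added example, not code from the thread, from ISC or from any vendor: a model
# of DNS RPZ trigger matching, fed with a constructed policy zone.
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy zone (assumed names; 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges). The RDATA encodes the action:
# CNAME . = NXDOMAIN, CNAME *. = NODATA, CNAME rpz-passthru. = PASSTHRU,
# CNAME rpz-drop. = DROP, any other RRset = Local Data handed to the client.
RPZ_ZONE_TEXT = """
$ORIGIN rpz.example.
; QNAME triggers: the owner is the query name, relative to the policy origin
www.broken-site.test        A      192.0.2.10     ; Local Data: the address we know is right
malware.test                CNAME  .              ; NXDOMAIN
*.malware.test              CNAME  .              ; ... and for every subdomain
ok.malware.test             CNAME  rpz-passthru.  ; PASSTHRU: an exact rule beats the wildcard
telemetry.broken-site.test  CNAME  *.             ; NODATA
; IP trigger: 24.0.100.51.198.rpz-ip encodes 198.51.100.0/24 (prefix length, then reversed octets)
24.0.100.51.198.rpz-ip      CNAME  .
; NSDNAME trigger: the owner is the name of an authoritative server met while resolving
ns1.bulletproof.test.rpz-nsdname  CNAME  rpz-drop.
"""
Rule = Tuple[str, str]                 # (rtype, rdata) as written in the zone
Outcome = Tuple[str, Optional[str]]    # (action, local data or None)
SPECIAL = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def action_of(rule: Rule) -> Outcome:
    rtype, rdata = rule
    if rtype == "CNAME" and rdata in SPECIAL:
        return SPECIAL[rdata], None
    return "LOCAL-DATA", f"{rtype} {rdata}"


def decode_rpz_ip(owner: str) -> ipaddress.IPv4Network:
    """'24.0.100.51.198.rpz-ip' -> 198.51.100.0/24 (the IPv6 form with 'zz' for '::' is not modelled)."""
    parts = owner.split(".")
    if len(parts) != 6 or parts[-1] != "rpz-ip":
        raise ValueError(f"not an IPv4 rpz-ip owner: {owner}")
    return ipaddress.ip_network(".".join(parts[1:5][::-1]) + "/" + parts[0])


class RpzZone:
    """Just enough zone-file parsing for the sample: $ORIGIN, ';' comments, 'owner TYPE RDATA'."""

    def __init__(self, text: str) -> None:
        self.origin = ""
        self.rules: Dict[str, Rule] = {}
        for raw in text.splitlines():
            fields = raw.split(";", 1)[0].split()
            if not fields:
                continue
            if fields[0] == "$ORIGIN":
                self.origin = fields[1].lower()
                continue
            owner, rtype, rdata = fields[0].lower(), fields[1].upper(), fields[2]
            if self.origin and owner.endswith("." + self.origin):    # absolute owner: make it relative
                owner = owner[: -len(self.origin) - 1]
            self.rules[owner.rstrip(".")] = (rtype, rdata)

    def qname_trigger(self, qname: str) -> Optional[Rule]:
        """Exact owner first, then the closest enclosing wildcard '*.parent'."""
        labels = qname.lower().rstrip(".").split(".")
        candidates = [".".join(labels)] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
        return next((self.rules[c] for c in candidates if c in self.rules), None)

    def ip_trigger(self, answer_ips: List[str]) -> Optional[Rule]:
        """Longest-prefix match of any answer address against the rpz-ip rules."""
        hits = [(decode_rpz_ip(o), r) for o, r in self.rules.items() if o.endswith(".rpz-ip")]
        hits = [(n, r) for n, r in hits if any(ipaddress.ip_address(ip) in n for ip in answer_ips)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def nsdname_trigger(self, ns_names: List[str]) -> Optional[Rule]:
        keys = [ns.lower().rstrip(".") + ".rpz-nsdname" for ns in ns_names]
        return next((self.rules[k] for k in keys if k in self.rules), None)


def resolve_with_rpz(zone: RpzZone, qname: str, upstream: Callable,
                     qname_wait_recurse: bool = True) -> Tuple[Outcome, int]:
    """Returns (outcome, number of upstream queries sent). upstream(qname) gives
    {"ips": [...], "ns": [...]} or None for a failed lookup. With
    qname_wait_recurse=False a QNAME hit is answered without recursing; with the
    default True the model recurses first and then applies the hit whatever came
    back (a modelling choice: the thread does not settle what a given build does
    when that recursion fails). IP and NSDNAME rules need the truthful answer."""
    sent, hit = 0, zone.qname_trigger(qname)
    if hit and not qname_wait_recurse:
        return action_of(hit), sent
    response, sent = upstream(qname), sent + 1
    if hit:
        return action_of(hit), sent
    if response is None:
        return ("SERVFAIL", None), sent                 # nothing for the IP/NSDNAME rules to inspect
    hit = zone.ip_trigger(response["ips"]) or zone.nsdname_trigger(response["ns"])
    return (action_of(hit) if hit else ("ANSWER", " ".join(response["ips"]))), sent


def constructed_upstream(qname: str) -> Optional[Dict[str, List[str]]]:
    """Stand-in for recursion with made-up data; None means the lookup failed upstream."""
    return {
        "www.broken-site.test": None,   # fails upstream, as the name in the thread did
        "cdn.hosted.test": {"ips": ["198.51.100.7"], "ns": ["ns1.hosted.test"]},
        "shop.example.test": {"ips": ["203.0.113.5"], "ns": ["ns1.bulletproof.test"]},
        "www.example.test": {"ips": ["203.0.113.9"], "ns": ["ns1.example.test"]},
    }.get(qname.lower().rstrip("."))


if __name__ == "__main__":
    zone = RpzZone(RPZ_ZONE_TEXT)
    for name, wait in [("www.broken-site.test", True), ("www.broken-site.test", False), ("evil.malware.test", False),
                       ("ok.malware.test", False), ("cdn.hosted.test", False), ("shop.example.test", False)]:
        (action, data), sent = resolve_with_rpz(zone, name, constructed_upstream, wait)
        print(f"{name:22} qname-wait-recurse={'yes' if wait else 'no':3} -> {action:10} {data or '':14} upstream queries: {sent}")
```

Two checks before relying on the Local Data trick in production: the policy zone is a list of everything you block or override, so keep it queryable only from the resolver itself; and a rewritten answer for a DNSSEC-signed name cannot validate. By default named does not rewrite a signed answer for a client that set the DO bit (the `break-dnssec yes` option removes that protection), so a validating forwarder or stub behind the resolver would still see the truthful result, failure included.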

Re: dnssec key events too often?

2017-01-27 Thread Sten Carlsen
Right, thank you so much. I now will look at logging to reduce the
clutter in the syslog since this does not call for any attention on my side.

Thanks.


On 27/01/2017 20:53, Mark Andrews wrote:
> In message , Sten Carlsen 
> writes:
>> Hi all
>>
>> I have recently started using dnssec on my authoritative zones. I have
>> bind 9.9.4 (Centos7).
>>
>> I see for each zone:
>>
>> ...
>>
> >> general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
> >> 26-Jan-2017 02:03:40.860: 1 Time(s)
> >> general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
> >> 26-Jan-2017 03:03:40.860: 1 Time(s)
> >> general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
> >> 26-Jan-2017 04:03:40.860: 1 Time(s)
> >> general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
> >> 26-Jan-2017 05:03:40.861: 1 Time(s)
>>
>> ...
>>
> >> This happens every hour, I think this is probably way too often? Access to 
> >> the name in question is probably a few times per day.
>>
>> The only reasonable conclusion is that I have done something stupid or not 
>> done the right thing.
>>
>> Question: what stupid thing might I have done (how to fix?)  or what did
>> I miss to do?
> Nothing.  You have key management in automatic mode and named needs
> to periodically check if you have created new keys or changed the
> timers of existing keys or removed an old key.
>  
> Mark
>
>> -- 
>> Best regards
>>
>> Sten Carlsen
>>
>> No improvements come from shouting:
>>
>>"MALE BOVINE MANURE!!!" 
>>
>>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: dnssec key events too often?

2017-01-27 Thread Mark Andrews

In message , Sten Carlsen 
writes:
> 
> Hi all
> 
> I have recently started using dnssec on my authoritative zones. I have
> bind 9.9.4 (Centos7).
> 
> I see for each zone:
> 
> ...
> 
> general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
> 26-Jan-2017 02:03:40.860: 1 Time(s)
> general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
> 26-Jan-2017 03:03:40.860: 1 Time(s)
> general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
> 26-Jan-2017 04:03:40.860: 1 Time(s)
> general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
> 26-Jan-2017 05:03:40.861: 1 Time(s)
> 
> ...
> 
> This happens every hour, I think this is probably way too often? Access to 
> the name in question is probably a few times per day.
> 
> The only reasonable conclusion is that I have done something stupid or not 
> done the right thing.
> 
> Question: what stupid thing might I have done (how to fix?)  or what did
> I miss to do?

Nothing.  You have key management in automatic mode and named needs
to periodically check if you have created new keys or changed the
timers of existing keys or removed an old key.
 
Mark

> -- 
> Best regards
> 
> Sten Carlsen
> 
> No improvements come from shouting:
> 
>"MALE BOVINE MANURE!!!" 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
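
What named is checking at each of those hourly events, as an added example; this is not ISC's code and not Sten's key files. It reads the timing metadata that dnssec-keygen and dnssec-settime write into the `.key` files named picks up under automatic key management (`auto-dnssec maintain`), and works out for a given moment which keys are published, which are signing, and when the next key event is due. The three key files are constructed, and the one-hour re-check interval is an assumption taken from the cadence of the four log lines in the thread, not a documented constant. The last function goes a step beyond the thread and sanity-checks the ZSK pre-publish rollover those timers encode.

```python
# Added example, not ISC's code and not the files from the thread: reads the
# timing metadata dnssec-keygen/dnssec-settime write into .key files.
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed .key headers for a zone with one KSK and a ZSK pre-publish
# rollover (33333 is published a month before it takes over from 22222). Only
# the '; Timer: YYYYMMDDHHMMSS' comment lines are used; the DNSKEY RDATA is elided.
KEY_FILES = {
    "Kzone.test.+008+11111.key": """\
; This is a key-signing key, keyid 11111, for zone.test.
; Created: 20161201000000 (Thu Dec  1 00:00:00 2016)
; Publish: 20161201000000 (Thu Dec  1 00:00:00 2016)
; Activate: 20161201000000 (Thu Dec  1 00:00:00 2016)
zone.test. IN DNSKEY 257 3 8 AwEAAc...
""",
    "Kzone.test.+008+22222.key": """\
; This is a zone-signing key, keyid 22222, for zone.test.
; Created: 20161201000000 (Thu Dec  1 00:00:00 2016)
; Publish: 20161201000000 (Thu Dec  1 00:00:00 2016)
; Activate: 20161201000000 (Thu Dec  1 00:00:00 2016)
; Inactive: 20170301000000 (Wed Mar  1 00:00:00 2017)
; Delete: 20170331000000 (Fri Mar 31 00:00:00 2017)
zone.test. IN DNSKEY 256 3 8 AwEAAd...
""",
    "Kzone.test.+008+33333.key": """\
; This is a zone-signing key, keyid 33333, for zone.test.
; Created: 20170120000000 (Fri Jan 20 00:00:00 2017)
; Publish: 20170201000000 (Wed Feb  1 00:00:00 2017)
; Activate: 20170301000000 (Wed Mar  1 00:00:00 2017)
zone.test. IN DNSKEY 256 3 8 AwEAAe...
""",
}
TIMERS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
RECHECK = timedelta(hours=1)   # assumed periodic re-check, matching the hourly log lines in the thread


def ts(stamp: str) -> datetime:
    """'20170126020340' -> datetime; the timestamp format used in the key files."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")


def parse_key_file(text: str) -> dict:
    """{'keyid': int, 'role': 'KSK'|'ZSK', 'timers': {name: datetime}} from the comment header."""
    key: dict = {"keyid": None, "role": None, "timers": {}}
    for line in text.splitlines():
        if not line.startswith(";"):
            continue                               # the DNSKEY RR itself carries no timing data
        body = line[1:].strip()
        if body.startswith("This is a"):
            key["role"] = "KSK" if "key-signing" in body else "ZSK"
            key["keyid"] = int(body.split("keyid")[1].split(",")[0])
        else:
            name, _, rest = body.partition(":")
            if name in TIMERS:
                key["timers"][name] = ts(rest.split()[0])
    return key


def load_keys(files: Dict[str, str]) -> List[dict]:
    return [parse_key_file(text) for text in files.values()]


def key_state(key: dict, now: datetime):
    """(published, signing): in the DNSKEY RRset from Publish until Delete, signing from Activate until Inactive."""
    t = key["timers"]

    def within(start, end):
        return start in t and t[start] <= now and not (end in t and t[end] <= now)
    return within("Publish", "Delete"), within("Activate", "Inactive")


def next_key_event(keys: List[dict], now: datetime) -> Optional[datetime]:
    """Earliest timer still in the future, or None when nothing is scheduled."""
    future = [when for k in keys for name, when in k["timers"].items() if name != "Created" and when > now]
    return min(future) if future else None


def next_check(keys: List[dict], now: datetime) -> datetime:
    """When named next has something to do: the next event if it falls inside the
    re-check interval, otherwise the periodic look for new or edited key files
    that Mark describes (hence an hourly log line even with nothing pending)."""
    event = next_key_event(keys, now)
    return event if event and event - now < RECHECK else now + RECHECK


def rollover_warnings(keys: List[dict], dnskey_ttl_seconds: int) -> List[str]:
    """Beyond the thread: sanity checks for the ZSK pre-publish rollover the timers encode."""
    ttl = timedelta(seconds=dnskey_ttl_seconds)
    zsks = sorted((k for k in keys if k["role"] == "ZSK"), key=lambda k: k["timers"]["Activate"])
    out = []
    for old, new in zip(zsks, zsks[1:]):
        t_old, t_new = old["timers"], new["timers"]
        if t_new["Activate"] - t_new["Publish"] < ttl:
            out.append(f"key {new['keyid']}: starts signing less than one DNSKEY TTL after publication")
        if t_old.get("Inactive", t_new["Activate"]) < t_new["Activate"]:
            out.append(f"keys {old['keyid']} -> {new['keyid']}: gap with no signing ZSK")
        if "Delete" in t_old and t_old["Delete"] < t_old.get("Inactive", t_old["Delete"]):
            out.append(f"key {old['keyid']}: removed from the DNSKEY RRset while still signing")
    return out


if __name__ == "__main__":
    keys = load_keys(KEY_FILES)
    now = ts("20170126020340")          # the moment of the first log line quoted in the thread
    for k in keys:
        print(k["role"], k["keyid"], "published=%s signing=%s" % key_state(k, now))
    print("next key event:", next_key_event(keys, now), "/ next check:", next_check(keys, now))
    print("rollover warnings:", rollover_warnings(keys, 3600) or "none")
```

The point of the model is that the hourly message is the scheduler re-reading the key directory: a key file dropped in or a timer edited with dnssec-settime is picked up at the next check, which is the behaviour Mark describes, and the timestamp in the log is simply the earlier of the next timer and the next periodic check.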


dnssec key events too often?

2017-01-27 Thread Sten Carlsen
Hi all

I have recently started using dnssec on my authoritative zones. I have
bind 9.9.4 (Centos7).

I see for each zone:

...

general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
26-Jan-2017 02:03:40.860: 1 Time(s)
general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
26-Jan-2017 03:03:40.860: 1 Time(s)
general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
26-Jan-2017 04:03:40.860: 1 Time(s)
general: info: zone s-carlsen.dk/IN/external (signed): next key event: 
26-Jan-2017 05:03:40.861: 1 Time(s)

...

This happens every hour, I think this is probably way too often? Access to the 
name in question is probably a few times per day.

The only reasonable conclusion is that I have done something stupid or not done 
the right thing.

Question: what stupid thing might I have done (how to fix?)  or what did
I miss to do?

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

2017-01-27 Thread Wolfgang Riedel
Hi Fajar,

OK sounds familiar to me ;-)

OK let me try your proposal and install libssl1.0-dev and see if I can get 
bind-9.11.0-P2 to build.

Many thanks,
Wolfgang

> On 27 Jan 2017, at 14:40PM, Fajar A. Nugraha wrote:
> 
> On Fri, Jan 27, 2017 at 7:20 PM, Wolfgang Riedel wrote:
> Just wonder if there is some agreed guidance on what steps I SHOULD take to 
> get bind-9.11.0-P2 successfully built on Debian 9.0?
> 
> 
> The generic recommendation on debian would probably be 'use whatever the 
> distro comes with, as they maintain security fixes for those as well'. 
> Debian's bind9 package uses native-pkcs11 with libsofthsm2.so, but I haven't 
> been able to get this to work with bind-9.11.0-P2.
> 
> If you 'just want to build bind-9.11.0-P2', debian stretch has libssl1.0-dev. 
> Install that, then bind's simple ./configure (plus --prefix=/opt/bind9, if 
> you want) should be able to pick it up correctly.
> 
> --
> Fajar




Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

2017-01-27 Thread Thomas Schulz
> Just wonder if there is some agreed guidance on what steps I SHOULD take
> to get bind-9.11.0-P2 successfully built on Debian 9.0?
> 
> 
> /usr/bin/ld: //lib64/libcrypto.a(a_object.o):
> relocation R_X86_64_PC32 against symbol `ASN1_OBJECT_free'
> can not be used when making a shared object; 
> recompile with -fPIC

It looks like openssl was not built to create shared libraries. So bind
built against your self compiled openssl can not create shared libraries.
Either rebuild openssl to create shared libraries or change binds configure
to remove --enable-shared, possibly adding --disable-shared.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

2017-01-27 Thread Fajar A. Nugraha
On Fri, Jan 27, 2017 at 7:20 PM, Wolfgang Riedel wrote:

> Just wonder if there is some agreed guidance on what steps I SHOULD take
> to get bind-9.11.0-P2 successfully built on Debian 9.0?
>
>
The generic recommendation on debian would probably be 'use whatever the
distro comes with, as they maintain security fixes for those as well'.
Debian's bind9 package uses native-pkcs11 with libsofthsm2.so, but I
haven't been able to get this to work with bind-9.11.0-P2.

If you 'just want to build bind-9.11.0-P2', debian stretch has
libssl1.0-dev. Install that, then bind's simple ./configure (plus
--prefix=/opt/bind9, if you want) should be able to pick it up correctly.

-- 
Fajar

Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

2017-01-27 Thread Wolfgang Riedel
Hi Folks,

many thanks for the candid feedback and the deep dive on what I should not 
have done ;-)
Not a big deal as it’s just a VM and I can easily start from scratch but I am 
burning a lot of time trying instead of learning.

Just wonder if there is some agreed guidance on what steps I SHOULD take to get 
bind-9.11.0-P2 successfully built on Debian 9.0?

Many thanks for your help!
Wolfgang



