Re: Latest BIND on Debian 8.7 (jessie) crashed due to assertion failure

2017-04-19 Thread Carlos Pizarro
Thanks Mukund, this was the info I was looking for.

Have a great day.

On Apr 20, 2017 2:54 AM, "Mukund Sivaraman"  wrote:

Hi Carlos

On Thu, Apr 20, 2017 at 12:54:47AM -0300, Carlos Pizarro wrote:
> Today the bind9 service crashed and these were the last few log lines when
> it happened:
>
> Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED)
> resolving 'heroditus.touchtype-systems.com/A/IN':
> 2400:cb00:2049:1::c629:defe#53
> Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED)
> resolving 'heroditus.touchtype-systems.com/A/IN': 64.68.192.10#53
> Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED)
> resolving 'heroditus.touchtype-systems.com/A/IN': 198.41.222.254#53
> Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED)
> resolving 'heroditus.touchtype-systems.com/A/IN': 64.68.196.10#53
> Apr 19 20:46:24 host named[32115]: error (unexpected RCODE REFUSED)
> resolving 'heroditus.touchtype-systems.com/A/IN':
> 2400:cb00:2049:1::a29f:1835#53
> Apr 19 20:46:24 host named[32115]: error (unexpected RCODE REFUSED)
> resolving 'heroditus.touchtype-systems.com/A/IN':
> 2400:cb00:2049:1::c629:defe#53
> Apr 19 20:46:24 host named[32115]: error (unexpected RCODE REFUSED)
> resolving 'heroditus.touchtype-systems.com/A/IN': 198.41.222.254#53
> Apr 19 20:46:24 host named[32115]: resolver.c:4350: INSIST(fctx->type ==
> ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type ==
> ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type ==
> ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
> Apr 19 20:46:24 host named[32115]: #0 0x7f4aebd27a00 in ??
> Apr 19 20:46:24 host named[32115]: #1 0x7f4ae9f038ea in ??
> Apr 19 20:46:24 host named[32115]: #2 0x7f4aeb5e914e in ??
> Apr 19 20:46:24 host named[32115]: #3 0x7f4ae9f25d5b in ??
> Apr 19 20:46:24 host named[32115]: #4 0x7f4ae98d6064 in ??
> Apr 19 20:46:24 host named[32115]: #5 0x7f4ae92a462d in ??
> Apr 19 20:46:24 host named[32115]: exiting (due to assertion failure)
>
> ( Same log on Pastebin https://pastebin.com/a1K0L3wJ )
>
>
> Looking at the code line where it crashed I thought that it was related
> to CVE-2016-9131 but it was patched already on this Debian build:
>
http://metadata.ftp-master.debian.org/changelogs/main/b/bind9/bind9_9.9.5.dfsg-9+deb8u10_changelog
>
>
> Does anyone have any insight on what may be happening? I'm trying to avoid
> backporting the newest BIND from Stretch but I would if this won't happen
> on that version but I'm unsure as changelog seems to be quite similar to
> the changelog of my version:
>
http://metadata.ftp-master.debian.org/changelogs/main/b/bind9/bind9_9.10.3.dfsg.P4-12.1_changelog

This should be covered by the fix for CVE-2017-3137. See the following link:

https://security-tracker.debian.org/tracker/CVE-2017-3137

Mukund
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Slow zone signing with ECDSA

2017-04-19 Thread Paul Kosinski
"The tinfoil hat brigade in some distributions has resisted using them,
fearing some conspiracy to provide not-so-random numbers."

I think the NSA *did*, in fact, compromise the "Dual Elliptic Curve
Deterministic Random Bit Generator" and paid RSA to make it the default
in one of their products -- https://en.wikipedia.org/wiki/Dual_EC_DRBG.


On Wed, 19 Apr 2017 22:09:28 -0400
Timothe Litt  wrote:

> 
> On 19-Apr-17 21:43, Mark Andrews wrote:
> > ...
> > DSA requires random values as part of the signing process.  Really
> > all CPUs should have real random number sources built into them
> > and new genuine random values should only be an instruction code
> > away.
> >
> > Mark
> Most recent ones do.  See RDRAND for Intel (and AMD).  Even Raspberry
> Pi.
> 
> The tinfoil hat brigade in some distributions has resisted using them,
> fearing some conspiracy to provide not-so-random numbers.  (Despite
> the fact that /dev/random hashes/whitens the inputs to the entropy
> pool.) You may need to take a positive action to enable use of the
> hardware source.  Google RDRAND for plenty of entertainment.
> 
> There are also fairly inexpensive (~usd 50) USB devices that provide
> reasonable entropy quality at decent speeds.  (But much lower than
> RDRAND.)  They're good for the old hardware that you recycle for
> single-purpose servers.
> 
> Systems that have low activity/low entropy can benefit from
> entropybroker (https://www.vanheusden.com/entropybroker/).  Use it to
> distribute entropy from those who have to those who don't.  It's
> really handy for VMs, and for that isolated system that you use for
> your root keys.
> 
> For most uses, use /dev/urandom - which doesn't block.  /dev/random
> will block if the entropy pool is depleted.  (However, if you have a
> hardware source, very, very rarely.)  /dev/random is recommended for
> long lived keys - which usually includes KSKs, and may include ZSKs.
> I don't believe named makes a distinction...you get to pick one for
> everything.
> 
> Timothe Litt
> ACM Distinguished Engineer
> --
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed. 
> 
> 


Latest BIND on Debian 8.7 (jessie) crashed due to assertion failure

2017-04-19 Thread Carlos Pizarro
Hello,

I'm running the latest stable BIND available on Debian 8.7:

root@host:~# named -v
BIND 9.9.5-9+deb8u10-Debian (Extended Support Version)

root@host:~# dpkg -s bind9 | grep 'Version'
Version: 1:9.9.5.dfsg-9+deb8u10

https://packages.debian.org/jessie/bind9


Today the bind9 service crashed and these were the last few log lines when
it happened:

Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED)
resolving 'heroditus.touchtype-systems.com/A/IN':
2400:cb00:2049:1::c629:defe#53
Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED)
resolving 'heroditus.touchtype-systems.com/A/IN': 64.68.192.10#53
Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED)
resolving 'heroditus.touchtype-systems.com/A/IN': 198.41.222.254#53
Apr 19 20:46:23 host named[32115]: error (unexpected RCODE REFUSED)
resolving 'heroditus.touchtype-systems.com/A/IN': 64.68.196.10#53
Apr 19 20:46:24 host named[32115]: error (unexpected RCODE REFUSED)
resolving 'heroditus.touchtype-systems.com/A/IN':
2400:cb00:2049:1::a29f:1835#53
Apr 19 20:46:24 host named[32115]: error (unexpected RCODE REFUSED)
resolving 'heroditus.touchtype-systems.com/A/IN':
2400:cb00:2049:1::c629:defe#53
Apr 19 20:46:24 host named[32115]: error (unexpected RCODE REFUSED)
resolving 'heroditus.touchtype-systems.com/A/IN': 198.41.222.254#53
Apr 19 20:46:24 host named[32115]: resolver.c:4350: INSIST(fctx->type ==
((dns_rdatatype_t)dns_rdatatype_any) || fctx->type ==
((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type ==
((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
Apr 19 20:46:24 host named[32115]: #0 0x7f4aebd27a00 in ??
Apr 19 20:46:24 host named[32115]: #1 0x7f4ae9f038ea in ??
Apr 19 20:46:24 host named[32115]: #2 0x7f4aeb5e914e in ??
Apr 19 20:46:24 host named[32115]: #3 0x7f4ae9f25d5b in ??
Apr 19 20:46:24 host named[32115]: #4 0x7f4ae98d6064 in ??
Apr 19 20:46:24 host named[32115]: #5 0x7f4ae92a462d in ??
Apr 19 20:46:24 host named[32115]: exiting (due to assertion failure)

( Same log on Pastebin https://pastebin.com/a1K0L3wJ )


Looking at the code line where it crashed I thought that it was related
to CVE-2016-9131 but it was patched already on this Debian build:

http://metadata.ftp-master.debian.org/changelogs/main/b/bind9/bind9_9.9.5.dfsg-9+deb8u10_changelog


Does anyone have any insight on what may be happening? I'm trying to avoid
backporting the newest BIND from Stretch but I would if this won't happen
on that version but I'm unsure as changelog seems to be quite similar to
the changelog of my version:

http://metadata.ftp-master.debian.org/changelogs/main/b/bind9/bind9_9.10.3.dfsg.P4-12.1_changelog

Thanks, any help will be appreciated.

Re: Re: Slow zone signing with ECDSA

2017-04-19 Thread Timothe Litt

On 19-Apr-17 21:43, Mark Andrews wrote:
> ...
> DSA requires random values as part of the signing process.  Really
> all CPUs should have real random number sources built into them
> and new genuine random values should only be an instruction code away.
>
> Mark
Most recent ones do.  See RDRAND for Intel (and AMD).  Even Raspberry Pi.

The tinfoil hat brigade in some distributions has resisted using them,
fearing some conspiracy to provide not-so-random numbers.  (Despite the
fact that /dev/random hashes/whitens the inputs to the entropy pool.) 
You may need to take a positive action to enable use of the hardware
source.  Google RDRAND for plenty of entertainment.

There are also fairly inexpensive (~usd 50) USB devices that provide
reasonable entropy quality at decent speeds.  (But much lower than
RDRAND.)  They're good for the old hardware that you recycle for
single-purpose servers.

Systems that have low activity/low entropy can benefit from
entropybroker (https://www.vanheusden.com/entropybroker/).  Use it to
distribute entropy from those who have to those who don't.  It's really
handy for VMs, and for that isolated system that you use for your root keys.

For most uses, use /dev/urandom - which doesn't block.  /dev/random will
block if the entropy pool is depleted.  (However, if you have a hardware
source, very, very rarely.)  /dev/random is recommended for long lived
keys - which usually includes KSKs, and may include ZSKs.  I don't
believe named makes a distinction...you get to pick one for everything.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 



Re: Slow zone signing with ECDSA

2017-04-19 Thread Mark Andrews

In message , "Spain, Dr. Jeffry A." writes:
> > Install and run haveged... The problem is your system doesn't have
> > enough entropy
>
> This was clearly the problem. I built a new test server with haveged
> installed, and the bind9 completed ECDSAP256SHA256 signing in 5 seconds.
> I used 9.11.1 this time since it was just released today.

DSA requires random values as part of the signing process.  Really
all CPUs should have real random number sources built into them
and new genuine random values should only be an instruction code away.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


RE: Slow zone signing with ECDSA

2017-04-19 Thread Spain, Dr. Jeffry A.
> Install and run haveged... The problem is your system doesn't have enough 
> entropy
This was clearly the problem. I built a new test server with haveged installed, 
and the bind9 completed ECDSAP256SHA256 signing in 5 seconds. I used 9.11.1 
this time since it was just released today.


bind 9.11.1, linking with 'supported' OpenSSL fails at use of deprecated/undef'd v10x api symbol, ERR_load_crypto_strings

2017-04-19 Thread PGNet Dev
Upgrading from bind 9.10.3-P5 -> 9.11.1 release on linux64,

cat CHANGES
../dns/.libs/libdns.so: undefined reference to 
`ERR_load_crypto_strings'
collect2: error: ld returned 1 exit status
--- 9.11.0 released ---
...
4497.   [port]  Add support for OpenSSL 1.1.0. [RT #41284]
...
--- 9.11.0 released ---


Building, as always, with openssl v10x, all's well:

bind -V
BIND 9.11.1 
running on Linux x86_64 4.10.10-2.ga78ebd0-default #1 SMP 
PREEMPT Wed Apr 12 11:18:29 UTC 2017 (a78ebd0)
...
compiled by GCC 6.3.1 20170331 [gcc-6-branch revision 246609]
compiled with OpenSSL version: OpenSSL 1.0.2k  26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k  26 Jan 2017
...

OTOH,

Building, similarly, with openssl v110x FAILs still, at

...
Makefile:465: recipe for target 'sample-gai' failed
make[2]: *** [sample-gai] Error 1
...
libtool: link: /usr/bin/gcc-6 -O3 -Wall -fstack-protector 
-funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 
-grecord-gcc-switches -march=native -mtune=native -I/usr/include 
-I/usr/local/lmdb/include -I/usr/include/libxml2 -fPIC -Wl,-rpath 
-Wl,/usr/local/openssl11/lib64 -Wl,-rpath -Wl,/usr/local/lmdb/lib64 -Wl,-rpath 
-Wl,/usr/local/lib64 -o .libs/resolve .libs/resolve.o  
-L/usr/local/openssl11/lib64 -L/usr/local/lmdb/lib64 -L/usr/local/lib64 
../irs/.libs/libirs.so -L/usr/lib -L/usr/local/lmdb/lib -L/lib64 
../dns/.libs/libdns.so -L/usr/local/openssl11/lib ../isccfg/.libs/libisccfg.so 
/usr/local/src/bind-9.11.1/lib/dns/.libs/libdns.so 
/usr/local/src/bind-9.11.1/lib/isc/.libs/libisc.so ../isc/.libs/libisc.so -lssl 
-lcrypto -lcap -ljson-c -lpthread /usr/local/lib64/libGeoIP.so -llmdb 
/usr/lib64/libxml2.so -lz -llzma -lm -ldl -Wl,-rpath 
-Wl,/usr/local/bind-9.11.1/lib64
../dns/.libs/libdns.so: undefined reference to `ERR_load_crypto_strings'
collect2: error: ld returned 1 exit status
Makefile:457: recipe for target 'resolve' failed
make[2]: *** [resolve] Error 1
../dns/.libs/libdns.so: undefined reference to `ERR_load_crypto_strings'
collect2: error: ld returned 1 exit status
Makefile:473: recipe for target 'sample-request' failed
make[2]: *** [sample-request] Error 1
libtool: link: /usr/bin/gcc-6 -O3 -Wall -fstack-protector 
-funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 
-grecord-gcc-switches -march=native -mtune=native -I/usr/include 
-I/usr/local/lmdb/include -I/usr/include/libxml2 -fPIC -Wl,-rpath 
-Wl,/usr/local/openssl11/lib64 -Wl,-rpath -Wl,/usr/local/lmdb/lib64 -Wl,-rpath 
-Wl,/usr/local/lib64 -o .libs/sample-async .libs/sample-async.o  
-L/usr/local/openssl11/lib64 -L/usr/local/lmdb/lib64 -L/usr/local/lib64 
../dns/.libs/libdns.so -L/usr/local/openssl11/lib -L/usr/lib 
-L/usr/local/lmdb/lib -L/lib64 ../isccfg/.libs/libisccfg.so 
/usr/local/src/bind-9.11.1/lib/dns/.libs/libdns.so 
/usr/local/src/bind-9.11.1/lib/isc/.libs/libisc.so ../isc/.libs/libisc.so -lssl 
-lcrypto -lcap -ljson-c -lpthread /usr/local/lib64/libGeoIP.so -llmdb 
/usr/lib64/libxml2.so -lz -llzma -lm -ldl -Wl,-rpath 
-Wl,/usr/local/bind-9.11.1/lib64
../dns/.libs/libdns.so: undefined reference to `ERR_load_crypto_strings'
collect2: error: ld returned 1 exit status
Makefile:461: recipe for target 'sample-async' failed
make[2]: *** [sample-async] Error 1
make[2]: Leaving directory '/usr/local/src/bind-9.11.1/lib/samples'
Makefile:78: recipe for target 'subdirs' failed
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory '/usr/local/src/bind-9.11.1/lib'
Makefile:83: recipe for target 'subdirs' failed
make: *** [subdirs] Error 1

'ERR_load_crypto_strings' is an openssl10x symbol, deprecated in 11x.

it appears in bind sources,

cd bind-9.11.1
grep -rln ERR_load_crypto_strings .
./lib/dns/openssl_link.c




RE: Slow zone signing with ECDSA

2017-04-19 Thread Spain, Dr. Jeffry A.
> Install and run haveged... The problem is your system doesn't have enough 
> entropy in the processor or maybe it's a VM but either way there is not 
> enough entropy to produce random seeds which is why it is taking so long.

Thanks, David. The system is a Microsoft Azure VM. I assumed that while entropy 
is required for ECDSA key generation, which in any event I did on another 
system, additional entropy would not be required for the zone signing process 
itself. Jeff.

Slow zone signing with ECDSA

2017-04-19 Thread Spain, Dr. Jeffry A.
I'm testing a bind9 v11.1.0-P5 server signing 8 small zones de novo with 
ECDSAP256SHA256. The process takes about 12 hours to complete vs. signing with 
RSASHA256, which is almost immediate, but signing is ultimately successful. The 
server is running Ubuntu 16.04 LTS with current patches. I don't see any 
indication of resource starvation. I understand that ECDSAP256SHA256 is more 
computationally intensive than RSASHA256. Is bind9 throttling the signing 
process? Is such throttling configurable?

Jeffry A. Spain * Network Administrator
Cincinnati Country Day School * 6905 Given Road, Cincinnati, OH 45243-2898
CountryDay.net * 513 979-0299 * 513 527-7632 (f) 
(UTC-5)
PGP Public Key ID 0xD17AFA13 (4E7B 8F1E F541 43E2 
85D3 3638 76AB 9A4B D17A FA13)


Re: views

2017-04-19 Thread Grant Taylor via bind-users

On 04/19/2017 10:58 AM, Victoria Risk wrote:

> We have implemented ECS for recursive queries in 9.10.5-S, the
> subscriber preview edition of BIND, which will be released today. For
> now, ECS recursion is available only to users with a support contract
> with ISC. Development of this feature was a significant effort,
> sponsored by an OEM user of BIND. As part of the agreement with the
> sponsor, we agreed to embargo the feature from the open source until 2018.


Despite possibly selfishly not liking having to wait, I do completely 
understand and support what was done.


Thank you.

I look forward to the EDNS0 Client Subnet feature coming to open source 
in 2018.  :-)




--
Grant. . . .
unix || die




Re: views

2017-04-19 Thread Victoria Risk

> On Apr 19, 2017, at 8:47 AM, Nico CARTRON  wrote:
> 
>> Nor did I see
>> details on how to have BIND send ECS with queries when it's a recursive
>> server.
> 
> As far as I know, ECS for Recursive queries is not yet implemented by ISC, or
> at least it is not publicly available.

We have implemented ECS for recursive queries in 9.10.5-S, the subscriber 
preview edition of BIND, which will be released today. For now, ECS recursion 
is available only to users with a support contract with ISC. Development of 
this feature was a significant effort, sponsored by an OEM user of BIND. As 
part of the agreement with the sponsor, we agreed to embargo the feature from 
the open source until 2018.

Victoria Risk
Internet Systems Consortium
vi...@isc.org







Re: views

2017-04-19 Thread Grant Taylor via bind-users

On 04/19/2017 09:49 AM, Nico CARTRON wrote:

> Of course I meant +subnet / +nosubnet


;-)

Thank you for the pointers Nico & Tony.  I'm sure I'll find a way to get 
myself into trouble with what you've provided.




--
Grant. . . .
unix || die




Re: views

2017-04-19 Thread Nico CARTRON
On 19-Apr-2017 16:47 BST,  wrote:

> On 19-Apr-2017 15:59 BST,  wrote:
> [...] 
> > I'd also like to see if it's possible to have dig send ECS info.
> 
> +edns / +noedns , but you'll need a recent dig version.

Of course I meant +subnet / +nosubnet

-- 
Nico


Re: views

2017-04-19 Thread Nico CARTRON
Hi Grant,

On 19-Apr-2017 15:59 BST,  wrote:

> On 04/19/2017 03:37 AM, Tony Finch wrote:
> > This is what the EDNS client subnet option is about. You can use it in
> > BIND by adding "ecs" clauses to your address match lists for views or
> > acls. However it isn't documented in the ARM and it has significant
> > problems. See
> > https://kb.isc.org/article/AA-01432/0/BIND-9.11.0-Release-Notes.html
> > and especially
> > https://kb.isc.org/article/AA-01480/0/BIND-9.11.1rc3-Release-Notes.html
> 
> The only occurrences I found for "ecs" on the two release notes didn't
> include more details about how to configure views to use it.  

As pointed out by Tony, it is not documented in the ARM, so you need to dig a
little bit :)

Googling a little, you'll find things such as:

acl ecs-area01 { ecs 192.168.164.0/24; };
acl no-ecs-area01 { 192.168.164.0/24; };

and then you can use these ACLs as part of your DNS views.

> Nor did I see
> details on how to have BIND send ECS with queries when it's a recursive
> server.  

As far as I know, ECS for Recursive queries is not yet implemented by ISC, or
at least it is not publicly available.

> I'd also like to see if it's possible to have dig send ECS info.

+edns / +noedns , but you'll need a recent dig version.

Cheers,

-- 
Nico


Re: views

2017-04-19 Thread Tony Finch
Grant Taylor via bind-users  wrote:
>
> The only occurrences I found for "ecs" on the two release notes didn't
> include more details about how to configure views to use it.

Yes, it's a bit mysterious.

> Nor did I see details on how to have BIND send ECS with queries when
> it's a recursive server.

The 9.11.0 release notes say "supported for authoritative servers" which
is meant to imply that named can't send ECS queries. (ECS has difficult
implications for DNS caches.)

> I'd also like to see if it's possible to have dig send ECS info.

See the +subnet option in `dig -h` and the man page
https://ftp.isc.org/isc/bind9/9.11.0/doc/arm/man.dig.html

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Lundy, Fastnet: Variable 3 or 4. Smooth or slight, occasionally moderate later
in southwest Fastnet. Fair. Good.


Re: views

2017-04-19 Thread Grant Taylor via bind-users

On 04/19/2017 03:37 AM, Tony Finch wrote:

> This is what the EDNS client subnet option is about. You can use it in
> BIND by adding "ecs" clauses to your address match lists for views or
> acls. However it isn't documented in the ARM and it has significant
> problems. See
> https://kb.isc.org/article/AA-01432/0/BIND-9.11.0-Release-Notes.html
> and especially
> https://kb.isc.org/article/AA-01480/0/BIND-9.11.1rc3-Release-Notes.html


The only occurrences I found for "ecs" on the two release notes didn't 
include more details about how to configure views to use it.  Nor did I 
see details on how to have BIND send ECS with queries when it's a 
recursive server.  I'd also like to see if it's possible to have dig 
send ECS info.




--
Grant. . . .
unix || die




Re: views

2017-04-19 Thread Alberto Rinaudo
I understand the concept, but I'm not sure I fully understand how to
configure it.
I've updated my bind to 9.11 P05 compiled with "--with-ecdsa", and as far
as I can read EDNS is enabled for authoritative bind installations
automatically.
But I'm still getting wrong answers from my installation.
Here are my configurations:

named.conf:
// the acl has to be defined before it is referenced; named.conf allows no forward references
acl internal {
  service_server_subnet/24;
  service_server_wan_ip;
};
options {
  listen-on port 53 { any; };
  listen-on-v6 port 53 { any; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-recursion { internal; };
  allow-query { any; };
  allow-query-cache { none; };
};
view "internal" {
  match-clients { internal; };
  zone "example.net" IN {
    type master;
    file "/etc/named/example.net.internal";
  };
};
view "external" {
  match-clients { any; };
  zone "example.net" IN {
    type master;
    file "/etc/named/example.net.external";
  };
};



example.net.external:
$TTL 3600
example.net. IN SOA ns1.example.net. example.net. (
2001062501
21600
3600
604800
3600 )
example.net. IN NS ns1.example.net.
example.net. IN NS ns2.example.net.
example.net. IN MX 10 mx.zoho.com.
example.net. IN MX 20 mx2.zoho.com.
ns1.example.net. IN A bind_wan_ip
ns2.example.net. IN A bind_wan_ip
example.net. IN A service_server_wan_ip
www.example.net. IN CNAME example.net.
mail.example.net. IN A service_server_wan_ip
mail.example.net. IN MX 10 mail.example.net.
mail.example.net. IN SPF "v=spf1 +a +mx +include:mail.example.net -all"
service.example.net. IN A service_server_wan_ip



example.net.internal:
$TTL 3600
example.net. IN SOA ns1.example.net. example.net. (
2001062501
21600
3600
604800
3600 )
example.net. IN NS ns1.example.net.
example.net. IN NS ns2.example.net.
example.net. IN MX 10 mx.zoho.com.
example.net. IN MX 20 mx2.zoho.com.
ns1.example.net. IN A bind_wan_ip
ns2.example.net. IN A bind_wan_ip
example.net. IN A service_server_lan_ip
www.example.net. IN CNAME example.net.
mail.example.net. IN A service_server_lan_ip
mail.example.net. IN MX 10 mail.example.net.
mail.example.net. IN SPF "v=spf1 +a +mx +include:mail.example.net -all"
service.example.net. IN A service_server_wan_ip



When I dig my subdomain, however, I get these replies:
# dig +noall +answer service.example.net @ns1.example.net
service.example.net.    3600    IN    A    service_server_lan_ip
# dig +noall +answer service.example.net @8.8.8.8
service.example.net.    3599    IN    A    service_server_wan_ip

Can you spot anything wrong with it?
Thanks


On 19 April 2017 at 09:37, Tony Finch  wrote:

> Alberto Rinaudo  wrote:
>
> > I have a bind installation on a aws server and I'm trying to set up views
> > to give different responses based on the source location.
> >
> > It works fine when this dns server is the first dns used by a client, I
> > guess because the source address used to discriminate between views is
> the
> > last hop.
> >
> > If the query goes first to google dns instead I end up in the wrong view.
> >
> > So here's the question: is it possible to use the original source address
> > to chose the view?
>
> This is what the EDNS client subnet option is about. You can use it in
> BIND by adding "ecs" clauses to your address match lists for views or
> acls. However it isn't documented in the ARM and it has significant
> problems. See
> https://kb.isc.org/article/AA-01432/0/BIND-9.11.0-Release-Notes.html
> and especially
> https://kb.isc.org/article/AA-01480/0/BIND-9.11.1rc3-Release-Notes.html
>
> EDNS client subnet specification:
> https://tools.ietf.org/html/rfc7871
>
> Google Public DNS support for ECS on authoritative servers:
> https://groups.google.com/forum/#!topic/public-dns-announce/67oxFjSLeUM
>
> Tony.
> --
> f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h
> punycode
> Viking, North Utsire: Southwesterly 5 or 6, decreasing 4 at times. Slight
> or
> moderate. Rain at times. Good, occasionally poor.
>

Re: views

2017-04-19 Thread Tony Finch
Alberto Rinaudo  wrote:

> I have a bind installation on an AWS server and I'm trying to set up views
> to give different responses based on the source location.
>
> It works fine when this dns server is the first dns used by a client, I
> guess because the source address used to discriminate between views is the
> last hop.
>
> If the query goes first to google dns instead I end up in the wrong view.
>
> So here's the question: is it possible to use the original source address
> to choose the view?

This is what the EDNS client subnet option is about. You can use it in
BIND by adding "ecs" clauses to your address match lists for views or
acls. However it isn't documented in the ARM and it has significant
problems. See
https://kb.isc.org/article/AA-01432/0/BIND-9.11.0-Release-Notes.html
and especially
https://kb.isc.org/article/AA-01480/0/BIND-9.11.1rc3-Release-Notes.html

EDNS client subnet specification:
https://tools.ietf.org/html/rfc7871

Google Public DNS support for ECS on authoritative servers:
https://groups.google.com/forum/#!topic/public-dns-announce/67oxFjSLeUM

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire: Southwesterly 5 or 6, decreasing 4 at times. Slight or
moderate. Rain at times. Good, occasionally poor.
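What the EDNS Client Subnet option Tony refers to (RFC 7871) actually carries on the wire, and how an `ecs` element in an ACL like Nico's `acl ecs-area01 { ecs 192.168.164.0/24; };` can be evaluated against it, as an added example written for this page (my code, not BIND's and not from the thread): it builds the query a resolver or `dig +subnet=<prefix>` would send, parses the option back out of the OPT RR with the checks RFC 7871 asks for, and emulates the ACL match. Names and the match rule used here (the query's ECS subnet must lie inside the ACL prefix) are my assumptions about the semantics, not ISC's implementation; the sample query is constructed.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8   # EDNS Client Subnet (RFC 7871, section 6)
OPT_TYPE = 41         # OPT pseudo-RR (RFC 6891)


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    out = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a (possibly compressed) name at offset off; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035, 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            return (".".join(labels) + "." + tail if labels else tail), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_ecs_option(subnet):
    """One ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE (0 in a query), ADDRESS truncated
    to the bytes the prefix covers, host bits cleared, as RFC 7871 requires."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname, qtype=1, ecs_subnet=None, txid=0x1234):
    """Query for qname/qtype; with ecs_subnet set, add an OPT RR carrying ECS (what dig +subnet sends)."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if ecs_subnet else 0)  # RD set, 1 question
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)                   # class IN
    if ecs_subnet:
        rdata = build_ecs_option(ecs_subnet)
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return msg


def parse_ecs(msg):
    """(client subnet, scope prefix length) from the ECS option in the OPT RR, or None if absent.
    Raises ValueError for a malformed option, which a server would answer with FORMERR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                            # QTYPE + QCLASS
    for _ in range(an + ns):                                # skip answer and authority RRs
        _, off = _read_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    for _ in range(ar):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            if len(body) < 4:
                raise ValueError("ECS option too short")
            family, source, scope = struct.unpack("!HBB", body[:4])
            addr = body[4:]
            if family == 1:
                full, cls = 4, ipaddress.IPv4Network
            elif family == 2:
                full, cls = 16, ipaddress.IPv6Network
            else:
                raise ValueError("unknown ECS address family %d" % family)
            if source > full * 8 or len(addr) != (source + 7) // 8:
                raise ValueError("ECS address length does not match source prefix length")
            # strict=True rejects non-zero bits beyond the prefix, which section 6 forbids
            return cls((addr + b"\x00" * (full - len(addr)), source), strict=True), scope
    return None


def match_ecs_acl(msg, acl_prefixes):
    """Emulated `acl { ecs <prefix>; }` match (assumed rule: ECS subnet inside the prefix).
    A query without an ECS option never matches an ecs element."""
    parsed = parse_ecs(msg)
    if parsed is None:
        return False
    client_net, _ = parsed
    return any(client_net.version == ipaddress.ip_network(p).version
               and client_net.subnet_of(ipaddress.ip_network(p)) for p in acl_prefixes)


if __name__ == "__main__":
    # Constructed sample: a resolver forwarding a query for a client in 192.168.164.0/24.
    q = build_query("service.example.net", ecs_subnet="192.168.164.77/24")
    print(q.hex())
    print(parse_ecs(q), match_ecs_acl(q, ["192.168.164.0/24"]))
```

Two things the parser makes visible that matter for the view setup discussed in this thread: the option only says which subnet the resolver claims the client is in (the resolver, not the client, chooses to send it and can send anything), and a query that arrives without the option, as most do, falls through to whatever ACL element follows, so an `ecs` element can only ever be an addition to the source-address match, never a replacement for it.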


Re: HA: RE: BIND 9 windows XP builds

2017-04-19 Thread Reindl Harald



On 19.04.2017 at 06:52, i.chu...@volga.ttk.ru wrote:

> Hello all.
>
> Regarding the "critical mass": I'm the one who downloads BIND from XP box
> and I do it just to set it up on internal Linux machine. The reason to use
> XP as PC OS is company's policy and lack of money after all. :)
>
> P. S.: I can not imagine any user of BIND to even try to run it from
> Windows machine but I think if it is possible to provide Windows XP builds
> and there are still plenty of BIND users running Windows XP (Even if it is
> botnets. Botnet is just a piece of software like Windows XP or BIND. Why
> do you want to drop botnet support?) there is a reason to build binaries
> for Windows XP. Still it is all about money. Not everyone is able to pay
> Microsoft for the new OS. And there might be legacy software too. Why do
> users have to update and break everything if it works for them? So, my
> final answer is: "Don't drop the Windows XP binaries if it's technically
> possible to build them."


> Not everyone is able to pay Microsoft for the new OS.
> And there might be legacy software too

so your whole OS is legacy, there is running other legacy software - why 
would you then need BIND as the one and only non-legacy software on that 
box?




views

2017-04-19 Thread Alberto Rinaudo
Hello,
I have a bind installation on an AWS server and I'm trying to set up views
to give different responses based on the source location.
It works fine when this dns server is the first dns used by a client, I
guess because the source address used to discriminate between views is the
last hop.
If the query goes first to google dns instead I end up in the wrong view.
So here's the question: is it possible to use the original source address
to choose the view?
Am I looking at the right option or should I use something different than
views?
Thanks