Re: "spare hosts" as personal DNS nameservers for 'mynew.org'

2017-07-12 Thread Carl Byington

On Wed, 2017-07-12 at 16:21 -0500, b...@zq3q.org wrote:
> OK, I'm ready to consider other registrars, any suggestions
> would be appreciated.

I like gkg.net - they have an API so you can automatically upload new DS
records when you do DNSSEC key rollovers.




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: "spare hosts" as personal DNS nameservers for 'mynew.org'

2017-07-12 Thread Grant Taylor via bind-users

On 07/12/2017 03:21 PM, b...@zq3q.org wrote:

> OK, I'm ready to consider other registrars, any suggestions
> would be appreciated.


$Dynadot++ has been good to me.  I can pay them via PayPal and they
support DS records for DNSSEC if you eventually want to mess with that.
I think they were reasonably priced too.


I dislike the following and voted by spending my money elsewhere.
$GoDaddy--  They try to upsell you every chance they get and IMHO their
web UI tries to make every possible chance to upsell possible.
$Hover--  Formerly "It's Your Domain" (who was decent) changed to Hover
and seemed to be a registrar as a side need of a different service they
were selling.  They really put me off.




--
Grant. . . .
unix || die




Re: "spare hosts" as personal DNS nameservers for 'mynew.org'

2017-07-12 Thread bind
Hi Reindl:

On Tue 7/11/17 18:05 +0200 Reindl Harald wrote:
> 
> Am 11.07.2017 um 15:57 schrieb b...@zq3q.org:
> > Assume I register domain 'mynew.org' with registrar namecheap; and as an
> > exercise, I plan to set up my own two authoritative DNS nameservers for 'mynew.org'.
> > 
> > I have several linux VMs, that are under used, so I want to use them
> > for the nameservers for 'mynew.org'.  **Neither is in 'mynew.org';
> > is that going to work?**
> > 
> > namecheap support seems to suggest that the personal DNS authoritative
> > nameservers for 'mynew.org', must be in 'mynew.org', as in
> > 
> >  ns1.mynew.org
> >  ns2.mynew.org
> 
> for sure not
> and i am responsible for both zones and some hundred others
> on those nameservers over 15 years

Thanks for confirming.

> https://intodns.com/rhsoft.net confirms that all is fine

Thanks for this tool!

> and when your 
> registrar really has such crazy requirements switch to a sane one - 
> frankly it's even not helpful in case you need to switch nameservers 
> because in the case above they become GLUE records with a TTL of 172800 
> independent from the zone TTL

OK, I'm ready to consider other registrars, any suggestions
would be appreciated.

https://www.gandi.net/ 
has been suggested by Matthew Seaman. Looks good to me.

related rant: http://zq3q.org/pz/#zycbu_Choosing_a_DNS_registrar

> i had to switch a server which hosted websites and one of the
> nameservers (i know don't mix it) to a different machine some years ago
> and it was not funny that it took ages until webclients used the new IP
> address while DNS would not have been a problem by just keeping the old one
> as additional slave until shutting it down
> 
> ns1.thelounge.net.   ['85.124.176.242']   [TTL=172800]
> ns2.thelounge.net.   ['91.118.73.16']   [TTL=172800]
> 
> [harry@rh:~]$ whois rhsoft.net
> ...
> Name Server: ns1.thelounge.net
> Name Server: ns2.thelounge.net
> DNSSEC: Unsigned
> 
> [harry@rh:~]$ dig NS rhsoft.net @ns1.thelounge.net
> ; <<>> DiG 9.10.5-P2-RedHat-9.10.5-2.P2.fc25 <<>> NS rhsoft.net @ns1.thelounge.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27172
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1024
> ;; QUESTION SECTION:
> ;rhsoft.net.                    IN      NS
> 
> ;; ANSWER SECTION:
> rhsoft.net. 86400   IN  NS  ns2.thelounge.net.
> rhsoft.net. 86400   IN  NS  ns1.thelounge.net.
--snip

On Tue 7/11/17 21:33 +0200 Reindl Harald wrote:
--snip
> > What is a domain registrar with good support, that can guide me through
> > getting this to work under linux (fedora 24 and bind 9.x)?  I can buy a new
> > domain if need be.
> 
> no need - you can transfer your domains at any point in time

Thanks.  I may as well learn that process.

--snip
> 
> in case of .at we are directly registrar and our infrastructure talks
> directly via
> https://en.wikipedia.org/wiki/Extensible_Provisioning_Protocol to

Thx for the above link.

> nic.at, for other TLD's we use https://www.epag.de/ which belongs in the 
> meantime to GoDaddy

Thx, I looked at https://www.epag.de/en/

> it should not be that hard to find a service which lets you define the
> nameservers of your domain - if it's a registrar on its own or a
> reseller doesn't matter that much because the only point is whatever
> interface that lets you define "these hosts are the nameservers for
> example.com"

--
regards,
Tom



Re: Automatic RRSIG Refresh in BIND 9.8.2

2017-07-12 Thread Tony Finch
Latitude  wrote:
>
> Should DNSSEC key signing keys and zone signing keys also be located in a
> directory inside the /dynamic directory? Would it be acceptable to have them
> in a directory such as /var/named/chroot/etc/keys/dnssec?

On my master server I have zone files and journals in a .../zone/
directory writable by named, and DNSSEC keys in a different .../key/
directory read-only for named, but writable by a semi-privileged user
that is responsible for key maintenance.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Shannon: Variable 3, becoming west 4 or 5. Moderate. Occasional drizzle.
Moderate or good.


Re: "spare hosts" as personal DNS nameservers for 'mynew.org'

2017-07-12 Thread Tony Finch
b...@zq3q.org  wrote:

> One of my real hosts is below xen.prgmr.com, like the fake 'zap' above,
> so I would have to email prgmr.com support to get them to add
>
> mynew.org. IN NS zap.xen.prgmr.com.
> ^^^ << Is this valid?
>
> to the xen.prgmr.com zone.

There's a bit of confusion here, but this is a legitimately confusing
part of the DNS because there are multiple layers of indirection and
two kinds of indirection...

The first kind there are the delegation records in the parent zone, and
the authoritative records at the apex of the child zone.

The other kind, zones have name servers, and name servers have addresses.

For example, my zone is dotat.at. It has the name servers

dotat.at.       3600    IN      NS      ns1.gratisdns.dk.
dotat.at.       3600    IN      NS      ns3.gratisdns.dk.
dotat.at.       3600    IN      NS      grey.dotat.at.
dotat.at.       3600    IN      NS      puck.nether.net.

For a correct delegation, these NS records have to appear in the parent
zone (which I configure through my registrar) and at the apex of my zone
(on my master server, alongside the SOA etc.).

The second level of indirection is from name server names to addresses.
These are just normal hostname address records, so they appear in the
authoritative zones indicated by their names.

(You seemed to be confused about where NS records live. I hope this
clarified it for you!)

(To make GratisDNS and Puck authoritative for my zone, I used their user
interfaces to ask them to act as secondaries, telling them what my master
server IP addresses are. No changes to their DNS records, just their
server configuration which isn't visible from the outside.)

But, there's also glue.

Glue is a special case for name server hostnames which are in the child
zone - in my example this applies to grey.dotat.at. These hostnames need
address records in the delegation to avoid a circular dependency.

$ dig +noall +additional grey.dotat.at @d.ns.at
grey.dotat.at.  10800   IN      A       131.111.57.57
grey.dotat.at.  10800   IN      AAAA    2001:630:212:110::d:7a7

You configure your glue records through your registrar alongside your
delegation NS records. Usually you get to specify a list of nameserver
names, each with optional addresses - you only need to specify the
addresses when the hostname is in the child zone.

Basically what you are doing with this registrar user interface is
providing a COPY of data from the delegated zone: the apex NS records,
and any addresses of nameservers whose hostnames are inside the delegated
zone.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Fisher: Northwesterly 5 to 7, occasionally gale 8 in east. Moderate or rough.
Showers. Good.
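The parent/apex/glue rules Tony lays out above, as an added Python example that is not part of the thread: it models a delegation as the NS set published through the registrar, the NS set at the zone apex, and any glue, and reports the inconsistencies a resolver would trip over. The dotat.at data is taken from his post; the mynew.org servers (zap.xen.prgmr.com plus a constructed ns2.example.net) and the broken case are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Delegation:
    zone: str
    parent_ns: set      # NS names published in the parent zone (via the registrar)
    apex_ns: set        # NS names at the child zone apex (on the master server)
    glue: dict = field(default_factory=dict)  # nameserver -> address set in the parent


def norm(name):
    return name.lower().rstrip(".")


def in_bailiwick(host, zone):
    """True when host is the zone apex or any name below it."""
    host, zone = norm(host), norm(zone)
    return host == zone or host.endswith("." + zone)


def check_delegation(d):
    """Return a list of problems; an empty list means parent, apex and glue agree."""
    problems = []
    parent = {norm(n) for n in d.parent_ns}
    apex = {norm(n) for n in d.apex_ns}
    glue = {norm(h): addrs for h, addrs in d.glue.items()}
    # First kind of indirection: the delegation must match the apex NS set.
    for n in sorted(parent - apex):
        problems.append(f"{n}: in parent delegation but not at the apex of {d.zone}")
    for n in sorted(apex - parent):
        problems.append(f"{n}: at the apex of {d.zone} but not in the parent delegation")
    # Second kind: in-zone nameserver names need glue to break the circular lookup;
    # out-of-zone names are resolved normally and should not carry glue.
    for n in sorted(parent):
        if in_bailiwick(n, d.zone) and not glue.get(n):
            problems.append(f"{n}: inside {d.zone}, needs glue addresses in the delegation")
        if not in_bailiwick(n, d.zone) and glue.get(n):
            problems.append(f"{n}: outside {d.zone}, addresses belong in its own zone, not glue")
    return problems


def dotat_example():  # data from Tony's post: grey.dotat.at is in-zone, so it has glue
    ns = {"ns1.gratisdns.dk.", "ns3.gratisdns.dk.", "grey.dotat.at.", "puck.nether.net."}
    glue = {"grey.dotat.at.": {"131.111.57.57", "2001:630:212:110::d:7a7"}}
    return check_delegation(Delegation("dotat.at", ns, set(ns), glue))


def mynew_example():  # constructed: both servers live outside mynew.org, so no glue
    ns = {"zap.xen.prgmr.com.", "ns2.example.net."}
    return check_delegation(Delegation("mynew.org", ns, set(ns)))


def broken_example():  # constructed: apex missing a server, in-zone server without glue
    return check_delegation(Delegation(
        "mynew.org", {"ns1.mynew.org.", "zap.xen.prgmr.com."}, {"zap.xen.prgmr.com."}))
```

In practice you would fill `parent_ns` and `glue` from a query to the parent's servers and `apex_ns` from your own master, then run the check after every change at the registrar.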