Re: disable dnssec for particular domain

2018-02-07 Thread Michelle Konzack
Thank you,

On 2018-02-08 Warren Kumari hammered on the keys:
> On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch  wrote:
>> Michelle Konzack  wrote:
>>
>>> If someone is interested making a slave for me, I can do
>>> the same with him/her/whatelse.
>>
>> I'm cheap, so for my personal domains I use free secondaries from
>> https://puck.nether.net/dns/ and https://admin.gratisdns.com/
>
> Not adding anything relevant to the thread (shocking, I know!), but a
> number of us use puck --- and I wanted to give a quick shout-out to
> Jared Mauch for providing this to the community.
>
> W

True, I have had my own NS since 2007 and have slaved a bunch of zones.
Funny, my dedicated  has a traffic allowance of 1 TByte (!),
of which I use, including system upgrades, only around 200 MByte.

Now I got a Slave in London and a second in the USA.

Thanks in advance

-- 
Michelle Konzack    Miila ITSystems @ TDnet
GNU/Linux Developer 00372-54541400

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: disable dnssec for particular domain

2018-02-07 Thread Warren Kumari
On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch  wrote:
> Michelle Konzack  wrote:
>
>> If someone is interested making a slave for me, I can do
>> the same with him/her/whatelse.
>
> I'm cheap, so for my personal domains I use free secondaries from
> https://puck.nether.net/dns/ and https://admin.gratisdns.com/

Not adding anything relevant to the thread (shocking, I know!), but a
number of us use puck --- and I wanted to give a quick shout-out to
Jared Mauch for providing this to the community.

W


>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
> Viking, North Utsire, South Utsire, Forties: Northwesterly 4 or 5, backing
> southerly or southwesterly 5 to 7, occasionally gale 8 in Viking and North
> Utsire. Moderate or rough. Wintry showers, then occasional rain. Good,
> occasionally poor.

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


Re: disable dnssec for particular domain

2018-02-07 Thread Michelle Konzack
Good evening,

On 2018-02-07 Reindl Harald hammered on the keys:
> On 07.02.2018 at 18:38, Matus UHLAR - fantomas wrote:
>> neither is possible for now. as I said, neither our customer nor
>> its upstream does maintain the domain.
>
> I will point at that case when someone asks why I insist on being registrar
> as well as DNS provider for anything I have to deal with - to avoid
> that someone is responsible for something but without responsibility, aka
> not reachable nor cooperative

1+

Thanks in advance

-- 
Michelle Konzack    Miila ITSystems @ TDnet
GNU/Linux Developer 00372-54541400



Re: disable dnssec for particular domain

2018-02-07 Thread Reindl Harald



On 07.02.2018 at 18:38, Matus UHLAR - fantomas wrote:
> neither is possible for now. as I said, neither our customer nor
> its upstream does maintain the domain.

I will point at that case when someone asks why I insist on being registrar
as well as DNS provider for anything I have to deal with - to avoid
that someone is responsible for something but without responsibility, aka
not reachable nor cooperative




Re: disable dnssec for particular domain

2018-02-07 Thread Matus UHLAR - fantomas

> Matus UHLAR - fantomas  wrote:
>
>> I wonder why it does that. I have configured a zone to be type
>> forward and expected it to work as configured, not be validated
>> upstream.

On 07.02.18 14:14, Tony Finch wrote:
> Validation is mostly independent of resolution, so even if you configure a
> zone explicitly, the validator will still go chatting to its parent zones
> in search of its delegation. (The exception is authoritative zones, which
> are not validated.)

so I need 9.11 to turn validation off... great :-)
(np, it was off on other server, I just set up a new one)

>> Do people with private versions of domains have this problem too when
>> using DNSSEC?
>
> Yes :-) I'm relatively lucky that my predecessors set up private.cam.ac.uk
> rather than a shadow cam.ac.uk which made it easier for them to roll out
> DNSSEC.

>> I have feeling that we need to reserve TLD for internal private domains
>> that would be guaranteed not to use DNSSEC at all.
>
> There's no need for that (and that would involve a lot of tricky
> politics).

other than reserving TLD, not signing it and recommending people to use its
subdomains?

> Instead, either use a subdomain of an existing domain (like us)
> or register a domain with an insecure delegation for internal use.

neither is possible for now. as I said, neither our customer nor its upstream
does maintain the domain.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: disable dnssec for particular domain

2018-02-07 Thread Tony Finch
Matus UHLAR - fantomas  wrote:
>
> I wonder why it does that. I have configured a zone to be type
> forward and expected it to work as configured, not be validated
> upstream.

Validation is mostly independent of resolution, so even if you configure a
zone explicitly, the validator will still go chatting to its parent zones
in search of its delegation. (The exception is authoritative zones, which
are not validated.)

> Do people with private versions of domains have this problem too when
> using DNSSEC?

Yes :-) I'm relatively lucky that my predecessors set up private.cam.ac.uk
rather than a shadow cam.ac.uk which made it easier for them to roll out
DNSSEC.

> I have feeling that we need to reserve TLD for internal private domains
> that would be guaranteed not to use DNSSEC at all.

There's no need for that (and that would involve a lot of tricky
politics). Instead, either use a subdomain of an existing domain (like us)
or register a domain with an insecure delegation for internal use.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Lundy, Fastnet, Irish Sea: Variable 4, becoming southwest 5 or 6. Very rough
at first in southwest Fastnet, otherwise slight or moderate, occasionally
rough except in Irish Sea. Wintry showers, then occasional rain. Good,
occasionally poor.


Re: disable dnssec for particular domain

2018-02-07 Thread Matus UHLAR - fantomas

On 07.02.18 12:26, Tony Finch wrote:
> Aha! I think what's happening here is that BIND is expecting a NODATA
> response, to indicate that there is a delegation without a DS record.
> (For an example, `dig +dnssec +multiline europa.eu ds`)
>
> However the validator gets an NXDOMAIN response claiming the domain
> doesn't exist at all. But this is an opt-out NXDOMAIN so it is not a
> proof. Nevertheless the validator believes it, and is convinced that it
> has not proved the NODATA that it was expecting to prove, so it tells
> itself it has not found an insecure delegation.

I wonder why it does that.

I have configured a zone to be type forward and expected it to work as
configured, not be validated upstream.

(type forward - the fun continues, we don't have access to the origin
nameservers, however tried static-stub with the same result)

> This is a tricky case. You can argue convincingly either way whether it is
> a bug or not, I think. Even if it is a bug, fixing it is not going to
> solve your problem any time soon - you need a pragmatic operational
> solution.

I can only guess that this is a part of dnssec functionality - validate
everything even for domains configured locally.

Do people with private versions of domains have this problem too when
using DNSSEC?

I have feeling that we need to reserve TLD for internal private domains
that would be guaranteed not to use DNSSEC at all.

(I have thought of reserving private TLD already before, anyone wants to
write a RFC?)

> What you should do is add some nameservers to the registration (serving an
> empty zone or something), so that the .eu nameservers return a NODATA
> response instead of an NXDOMAIN response. Then your private zone will
> work.

that would apparently take ages, neither we nor our customer have contact to
the registrar.

I currently see the only option to disable dnssec on the server, or upgrade
to 9.11 ...

but I'll upgrade the server to Debian 8 (BIND 9.9.5) first.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have. 


Re: disable dnssec for particular domain

2018-02-07 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 7 Feb 2018, Michelle Konzack wrote:

> ... Note:  If someone is interested in making a slave for me ...


Is there a reason you don't use e.g. he.net?

https://dns.he.net/

They do say of DNSSEC that they are "exploring this now" but it seems
to work for me.

--

73,
Ged.


Re: disable dnssec for particular domain

2018-02-07 Thread Tony Finch
Michelle Konzack  wrote:

> If someone is interested in making a slave for me, I can do
> the same with him/her/whatelse.

I'm cheap, so for my personal domains I use free secondaries from
https://puck.nether.net/dns/ and https://admin.gratisdns.com/

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire, South Utsire, Forties: Northwesterly 4 or 5, backing
southerly or southwesterly 5 to 7, occasionally gale 8 in Viking and North
Utsire. Moderate or rough. Wintry showers, then occasional rain. Good,
occasionally poor.


Re: Enable systemd hardening options for named

2018-02-07 Thread Ludovic Gasc
Hi, More below.

2018-02-06 21:49 GMT+01:00 Petr Menšík :

> Hi, More below
>
> On 1.2.2018 at 01:36 Ludovic Gasc wrote:
> > 2018-01-31 21:47 GMT+01:00 Petr Menšík :
> >
> > Hi Ludovic,
> >
> >
> > Hi Petr,
> >
> > I didn't expect to discuss directly with the Fedora maintainer :-)
> > Just in case you are at DNS devroom of FOSDEM this
> > Sunday: https://fosdem.org/2018/schedule/track/dns/
> > 
> > I'm interested in to meet you.
>
> Unfortunately I was not at FOSDEM, so that was not possible. I hope
> next time I will be there. I will have to watch the recorded videos.
>

As each year, it was a great event :-)


> > Anyway, about the SELinux discussion, I'm convinced that SELinux proposed
> > better security features than systemd before it existed.
> > However, in the Debian universe, no MAC is enabled by default: some extra
> > default config in systemd will be easier to integrate in the mainstream
> > distribution than a MAC enabled by default :-)
> > Moreover, from my small experience of CentOS, I have already seen several
> > times in the setup documentation of several proprietary software packages for CentOS
> > that the first step is to disable SELinux before the installation.
> There is a clear reason why we support our packages and not the third
> party ones. This is the best reason for that. I admit maintaining
> working SELinux labels is difficult for a person who has minimal
> experience with it. I am not quite good at it myself, in fact. However,
> disabling SELinux altogether is the worst practice possible.
>
> I hope there is nothing like that on any Fedora or Red Hat Enterprise
> Linux guides. Switch to permissive mode, use audit2allow, create local
> exceptions (semanage), switch back to enforcing. That is what we recommend.
>

No, I have read that in several setup manuals of third party tools that use
CentOS as a basis, but not related to RHEL resources.
Anyway, it's a reality, and maybe a second level of security might reduce
the impact a little bit.
But it could also have an impact in terms of maintenance and support to
enable these systemd options by default in Fedora; not my role to decide
that ;-)


> > I will ask if there are such statistics.
>

If at some point you have this information, I'm interested, if it's
possible for you to communicate it.


> > On Fedora, CAP_DAC_OVERRIDE is not granted to bind, because it might be
> > a dangerous feature. CAP_DAC_READ_SEARCH is a little bit safer, but still
> > might be unnecessary. It should be possible to run even without it with
> > careful permission configuration of keys and config files.
> >
> > I think CAP_SYS_RESOURCE is required to automatically adjust the maximum
> > number of file descriptors/sockets from configuration. But I am not 100%
> > sure about that.
> >
> >
> > For this part, you can define values in the systemd config file: LimitNOFILE
> Sure, thanks for looking this up. There are 4 limit options in
> named.conf for this. files, datasize, coresize, stacksize. I guess all
> these values can be configured from systemd instead. In fact, according
> to ns_os_adjustnofile of named/main.c, this is always set to
> LimitNOFILE=infinity after named starts. At least on my Fedora build of
> 9.11.2, it is always logged:
> "adjusted limit on open files from 2048 to 1048576"
> Increasing the limit from the service unit will prevent logging this. I
> think I want the increased limit to be more obvious.
>
> Unless you want to disable options from named.conf, CAP_SYS_RESOURCE
> should be provided.
>

The solution might be to add a comment in named.conf to explain that it's
now necessary to change that in the systemd unit file.
With the override mechanism of systemd, it's pretty easy to customize a
unit file without breaking upgrades.
It's a distribution decision what the default configuration is; I
will check with the Debian developers.

Have a nice week.

Re: disable dnssec for particular domain

2018-02-07 Thread Michelle Konzack
Ahoi Matus,

On 2018-02-07 Matus UHLAR - fantomas hammered on the keys:
> yes. even web whois shows no 'nameserver' information.
>
> the name is "testa.eu".

Oi, the owner is the European Commission!

It seems they have the privilege
of not attributing name servers to the domain.

A normal registrant does not have the right to do this!

> I'm not good at dnssec to find out more.
>
> thank you

And it becomes even worse.  Now ICANN and others require
that a domain has not only TWO name servers but a MINIMUM of THREE!

Time to get my server in Tallinn running to get my  back.

Note:  If someone is interested in making a slave for me, I can do
   the same with him/her/whatelse.  My 
   is located in Nürnberg/Germany and is a dedicated machine.
is the same as my
   .

   In the future I will change the servers to the domain
to make things shorter!

will be located in Tallinn/Estonia

   I would prefer an NS slave in Paris/France and/or in the USA

Thanks in advance

-- 
Michelle Konzack    Miila ITSystems @ TDnet
GNU/Linux Developer 00372-54541400



Re: disable dnssec for particular domain

2018-02-07 Thread Tony Finch
Pruned debug logs...

validating testa.eu/DS: looking for closest encloser
validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA indicates potential closest encloser: 'eu'
validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA at super-domain eu
validating testa.eu/DS: NSEC3 GLIBHU0LF7IH1TGCCS68E3R5508AKBFR proves name does not exist: 'testa.eu'
validating testa.eu/DS: NSEC3 GLIBHU0LF7IH1TGCCS68E3R5508AKBFR indicates optout
validating testa.eu/DS: NSEC3 4EIKQ8ORL4U4NTG72QEDRA6P3NDA1UNC proves name does not exist: '*.eu'
validating testa.eu/DS: in checkwildcard: *.eu
validating testa.eu/DS: NEEDNODATA = 0
validating testa.eu/DS: FOUNDNODATA = 0
validating testa.eu/DS: FOUNDOPTOUT = 1
validating testa.eu/DS: NEEDNOQNAME = 1
validating testa.eu/DS: FOUNDNOQNAME = 1
validating testa.eu/DS: NEEDNOWILDCARD = 1
validating testa.eu/DS: FOUNDNOWILDCARD = 1
validating testa.eu/DS: FOUNDCLOSEST = 1
validating testa.eu/DS: nonexistence proof(s) found

Looks OK so far...

fctx 0x7f1a5bfc1a10(testa.eu/DS): nonexistence validation OK
validating testa.eu/SOA: in dsfetched2: ncache nxdomain
validating testa.eu/SOA: resuming proveunsecure
validating testa.eu/SOA: insecurity proof failed

Then it goes pear-shaped.

Aha! I think what's happening here is that BIND is expecting a NODATA
response, to indicate that there is a delegation without a DS record.
(For an example, `dig +dnssec +multiline europa.eu ds`)

However the validator gets an NXDOMAIN response claiming the domain
doesn't exist at all. But this is an opt-out NXDOMAIN so it is not a
proof. Nevertheless the validator believes it, and is convinced that it
has not proved the NODATA that it was expecting to prove, so it tells
itself it has not found an insecure delegation.

This is a tricky case. You can argue convincingly either way whether it is
a bug or not, I think. Even if it is a bug, fixing it is not going to
solve your problem any time soon - you need a pragmatic operational
solution.

What you should do is add some nameservers to the registration (serving an
empty zone or something), so that the .eu nameservers return a NODATA
response instead of an NXDOMAIN response. Then your private zone will
work.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Tyne, Dogger: Northwest 4 or 5, backing southwest 5 to 7. Slight or moderate.
Wintry showers, then occasional rain. Good, occasionally poor.


Re: disable dnssec for particular domain

2018-02-07 Thread Tony Finch
Matus UHLAR - fantomas  wrote:
>
> the name is "testa.eu".

OK, let's dig it (trimmed for relevance):

; <<>> DiG 9.13.0-dev <<>> +multiline +dnssec testa.eu
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39666
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

So we know two things from this: the domain doesn't exist, and it is not
an authenticated denial of existence - no AD flag. So you should be OK to
have a private testa.eu domain without DNSSEC validation problems.

Looking in the AUTHORITY section...

4EIKQ8ORL4U4NTG72QEDRA6P3NDA1UNC.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
4EIOQGMMDB0BP76VHHBDNVEN2UUNABGK
NS DS RRSIG )

$ NSEC3 1 1 1 5CA1AB1E *.eu
*.eu NSEC3 1 1 1 5CA1AB1E 4EIO9SO8DATCD8U1KI8ATQ6K5UTE1QCS

This NSEC3 record proves there is no wildcard (observe the hash from my
NSEC3 utility is lexically between the two hashes above).


GLIBHU0LF7IH1TGCCS68E3R5508AKBFR.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
GLIJ3PFD0FCA2FL8AJIASQMBMAK8F8HB
NS DS RRSIG )

$ NSEC3 1 1 1 5CA1AB1E testa.eu
testa.eu NSEC3 1 1 1 5CA1AB1E GLIBUAUN6HLU7OONLEAJE4PFAHE8CFEU

This NSEC3 record proves there is no signed delegation for testa.eu. There
is an opt-out bit which means that there can be any unsigned delegations
with hashes between GLIBH... and GLIJ3...


QBQ65Q6097OCPPR0EUCQNSC1FHE073UA.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
QBQ6OCGMT2JNIJ4JNF2CCRFI4CE4NUE0
NS SOA RRSIG DNSKEY NSEC3PARAM )

$ NSEC3 1 1 1 5CA1AB1E eu
eu NSEC3 1 1 1 5CA1AB1E QBQ65Q6097OCPPR0EUCQNSC1FHE073UA

This is the closest encloser proof, identifying the .eu zone apex, which
you can tell from the type bitmap as well as the matching hashes.


So according to my understanding, a local testa.eu zone should work ok.
Letsa testa it. I have configured an empty zone on my authoritative view,
with a static-stub version in the recursive view. This is a cunning hack
to make my server validate its local authoritative zones, which I use for
all the real zones on the server.

$ named-checkconf -l | grep testa
testa.eu IN rec static-stub
testa.eu IN auth master

$ dig testa.eu soa

; <<>> DiG 9.13.0-dev <<>> testa.eu soa
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38193
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Oh dear! As you said, it doesn't work!

I think this warrants further investigation...

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Rockall, Malin, Hebrides, Bailey: West or southwest 5 to 7, occasionally gale
8 in Hebrides and Bailey. Very rough or high, occasionally rough in Malin.
Rain then showers, becoming wintry and squally except in Malin. Good,
occasionally poor.


Re: disable dnssec for particular domain

2018-02-07 Thread Mark Elkins
Thanks for providing the domain name in question (testa.eu).

Indeed, port 43 whois shows no nameservers - neither does the web based
whois on whois.eurid.eu, though the name does exist in the 'eu' registry
system.

Dig gives me nothing either...

$ dig testa.eu ns +short
$ dig testa.eu ds +short

If there are no Nameservers for testa.eu in the eu zone (which appears
to be the case) - then DNSSEC in this case is a Red Herring. There is
nothing to validate.

It's possible to register a Domain in EU without supplying Nameservers.
I guess this is so people can either reserve a name for future use or
block anyone else from ever having it without the complications of
setting up Nameservers. This seems to be the case here.


On 07/02/2018 13:07, Matus UHLAR - fantomas wrote:
>> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>>> what's the difference, when the domain doesn't exist?
>>>
>>> is it because .eu is signed?
>
> On 06.02.18 16:35, Ray Bellis wrote:
>> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
>> and opt-out.
>>
>> Are you *sure* that the domain doesn't now actually exist in the DNS?
>
> yes. even web whois shows no 'nameserver' information.
>
> the name is "testa.eu".
> I'm not good at dnssec to find out more.
>
> thanks you

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: disable dnssec for particular domain

2018-02-07 Thread Reindl Harald



On 07.02.2018 at 12:12, Reindl Harald wrote:
> On 07.02.2018 at 12:07, Matus UHLAR - fantomas wrote:
>> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>>> what's the difference, when the domain doesn't exist?
>>>
>>> is it because .eu is signed?
>>
>> On 06.02.18 16:35, Ray Bellis wrote:
>>> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
>>> and opt-out.
>>>
>>> Are you *sure* that the domain doesn't now actually exist in the DNS?
>>
>> yes. even web whois shows no 'nameserver' information.
>>
>> the name is "testa.eu".
>> I'm not good at dnssec to find out more
>
> probably it's just a stupid idea to have no nameservers instead of some
> fake nameserver without DS records when you override the domain locally
> anyways
>
> my "rhsoft.net" domain on local networks also has nothing in common with
> the public nameservers
>
> https://dnssec-debugger.verisignlabs.com/testa.eu
>
>  Found 3 DNSKEY records for .
>  DS=20326/SHA-256 verifies DNSKEY=20326/SEP
>  DS=19036/SHA-256 verifies DNSKEY=19036/SEP
>  Found 1 RRSIGs over DNSKEY RRset
>  RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
> eu
>  Found 1 DS records for eu in the . zone
>  DS=59479/SHA-256 has algorithm RSASHA256
>  Found 1 RRSIGs over DS RRset
>  RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
>  Found 2 DNSKEY records for eu
>  DS=59479/SHA-256 verifies DNSKEY=59479/SEP
>  Found 2 RRSIGs over DNSKEY RRset
>  RRSIG=43743 and DNSKEY=43743 verifies the DNSKEY RRset
>  Zone eu (2600:2000:3004::1) returns NXDOMAIN for testa.eu

and that proves that your setup with no nameservers is stupid because
otherwise you would get "domain not signed" and you are done

https://dnssec-debugger.verisignlabs.com/rhsoft.net

Found 3 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
DS=19036/SHA-256 verifies DNSKEY=19036/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
net
Found 1 DS records for net in the . zone
DS=35886/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
Found 2 DNSKEY records for net
DS=35886/SHA-256 verifies DNSKEY=35886/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=35886 and DNSKEY=35886/SEP verifies the DNSKEY RRset
rhsoft.net
No DS records found for rhsoft.net in the net zone
No DNSKEY records found
rhsoft.net A RR has value 91.118.73.11
No RRSIGs found

Re: disable dnssec for particular domain

2018-02-07 Thread Reindl Harald



On 07.02.2018 at 12:07, Matus UHLAR - fantomas wrote:
> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>> what's the difference, when the domain doesn't exist?
>>
>> is it because .eu is signed?
>
> On 06.02.18 16:35, Ray Bellis wrote:
>> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
>> and opt-out.
>>
>> Are you *sure* that the domain doesn't now actually exist in the DNS?
>
> yes. even web whois shows no 'nameserver' information.
>
> the name is "testa.eu".
> I'm not good at dnssec to find out more

probably it's just a stupid idea to have no nameservers instead of some
fake nameserver without DS records when you override the domain locally
anyways

my "rhsoft.net" domain on local networks also has nothing in common with
the public nameservers

https://dnssec-debugger.verisignlabs.com/testa.eu

Found 3 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
DS=19036/SHA-256 verifies DNSKEY=19036/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
eu
Found 1 DS records for eu in the . zone
DS=59479/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
Found 2 DNSKEY records for eu
DS=59479/SHA-256 verifies DNSKEY=59479/SEP
Found 2 RRSIGs over DNSKEY RRset
RRSIG=43743 and DNSKEY=43743 verifies the DNSKEY RRset
Zone eu (2600:2000:3004::1) returns NXDOMAIN for testa.eu


Re: disable dnssec for particular domain

2018-02-07 Thread Matus UHLAR - fantomas

> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>> what's the difference, when the domain doesn't exist?
>>
>> is it because .eu is signed?

On 06.02.18 16:35, Ray Bellis wrote:
> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
> and opt-out.
>
> Are you *sure* that the domain doesn't now actually exist in the DNS?

yes. even web whois shows no 'nameserver' information.

the name is "testa.eu".
I'm not good at dnssec to find out more.

thank you
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of. 