notify explicit and also-notify

2018-05-03 Thread Blason R
Hi,

So I was playing with these two statements and wanted to know something on
also-notify.

also-notify by default will update slaves about delta changes on port
TCP/53 if not explicitly set, right?

e.g.

also-notify {10.0.1.2; "notify-them" port 2034;};
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Dynamic zone vs static records

2018-05-03 Thread Grant Taylor via bind-users

On 05/03/2018 12:42 PM, Darcy Kevin (FCA) wrote:

As far as I know, Domain Controllers still only maintain SRV records


DCs, likely all member servers, and possibly all workstations (or the 
DHCP server on their behalf) will try to register A / AAAA and PTR 
records too.


Also, updates to the AD sub-domains should be infrequent.  Updates to A 
/ AAAA / PTR may be more frequent.




--
Grant. . . .
unix || die





RE: Dynamic zone vs static records

2018-05-03 Thread Darcy Kevin (FCA)
“We are aware that we should not mix the plain text configuration with these 
dynamic records (and use a subdomain instead)”

So, why don’t you do that? As far as I know, Domain Controllers still only 
maintain SRV records, so the “underscore zones” approach should still work. 
Make _tcp.example.com, _udp.example.com, _msdcs.example.com, etc. separate 
subzones, with Dynamic Updates allowed (for the Domain Controllers to 
add/delete/refresh their SRV records), and have the main zone (example.com) 
maintained by FusionDirectory. No need to get fancy with LDAP backends…




- Kevin


From: bind-users  On Behalf Of Jérôme BECOT
Sent: Wednesday, May 02, 2018 9:49 AM
To: bind-users@lists.isc.org
Subject: Dynamic zone vs static records

Hello,

We are managing our DNS zone within LDAP through a 3rd party editor 
(FusionDirectory). This software is configured to export the LDAP configuration 
to plain text zone files, updated on the master (and a zone reload is made by 
the software by calling rndc).

If we make this zone dynamic we have a serial issue, because each server (Active 
Directory) dynamically updating the zone increments the serial, which does not 
update the LDAP. Refreshing the zone via FusionDirectory does not work as the 
generated serial is lower.

We are aware that we should not mix the plain text configuration with these 
dynamic records (and use a subdomain instead). As we want to edit the zone in 
LDAP and we would like to make the AD servers auto-register their records in the 
zone, would using BIND with the LDAP backend allow us to do so? 
(FusionDirectory can be configured as a simple LDAP editor without pushing text 
config).

Let me know if my question is odd or lacking information.

Thank you for your advice.

JEROME BECOT
Ingénieur Système et Réseau
DSIRN
Bureau n°4.29

Institut national des langues et civilisations orientales
65 rue des Grands Moulins
Paris 75013, France

01 81 70 10 78
jerome.be...@inalco.fr
www.inalco.fr
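The split Kevin describes, written out as named.conf on the master. This is an added example, not configuration from the thread or from FusionDirectory; the ACL name, the DC addresses and the file paths are assumptions, and _msdcs, _tcp and _udp are the subzones Kevin names (any other underscore subzone the DCs register in gets the same stanza).

```conf
// Added example (not from the thread). ACL name, addresses and paths are
// assumptions; replace them with your own.

acl "domain-controllers" {
    192.0.2.10;     // dc1, assumed address
    192.0.2.11;     // dc2, assumed address
};

// Parent zone: static text generated from LDAP by FusionDirectory and
// reloaded with rndc. Dynamic updates stay refused (the default, spelled
// out here), so nothing but the export ever changes this zone's serial.
zone "example.com" IN {
    type master;
    file "/var/named/static/example.com.zone";
    allow-update { none; };
};

// Underscore subzones the Domain Controllers register their SRV records
// in. Each is a separate zone with its own serial and journal, so DC
// updates never collide with the LDAP export. The directory must be
// writable by named, which keeps the .jnl files next to the zone files.
zone "_msdcs.example.com" IN {
    type master;
    file "/var/named/dynamic/_msdcs.example.com.zone";
    allow-update { "domain-controllers"; };
};

zone "_tcp.example.com" IN {
    type master;
    file "/var/named/dynamic/_tcp.example.com.zone";
    allow-update { "domain-controllers"; };
};

zone "_udp.example.com" IN {
    type master;
    file "/var/named/dynamic/_udp.example.com.zone";
    allow-update { "domain-controllers"; };
};
```

Two things to get right around this fragment. First, the exported example.com zone file must carry NS records delegating each underscore subzone (e.g. an `_msdcs IN NS ...` line per subzone pointing at this server's name), and each dynamic zone needs a seed file with its own SOA and NS before named will load it; run `named-checkconf` and `named-checkzone` on the result. Second, `allow-update` by source address trusts an address that can be spoofed on a UDP UPDATE; Windows DCs can do secure dynamic update with GSS-TSIG, which BIND supports through `tkey-gssapi-keytab` and `update-policy`, but setting that up is outside what the thread covers.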


Re: DNS RPZ Master/Slave configuration

2018-05-03 Thread Blason R
Again, unicast could be any IP address or the normal IP address given on the server?
There is no such specification like multicast.

On Thu, May 3, 2018 at 7:46 PM, Blason R  wrote:

> Thanks I got it, Below link helped me understand.
>
> https://deepthought.isc.org/article/AA-00518/0/How-can-I-synchronize-DNS-RPZ-firewall-policies-across-multiple-DNS-servers.html
>
> The one thing I didn't understand is how to assign a unicast address from a DNS
> perspective?
>
> On Thu, May 3, 2018 at 7:36 PM, Blason R  wrote:
>
>> Hi there,
>>
>> Can someone please guide me on a working configuration of a Master/Slave zone
>> in DNS RPZ for reference?
>>
>> Is that available with someone? And does it work exactly as master/slave
>> like any other zone?
>>
>
>


Re: DNS RPZ Master/Slave configuration

2018-05-03 Thread Blason R
Thanks I got it, Below link helped me understand.

https://deepthought.isc.org/article/AA-00518/0/How-can-I-synchronize-DNS-RPZ-firewall-policies-across-multiple-DNS-servers.html

The one thing I didn't understand is how to assign a unicast address from a DNS
perspective?

On Thu, May 3, 2018 at 7:36 PM, Blason R  wrote:

> Hi there,
>
> Can someone please guide me on a working configuration of a Master/Slave zone
> in DNS RPZ for reference?
>
> Is that available with someone? And does it work exactly as master/slave
> like any other zone?
>


DNS RPZ Master/Slave configuration

2018-05-03 Thread Blason R
Hi there,

Can someone please guide me on a working configuration of a Master/Slave zone in
DNS RPZ for reference?

Is that available with someone? And does it work exactly as master/slave
like any other zone?


Re: DNSSEC and automatic renewal of RRSIG-expiration-time

2018-05-03 Thread Tony Finch
Tom  wrote:

> Does the "inline-signing"-mechanism also automatically renew the
> expiration-time of the RRSIGs?

Yes.

> If so: When or in which interval does BIND verify the expiration-times
> of the RRSIGs and renew them?

The documentation for sig-validity-interval says renewal time is 1/4 of
the validity period, so for your 1 day interval, 6 hours before expiry.

sig-validity-interval

Specifies the number of days into the future when DNSSEC signatures
automatically generated as a result of dynamic updates (Section 4.2) will
expire. There is an optional second field which specifies how long before
expiry that the signatures will be regenerated.  If not specified, the
signatures will be regenerated at 1/4 of base interval.  The second field
is specified in days if the base interval is greater than 7 days otherwise
it is specified in hours. The default base interval is 30 days giving a
re-signing interval of 7 1/2 days. The maximum values are 10 years (3660
days).

The signature inception time is unconditionally set to one hour before the
current time to allow for a limited amount of clock skew.

The sig-validity-interval should be, at least, several multiples of the
SOA expire interval to allow for reasonable interaction between the
various timer and expiry dates.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
South Utsire: Westerly 3 or 4, backing southerly 4 or 5. Slight or moderate.
Showers. Good.


Re: root hints

2018-05-03 Thread Anand Buddhdev
On 02/05/2018 23:39, Rick Dicaire wrote:

> Thanks for the responses folks...so if I don't need to manage root.hints,
> can I remove the line:
> 
> zone "." IN {type hint;file "root.cache";};
> 
> from named.conf?

Yes, you can remove it.

Regards,
Anand


DNSSEC and automatic renewal of RRSIG-expiration-time

2018-05-03 Thread Tom

Hi list

Using latest BIND (9.12.1) with dnssec and inline-signing enabled. 
SIG-VALIDITY-INTERVAL is set to 1 day (for testing).

Look at the following RRSIG:

test01.example.com. 300 IN RRSIG A 8 3 300 (
20180504060124 20180503052321 1 test01.example.com.
rUch7bFR18Nmaeu+gqS29fG8oTPQm1SIBe9x+0iVPpXw
GnXBy6bZacXiBwYPjgJd7GK+3giGq/Mw2URXexW8PuuV
IGBz8bRUczNbQPHsaZUWXlv32RelJArykWB8S/N5pvOn
r8Q9w4asKR6JNiDnzoF/09EVlSyXvaluVrZT7kMGKdgC
OB7H20kwcBkGdwUYMclna2XmddQMeicc5yjxglQgpg89
48Om5L8A0hjGDQEyTTTaOA91D+7/F2yI99TPvSYizC+6
vYUoleAIWQi3GRG/KJRd9N8OouZIYgOtf2jKPwsEQwhQ
sS7G3w4BxrkEB8Q8btx5CWaKX2CVD8Jv2A== )

The record expires in a few hours.
Does the "inline-signing" mechanism also renew the expiration time of the 
RRSIGs automatically? If so, when or at what interval does BIND check the 
expiration times of the RRSIGs and renew them? If not, what do I have to do 
to make BIND renew the RRSIGs automatically?


Thank you.
Kind regards,
Tom
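The re-signing rule Tony quotes from the ARM, applied to the RRSIG Tom posted, as an added example that is not part of either message. It encodes the sig-validity-interval arithmetic (base interval, optional second field in days or hours, 1/4 default, one-hour backdated inception) and reports when named will regenerate the signature and whether it is already due. The only assumption beyond the thread is that the zone runs with `sig-validity-interval 1;` as Tom says, with no second field; the RRSIG text is copied verbatim from his message.

```python
"""
Added example (not from the bind-users thread): work out when BIND's
inline signer will regenerate an RRSIG, using the sig-validity-interval
rules quoted in Tony's reply, and apply them to the RRSIG Tom posted.

Assumption not stated on the page: the zone is signed with
`sig-validity-interval 1;` (base interval 1 day, no second field).
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"  # RFC 4034 s3.2: YYYYMMDDHHmmSS, always UTC
MAX_VALIDITY_DAYS = 3660         # upper bound quoted from the ARM text

# The RRSIG from Tom's message, copied verbatim (multi-line form as dig prints it).
RRSIG_FROM_THREAD = """test01.example.com. 300 IN RRSIG A 8 3 300 (
20180504060124 20180503052321 1 test01.example.com.
rUch7bFR18Nmaeu+gqS29fG8oTPQm1SIBe9x+0iVPpXw
GnXBy6bZacXiBwYPjgJd7GK+3giGq/Mw2URXexW8PuuV
IGBz8bRUczNbQPHsaZUWXlv32RelJArykWB8S/N5pvOn
r8Q9w4asKR6JNiDnzoF/09EVlSyXvaluVrZT7kMGKdgC
OB7H20kwcBkGdwUYMclna2XmddQMeicc5yjxglQgpg89
48Om5L8A0hjGDQEyTTTaOA91D+7/F2yI99TPvSYizC+6
vYUoleAIWQi3GRG/KJRd9N8OouZIYgOtf2jKPwsEQwhQ
sS7G3w4BxrkEB8Q8btx5CWaKX2CVD8Jv2A== )"""


def parse_rrsig_time(text: str) -> datetime:
    """Parse a YYYYMMDDHHmmSS RRSIG timestamp into an aware UTC datetime."""
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def regen_window(base_days: int, regen: Optional[int] = None) -> timedelta:
    """How long before expiry named regenerates a signature.

    Encodes the quoted ARM rules: the optional second field of
    sig-validity-interval is in days when the base interval exceeds
    7 days and in hours otherwise; when absent, one quarter of the base.
    """
    if base_days > MAX_VALIDITY_DAYS:
        raise ValueError("sig-validity-interval base exceeds 10 years")
    if regen is None:
        return timedelta(days=base_days) / 4
    return timedelta(days=regen) if base_days > 7 else timedelta(hours=regen)


def parse_rrsig(rr: str) -> dict:
    """Pull the fields needed here out of a presentation-format RRSIG RR."""
    tokens = rr.replace("(", " ").replace(")", " ").split()
    i = tokens.index("RRSIG")
    # RFC 4034 s3.2 RDATA order: type covered, algorithm, labels, original
    # TTL, expiration, inception, key tag, signer's name, signature.
    return {
        "owner": tokens[0],
        "type_covered": tokens[i + 1],
        "algorithm": int(tokens[i + 2]),
        "expiration": parse_rrsig_time(tokens[i + 5]),
        "inception": parse_rrsig_time(tokens[i + 6]),
        "key_tag": int(tokens[i + 7]),
        "signer": tokens[i + 8],
    }


def resign_plan(rr: str, base_days: int, regen: Optional[int] = None,
                now: Optional[datetime] = None) -> dict:
    """Report when named will re-sign this RRSIG and whether that is due."""
    sig = parse_rrsig(rr)
    now = now or datetime.now(timezone.utc)
    resign_at = sig["expiration"] - regen_window(base_days, regen)
    return {
        **sig,
        # Inception is backdated one hour for clock skew (quoted ARM text),
        # so the signature was actually produced about an hour later.
        "signed_at": sig["inception"] + timedelta(hours=1),
        "resign_at": resign_at,
        "due": now >= resign_at,
        "expired": now >= sig["expiration"],
    }


def validity_covers_soa_expire(base_days: int, soa_expire_seconds: int,
                               multiple: int = 3) -> bool:
    """The ARM advice that sig-validity-interval be several multiples of
    the SOA expire interval; 'several' is taken as 3 here (an assumption)."""
    return timedelta(days=base_days) >= multiple * timedelta(seconds=soa_expire_seconds)


if __name__ == "__main__":
    plan = resign_plan(RRSIG_FROM_THREAD, base_days=1,
                       now=parse_rrsig_time("20180503120000"))
    for key in ("owner", "type_covered", "key_tag", "signed_at",
                "expiration", "resign_at", "due", "expired"):
        print(f"{key:13} {plan[key]}")
```

With Tom's settings the signature expires at 2018-05-04 06:01:24 UTC and the 1/4 rule puts the re-signing point six hours earlier, at 00:01:24 UTC; the inception field shows it was produced around 06:23:21 UTC the day before. The same functions answer the operational question for any other RRSIG pulled from `dig +dnssec`, and `validity_covers_soa_expire` flags the 1-day test setting as too short against a typical SOA expire of a week or more.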